
As an example, the US no-fly list is commonly referred to as security theater given that it is easy to work around. However, blurring license plates when posting a picture online is not considered security theater, even though license plates are open for everyone to see when the car is driving.

So where is the exact line between security measures that are merely exploitable and security measures that can be referred to as "security theater"?

JonathanReez

2 Answers


A security measure has a goal: what it would do if nobody tried to work around it. This goal is intended to benefit someone — for example not allowing other people to withdraw money from my bank account, or preventing people from hijacking planes. It may be more or less efficient at achieving this goal, and thus it may provide more or less benefit. A security measure is security theater when its efficacy is negligible.

Blurring license plates is a privacy measure. Privacy is a holistic concern: the goal is not to make it impossible for anyone to know where my car was on Feb 29th 2019, but to make it hard for most people to know where my car was most of the time. Sure, Eve and Francis saw me on that day, but Hanna probably doesn't know that, and even if she knew, they would be unlikely to tell her without some serious persuasion. So if she wants to know where I was, she'll have to do a lot more work than a Google image search for my license plate number. Blurring license plates does have a significant benefit to my privacy.

In contrast, the US no-fly list is supposed to make flying airplanes safer. The potential attacker isn't my ex-girlfriend: it's people who may have a network that can provide false papers, and who may be prepared to die for their cause. It's not just exploitable — every security measure is, with the right price or the right army — it's easily exploitable by the kind of people it's supposed to defend against. It's also easily exploitable at zero cost with a trivial workaround: bomb the queue at the airport instead of bombing the plane. It's security theater because it has negligible efficacy.

Additionally, the expression “security theater” is only used when the goal has received some media attention. Part of the connotation of the expression is that someone is making a show of implementing security measures, but those measures are inefficient. If a security measure falls in the forest but nobody is here to hear it, it isn't commonly called “theater”.

Gilles 'SO- stop being evil'
  • Comments are not for extended discussion; this conversation has been [moved to chat](https://chat.stackexchange.com/rooms/93284/discussion-on-answer-by-gilles-what-is-the-difference-between-exploitable-securi). – schroeder May 06 '19 at 09:36
  • I disagree with your premise. It's security theatre when the security control is negligible *and it is meant to give the impression of increased security* either to the owner of the controls or the users. Lots of controls do not work, but they are not "theatre". Did you mean to leave that element out of your description? – schroeder May 06 '19 at 09:36
  • @schroeder Is it theater if the play is never produced? Eh, ok, maybe not in this context. – Gilles 'SO- stop being evil' May 06 '19 at 11:56
  • Take it to an extreme: "we, as an authority, have determined that to prevent hackers, you need to touch your nose at the point when you open a file." The control has 0 effect. But the authority, forced compliance, and evoked in the name of effective control makes it theatre. – schroeder May 06 '19 at 12:01

The thing is to define what you are protecting against whom.

In the case with blurring license plates, I may want to protect my online identity vidarlo against any correlation with name and address. Blurring the license plate of my car (I don't own a car, nor do I hide my identity, but...) when I post pictures of it online makes it more difficult to find my identity and location.

If you have the plate, it's a matter of a lookup in a public registry. If you don't, you'll have to recognize the car or location specifically, and the location may be publicly accessible.

The cost of blurring is low, and it's effective against a specific type of attack.

The no fly list attempts to stop people who may hijack planes from getting on planes. This is a more difficult problem, as it's largely unknown who will attempt to hijack a plane - and wanna-be hijackers can test the security by attempting to fly with no ill intent. It's costly to maintain the list, and it's costly to individuals who are on the list by mistake. In fact, it's so difficult to maintain that the USA doesn't manage to.

In addition, there's the problem of false positives. If you're not interested in finding my identity, it likely doesn't bother you a lot that the plate is blurred. The cost of false positives is effectively zero; I don't need to discriminate between attackers and non-attackers.

As for the no fly list

Imagine you have a test that is 99.999% accurate - it will identify terrorists with 99.999% accuracy, and the false positive rate is similar.

Now, last year there were 4.3 billion airline passengers. Imagine that 100 of them were terrorists. If you run that 99.999% accurate test on all passengers, it'll give you 430000 names. Of those, 100 are terrorists. The vast majority are false positives. Checking those 430k people will be a huge job.

And 99.999% accurate is probably overly optimistic. This makes it very difficult to make a usable and useful list.

vidarlo
  • @user71659 Let us [continue this discussion in chat](https://chat.stackexchange.com/rooms/93274/discussion-between-forest-and-user71659). – forest May 06 '19 at 00:12
  • @user71659 Please continue in the above-linked chat so we don't keep pinging the author of this answer. – forest May 06 '19 at 00:17