Questions tagged [security-theater]

DO NOT USE THIS TAG AS A GENERIC SECURITY TAG!! Security theater is a term that describes security countermeasures intended to provide the feeling of improved security while doing little or nothing to actually improve security. The term was coined by computer security specialist and writer Bruce Schneier for his book Beyond Fear.

(derived from the Wikipedia entry)

Despite the connotations of the word theater, those responsible for producing security theater may believe they are providing real security. It is, however, critical that the producers believe that those exposed to their measures, techniques, and methods will feel more secure. The producers may fail to provide real security through resource constraints (time, money, personnel, etc.), failure to properly evaluate the system, or actual intent to deceive.

94 questions

236 votes, 3 answers

Why did I have to wave my hand in front of my ID card?

I recently had to authenticate myself online to use an internet-based service. The authentication process was done via video call with me holding my ID card in front of my laptop camera beside my face. I also had to wiggle the ID card so the person…
Tom K.

87 votes, 6 answers

How am I ever going to be able to "vet" 120,000+ lines of Composer PHP code not written by me?

I depend on PHP CLI for all kinds of personal and (hopefully, soon) professional/mission-critical "business logic". (This could be any other language and the exact same problem would still stand; I'm just stating what I personally use for the sake…

78 votes, 8 answers

If we should encrypt the message rather than the method of transfer, why do we care about wifi security? Is this just security theatre?

Most answers to this question about the security of satellite internet boil down to: encrypting the message is more important than encrypting the method of transfer. However, there seems to be a lot of focus on wi-fi security. For what threat models…
gerrit

64 votes, 8 answers

Popular Security "Cargo Cults"

In Information and IT Security there is a nasty tendency for specific "best practices" to become inviolable golden rules, which then leads to people recommending that they are applied regardless of whether they are appropriate for a given situation…
Rory McCune

56 votes, 4 answers

Effectiveness of Security Images

Do security images such as those presented upon logging into banks provide any tangible security benefits, or are they mostly theater? Per my understanding, if somebody is phishing your users, it's also trivial for them to proxy requests from your…

38 votes, 7 answers

Could SQRL really be as secure as they say?

I just came across https://www.grc.com/sqrl/sqrl.htm With Secure QR Login, your phone snaps the QR code displayed on a website's login page . . . . and YOU are securely logged in. This seems like it would be pretty awesome - one of the…
Wayne Werner

34 votes, 3 answers

Changing picture as characters entered into password

When Lotus Notes asks for the password, it displays a screen with a picture that appears to change after a new character is entered after the fifth character. I have noticed the sequence of pictures is the same between closing and reopening…
Celeritas

27 votes, 8 answers

Why don't banks get hacked?

From reading a lot of info on this website I came to the conclusion that if someone with enough skill really badly wants to gain access somewhere, then there is absolutely nothing stopping them from doing so. Additionally I learned that getting…
Quillion

25 votes, 4 answers

Security seals and the "perception of safety"?

I clearly understand that the security seals (verisign or norton secure etc.) shown on banking and other websites are generated using a script and available only after an ssl certificate is purchased and installed. The certificate vendors say "the…
Shurmajee

20 votes, 4 answers

What are the security threats of zip file uploads and what preventive actions should be taken?

We have a Drupal application developed for sharing files. We are allowing zip files to be uploaded by logged in departmental user. We are using Drupal private file system (outside webroot). We are using php Fileinfo for validation. Only logged in…
msmani

19 votes, 6 answers

When secure email, is not really secure

We have a vendor who sends us "secure" messages. The messages come as an email message that contains a link to an SSL encrypted website that has the real message. There is no username/password on the linked site, or any other form of authentication…
matthew

18 votes, 8 answers

Are 7-Zip password-protected split archives safe against hackers when they are password-protected a couple of times?

Imagine I wish to upload my sensitive personal information (photos, document scans, list of passwords, email backups, credit card information, etc.) on Google Drive (or any other cloud service). I want to make sure this entire bunch of data is as…
Neli

18 votes, 7 answers

Tripwire - Is it security Theater?

Tripwire type intrusion detection systems supposedly protect your system from rootkits, by monitoring the checksums of important binaries for changes. Let's say I have tripwire configured to run nightly and installed it on a fresh non-rootkitted…
dr jimbob

17 votes, 7 answers

Is a "security measure" that doesn't provide a security benefit actually harmful?

If a security measure is implemented that doesn't provide any additional security benefit, can it be considered harmful? As an example, consider a login page where the user is asked to enter their username, and then their password twice (for…
Damovisa

16 votes, 2 answers

Is adding a supplementary credit transaction something that could improve online payment security?

An online company from which I regularly buy goods apparently recently upgraded their security policy. Let's say I bought something for 73,31€. As usual this company uses 3D-Secure for the checkout process and will actually process the payment only…
WhiteWinterWolf