Schneier on Security: Stupid Security Awards Nominations Open



August 28, 2006

Stupid Security Awards Nominations Open

Get your nominations in.

The "Stupid Security Awards" aim to highlight the absurdities of the security industry. Privacy International's director, Simon Davies, said his group had taken the initiative because of "innumerable" security initiatives around the world that had absolutely no genuine security benefit. The awards were first staged in 2003 and attracted over 5,000 nominations. This will be the second competition in the series.

"The situation has become ridiculous" said Mr Davies. "Security has become the smokescreen for incompetent and robotic managers the world over".

Unworkable security practices and illusory security measures do nothing to help issues of real public concern. They only hinder the public, intrude unnecessarily into our private lives and often reduce us to the status of cattle.

[...]

Privacy International is calling for nominations to name and shame the worst offenders. The competition closes on October 31st 2006. The award categories are:

  • Most Egregiously Stupid Award
  • Most Inexplicably Stupid Award
  • Most Annoyingly Stupid Award
  • Most Flagrantly Intrusive Award
  • Most Stupidly Counter Productive Award

The competition will be judged by an international panel of well-known security experts, public policy specialists, privacy advocates and journalists.

Posted on August 28, 2006 at 07:39 AM


Comments

Home Secretary John Reid sweeps.

Posted by: TOMBOT at August 28, 2006 08:20 AM


Finally, something Microsoft is good at.

Posted by: Arthur Digby Sellers at August 28, 2006 09:29 AM


Interesting post! To add more fuel to this, earlier this morning I had a conversation with the Director of Risk Management and Security for a very well known satellite company over a security issue I discovered in their authentication. This security issue reveals usernames and passwords for their users. With this security hole an unscrupulous person can get account information, billing data, serial numbers for satellite equipment, and of course the subscription service. The response I received from the Director was comical. "If this issue is the least of my worries, I can sleep just fine. I have more important security concerns that keep me up at night." I'm glad I'm not a customer of this company; their arrogance and lack of concern for personal customer data is overwhelming. If this person worked for my company and had such disregard, I'd ask for a resignation. What is sadder is that this is not an isolated incident; I've had several conversations like this with other large companies.

Austin Kauffman
Security Research

Posted by: Austin Kauffman at August 28, 2006 09:29 AM


It'd be great if they could merge this with the "Information Security Executive of the Year" awards: [web.archive.org]

Posted by: Boots at August 28, 2006 10:08 AM


I'm voting for Sourcefire.

A security company that tries to spy on its competitors and goes through all the trouble of making fake web businesses and contacting its competitors about evaluating their products, yet is so dumb that they actually use real Sourcefire information in the DNS record.

Hands down winner of the Most Inexplicably Stupid Award!

Posted by: TMR at August 28, 2006 11:08 AM


Surely the NSA will get an honourable mention for their domestic spying under the thin veil of "security".

Posted by: Suomynona at August 28, 2006 11:35 AM


Spying is used for breaking security, not testing or providing security.

Posted by: Jim at August 28, 2006 11:51 AM


I had not read the 2003 entries before

Mother made to drink her own breast milk
Packet of "Gunpowder tea" opened; tea allowed but packet confiscated
Soldiers allowed personal firearms but made to check in knives
And many others!

And I thought paranoia was recent!

Silly me.

Paranoid

Posted by: Paranoid at August 28, 2006 11:55 AM


@TMR- got a reference for the Sourcefire incident?

Posted by: uninformed at August 28, 2006 12:15 PM


A person was required to remove a t-shirt that had Arabic writing on it before being allowed to board a plane: [web.archive.org]

Posted by: HT at August 28, 2006 12:25 PM


@uninformed
I'm sure you could Google it, but this went to the Information Security mailing list:

By Nick Booth
14 June 2006

SECURITY FIRMS must be ruthlessly cunning and intelligent to stay
ahead of the fiendish legions of hackers, crackers and cunning con
artists they constantly warn us about.

Or so you'd think.

But not if this recent example of 'intelligence' is typical.

All companies keep tabs on the opposition. Usually, they employ
competitive intelligence companies, who use all kinds of dirty tricks
to find out about rivals' products, their marketing strategies and the
incentives offered to resellers.

A typically fiendish scam would be to set up a phoney head hunting
agency, then invite everyone that matters, at the target firm, for an
"off the record" interview. Flattered by the attention, most CTOs and
marketing directors are only too pleased to boast of the projects
they're working on, the budgets they're in charge of and how many
people are under them.

This information is all tabulated, and sold for hundreds of thousands
of dollars, to the client. Clients like to outsource this furtive
behaviour so they can distance themselves from it if they get caught.

Very cunning. Some security firms are slightly less sophisticated, it
seems.

When security vendor Countersnipe launched its latest product, it
expected a few bogus enquiries from its rivals. But a request from an
outfit calling themselves Ychange seemed genuine enough.

'Jeff' from Ychange saw a demo and was so impressed he promised to
show the product to Superluminal, his financial services client, which
was just gagging to place a multi-million dollar order.

But a quick Whois check revealed that Superluminal's web site was
owned by one of Countersnipe's rivals, Sourcefire. Perhaps Sourcefire
didn't think anyone else would know about this new-fangled Internet
thing.

"This has to be the least sophisticated attempt at spying I've ever
seen," laughed Countersnipe's Amar Rathore, "I wouldn't mind, but
they're a security firm, for God's sake. You'd think they'd know some
cleverer tricks than that."

Sourcefire was unavailable for comment.

Posted by: TMR at August 28, 2006 01:01 PM


The spineless US Congress for the Most Egregiously Stupid Award, Most Inexplicably Stupid Award, Most Flagrantly Intrusive Award and Most Stupidly Counter Productive Award for allowing the continued perversions of the DMCA to threaten people, and jail them, for conducting research into data protection measures that would otherwise be guaranteed protection by the First Amendment.
[web.archive.org]

Posted by: crf at August 28, 2006 01:26 PM


The abominations, that is.

Posted by: jsaltz at August 28, 2006 02:56 PM


In Charlotte yesterday, I was informed that I could bring my salad on the plane, but only if I dumped the dressing on the salad first. Of course, I could have just put the salad and dressing in a paper bag and walked right in. The person in front of me, however, was able to walk in with his Cinnabon and tub of extra icing because Cinnabon goo was not on USAirways gate agents' list of banned substances.

The terrorists are making us stupider.

Posted by: seamus at August 28, 2006 03:06 PM


Now accustomed to the frantic excavation of my pockets and parcels into plastic bins- removing laptops and electronics from their prophylactic canvas bags, cell phone, change, etc. into a dish garnished with my keys, and removing my shoes as I crossed a threshold into sacred space- I had just finished my ritualistic passenger self-pat-down when I nearly collided with the man in front of me. The amateur! The Neophyte! I filled my lungs. But before I could imbue my sigh with indignation and schadenfreude to- let's be honest- demonstrate to the impatient blonde behind me that it was not I who had interrupted the frantic procession, I realized the man had mastered the incantation, but the priests of the checkpoint were uncertain if he sought to profane the temple with his Boston Cremes.

After submitting his fried pastries to an x-ray scan, no fewer than eight TSA employees were gathered around the box, stroking their chins, and debating: do we confiscate only the liquid-filled donuts? What of the powdered, jelly-filled? Surely something that has both white powder and liquid is contraband, but what of icing? After about ten minutes, the man received all his donuts- the screeners had tired of the debate- and I continued to my flight, secure both in my person and my knowledge that my safety was certain.

Posted by: C at August 28, 2006 03:53 PM


I'll point out to those wrestling with finding someone to report a security issue _to_ - that insurance companies are usually very very interested in what kinds of risks their customers take. Now figuring out who insures that satellite company that Austin Kauffman was referring to might be harder.

Business intelligence, anyone?
-r.

Posted by: rhandir at August 28, 2006 05:26 PM


BTW, Stupid Security is also a web site, that has been up for years now (and been mentioned in Crypto-Gram). See [web.archive.org] Tell 'em I sent ya!

Posted by: Dave Aronson at August 29, 2006 08:02 AM


This is pretty egregious ...
[web.archive.org]

Posted by: csrster at August 30, 2006 02:04 AM


It's not a surprise to most that airport security is smoke and mirrors, an act to fool the traveling public into thinking they are safe. The real threat comes from the backside of the airport: the baggage handlers, fuelers, aircraft cleaners, who never go through security. They have the ability to place a weapon onboard an aircraft for use at a future time. Each aircraft is supposed to be inspected each morning before going into service, but it is a half-hearted effort on the part of those that are assigned this task, as it is a burdensome and time-consuming ordeal that takes time away from their real tasks. As passengers we can only hope that the pilots are armed and have kept their training current. There is no doubt that a terrorist with a weapon to the head or throat of a flight attendant will gain access to the cockpit. We just have to hope that the pilot(s) will not think twice about firing their weapons.

Posted by: Gunner at September 3, 2006 04:28 PM

