Physical Security: The Good, The Bad, And The Ugly, presented at the 12th USENIX Security Symposium, 2003

by Mark Seiden

Summary: Physical security is an oft-overlooked but critical prerequisite for good information security. A bad guy with a console root login can obviously adversely affect behavior in basic or profound ways, but you may not know how trust can be completely breached by brief and seemingly limited physical exposure using spiffy/inexpensive tools available on eBay. Another dirty little secret: When critically examined, physical security policies/mechanisms perhaps have *always* oozed snake oil, including back doors relying on "security through obscurity" and ignoring environmental context--the need to function in a system. Outsourcing/colocation often presents only the perception (seldom the actuality) of security. A badging system implementation turns out to be >200K LOC, rather than simply "wave badge at the reader and maybe let 'em in," and is as buggy as any large program.