
Questions tagged [security-theater]

DO NOT USE THIS TAG AS A GENERIC SECURITY TAG!! Security theater is a term that describes security countermeasures intended to provide the feeling of improved security while doing little or nothing to actually improve security. The term was coined by computer security specialist and writer Bruce Schneier for his book Beyond Fear.

1 vote
0 answers
162 views

Is there a term for when a particular system design might prove to have some advantages, but doesn't actually qualitatively change the potential attacks on the system and thus ends up as redundant,...
tau's user avatar
  • 417
0 votes
0 answers
45 views

I'm working with an HTTPS API that requires me to include a Signature header, the signature is calculated as codeBase64(hmacWithSha384(key, body)). I'm wondering if it provides any real-life benefits ...
hangyas's user avatar
0 votes
3 answers
213 views

If some security measure serves only to add an extremely small barrier to an attack, are there generally accepted principles for deciding whether that measure should be retained? Does defence in depth ...
benjimin's user avatar
  • 195
2 votes
2 answers
205 views

For work and other official matters, I am often forced to use websites and apps which clearly have some kind of cargo cult going on in their security department, given that they impose extremely ...
Artimithe55's user avatar
2 votes
1 answer
275 views

On some internet banking websites, I've seen some CVV input fields that seem strange to me. Here is an example: The field works as such: You can not input a CVV code using a keyboard. The numbers ...
-1 votes
1 answer
257 views

I once heard that the author of the early NES emulator "Nesticle", clearly a very intelligent person, bafflingly used some kind of exploitable "Samba" or "SMB" server ...
Arlin's user avatar
  • 1
1 vote
0 answers
180 views

Snowflake is a cloud database like Google BigQuery or Amazon Redshift. Unlike them, however, it markets a "Secure Data Sharing" feature. They go to some effort (including a full "Data ...
Seamus Abshere's user avatar
3 votes
1 answer
2k views

Every time I install Windows 10, I painstakingly go through every setting that can be found in any GUI setting for the OS, disabling everything that sounds creepy. One of the most disturbing things I'...
Panayiotis Mealing's user avatar
3 votes
1 answer
3k views

OWASP recommends setting session timeouts to the minimal value possible, to minimize the time an attacker has to hijack the session: Session timeout define action window time for a user thus this window ...
gregmac's user avatar
  • 543
2 votes
0 answers
151 views

Given... a public web service with enabled SSL/TLS the web service enforces authentication using JSON Web Tokens a client on a LAN without an Internet connection a proxy on the LAN that grants point-...
Reiner Rottmann's user avatar
86 votes
6 answers
20k views

I depend on PHP CLI for all kinds of personal and (hopefully, soon) professional/mission-critical "business logic". (This could be any other language and the exact same problem would still stand; I'm ...
Paranoid Android's user avatar
14 votes
1 answer
976 views

I run a localhost-only webserver (PHP's built-in one) for all my admin panels and whatnot on my machine. I'm worried that, if any random webpage has a JavaScript snippet which makes an Ajax call to ...
ParanoidAndroid's user avatar
3 votes
1 answer
393 views

Let's say that ACME, Inc. is making closed-source software. It's closed for a reason (they don't want it leaving their building other than in compiled form). Now, they are hiring some company/person ...
Marvin the paranoid android's user avatar
77 votes
8 answers
15k views

Most answers to this question about the security of satellite internet boil down to: encrypting the message is more important than encrypting the method of transfer. However, there seems to be a lot ...
gerrit's user avatar
  • 1,920
4 votes
2 answers
294 views

As an example, the US no-fly list is commonly referred to as a security theater given that it is easy to work around. However blurring license plates when posting a picture online is not considered a ...
JonathanReez's user avatar
  • 1,044
