upvote

points

by firefoxd7 hours ago |
comments
upvoteby latexr5 hours ago|
next
[-]
> Based on the comments I see here, I think the focus is going on the turnstiles just as it did when I worked there.

You titled the piece after the turnstiles and spent the overwhelming majority of the post talking about them (and surrounding physical features). The Jira ticket felt secondary, and when it was introduced in the middle of the post I was genuinely confused, thinking why the heck the card system was contacting Jira.

People reading your writing are going to focus on whatever you did when you wrote it. The turnstiles read like the important part.

reply
upvoteby margalabargala5 hours ago|
parent|
[-]
The part about Jira is important because it highlights that while the company claims to take security seriously, they in fact do not take it seriously.

The incompetence of the turnstiles makes it a good focus for the story while the juxtaposition of the turnstiles with Jira exposes the company's hypocrisy.

reply
upvoteby Dylan168072 hours ago|
parent|
next
[-]
What's the threat model for cookie theft? That if someone gets access to your company hard drive, but not enough access to install a keylogger, then instead of invalidating a session you also have to invalidate the password too?

It's an issue but I wouldn't call it a particularly big issue. I don't think it's very damning for how much the company cares about security.

And it sounds like the turnstiles did work for actual security? Sure, they gave up on per-floor security, but that's a lot less important.

Edit: And if employees are reusing passwords then we should be getting them password managers (or SSO) as the top priority, much more than we worry about logins in cookies inside the building. I mean, there's a point where a single purpose password and a login token become the same thing.

reply
upvoteby glitchcrab4 hours ago|
parent|
prev|
[-]
I believe like that was the intent, but the (very few) mentions of Jira feel like a bit of a non sequitur; they don't belong.
reply
upvoteby compass_copium5 hours ago|
prev|
next
[-]
I care a lot more about my life (or my car's catalytic converter, which was stolen off my car in my work parking lot before they inatalled a gate for the lot) than any of my work-related IT credentials. Health and safety threats are a much bigger deal to people than nebulous, difficult to exploit threats to IP.
reply
upvoteby angry_octet4 hours ago|
parent|
[-]
Except the turnstiles and swipe cards do almost nothing against an active shooter situation.

But missing in this discussion is a risk and consequence analysis. If the risk is armed attackers, do something that targets that. For physical theft, target that. Likewise IT risks. The core problem is that risks were not being identified (systematically or in response to expert feedback) and prioritised.

Incidentally, the solution to car park access is ALPRs, and the solution to most of the physical security is solid core doors at the workgroup level with EACS swipe and surveillance cameras there, and at the front desk have face level 4k video surveillance. With an on duty guard to resolve issues with access.

reply
upvoteby handoflixue53 minutes ago|
parent|
[-]
> The core problem is that risks were not being identified (systematically or in response to expert feedback) and prioritised.

Or the person who wrote the article just wasn't involved in that loop, or otherwise disagreed on what threat models mattered.

reply
upvoteby anigbrowl4 hours ago|
prev|
next
[-]
You're right, but the consequences of different security failure are different, no?
reply
upvoteby horeszko6 hours ago|
prev|
next
[-]
Perhaps part of the problem is that an active shooter is easy to visualize and understand whereas unsecured credentials stored in cookies are an abstract and difficult to visualize problem for management.

Furthermore, turnstiles are easy to promote and take credit for. Secure web authentication would have to be explained to and understood by the boss's boss before credit for it could be claimed.

I suspect it's these aspects of organizational reality that results in security theater.

reply
upvoteby margalabargala4 hours ago|
parent|
[-]
I think it has less to do with ease of visualization and more to do with priority of consequences.

Do a poll of whether people would prefer that a mass shooting or a mass data breach occur at their place of work while they are there. I bet I know which one wins.

reply
upvoteby kristianp6 hours ago|
prev|
next
[-]
The majority of commenters don't actually read the article, or at least not the whole thing.
reply
upvoteby gosub1005 hours ago|
prev|
next
[-]
I don't think you could take over the company with a jira token. Another factor for consideration with turnstiles is disability access and fire egress. Those are covered by building code but since this is a parable, it's worth noting that physical security has often caused tragic stampedes that have killed many.
reply
upvoteby firefoxd2 hours ago|
parent|
[-]
You are right, it's much harder to compromise a system with the jira token, which is why it was the solution for the username/password stored as cookies. Plus the token was never exposed to the client.
reply
upvoteby layer85 hours ago|
prev|
[-]
I was disappointed by the lack of photo of the single turnstile.
reply