I have seen this phenomenon especially at a couple of FAANGs over the past couple of years. Things are getting locked down so much, and so many special permissions are required that now people ask for permissions to systems or procedures preemptively. Because by the time they know if they will need it or not, it's too late.
And no one in the security business seems to consider the overall burden of yet another step. Each of which is simple in by itself, but cumulatively they are a giant hassle, and so people look for workarounds.
> And no one in the security business seems to consider the overall burden of yet another step. Each of which is simple in by itself, but cumulatively they are a giant hassle, and so people look for workarounds.
This is a tale as old as time.
At a prior gig, IT took away touch ID for ... $reasons. ~40% of the engineering team was already big into mechanical keyboards so it only took one person to "just FYI, VIA allows you to program macros". Is it _as bad_ as password on a sticky note? Not quite but I can't imagine that touch ID was _more_ of a threat.
Curious, why remove Touch ID? Been moving everything into it seems like a really good mix of convenience + security (especially if the alternative is copying your key into AI :) )
I call this sort of thing a self-DoS. If the system is unusable enough, it's indistinguishable from a DoS attack. This sort of sabotage isn't restricted to the security team, anything that makes the system unreliable enough from bad design through bad performance can have the same effects as an external attack.
I think security became part of compliance so security recommendations got detached from actual security. It seems like a lot of security recommendations are just busy work that justifies having a huge compliance industry. So an example of this might be security scanners for code where the output is not even useful. But using the tool, which searches for irrelevant findings, is required for compliance even if it basically does nothing for security.
thats part of why NIST updated their password rotation recommendations from 90 days to indefinite: people pay lip service to security if it is too inconvenient. you have to try to meet people where they are.
It's not just about "convenience", it is hard for the human mind to remember a truly random password. You can try all the mnemonic tricks you want but at the end of the day it requires a lot of time and repetition before entering the password is effortless. So what people do is create a stream of derivable passwords. For example, I can think of a phrase "I love beach balls bouncing on the ocean!" and then make a password "ilBBbotocean!" and when it comes time to change that password, I'll just add a number "ilBBbotocean!1". Studies have shown this is what people do. But it is easy for attackers to also derive these passwords once one password in the chain has been compromised.
The effect of that is that by requiring frequent rotation, the organization is effectively training their users to have a single permanent password and to never change it, even after a compromise. That's extremely harmful. At least with permanent passwords that are force rotated after they show up in database or there has been an incident, you have a much higher percentage of compliance with making new passwords, and the organization is safer because everyone isn't using passwords derived from the previous password.
I remember a case where a company decided to assign employees random 16 character passwords with symbols and rotated them every 90 days or so. They were unchangeable and the idea was that everyone would be forced to use a secure password that changed regularly.
You can probably guess what happened, and that was that no one remembered their passwords and people wrote it down on their pads or sticky notes instead.
Writing down a password is a great option. However you need to keep that paper in a secure location. Put it in your wallet and treat it like a $100 bill - don't paste it to a monitor or under the keyboard.
A password manager is better for most things, but you need to unlock the password manager somehow.
The level of lockdown in current years is wild. With our 2FA requirements and SSO, signing into GitHub every morning takes me something like eight clicks and a solid minute. Everything has gotten so locked down in recent years, people are working so hard to protect what are largely basic CRUD apps
Would have been less if GitHub had just allowed proper SSO instead of this hybrid account mixing.
I get that the hybrid method might be desirable for contractors or similar who have many hats, but for a regular employee it just adds friction for no benefit.
I've never had that issue with Github—I think their account mixing setup reduces the amount of work I have to do to sign in 100x compared to other SSO systems I use.
Incidents are inevitable at scale, but risk management at scale is an append-only operation that eventually becomes so complex and suffocating the only recourse is noncompliance.
Even going to the doctor I find myself pleading with the staff to just let me see my PCP instead of going through the full process. It takes 30 minutes now to get through the opening interrogation about overseas travel, human trafficking, vaccine awareness, anxiety and depression panels, domestic violence questions, multi-part questions about recent falls, and everything else that they keep tacking on. Usually in triplicate, waiting room forms, questions from the nurse, questions from the doctor.
And I know behind each of these individual decisions there is a horror story or someone proactively trying to prevent one, but altogether they create their own.
Absolutely. Easier said than done, but the best security is structural security - as near to invisible for end users as possible. This needs to be the goal, imo, even if not fully achievable.
And now we're at the threshold of the next level of security fatigue: permission fatigue.
It's shocking how little people are paying attention to this upcoming security nightmare. It wouldn't take much for a bad actor to poison an AI session to wait for you to start selecting yes, yes, yes and then slip in something bad.
Very obvious, but things that seem obvious might not actually be true. It is worth verifying.
Getting organisations to act on the obvious if it requires changing is harder than you might think. Having research to point to and saying you are doing the wrong thing and now you've been told is like turning the lights on and off really quickly and moaning "Liability" in a spooky voice.
Fair enough. I had a hard time advocating for good password flows because "standards" said frequent rotation etc.
And tbh when you apply those standards with context and are faced with people bare-minimum pointing at the standards, you sometimes come off as less knowledgeable - such is the authority of research/standards.
Anyway, I skimmed your profile and learnt a new word, milquetoast - so thanks for that!
At some point I need to ask Corporate IT for my justification logs for every elevation request. I'm certainly sure I've submitted at least a couple hundred "because I said so"s and at least three Bee Movie scripts.
Just get off as many of these platform as you can. That’s about the only security that you’ll ever get. If you are still in the Matrix, listen the weirdos on here that take “don’t trust anything” seriously to the point of absurdity.
The Matrix was not fiction. Our modern internet is a system. You have to figure out how to live truly free from it, because it absolutely owns you.
__
Revelation 13:16–17
“And he causeth all, both small and great, rich and poor, free and bond, to receive a mark in their right hand, or in their foreheads:
And that no man might buy or sell, save he that had the mark…”
And no one in the security business seems to consider the overall burden of yet another step. Each of which is simple in by itself, but cumulatively they are a giant hassle, and so people look for workarounds.
This is a tale as old as time. At a prior gig, IT took away touch ID for ... $reasons. ~40% of the engineering team was already big into mechanical keyboards so it only took one person to "just FYI, VIA allows you to program macros". Is it _as bad_ as password on a sticky note? Not quite but I can't imagine that touch ID was _more_ of a threat.
It became so prevalent that whenever we were planning anything, if a task had to be done by someone outside of our team, we added 20 days.
Security through eternity I guess ?
Preaching is not a strong motivator for long.
The effect of that is that by requiring frequent rotation, the organization is effectively training their users to have a single permanent password and to never change it, even after a compromise. That's extremely harmful. At least with permanent passwords that are force rotated after they show up in database or there has been an incident, you have a much higher percentage of compliance with making new passwords, and the organization is safer because everyone isn't using passwords derived from the previous password.
You can probably guess what happened, and that was that no one remembered their passwords and people wrote it down on their pads or sticky notes instead.
A password manager is better for most things, but you need to unlock the password manager somehow.
What does that mean? Passwords are stored in textiles accessible by admin only, and shared. And everyone is worse for it.
CRUD apps can contain very sensitive data, so not sure how that’s relevant.
I get that the hybrid method might be desirable for contractors or similar who have many hats, but for a regular employee it just adds friction for no benefit.
Incidents are inevitable at scale, but risk management at scale is an append-only operation that eventually becomes so complex and suffocating the only recourse is noncompliance.
Even going to the doctor I find myself pleading with the staff to just let me see my PCP instead of going through the full process. It takes 30 minutes now to get through the opening interrogation about overseas travel, human trafficking, vaccine awareness, anxiety and depression panels, domestic violence questions, multi-part questions about recent falls, and everything else that they keep tacking on. Usually in triplicate, waiting room forms, questions from the nurse, questions from the doctor.
And I know behind each of these individual decisions there is a horror story or someone proactively trying to prevent one, but altogether they create their own.
It's shocking how little people are paying attention to this upcoming security nightmare. It wouldn't take much for a bad actor to poison an AI session to wait for you to start selecting yes, yes, yes and then slip in something bad.
1. Enter a password to decrypt the computer
2. Enter a username and password to log into my account
3. Enter another set of credentials to access the corporate VPN
4. Enter another username and password to access the network the VM is on
5. Enter another username and password to get to the actual machine
6. And then navigate a nest of authorization for docker/git/etc to actually do anything useful
Getting organisations to act on the obvious if it requires changing is harder than you might think. Having research to point to and saying you are doing the wrong thing and now you've been told is like turning the lights on and off really quickly and moaning "Liability" in a spooky voice.
And tbh when you apply those standards with context and are faced with people bare-minimum pointing at the standards, you sometimes come off as less knowledgeable - such is the authority of research/standards.
Anyway, I skimmed your profile and learnt a new word, milquetoast - so thanks for that!
The Matrix was not fiction. Our modern internet is a system. You have to figure out how to live truly free from it, because it absolutely owns you.
__
Revelation 13:16–17
“And he causeth all, both small and great, rich and poor, free and bond, to receive a mark in their right hand, or in their foreheads: And that no man might buy or sell, save he that had the mark…”