The Value of Security Theater
Bruce Schneier coined the phrase "Security Theater" in his book, Beyond Fear. Security Theater is a measure that has the appearance of security but offers virtually none. Bruce argues that security theater is more dangerous than no security at all, because assets are still vulnerable in both situations, but Security Theater offers a false sense of security, allowing people to be lazy.
Of course, most of the time when we talk about security (at least in the modern age) we are talking about issues of considerable controversy. For example, if I were to tell you that the efforts that have been put into airline security are, in reality, security theater, you might find this very irritating, and that emotional reaction may cloud your judgement. You could also say that MY emotional investment in the issue makes me mislabel airline security as security theater. In any case, it is often difficult to think rationally about security when discussing something as difficult as homeland security.
Today I happened upon something that I found very humorous, and it serves as such a good example of security theater that I decided to post it.
I was looking at movie trailers on apple.com, and I saw that there was a trailer for a new movie called Texas Chainsaw Massacre: The Beginning. I hadn't heard of this (and I loved the original and liked the remake) so I decided to check it out. Feel free to go look. Be careful though, if it's before 10 PM, you won't be able to view the trailer.
Indeed, between the hours of 4 AM and 10 PM, the site gives you the message that the trailer is unavailable until that night. I presume this is because the trailer is so shocking that it's only around when kids are in bed, or something. Ridiculous nature of that aside, I began to ask questions. Probably the same questions you are asking now.
"How does it know what time to keep the file unavailable? Is it the time on the server?" Indeed, this is a reasonable question. If the server were in, say, California, then only people on Pacific Time would sync up correctly. Would a film studio do that in order to prevent parent groups from bitching and moaning? Of course not, movies are released all across the world, so the studio would never risk making the trailer unavailable internationally. If you "follow the money" (the quickest way to discover the true motivations behind anything 99% of the time), you can logically conclude the studio isn't going off the time of the server where the trailer is hosted. You can conclude this just as any kid (who shouldn't see the trailer) can. Is this good security?
So then, the only other time they could be using is *MY* time. That means JavaScript. Easy. Change my clock and reload. To my surprise, this did not work. So I decided to view the JavaScript source, and I saw that what the code actually does is make a new Date object (using my clock), then figure out my time zone, then poll the server to find out what the server time is, use the offset to calculate my ACTUAL time, and use that to decide if the trailer can be viewed. Honestly, this was a very clever solution and added one layer of difficulty to the "change my clock" workaround.
All I had to do, then, was change my time zone and reload. Problem solved. So, I was a person who had a pretty high degree of determination to see the trailer, and I was able to do so with very limited effort. The workaround is extremely simple, and can be communicated effectively even to someone who is unfamiliar with JavaScript and could not discover this flaw on their own. Was this security?
No, it was security theater. It provides parents with the false sense of security that their kids cannot see this trailer, but it is trivially easy to bypass the 'security' for someone who wants to do so. The countermeasure is only effective against people who aren't very motivated in the first place. As a result, a parent might be confident letting his or her kid browse the internet unsupervised, knowing this trailer is unavailable for viewing (I'm being facetious, but the point stands) until the child goes to bed.
In the end, the HTML elements that have the links are, in fact, on the page the entire time (style.visibility:hidden) and looking at the source code gives complete URLs to the actual .mov files with the trailers. Bypassing the system isn't even required; you can just look the URL up in the source. This system adds about 20 seconds of inconvenience to the process of viewing the trailer for a determined person, yet the theoretical parent is happy with the system. Security Theater defined.
By the way, the movie looks like shit.
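The gate described in the post, reconstructed as an added example (not the site's code or the author's): `clientSideGate` trusts a browser-supplied offset and ships the hidden link either way, while `serverSideGate` decides from server-held values and leaves the URL out of a blocked response. The URL, function names and sample time are constructed, and the server-known offset is an assumption.

```javascript
// Added example: names, URL and sample time are constructed, not taken from the site.
const TRAILER_URL = "https://media.example.invalid/trailer.mov"; // placeholder

// Viewing window from the post: blocked from 4 AM to 10 PM local time.
function isAllowedHour(hour) {
  return hour >= 22 || hour < 4;
}

// Local hour from a trusted UTC instant plus a UTC offset in minutes
// (positive = east of UTC; Date#getTimezoneOffset uses the opposite sign).
function localHour(utcMs, offsetMinutes) {
  return new Date(utcMs + offsetMinutes * 60000).getUTCHours();
}

// Design described in the post: the server clock is trusted, but the offset
// comes from the browser, and the link ships in every response, only hidden.
function clientSideGate(serverUtcMs, browserOffsetMinutes) {
  const allowed = isAllowedHour(localHour(serverUtcMs, browserOffsetMinutes));
  const visibility = allowed ? "visible" : "hidden";
  return `<a style="visibility:${visibility}" href="${TRAILER_URL}">Watch</a>`;
}

// Enforced variant: the decision uses only values the server holds
// (assumption: an offset stored per account or derived server-side), and the
// URL is left out of the response when the answer is no.
function serverSideGate(serverUtcMs, serverKnownOffsetMinutes) {
  if (!isAllowedHour(localHour(serverUtcMs, serverKnownOffsetMinutes))) {
    return "<p>This trailer is unavailable until tonight.</p>";
  }
  return `<a href="${TRAILER_URL}">Watch</a>`;
}

// Review check: does a response that is meant to block still carry the asset URL?
function leaksAsset(html) {
  return html.includes(TRAILER_URL);
}

// Constructed sample: 20:00 UTC, viewer at UTC-5 (3 PM local, inside the blocked window).
const now = Date.UTC(2006, 5, 18, 20, 0, 0);
console.log(leaksAsset(clientSideGate(now, -300))); // true
console.log(leaksAsset(serverSideGate(now, -300))); // false
```

The server-side variant only holds if the media URL itself is also refused outside the window; otherwise a saved link still works.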

Stephen Keller:
Do you suppose it’s to keep kids from watching it, or just to encourage people to watch it late at night when it will (theoretically) be spookier?
18 June 2006, 5:26 pm

Rod:
Stephen,
That’s a very good question. My assumption was that it was a child-safety kind of issue, but I suppose it could have been to make the trailer more enjoyable.
I kinda feel like the studio would think it gains more by making the trailer available at all times than it does from making it spookier when it is viewed. I have a hard time imagining studio exec types okay-ing the decision to make the trailer LESS available in order to make it better.
18 June 2006, 5:40 pm

Stephen Keller:
Rod,
I also have a hard time imagining studio execs really wanting to keep marketing material out of the hands of children (despite what they tell members of Congress). People like to pretend the studios really want the rating system enforced, but in truth a lot of kids watch R-rated movies and the studios know it.
My favorite “keep kids out of it” move that I see a lot of these days is to enter your birthdate on the first page of a site. Wow. No way could a kid possibly crack that wall of security.
18 June 2006, 7:36 pm

Stephen Keller:
Of course I should add that I realize the R rating does not restrict kids from seeing a movie, it only requires they have a guardian with them when they see it. But I know when I was a teenager I saw a lot of R-rated movies without my parents around (of course my parents didn’t really care what movies I watched, either).
18 June 2006, 7:38 pm

Alexandre Breveglieri:
Maybe they did it in order to generate hype about the movie. Like “Hey, did you see that trailer that can only be seen at night?” Just another form of advertising after all.
19 June 2006, 2:26 pm

John C. Kirk:
In fairness, changing the timezone on Windows XP (and presumably Vista) does require admin privileges, and if a parent wants to restrict what their child does then they shouldn’t be logged in with those privileges. (In fact, I don’t think it’s a good idea for adult users to run as admin all the time either, but that’s a separate issue.) So, this may be a bit better than it seems…
23 July 2006, 2:50 pm