What Stevie Ray Vaughan Can Teach Us About Security Design
from the instructive-parable dept
The SolarWinds intrusion, with the revelation that part of the architecture included, at least for a while, a really weak default password, and the hack of the water treatment plant, with a similar password reuse problem, reminded me of a story I heard not long ago about another instance of poor security design.
In a recent fan Q&A on Facebook, Bill Gibson, the drummer for Huey Lewis and the News, told a story about his friendship with Stevie Ray Vaughan. Stevie Ray Vaughan and his band Double Trouble had opened for the News for a while in the mid-1980s, and in that time Bill and Stevie had become good friends. Back at the hotel one evening after a show in New York City it came up that Bill had seen Jimi Hendrix perform something like seven times. Stevie, a guitarist who idolized Hendrix, was in awe. He wanted to hear everything about what it was like seeing Hendrix play, so he grabbed some beer and they settled in for an evening of Bill telling Stevie everything he remembered.
By 3:00 AM they were out of beer, so they went down to Stevie's tour bus parked out in front of the hotel to get some more. He opened the bus with his key and started looking for the cooler he kept it in. "That's odd," Bill recalls Stevie musing, "The cooler is usually kept in this spot over here." Eventually he found a cooler elsewhere, removed the needed beer, and they left to go back up to finish their conversation.
The next day they discovered why they'd had trouble finding the cooler. At the time, most bands were touring in buses that all came from the same company, all looked the same, and all were opened by the exact same key. The reason Stevie could not find the cooler where he expected it was that they were not on the bus they thought they were on. Instead of Stevie's bus, they were actually on UB40's bus, which, unbeknownst to them, had pulled up that night while they'd been ensconced in the hotel talking, and which Stevie's key had opened. And on which the UB40 band had apparently been sleeping the whole time Stevie and Bill were there inadvertently pilfering their beer…
So let this story be a lesson to security designers, people who really should be employing security designers, and pretty much everyone else who likes to reuse their passwords: When the security credentials for one resource can be used to gain access elsewhere, especially in a way you did not anticipate, there's really not that much security to be had.
And in most such cases it will likely be so much more than UB40's beer that's now been put at risk.
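The post's lesson has a concrete operational form: if a password leaked from one service opens an account on yours, that account is UB40's bus. The check below is an added example, not code from the Techdirt post; it assumes a small constructed user table with salted PBKDF2 hashes and a constructed "leaked dump" from some other site, and reports which local accounts that dump would open. Account names and passwords are made up.

```python
"""Credential-reuse check: which local accounts fall to a password that
leaked from somewhere else (the "one key opens every bus" problem).

Added example with constructed data; not from the original post."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Deliberately low for a quick demo; production PBKDF2 counts are far higher.
ITERATIONS = 50_000


@dataclass(frozen=True)
class StoredCredential:
    """What a well-designed service keeps: a per-user salt and a slow hash,
    never the password itself."""
    username: str
    salt: bytes
    digest: bytes


def make_credential(username: str, password: str) -> StoredCredential:
    """Hash a password with a fresh random salt (the 'set password' path)."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return StoredCredential(username, salt, digest)


def verify(cred: StoredCredential, password: str) -> bool:
    """Constant-time comparison of a candidate password against the stored hash."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), cred.salt, ITERATIONS)
    return hmac.compare_digest(candidate, cred.digest)


def find_reused(local_accounts: Iterable[StoredCredential],
                leaked: Iterable[Tuple[str, str]]) -> List[str]:
    """Return local usernames whose password equals the one leaked for the
    same name elsewhere, i.e. accounts a credential-stuffing attack would open.

    Because stored hashes are salted, reuse can only be detected when a
    plaintext is in hand: here the plaintext comes from the other site's dump."""
    by_name = {c.username: c for c in local_accounts}
    hits = []
    for name, password in leaked:
        cred = by_name.get(name)
        if cred is not None and verify(cred, password):
            hits.append(name)
    return sorted(hits)


# Constructed sample data (hypothetical users and passwords).
LOCAL_ACCOUNTS = [
    make_credential("alice", "correct horse battery staple"),
    make_credential("bob", "Summer2019!"),
    make_credential("carol", "n0t-r3used-anywh3re"),
]

# Constructed "breach dump" from an unrelated service: alice reused her
# password, bob's leaked password differs by one character, dave is not ours.
LEAKED_DUMP = [
    ("alice", "correct horse battery staple"),
    ("bob", "Summer2019?"),
    ("dave", "hunter2"),
]


if __name__ == "__main__":
    for name in find_reused(LOCAL_ACCOUNTS, LEAKED_DUMP):
        print(f"{name}: password reused across services; force a reset")
```

The same routine is what a "have you been pwned"-style check does at login or password-change time: the plaintext is available for an instant, so that is the only moment reuse against a known-leaked list can be tested without weakening the hash storage.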
Filed Under: bill gibson, security, security design, shared passwords, stevie ray vaughn, ub40
Reader Comments
I would've thought they'd find a lot of red, red wine coolers but not much beer. Either way, that's a concert I'd like...
A bit off topic, but security related
I once saw Stevie Ray Vaughan at the Chastain Amphitheater in Atlanta, GA. The Chastain Amphitheater is a fairly small venue, in a nice area of town, with tables seating several people on the "floor" area in front of the stage. The venue was expensive, especially the tables, and catered to the somewhat older, rather affluent, "wine & cheese" crowd, both in the selection of acts and in the amenities provided. IIRC you could bring your own stuff to the tables, or have your food and drink catered ($$$), too.
Standing on the floor, backs to the stage, was a row of big, burly security guards. They wore black T-shirts with the letters "PAS" in bright yellow on the front, in a font reminiscent of the Yes band logo. There were lots of them, shoulder-to-shoulder, from one edge of the stage to the other, with their arms crossed in front of them. They remained that way, never moving, for the entire show. It was very unnerving, and more than a little distracting.
I never did figure out why Stevie Ray Vaughan (or the venue?) had such an intimidating security presence, particularly at such an up-scale venue that catered to such an up-scale "wine & cheese" type crowd.
In any case, it was an excellent show!
Re: A bit off topic, but security related
I saw Alice Cooper at Chastain Amphitheater. It is a very nice place to see an act.
No SRV and no maps
No Stevie Ray Vaughan concert ...
I was 12 and the family was visiting some Florida theme park. It was 1980. I had to remember where we parked; x rows in, next to y light pole.
After a day at the park, we returned, I found the car, we got in and drove out. Mom says, "grab the map and follow where we are going". Small problem: map missing. Missing too are our other papers and our jackets.
Turn around, drive back to the theme park, park back in the same spot, get out, lock car and find OUR identical car parked in the same position, y lampposts in, one row over, complete with same rental car sticker on bumper! Open it up, hop in and drive off, map and jackets in hand. We did leave a note in the other car explaining where it went. My first stolen car!
Years later, there was a big story how the major car Mfrs only had 1000 or so unique key tumbler combos, yet would sell millions of cars/year. Happened more often than people knew.
Re: No SRV and no maps
Actually, they only have a few hundred unique keys, so it's worse than that. That was one of the weird cases that occurred in Houston while I was going to college there. Someone dropped dead at the park from heart problems or some such, and only had his keys on him. They went back to his vehicle to get his ID and called his family to tell them the bad news, only it was the wrong vehicle. Someone else had the same make/model and just happened to use the same key. The person they thought was dead had come back, gotten in the wrong vehicle and driven off, leaving his own vehicle to be identified as the dead man's.
It can be even worse than that in some cases. Back in the 90s, a Mazda blank could open the doors and trunk of ANY model/year Mazda, and could start half of them. We had a Mazda 323, and a locksmith showed us - he took a blank and opened the doors and trunk, but couldn't start the car. We were "lucky". We got rid of that car quickly.
Re: No SRV and no maps
My father-in-law was an insurance agent. He related about one fellow, years ago, who had come out of the mall and discovered his car was stolen. They went through the whole insurance path, police report, new car, etc. Then about a year later, the mall was being torn down for redevelopment, and someone phoned the guy asking him to move his car. It hadn't been stolen, he just misremembered where he'd parked.
the main thing to learn
The main thing we can learn from SRV is not to trust helicopters. Vic Morrow, Kobe Bryant, Olivier Dassault, Alejandro Murat, Camille Muffat and countless others have learned this lesson too late.
Re: the main thing to learn
Vic Morrow, pyrotechnics detonated under a low flying (<25ft) helicopter with resulting damage bringing it down.
Kobe Bryant, pilot losing control, probably due to disorientation having accidentally entered instrument flying conditions, a common cause of helicopter and aircraft crashes.
Olivier Dassault, crash on night take off from a private property
Alejandro Murat, survived, pilot lost control attempting a landing in field.
Camille Muffat, Attempted formation flight by two helicopters leading to a mid air collision.
So we have one film stunt that went wrong, and four, and probably five cases of pilot error. More cases of the old adage, there are old pilots and there are bold pilots, but there are no old bold pilots.
People make interesting assumptions about things, even in the face of evidence to the contrary.
How can one forget that Maude, of Harold & Maude, carried a large ring of keys that assisted her in obtaining transportation?
There is a couple generations of gun safes that dropping will pop open.
There are people who put padlocks on doors to protect the contents, completely unaware that the more gadgety & added features often make them less secure.
While letting someone use the same login & password across the network stops a lot of whining, what is the current cost to hire an IRT to come in and certify you are a dumbass?
Short term happiness doesn't look that happy when you consider they didn't fire the execs at Equifax who demanded admin 12345 everywhere... they put IT's heads on pikes.
Sounds like..
...an episode of the lock picking lawyer.
Not surprising
Everyone in pop music was using the same major keys at the time.
Re: Not surprising
Lurch groan
Similar thing happened to me in high school
We walked to Rafael's car to go out to lunch. He unlocked the yellow Datsun B-210 and we got in. Suddenly we were confused as his stuff was not on the console or rear-view mirror. It turns out we were in the wrong car (one aisle over) but the key fit.
Very strange.
My father told me a story of how a coworker got into a car after unlocking it and couldn’t understand why it wouldn’t start. Turns out she was in the wrong car. But her key still unlocked it. But it wouldn’t start it, better tolerances on the ignition key I guess.
But the issue is -
Every site wants us to login; nobody wants to remember 1,000 unique userid's and passwords. Worse, to help you remember (and make life and spam easier for them) many sites ask for your email as a login. And, what do we do? For anything (except the most critical sites, we hope) we use the same password. A breach in one place will allow the hackers to not only harvest valid emails, but also get a generic password; but I do NOT want to have to get a text from every site I login to...
maybe an "I send you certificate" option or such is the answer. But then, if my PC crashes or I buy a new one - then what? And hackers could still get those certs from your home PC.
Re: But the issue is -
There have been password managers since forever.
Re: But the issue is -
I use a different email address from an anonymous email provider for each site I have to register on. This makes it just a bit more difficult (but still not impossible) for the Dark Tech Overlords to profile you.
Anything you can do to throw some sand in the gears of the DTO's system is a good thing.
I think last time I checked my password manager, KeePassXC, had well over 300 entries. I know it has grown by at least a couple dozen since I checked. Yeah, it is all a PITA, but these are the times we live in.
Re: But the issue is -
I use a little 3x5-ish ring notebook that rides in my shirt pocket. I "back it up" using a digital camera. The images are stored on an SD card in my lockbox.
Loss of the notebook would be a major security fail... but I've been keeping track of it for more than thirty years. And it's not something that can be compromised remotely, or without my knowledge.
Security is a seesaw, with "security" on one end and "convenience" at the other.
We know why UB40 were fast asleep
The reason that there was still beer to be found on their bus is because the band had instead all been drinking Red, Red Wine.
From the sublime...
Imagine seeing Hendrix perform seven times and then being in Huey Lewis and the News.
Kubota tractors all have the same key too