
The Art of Deception_ Controlling the Human Element of Security - Kevin D. Mitnick [41]

infrastructure behind it is weak. The term refers to M&M candy, which has a hard outer shell and soft center.

lingo

SPEAKEASY SECURITY Security that relies on knowing where desired information is, and using a word or name to gain access to that information or computer system.

SPEAKEASY SECURITY

In the old days of speakeasies—those Prohibition-era nightclubs where so-called bathtub gin flowed—a would-be customer gained admission by showing up at the door and knocking. After a few moments, a small flap in the door would swing open and a tough, intimidating face would peer out. If the visitor was in the know, he would speak the name of some frequent patron of the place (“Joe sent me” was often enough), whereupon the bouncer inside would unlatch the door and let him in.

The real trick lay in knowing the location of the speakeasy because the door was unmarked, and the owners didn’t exactly hang out neon signs to mark their presence. For the most part, just showing up at the right place was about all it took to get in. The same degree of safekeeping is, unhappily, practiced widely in the corporate world, providing a level of nonprotection that I call speakeasy security.

I Saw It at the Movies

Here’s an illustration from a favorite movie that many people will remember. In Three Days of the Condor the central character, Turner (played by Robert Redford), works for a small research firm contracted by the CIA. One day he comes back from a lunch run to find that all his coworkers have been gunned down. He’s left to figure out who has done this and why, all the while knowing that the bad guys, whoever they are, are looking for him.

Late in the story, Turner manages to get the phone number of one of the bad guys. But who is this person, and how can Turner pin down his location? He’s in luck: The screenwriter, David Rayfiel, has happily given Turner a background that includes training as a telephone lineman with the Army Signal Corps, making him knowledgeable about the techniques and practices of the phone company. With the bad guy’s phone number in hand, Turner knows exactly what to do. In the screenplay, the scene reads like this:

TURNER RECONNECTS and TAPS OUT ANOTHER NUMBER. RING! RING! Then:

WOMAN’S VOICE (FILTER)

CNA, Mrs. Coleman speaking.

TURNER (into test set)

This is Harold Thomas, Mrs. Coleman. Customer Service. CNA on 202-555-7389, please.

WOMAN’S VOICE (FILTER)

One moment, please.

(almost at once)

Leonard Atwood, 765 MacKensie Lane, Chevy Chase, Maryland.

Ignoring the fact that the screenwriter mistakenly uses a Washington, D.C., area code for a Maryland address, can you spot what just happened here?

Turner, because of his training as a telephone lineman, knew what number to dial in order to reach a phone company office called CNA, the Customer Name and Address bureau. CNA is set up for the convenience of installers and other authorized phone company personnel. An installer could call CNA, and give them a phone number. The CNA clerk would respond by providing the name of the person the phone belongs to and his address.

Fooling the Phone Company

In the real world, the phone number for CNA is a closely guarded secret. Although the phone companies finally caught on and these days are less generous about handing out information so readily, at the time they operated on a variation of speakeasy security that security professionals call security through obscurity. They presumed that anybody who called CNA and knew the proper lingo (“Customer service. CNA on 555-1234, please,” for example) was a person authorized to have the information.

lingo

SECURITY THROUGH OBSCURITY An ineffective method of computer security that relies on keeping secret the details of how the system works (protocols, algorithms, and internal systems). Security through obscurity relies on the false assumption that no one outside a trusted group of people will be able to circumvent the system.

mitnick message

Security through obscurity does not have any effect in blocking social engineering
