What Stevie Ray Vaughan Can Teach Us About Security Design
from the instructive-parable dept
The SolarWinds intrusion, with the revelation that part of the architecture included, at least for a while, a really weak default password, and the hack of the water treatment plant with a similar password reuse problem, reminded me of a story I heard not long ago about another instance of poor security design.
In a recent fan Q&A on Facebook, Bill Gibson, the drummer for Huey Lewis and the News, told a story about his friendship with Stevie Ray Vaughan. Stevie Ray Vaughan and his band Double Trouble had opened for the News for a while in the mid-1980s, and in that time Bill and Stevie had become good friends. Back at the hotel one evening after a show in New York City it came up that Bill had seen Jimi Hendrix perform something like seven times. Stevie, a guitarist who idolized Hendrix, was in awe. He wanted to hear everything about what it was like seeing Hendrix play, so he grabbed some beer and they settled in for an evening of Bill telling Stevie everything he remembered.
By 3:00 AM they were out of beer, so they went down to Stevie’s tour bus parked out in front of the hotel to get some more. He opened the bus with his key and started looking for the cooler he kept it in. “That’s odd,” Bill recalls Stevie musing, “The cooler is usually kept in this spot over here.” Eventually he found a cooler elsewhere, removed the needed beer, and they left to go back up to finish their conversation.
The next day they discovered why they’d had trouble finding the cooler. At the time, most bands were touring in buses that all came from the same company. That all looked the same. And that all were opened by the exact same key. Thus the reason that Stevie could not find the cooler where he expected it to be was that they were not on the bus where they expected to be. Instead of being on Stevie’s bus, it turns out they were actually on UB40’s bus, which, unbeknownst to them, had just pulled up that night while they’d been ensconced in the hotel talking. Which Stevie’s key had opened. And on which the UB40 band had apparently been sleeping the whole time Stevie and Bill were there inadvertently pilfering their beer.
So let this story be a lesson to security designers, people who really should be employing security designers, and pretty much everyone else who likes to reuse their passwords: When the security credentials for one resource can be used to gain access elsewhere, especially in a way you did not anticipate, there’s really not that much security to be had.
And in most such cases it will likely be so much more than UB40’s beer that’s now been put at risk.