le_bebna_kamni: (iCthulhu)
[personal profile] le_bebna_kamni
The world is full of security systems. Hack one of them.
-- Bruce Schneier


I was listening to the afterword on my audio copy of Cory Doctorow's book Little Brother, an amazing read about kids who take on the Department of Homeland Security to win back freedom. The first afterword is by Bruce Schneier, who is an awesome security expert.

Schneier's afterword was an encouragement to anyone who was thrilled by the technology and security issues presented in the book to look into it further, to develop a security-oriented mindset. He wasn't just talking about computers, although computers do play a huge role in security nowadays. He was talking about any kind of security system, from stores with anti-theft devices, to airports, to the clunky bike locks we chain to our tires.

He encouraged the readers to go into a store and see how they might shoplift something -- not because they wanted to do it, but just so they had the knowledge that they could. He pointed out that you can't design a system to, say, protect against shoplifters if you don't know what a shoplifter would do.

I felt a little discouraged by these words at first, because he's absolutely right. Security fascinates me, but I suck at figuring out exploits in most cases, because that isn't my default mentality. I mean, I'm still pretty ignorant about what things really are and aren't security issues. I know from listening to Sploitcast that viruses aren't the biggest threat, despite common opinion, and that having your Bluetooth always be discoverable by anybody is a really bad idea, but other than that I'm about as clueless as your average end user.

Sometimes I worry that it's not something I'm capable of learning -- kind of like some people just have a hard time getting math -- and I'm at least twice the age of most people who get interested in security. I mean, Little Brother really is geared toward teenagers (although it's written so older adults can enjoy too), and everyone I know who is really good at this stuff started when they were teenagers or pre-teens.

But when I started thinking outside of computers, I realized that I made my first security "hack" a couple of weeks ago. Matt and I were going to a movie -- I think it was WALL-E, which had already been out for two weeks -- the same night that Hellboy II was released. Hellboy II was clearly packed -- people waiting in a line to get into the theatre half an hour in advance, tickets probably sold out days ahead of time.

I know that there are people who will purchase a ticket for a different movie, then hide out and risk getting caught until they could sneak into the other movie. That's why some theatres (like the one we went to) put the big releases in the theatres right next to where they take your tickets. They take your ticket, then someone is there to show you where to stand in the queue. Your chances of sneaking in would be very slim, because there's someone watching, or you would have to wait until the movie had already started and risk missing something important.

You could go to a theatre that you knew had less security, but often those don't have the best screens in town. But there is another way to get not only yourself in, but maybe two of your friends as well, and all it takes is *one* legitimate ticket. Here's what I noticed:

When you go in with one or two other people, the person taking the tickets rarely looks at all the tickets. They tear hundreds or even thousands of tickets in a night, so they usually only look at the top ticket to see where to direct the people before tearing the stubs and moving on to the next customers in line. So if one person in the party has a legitimate ticket for the blockbuster, then they take it for granted that the other people with them also have tickets for the same movie.

Now, I wouldn't try this with a lot of people -- heck, I wouldn't try this at all, but then again I rarely have a desire to see an opening night blockbuster film. I much prefer going when the theatre is less crowded or, even better, when I can pay $1-$2 at the second-run theatres. But if someone wanted to try this, a group of three -- or even better, a couple that look like they're on a date -- would be the ideal size to make the bored teenager taking tickets not look twice at which movie everyone is *really* going to.

I pointed out this observation to Matt, and he said it was a sign I was becoming more security-minded. I felt a little surprised at myself, because it's not normally something I would think about. I think I felt a little guilty that the idea had occurred to me, but at the same time I felt really proud.

Maybe there's hope for me yet... ;P
(deleted comment)

on 2008-08-05 04:48 pm (UTC)
Posted by [identity profile] le-bebna-kamni.livejournal.com
That's a very interesting question. I'm finding that the weakest links in a security system really *are* the human element in many cases. In this case, you really can't pay a bored teenager enough to make them check *every* ticket carefully.

I mean, as much as I hate RFID tags, an RFID tag on the ticket that set off an alarm if you tried to go in with the wrong ticket might do the trick -- although you'd still need to have the bored teenager to check that there *was* a ticket to begin with. And you still might have a problem if you have someone with an old ticket stub in their wallet (which I frequently do).

I'm also sure there are some high-tech solutions that would eliminate the need for the bored teenager altogether. But considering how much theatres are willing to spend on loss prevention (especially since it's a hack that very few people will try), I'm not sure if it would [currently] be feasible to close the hole.

Also, I hate to see a bored teenager (or a penniless college student) out of a job. So I vote for leaving the hole. I'm guessing the cost-to-benefit ratio is too high at this point to patch it effectively.

on 2008-08-08 12:16 am (UTC)
Posted by [identity profile] orogeny2000.livejournal.com
lol-that's pretty clever. I find myself eyeballing those magnetic security tags on CDs, clothes-whatever. Not a shoplifter, I just work with magnetic cages, and generally have found the mechanisms to be pretty simple, all one needs is a powerful enough magnet... nono. bad me. Anyway-cool entry :)
