What Stevie Ray Vaughan Can Teach Us About Security Design

from the instructive-parable dept

The SolarWinds intrusion, with the revelation that part of the architecture included, at least for a while, a really weak default password, and the hack of the water treatment plant with a similar password reuse problem, reminded me of a story I heard not long ago about another instance of poor security design.

In a recent fan Q&A on Facebook, Bill Gibson, the drummer for Huey Lewis and the News, told a story about his friendship with Stevie Ray Vaughan. Stevie Ray Vaughan and his band Double Trouble had opened for the News for a while in the mid-1980s, and in that time Bill and Stevie had become good friends. Back at the hotel one evening after a show in New York City it came up that Bill had seen Jimi Hendrix perform something like seven times. Stevie, a guitarist who idolized Hendrix, was in awe. He wanted to hear everything about what it was like seeing Hendrix play, so he grabbed some beer and they settled in for an evening of Bill telling Stevie everything he remembered.

By 3:00 AM they were out of beer, so they went down to Stevie's tour bus parked out in front of the hotel to get some more. He opened the bus with his key and started looking for the cooler he kept it in. "That's odd," Bill recalls Stevie musing, "The cooler is usually kept in this spot over here." Eventually he found a cooler elsewhere, removed the needed beer, and they left to go back up to finish their conversation.

The next day they discovered why they'd had trouble finding the cooler. At the time, most bands were touring in buses that all came from the same company. That all looked the same. And that all were opened by the exact same key. So Stevie could not find the cooler where he expected it because they were not on the bus they thought they were on. Instead of being on Stevie's bus, it turns out they were actually on UB40's bus, which, unbeknownst to them, had just pulled up that night while they'd been ensconced in the hotel talking. Which Stevie's key had opened. And on which the UB40 band had apparently been sleeping the whole time Stevie and Bill were there inadvertently pilfering their beer…

So let this story be a lesson to security designers, people who really should be employing security designers, and pretty much everyone else who likes to reuse their passwords: When the security credentials for one resource can be used to gain access elsewhere, especially in a way you did not anticipate, there's really not that much security to be had.

And in most such cases it will likely be so much more than UB40's beer that's now been put at risk.
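The moral above, one credential opening resources it was never meant to open, is something a defender can audit for directly. The Python script below is an added example and is not part of the original post: it parses authorized_keys lines collected from several hosts, computes each key's SHA256 fingerprint the way `ssh-keygen -l` prints it, and reports every key that more than one host accepts, which is exactly the "same key opens every bus" condition. The host names, key bytes and authorized_keys contents are constructed sample data, not taken from the post.

```python
import base64
import hashlib
import struct
from collections import defaultdict

# Key types OpenSSH accepts in authorized_keys (subset sufficient for this audit).
KEY_TYPES = {
    "ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
    "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
    "sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com",
}


def _ssh_string(data: bytes) -> bytes:
    """One length-prefixed field of the SSH wire format (RFC 4251 'string')."""
    return struct.pack(">I", len(data)) + data


def make_ed25519_line(raw_public_key: bytes, comment: str) -> str:
    """Build an authorized_keys line from 32 raw public-key bytes.

    Only used here to construct sample data; real lines come from ssh-keygen.
    """
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(raw_public_key)
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


def parse_authorized_line(line: str):
    """Return (key_type, base64_blob) for one authorized_keys line, or None.

    Skips blank and comment lines and tolerates a leading options field such as
    'restrict,from="10.0.0.0/8"'. Options whose quoted value contains
    whitespace are not handled by this simple whitespace split.
    """
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = line.split()
    for i, field in enumerate(fields[:-1]):
        if field in KEY_TYPES:
            return field, fields[i + 1]
    return None


def fingerprint(b64_blob: str) -> str:
    """SHA256 fingerprint of a key blob in the form `ssh-keygen -l` prints."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def shared_keys(inventory: dict) -> dict:
    """Map fingerprint -> sorted host list for every key accepted by more than one host.

    inventory maps a host name to the lines of that host's authorized_keys file.
    A key that appears here is a single credential whose loss opens several
    systems at once, so the length of the host list is its blast radius.
    """
    hosts_by_fp = defaultdict(set)
    for host, lines in inventory.items():
        for line in lines:
            parsed = parse_authorized_line(line)
            if parsed is not None:
                hosts_by_fp[fingerprint(parsed[1])].add(host)
    return {fp: sorted(hosts) for fp, hosts in hosts_by_fp.items() if len(hosts) > 1}


# Constructed sample data (hypothetical hosts and keys): KEY_A is the shared "bus key".
KEY_A = make_ed25519_line(b"\x01" * 32, "tour-manager@laptop")
KEY_B = make_ed25519_line(b"\x02" * 32, "driver@bus-double-trouble")
KEY_C = make_ed25519_line(b"\x03" * 32, "driver@bus-news")

SAMPLE_INVENTORY = {
    "bus-double-trouble": [KEY_A, KEY_B],
    "bus-ub40": ["# managed by tour ops", 'restrict,from="10.0.0.0/8" ' + KEY_A],
    "bus-news": [KEY_C, ""],
}

if __name__ == "__main__":
    for fp, hosts in shared_keys(SAMPLE_INVENTORY).items():
        print(f"{fp} opens {len(hosts)} hosts: {', '.join(hosts)}")
```

In practice the inventory would be gathered by a configuration-management run that collects each host's authorized_keys files; grouping by fingerprint rather than by the raw line matters because the same key often appears with different comments or option prefixes on different hosts, which a naive string comparison would miss.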


Filed Under: bill gibson, security, security design, shared passwords, stevie ray vaughn, ub40


Reader Comments



  • Glenn, 12 Mar 2021 @ 9:09pm

    I would've thought they'd find a lot of red, red wine coolers but not much beer. Either way, that's a concert I'd like...


  • Upstream (profile), 12 Mar 2021 @ 9:36pm

    A bit off topic, but security related

    I once saw Stevie Ray Vaughan at the Chastain Amphitheater in Atlanta, GA. The Chastain Amphitheater is a fairly small venue, in a nice area of town, with tables seating several people on the "floor" area in front of the stage. The venue was expensive, especially the tables, and catered to the somewhat older, rather affluent, "wine & cheese" crowd, both in the selection of acts and in the amenities provided. IIRC you could bring your own stuff to the tables, or have your food and drink catered ($$$), too.

    Standing on the floor, backs to the stage, was a row of big, burly security guards. They wore black T-shirts with the letters "PAS" in bright yellow on the front, in a font reminiscent of the Yes band logo. There were lots of them, shoulder-to-shoulder, from one edge of the stage to the other, with their arms crossed in front of them. They remained that way, never moving, for the entire show. It was very unnerving, and more than a little distracting.

    I never did figure out why Stevie Ray Vaughan (or the venue?) had such an intimidating security presence, particularly at such an up-scale venue that catered to such an up-scale "wine & cheese" type crowd.

    In any case, it was an excellent show!


    • Professor Ronny, 13 Mar 2021 @ 5:48am

      Re: A bit off topic, but security related

      I saw Alice Cooper at Chastain Amphitheater. It is a very nice place to see an act.


    • Nicholas Burgess (profile), 15 Mar 2021 @ 4:31am (this comment has been flagged by the community)

      Re: A bit off topic, but security related

      We specialize in web development agency in Islamabad, in which we highlight the corporate responsive sites, portals, blogs, e-commerces/virtual stores, Landing Pages, Newsletter, web systems, among other creative and programming solutions for web .


  • Anonymous Coward, 13 Mar 2021 @ 3:55am

    No SRV and no maps

    No Stevie Ray Vaughan concert ...

    I was 12 and the family was visiting some Florida theme park. It was 1980. I had to remember where we parked; x rows in, next to y light pole.

    After a day at the park, we returned, I found the car, we got in and drove out. Mom says, "Grab the map and follow where we are going." Small problem: map missing. Missing too are our other papers and our jackets.

    Turn around, drive back to the theme park, park back in the same spot, get out, lock car and find OUR identical car parked in the same position, y lampposts in, one row over, complete with same rental car sticker on bumper! Open it up, hop in and drive off, map and jackets in hand. We did leave a note in the other car explaining where it went. My first stolen car!

    Years later, there was a big story how the major car Mfrs only had 1000 or so unique key tumbler combos, yet would sell millions of cars/year. Happened more often than people knew.


    • JoeCool (profile), 13 Mar 2021 @ 4:43am

      Re: No SRV and no maps

      Actually, they only have a few hundred unique keys, so it's worse than that. That was one of the weird cases that occurred in Houston while I was going to college there. Someone dropped dead at the park from heart problems or some such, and only had his keys on him. They went back to his vehicle to get his ID and called his family to tell them the bad news, only it was the wrong vehicle. Someone else had the same make/model and just happened to use the same key. The person they thought was dead had come back, gotten in the wrong vehicle and driven off, leaving his own vehicle to be identified as the dead man's.

      It can be even worse than that in some cases. Back in the 90s, a Mazda blank could open the doors and trunk of ANY model/year Mazda, and could start half of them. We had a Mazda 323, and a locksmith showed us - he took a blank and opened the doors and trunk, but couldn't start the car. We were "lucky". We got rid of that car quickly.


    • Anon, 13 Mar 2021 @ 12:08pm

      Re: No SRV and no maps

      My father-in-law was an insurance agent. He related about one fellow, years ago, who had come out of the mall and discovered his car was stolen. They went through the whole insurance path, police report, new car, etc. Then about a year later, the mall was being torn down for redevelopment, and someone phoned the guy asking him to move his car. It hadn't been stolen, he just misremembered where he'd parked.


  • anon, 13 Mar 2021 @ 7:45am

    the main thing to learn

    The main thing we can learn from SRV is not to trust helicopters. Vic Morrow, Kobe Bryant, Olivier Dassault, Alejandro Murat, Camille Muffat and countless others have learned this lesson too late.


    • Anonymous Coward, 13 Mar 2021 @ 10:46am

      Re: the main thing to learn

      Vic Morrow: pyrotechnics detonated under a low-flying (<25 ft) helicopter, with the resulting damage bringing it down.

      Kobe Bryant: pilot losing control, probably due to disorientation after accidentally entering instrument flying conditions, a common cause of helicopter and aircraft crashes.

      Olivier Dassault: crash on night take-off from a private property.

      Alejandro Murat: survived; pilot lost control attempting a landing in a field.

      Camille Muffat: attempted formation flight by two helicopters leading to a mid-air collision.

      So we have one film stunt that went wrong, and four, probably five, cases of pilot error. More cases of the old adage: there are old pilots and there are bold pilots, but there are no old bold pilots.


  • That Anonymous Coward (profile), 13 Mar 2021 @ 7:49am

    People make interesting assumptions about things, even in the face of evidence to the contrary.

    How can one forget that Maude, of Harold & Maude, carried a large ring of keys that assisted her in obtaining transportation?

    There are a couple of generations of gun safes that will pop open if dropped.

    There are people who put padlocks on doors to protect the contents, completely unaware that the more gadgety & added features often make them less secure.

    While letting someone use the same login & password across the network stops a lot of whining, what is the current cost to hire an IRT to come in and certify you are a dumbass?

    Short term happiness doesn't look that happy when you consider they didn't fire the execs at Equifax who demanded admin 12345 everywhere... they put IT's heads on pikes.


  • Jordan, 13 Mar 2021 @ 7:50am

    Sounds like..

    ...an episode of the lock picking lawyer.


  • Beefcake (profile), 13 Mar 2021 @ 7:51am

    Not surprising

    Everyone in pop music was using the same major keys at the time.


  • ConnGator, 13 Mar 2021 @ 8:30am

    Similar thing happened to me in high school

    We walked to Rafael's car to go out to lunch. He unlocked the yellow Datsun B-210 and we got in. Suddenly we were confused, as his stuff was not on the console or rear-view mirror. It turns out we were in the wrong car (one aisle over) but the key fit.

    Very strange.


  • Anonymous Coward, 13 Mar 2021 @ 9:40am

    My father told me a story of how a coworker got into a car after unlocking it and couldn’t understand why it wouldn’t start. Turns out she was in the wrong car. But her key still unlocked it. But it wouldn’t start it, better tolerances on the ignition key I guess.


  • Anon, 13 Mar 2021 @ 12:13pm

    But the issue is -

    Every site wants us to log in; nobody wants to remember 1,000 unique userids and passwords. Worse, to help you remember (and make life and spam easier for them) many sites ask for your email as a login. And what do we do? For anything (except the most critical sites, we hope) we use the same password. A breach in one place will allow the hackers to not only harvest valid emails, but also get a generic password; but I do NOT want to have to get a text from every site I log in to...

    Maybe an "I send you certificate" option or such is the answer. But then, if my PC crashes or I buy a new one, then what? And hackers could still get those certs from your home PC.


    • Anonymous Coward, 13 Mar 2021 @ 1:01pm

      Re: But the issue is -

      There have been password managers since forever.


    • Anonymous Coward, 13 Mar 2021 @ 1:33pm

      Re: But the issue is -

      I use a different email address from an anonymous email provider for each site I have to register on. This makes it just a bit more difficult (but still not impossible) for the Dark Tech Overlords to profile you.

      Anything you can do to throw some sand in the gears of the DTO's system is a good thing.

      I think last time I checked my password manager, KeePassXC, had well over 300 entries. I know it has grown by at least a couple dozen since I checked. Yeah, it is all a PITA, but these are the times we live in.


    • TRX, 13 Mar 2021 @ 3:56pm

      Re: But the issue is -

      I use a little 3x5-ish ring notebook that rides in my shirt pocket. I "back it up" using a digital camera. The images are stored on an SD card in my lockbox.

      Loss of the notebook would be a major security fail... but I've been keeping track of it for more than thirty years. And it's not something that can be compromised remotely, or without my knowledge.

      Security is a seesaw, with "security" on one end and "convenience" at the other.


  • Bobvious, 13 Mar 2021 @ 1:38pm

    We know why UB40 were fast asleep

    The reason that there was still beer to be found on their bus is because the band had instead all been drinking Red, Red Wine.


  • Kevin Carson, 13 Mar 2021 @ 3:32pm

    From the sublime...

    Imagine seeing Hendrix perform seven times and then being in Huey Lewis and the News.


  • Junior Barnes, 15 Mar 2021 @ 9:56am

    Kubota tractors all have the same key too

    I don't know why in 2021 a manufacturer of a very expensive piece of farm equipment that is frequently the target of thieves doesn't have at least a few different key blanks they can use. But here they are. A friend of mine who has one as well was coming to move something on my property and asked me to leave my tractor key outside, and I said "why? The key to your tractor is the same." He didn't believe me until it worked.


