What Stevie Ray Vaughan Can Teach Us About Security Design

from the instructive-parable dept

The SolarWinds intrusion, with the revelation that part of the architecture included, at least for a while, a really weak default password, and the hack of the water treatment plant with a similar password reuse problem, reminded me of a story I heard not long ago about another instance of poor security design.

In a recent fan Q&A on Facebook, Bill Gibson, the drummer for Huey Lewis and the News, told a story about his friendship with Stevie Ray Vaughan. Stevie Ray Vaughan and his band Double Trouble had opened for the News for a while in the mid-1980s, and in that time Bill and Stevie had become good friends. Back at the hotel one evening after a show in New York City it came up that Bill had seen Jimi Hendrix perform something like seven times. Stevie, a guitarist who idolized Hendrix, was in awe. He wanted to hear everything about what it was like seeing Hendrix play, so he grabbed some beer and they settled in for an evening of Bill telling Stevie everything he remembered.

By 3:00 AM they were out of beer, so they went down to Stevie’s tour bus parked out in front of the hotel to get some more. He opened the bus with his key and started looking for the cooler he kept it in. “That’s odd,” Bill recalls Stevie musing, “The cooler is usually kept in this spot over here.” Eventually he found a cooler elsewhere, removed the needed beer, and they left to go back up to finish their conversation.

The next day they discovered why they’d had trouble finding the cooler. At the time, most bands were touring in buses that all came from the same company, that all looked the same, and that all were opened by the exact same key. The reason Stevie could not find the cooler where he expected it to be was that they were not on the bus they expected to be on. Instead of being on Stevie’s bus, they were actually on UB40’s bus, which, unbeknownst to them, had pulled up that night while they’d been ensconced in the hotel talking, and which Stevie’s key had opened. And on that bus the UB40 band had apparently been sleeping the whole time Stevie and Bill were there inadvertently pilfering their beer.

So let this story be a lesson to security designers, people who really should be employing security designers, and pretty much everyone else who likes to reuse their passwords: When the security credentials for one resource can be used to gain access elsewhere, especially in a way you did not anticipate, there’s really not that much security to be had.

And in most such cases it will likely be so much more than UB40’s beer that’s now been put at risk.


Comments on “What Stevie Ray Vaughan Can Teach Us About Security Design”

24 Comments
Glenn says:

I would’ve thought they’d find a lot of red, red wine coolers but not much beer. Either way, that’s a concert I’d like…

Upstream (profile) says:

A bit off topic, but security related

I once saw Stevie Ray Vaughan at the Chastain Amphitheater in Atlanta, GA. The Chastain Amphitheater is a fairly small venue, in a nice area of town, with tables seating several people on the "floor" area in front of the stage. The venue was expensive, especially the tables, and catered to the somewhat older, rather affluent, "wine & cheese" crowd, both in the selection of acts and in the amenities provided. IIRC you could bring your own stuff to the tables, or have your food and drink catered ($$$), too.

Standing on the floor, backs to the stage, was a row of big, burly security guards. They wore black T-shirts with the letters "PAS" in bright yellow on the front, in a font reminiscent of the Yes band logo. There were lots of them, shoulder-to-shoulder, from one edge of the stage to the other, with their arms crossed in front of them. They remained that way, never moving, for the entire show. It was very unnerving, and more than a little distracting.

I never did figure out why Stevie Ray Vaughan (or the venue?) had such an intimidating security presence, particularly at such an up-scale venue that catered to such an up-scale "wine & cheese" type crowd.

In any case, it was an excellent show!

Professor Ronny says:

Re: A bit off topic, but security related

I saw Alice Cooper at Chastain Amphitheater. It is a very nice place to see an act.

Nicholas Burgess says:

Re: A bit off topic, but security related

We specialize in web development agency in Islamabad, in which we highlight the corporate responsive sites, portals, blogs, e-commerces/virtual stores, Landing Pages, Newsletter, web systems, among other creative and programming solutions for web .

Anonymous Coward says:

No SRV and no maps

No Stevie Ray Vaughan concert …

I was 12 and the family was visiting some Florida theme park. It was 1980. I had to remember where we parked; x rows in, next to y light pole.

After a day at the park, we returned, I found the car, we got in and drove out. Mom says, "grab the map and follow where we are going". Small problem: map missing. Missing too are our other papers and our jackets.

Turn around, drive back to the theme park, park back in the same spot, get out, lock car and find OUR identical car parked in the same position, y lampposts in, one row over, complete with same rental car sticker on bumper! Open it up, hop in and drive off, map and jackets in hand. We did leave a note in the other car explaining where it went. My first stolen car!

Years later, there was a big story how the major car Mfrs only had 1000 or so unique key tumbler combos, yet would sell millions of cars/year. Happened more often than people knew.

JoeCool (profile) says:

Re: No SRV and no maps

Actually, they only have a few hundred unique keys, so it’s worse than that. That was one of the weird cases that occurred in Houston while I was going to college there. Someone dropped dead at the park from heart problems or some such, and only had his keys on him. They went back to his vehicle to get his ID and called his family to tell them the bad news, only it was the wrong vehicle. Someone else had the same make/model and just happened to use the same key. The person they thought was dead had come back, gotten in the wrong vehicle and driven off, leaving his own vehicle to be identified as the dead man’s.

It can be even worse than that in some cases. Back in the 90s, a Mazda blank could open the doors and trunk of ANY model/year Mazda, and could start half of them. We had a Mazda 323, and a locksmith showed us – he took a blank and opened the doors and trunk, but couldn’t start the car. We were "lucky". We got rid of that car quickly.

Anon says:

Re: No SRV and no maps

My father-in-law was an insurance agent. He related about one fellow, years ago, who had come out of the mall and discovered his car was stolen. They went through the whole insurance path, police report, new car, etc. Then about a year later, the mall was being torn down for redevelopment, and someone phoned the guy asking him to move his car. It hadn’t been stolen, he just misremembered where he’d parked.

anon says:

the main thing to learn

The main thing we can learn from SRV is not to trust helicopters. Vic Morrow, Kobe Bryant, Olivier Dassault, Alejandro Murat, Camille Muffat and countless others have learned this lesson too late.

Anonymous Coward says:

Re: the main thing to learn

Vic Morrow, pyrotechnics detonated under a low flying (<25ft) helicopter with resulting damage bringing it down.

Kobe Bryant, pilot losing control, probably due to disorientation having accidentally entered instrument flying conditions, a common cause of helicopter and aircraft crashes.

Olivier Dassault, crash on night take off from a private property

Alejandro Murat, survived, pilot lost control attempting a landing in field.

Camille Muffat, Attempted formation flight by two helicopters leading to a mid air collision.

So we have one film stunt that went wrong, and four, and probably five cases of pilot error. More cases of the old adage, there are old pilots and there are bold pilots, but there are no old bold pilots.

That Anonymous Coward (profile) says:

People make interesting assumptions about things, even in the face of evidence to the contrary.

How can one forget that Maude, of Harold & Maude, carried a large ring of keys that assisted her in obtaining transportation?

There are a couple of generations of gun safes that pop open when dropped.

There are people who put padlocks on doors to protect the contents, completely unaware that the more gadgety & added features often make them less secure.

While letting someone use the same login & password across the network stops a lot of whining, what is the current cost to hire an IRT to come in and certify you are a dumbass?

Short term happiness doesn’t look that happy when you consider they didn’t fire the execs at Equifax who demanded admin 12345 everywhere… they put IT’s heads on pikes.

Jordan says:

Sounds like..

…an episode of the lock picking lawyer.

Beefcake (profile) says:

Not surprising

Everyone in pop music was using the same major keys at the time.

That Anonymous Coward (profile) says:

Re: Not surprising

Lurch groan

ConnGator says:

Similar thing happened to me in high school

We walked to Rafael’s car to go out to lunch. He unlocked the yellow Datsun B-210 and we got in. Suddenly we were confused, as his stuff was not on the console or rear-view mirror. It turns out we were in the wrong car (one aisle over) but the key fit.

Very strange.

Anonymous Coward says:

My father told me a story of how a coworker got into a car after unlocking it and couldn’t understand why it wouldn’t start. Turns out she was in the wrong car. But her key still unlocked it. But it wouldn’t start it, better tolerances on the ignition key I guess.

Anon says:

But the issue is -

Every site wants us to login; nobody wants to remember 1,000 unique userid’s and passwords. Worse, to help you remember (and make life and spam easier for them) many sites ask for your email as a login. And, what do we do? For anything (except the most critical sites, we hope) we use the same password. A breach in one place will allow the hackers to not only harvest valid emails, but also get a generic password; but I do NOT want to have to get a text from every site I login to…

maybe an "I send you certificate" option or such is the answer. But then, if my PC crashes or I buy a new one – then what? And hackers could still get those certs from your home PC.

Anonymous Coward says:

Re: But the issue is -

There have been password managers since forever.

Anonymous Coward says:

Re: But the issue is -

I use a different email address from an anonymous email provider for each site I have to register on. This makes it just a bit more difficult (but still not impossible) for the Dark Tech Overlords to profile you.

Anything you can do to throw some sand in the gears of the DTO’s system is a good thing.

I think last time I checked my password manager, KeePassXC, had well over 300 entries. I know it has grown by at least a couple dozen since I checked. Yeah, it is all a PITA, but these are the times we live in.

TRX says:

Re: But the issue is -

I use a little 3×5-ish ring notebook that rides in my shirt pocket. I "back it up" using a digital camera. The images are stored on an sdcard in my lockbox.

Loss of the notebook would be a major security fail… but I’ve been keeping track of it for more than thirty years. And it’s not something that can be compromised remotely, or without my knowledge.

Security is a seesaw, with "security" on one end and "convenience" at the other.

Bobvious says:

We know why UB40 were fast asleep

The reason that there was still beer to be found on their bus is because the band had instead all been drinking Red, Red Wine.

Kevin Carson (user link) says:

From the sublime...

Imagine seeing Hendrix perform seven times and then being in Huey Lewis and the News.

Junior Barnes says:

Kubota tractors all have the same key too

I don’t know why in 2021 a manufacturer of a very expensive piece of farm equipment that is frequently the target of thieves doesn’t have at least a few different key blanks they can use. But here they are. A friend of mine who has one as well was coming to move something on my property and asked me to leave my tractor key outside, and I said “why? The key to your tractor is the same.” He didn’t believe me until it worked.

Alice Mika says:

Blogs Lab

Outlook additionally has way too many problems or Mistakes as well as when we deal with some problems; we attempt our ideal to address that since there is likewise service to all troubles. [pii_email_b47d29538f12c20da426] (https://www.bloglabs.online/2020/07/piiemailb47d29538f12c20da426.html) error is likewise among those mistakes, and also we are going to have a look at this to solve it.

