Hacker News

CoffeeOnWrite today at 3:41 PM

Allegations of security theater should start with discussing the threat model. This is just somebody complaining about a crappy key card system.


Replies

ableal today at 3:58 PM

To be fair, he was pointing out that the invisible "credentials in cookies" issue was much harder to get fixed:

The turnstiles were visible. They were expensive. They disrupted everyone's day and made headlines in company-wide emails. Management could point to them and say that we're taking security seriously. Meanwhile, thousands of employees had their Jira credentials stored in cookies. A vulnerability that could expose our entire project management system. But that fix required documentation, vendor approval, a month of convincing people it mattered. A whole lot of begging.
