Then we got card readers and a staffed front desk, and discovered our snack budget was too high because people from other companies on other floors were coming to ours for snacks too.
I never felt the office was insecure, except in retrospect once it was actually secure.
Never got touched across about a hundred different offices around Australia (I’m a consultant).
Except once: the pile was replaced by a $50 note and a hand written apology saying the guilty party needed change for the parking lot machine. I had less than $30 there in coins so… profit!
The extreme punishments for breaking the law might have something to do with it.
She thought that because he was wearing a suit and a badge from his "company" that he must have been supposed to be there, and assumed he was probably taking the computers away to be fixed.
There was surprisingly little repercussion for violating the "one card one person" door policy and by someone whose job it was to know which visitors would be on-site on any given day, and so should have known that this guy wasn't supposed to be there.
Presumably because "everyone" knows that "noone" complies with those policies, in part because it's socially awkward to e.g. close the door on someone who tries to tailgate, and so it needs to be heavily and consistently enforced before it becomes more socially unacceptable to be the person who potentially puts their colleagues at risk of disciplinary actions than to be the person who tells someone they need to swipe.
After that I lobbied, successfully but not easily, to have them send out an email that just said “X is no longer with the company” regardless of how/why they left.
The “winning” argument was that if that VP had emailed me (or probably any of the developers) and asked for an export of data (our client list, stats, etc) we would have sent it to him. Probably even with him reaching out from a personal email address or via sms. What IC is going to tell a VP to “follow procedure”? Same deal with if he had followed me to the keycard door and told me he forgot his key card. No one is going to thank the IC who tells the VP they can’t let them in.
The thief had to walk past a security desk in the lobby, take the elevator up to our floor, walk past a front desk to the kitchen, then open a door to get to the office area. Probably sounded like enough layers for whoever was in charge of security at the time, but both desks were frequently unoccupied during lunch.
I know we had cameras too, but I never got updates on the investigation. I suspect it was an employee at one of the other companies in our building.
Many I've seen have it setup so that if you get past the security guard at the lobby, you effectively had full reign of the entire building, including many companies that wouldn't lock the doors or common areas.
Also, a few other things may also be there- people won't make noise if someone steals snack packets, but they may make noise if someone steals laptops.
Also, if one person steals it may get pointed out more than if a lot of people steal- where stealing is culture, etc.
People I know seems to not take issue with them being there, so I'm sure it's probably fine. Fine enough for it not to be my issue to deal with in any case.
There are many ways to skin a cat; and there are many ways to ensure authenticated / trusted access. If you have site wide security gates, it means you know everyone on site / on a given floor conforms to a given minimal security or trust level, so now you can conduct operations in that area with more freedom. This makes the risk assessments for other actions so much simpler. e.g. Now when the apprentice IT tech leaves the SLT's laptop trolley in the corridor it doesn't trigger a reflash of all of the machines. Or when a key individual misplaces their keyfob (e.g. in the kitchen) it doesn't trigger a lockdown of core systems, because they had it on the way in and its reasonable to trust that nobody stole it.
Obviously the implementation was botched in this case - but "feel secure" and "security theatre" are right as often as they are wrong.
Sans context there’s not a lot to complain about here.
The long wait times could easily have been fixed by staggering employee start times. You could even optimize it per building/floor. Sadly, a lot of bureaucrats lack the imagination to do simple stuff like this. (Anyone with a desperate need to have 9 am meetings would just have to suck it up)
Immediately reminds me of Severance.
If instead of open access you need to tailgate on a limited set of employees, that increases difficulty considerably and makes the opportunity much less common.
Real security analysis works this way: you don't assume you can build a wall which is never breached.
The same guard also checked if your dog was registered (I think my dog got a badge with his picture, although I think that was just for fun, and not functional)
And no easy ability to enter through side doors - you couldn't open a side door with your badge. At the time, you could still lurk outside a side door until someone else opens the door to exit. Eventually (11 years later) they locked all the side doors because they noticed people doing this sort of thing.
More recently, I think you have to scan your badge to leave so they can even track how long you're in the building, and know when you're supposed to work on site but you were there only long enough to have a coffee and then went home to continue working from home. This last part is second-hand knowledge since I haven't work there in a long time.
It was laughable how much effort and money Amazon invested into badge tracking and enforcement instead of directing funds at making the office a nice place that people would want to spend time in and an efficient place to get work done.
And this didn't get them in trouble with the fire marshal?
Based on the comments I see here, I think the focus is going on the turnstiles just as it did when I worked there. While the cookie credentials are pushed aside. I think that's the security theater. We are worried about supposed active shooters, different physical threats while a backdoor to the company is left wide open. The turnstiles are not useless, they give an active record of who is in the building, and stop unauthorized people. But they also give so much comfort that we neglect the other types of threats.
You titled the piece after the turnstiles and spent the overwhelming majority of the post talking about them (and surrounding physical features). The Jira ticket felt secondary, and when it was introduced in the middle of the post I was genuinely confused, thinking why the heck the card system was contacting Jira.
People reading your writing are going to focus on whatever you did when you wrote it. The turnstiles read like the important part.
The incompetence of the turnstiles makes it a good focus for the story while the juxtaposition of the turnstiles with Jira exposes the company's hypocrisy.
But missing in this discussion is a risk and consequence analysis. If the risk is armed attackers, do something that targets that. For physical theft, target that. Likewise IT risks. The core problem is that risks were not being identified (systematically or in response to expert feedback) and prioritised.
Incidentally, the solution to car park access is ALPRs, and the solution to most of the physical security is solid core doors at the workgroup level with EACS swipe and surveillance cameras there, and at the front desk have face level 4k video surveillance. With an on duty guard to resolve issues with access.
Furthermore, turnstiles are easy to promote and take credit for. Secure web authentication would have to be explained to and understood by the boss's boss before credit for it could be claimed.
I suspect it's these aspects of organizational reality that results in security theater.
Do a poll of whether people would prefer that a mass shooting or a mass data breach occur at their place of work while they are there. I bet I know which one wins.
It’s sad to think about, but in my recollection a lot of intra-building badge readers went up in response to the 2018 active shooter situation at the YouTube HQ[1]. In cases like this, the threat model is “confine a hostile person to a specific part of the building once they’ve gotten in while law enforcement arrives,” less than preventing someone from coat tailing their way into the building at all.
I’m not saying that to diminish the value of the actual solution, but what the people want is literally something to make them feel better about a situation that is mostly out of their control.
Someone showed up to their workplace with a fucking gun. And now they have to go there every day, and hope it doesn’t happen again. They want and need the theater.
Where people actually care about physical security, they develop things that do actually work; and often are so unobtrusive you never realize they're there.
Security theater necessitates that it be showy and in your face.
In theory it might prevent access to other buildings, but equally often the card readers are around doors of mostly standard glass or near internal windows of the same.
So if that’s the motivation, it doesn’t seem like a particularly effective mitigation
Also in what world is a badge reader going to contain an armed gunman unless the walls, floors, doors, and windows are also bulletproof??
(Triangle shirtwaist fire resulted in 146 dead)
I knew someone years and years ago who worked as an assistant to lawyers. The firm had a second office in the state capital, turns out someone was walking in and stealing laptops. I think they had done it three times the last I had heard.
Lawyer laptops going missing is a problem. I don’t know how they ended up fixing that.
(While at it, I once worked on an access control system. It was aeons ago; the system ran under OS/2. We installed it on a factory. It worked well, until we ran it in demo mode under production load, that is, the stream of morning shift turnstile registration events. The DB melted. I solved the problem trivially: I noticed that the DB was installed on a FAT volume for unknown reasons, so I moved it to an HPFS volume, and increased the RAM cache for the disk to maximum. Everything worked without a hitch then.)
A shooter can get a badge. Most partitions aren't bulletproof (and probably don't have security film), and a shooter doesn't fear getting a cut on some tempered glass.
The thing that would be effective is 24/7 security monitoring with a building lockdown and reinforced entrances/partitions. Of course, the victims whose badges were disabled during lockdown will sue.
So instead, just install badge readers and say that "something was done".
The turnstiles were visible. They were expensive. They disrupted everyone's day and made headlines in company-wide emails. Management could point to them and say that we're taking security seriously. Meanwhile, thousands of employees had their Jira credentials stored in cookies. A vulnerability that could expose our entire project management system. But that fix required documentation, vendor approval, a month of convincing people it mattered. A whole lot of begging.
Aside: the more times I re-read the article the more annoyed I am with the self-righteous tone. It feels like the author is mimicking the style of legendary Usenet posts, but the story just isn’t that interesting and the writing not that witty, it falls flat.
I remember when I started at Microsoft decades ago that there were still "old-timers" who were pissy about having to use card keys to enter the building. With that attitude, man, did that ever explain Microsoft application and OS security in the early 2000s.
Elevators do back up, especially when everyone has to scan for their floor. Not like the author suggests, but you can lose a good few minutes a couple times a day that way. It does start some people on an exercise kick of using the stairwell to leave the building. Not great exercise though.
The one place solved this by not building parking garages. Flat parking that went to the horizon. By the time I got to work the spot I parked at was going to be over half a mile from my desk. I bought a grownup scooter with oversized wheels, first day I used it security tracked me down and said those aren’t allowed on company property (I had half a mind to use it on the sidewalks around the outside of the property but didn’t, since I’d still be carrying the stupid thing into the building). But I spent a lot on that scooter and had no other use for it, so I was mad.
My coworker had convinced me that this was billable hours (court precedent about a factory that had a bad setup for employees to get to the time clock) so I started phoning into standup when I was on site but still eight minutes from my desk.
When you’re walking half a mile to the security doors it tends to stagger the arrival times. Which is a feature, if the dumbest one.
Humans' most important achievement is the ability to create structures larger than the Dunbar number. But this is not achieved for free.
(And this is another reason why I strive to work at startups more than at huge corporations.)
The most important thing a startup is expected to do is not to get profitable quick but suffocate all possibilities of competition. Dysfunctionality is not a bug, it is a feature of our economic system.
There never was a line and there were 1400 people in those buildings.
I never realized how incredibly that guy's contribution was but this story made it perfectly clear.
Also, I don't actually buy the story as related here. It would seem to me that within minutes of that queue building up the turnstiles + card system would be disabled because something clearly was not working.
The loading dock was kept completely open "because it's hot and we don't have A/C back here!".
Unnervingly, this usually occurs to me when I’m waiting patiently in the densely packed line of fellow targets.
In response to the perceived need to "do something", my company put cameras in the hallway we share with other companies and gave the receptionist monitors for the cameras and a panic button that locks all the doors.
It's not a terrible thing, it's largely security theater though. Someone would have to be clearly brandishing a weapon and our receptionist would have to notice this amongst all her other duties and out of all the people in the hall. It could happen, but it seems unlikely.
Was it really a single turnstile for a building with over 10 floors? That's kind of silly, isn't it? Mass transit operations have this figured out. Most recently for me, taking the monorail in Las Vegas for the CES show. No problems for the most part. It would be interesting to know what this company actually installed.
I guess I could see contention possibly happening as described if everybody arrived almost simultaneously and both swiping points had very high latency. But why not keep the door checkpoints armed and disable the elevator swipes? That makes me think it's a contrived example.
In every sphere there are attempts at security that either achieve a practical balance of fit versus downsides.
The failure of access cards is probably analogous to a well intentioned sofware authentication system that was implemented without simulating or testing for the scale of deployment, and had to be rolled back when it failed in production.
He used copies of the production database, but forgot to set the admin password. The machine in ec2, public on the internet.
It was fixed few weeks later. But the connection still doesn’t use SSL, sends passwords plain text.
Yeah, he doesn’t really like criticism about his work…
I always think about the phrase:
“Security is our highest priority”
Sure.
The feel of the piece is that the entire effort was misguided, when the real story seems to be, "My company was somehow unable to implement something that every other company does easily."
Besides, visibility is sufficient as a deterrent. Back in India, there'd be a big difference between leaving an old man in a chair in front of the shop and having exactly zero people in front of the shop. There are classes of people you deter with the former who will not be deterred by the latter. The old man is not 'security' - anyone motivated can shut him up without much effort. And yet his presence works.
There is a device you can deploy if you're serious about ensuring that every single individual in a moving crowd has a valid credential... a turnstile! Assuming you've calculated the appropriate number of them for the expected traffic flow.
I'm baffled. I've worked in multiple buildings with turnstiles. There's never been a line. They take about a second to scan. Is this just some horrible broken implementation?
I get why they're used. They protect randos from walking in and stealing stuff. It's not about "feeling" secure. When you have someone make off with 10 laptops, it's actual security. And that's before you start worrying about more serious threats that come from plugging in USB keys...
That’s a quote I tell security people in jest when they suggest yet another door literally or figuratively slamming in someone’s face to let them know that there is a security procedure in place.
Seriously though, “security” is an overloaded word used for two unrelated business goals:
1. Having security.
2. Appearing to have security.
The latter is strongly preferred by management that just wants someone else or something else to blame.
To reiterate: this isn’t an error! It’s done on purpose.
