We installed a single turnstile to feel secure
idiallo.com242 points by firefoxd 2 days ago
242 points by firefoxd 2 days ago
I worked at a company that had effectively no physical security during work hours until the second time someone came in during lunch and stole an armload of laptops.
Then we got card readers and a staffed front desk, and discovered our snack budget was too high because people from other companies on other floors were coming to ours for snacks too.
I never felt the office was insecure, except in retrospect once it was actually secure.
I once lived in Singapore for a while and we were all sure that nobody would steal anything anyway, so we just never bothered to lock the doors. (That was also very helpful if you wanted to stop for a quick coffee with a date in the middle of the night.) You could see the MacBooks from the street, but nothing ever went missing. I don’t know what exactly it was, but Singapore felt incredibly safe and crime-free.
Wait, explain the quick coffee bit? You'd let yourself into a random person's house to make coffee?
I used to accumulate a pile of change on my desk from buying coffees.
Never got touched across about a hundred different offices around Australia (I’m a consultant).
Except once: the pile was replaced by a $50 note and a hand written apology saying the guilty party needed change for the parking lot machine. I had less than $30 there in coins so… profit!
>I don’t know what exactly it was, but Singapore felt incredibly safe and crime-free.
The extreme punishments for breaking the law might have something to do with it.
> The extreme punishments for breaking the law might have something to do with it.
Historically speaking, this is almost never true. People constantly think the solution is crueler punishments and we have hundreds of years of records of what happens.
I don't think it explains everything.
I think social norms have a lot to do with it. It's like the actual social costs of being the one who broke the social trust is so high it dissuades people.
It worked for me on a lower level. Everyone cut queues and will grab an empty seat if it looks available at a packed restaurant here so I do it too but I never did that when I lived in Singapore because I knew that's not how things work there and people would genuinely be mad at me for doing it.
It's like a self-fulfilling, self-improving environment. Same with Japan and cleanliness.
State provided housing for most and a booming economy with low unemployment must help too.
Twitch had badged entry and still managed to have a couple of incidents in which people walked in off the street to steal laptops. No snack theft though, thankfully some things are sacred.
What year was that? I was at a startup from 2010 onward and I'm pretty sure we had physical keys until about twelve people and after that it was straight to badges. There was never a time where you could just walk in.
Late 2010s. We actually did have badges but the doors were only locked outside work hours, so nobody carried them.
The thief had to walk past a security desk in the lobby, take the elevator up to our floor, walk past a front desk to the kitchen, then open a door to get to the office area. Probably sounded like enough layers for whoever was in charge of security at the time, but both desks were frequently unoccupied during lunch.
I know we had cameras too, but I never got updates on the investigation. I suspect it was an employee at one of the other companies in our building.
Interesting. I feel like most places still make you badge into the doors during business hours, and even specifically encourage not permitting tailgating, sometimes tied to a purported safety concern around being able to know who is in the building in an emergency... though honestly at most shops I bet no one has any idea how to get a report like "everyone who has badged in in since 6am this morning".
How the fuck nobody notices some randoms coming to steal snacks in the first place ?
There's a huge difference between a company with its own building, and a company that shares a building in some way with other companies.
Many I've seen have it setup so that if you get past the security guard at the lobby, you effectively had full reign of the entire building, including many companies that wouldn't lock the doors or common areas.
I worked somewhere with a few hundred employees across 3 floors. If someone wearing business casual walked onto our floor I would have no idea if they worked for us or not.
~400 person company spread across a few floors, but only one kitchen. It wasn't weird for people you didn't recognize to come off the elevator and get snacks to take back to their floor.
I work at a company of ~200 people and I already don't recognize everyone. Seeing an unknown face, I just assume they are from some distant team that I never had to interact with, say hi and move on.
We have nearly a 1000 people in my building. I don't track every rando that walks by, nor reasonably could I.
Author here. I posted this on Sunday for a light read, but I guess it got traction today.
Based on the comments I see here, I think the focus is going on the turnstiles just as it did when I worked there. While the cookie credentials are pushed aside. I think that's the security theater. We are worried about supposed active shooters, different physical threats while a backdoor to the company is left wide open. The turnstiles are not useless, they give an active record of who is in the building, and stop unauthorized people. But they also give so much comfort that we neglect the other types of threats.
> Based on the comments I see here, I think the focus is going on the turnstiles just as it did when I worked there.
You titled the piece after the turnstiles and spent the overwhelming majority of the post talking about them (and surrounding physical features). The Jira ticket felt secondary, and when it was introduced in the middle of the post I was genuinely confused, thinking why the heck the card system was contacting Jira.
People reading your writing are going to focus on whatever you did when you wrote it. The turnstiles read like the important part.
The part about Jira is important because it highlights that while the company claims to take security seriously, they in fact do not take it seriously.
The incompetence of the turnstiles makes it a good focus for the story while the juxtaposition of the turnstiles with Jira exposes the company's hypocrisy.
I believe like that was the intent, but the (very few) mentions of Jira feel like a bit of a non sequitur; they don't belong.
I care a lot more about my life (or my car's catalytic converter, which was stolen off my car in my work parking lot before they inatalled a gate for the lot) than any of my work-related IT credentials. Health and safety threats are a much bigger deal to people than nebulous, difficult to exploit threats to IP.
Except the turnstiles and swipe cards do almost nothing against an active shooter situation.
But missing in this discussion is a risk and consequence analysis. If the risk is armed attackers, do something that targets that. For physical theft, target that. Likewise IT risks. The core problem is that risks were not being identified (systematically or in response to expert feedback) and prioritised.
Incidentally, the solution to car park access is ALPRs, and the solution to most of the physical security is solid core doors at the workgroup level with EACS swipe and surveillance cameras there, and at the front desk have face level 4k video surveillance. With an on duty guard to resolve issues with access.
You're right, but the consequences of different security failure are different, no?
Perhaps part of the problem is that an active shooter is easy to visualize and understand whereas unsecured credentials stored in cookies are an abstract and difficult to visualize problem for management.
Furthermore, turnstiles are easy to promote and take credit for. Secure web authentication would have to be explained to and understood by the boss's boss before credit for it could be claimed.
I suspect it's these aspects of organizational reality that results in security theater.
I think it has less to do with ease of visualization and more to do with priority of consequences.
Do a poll of whether people would prefer that a mass shooting or a mass data breach occur at their place of work while they are there. I bet I know which one wins.
I don't think you could take over the company with a jira token. Another factor for consideration with turnstiles is disability access and fire egress. Those are covered by building code but since this is a parable, it's worth noting that physical security has often caused tragic stampedes that have killed many.
The majority of commenters don't actually read the article, or at least not the whole thing.
There is nothing here that really tells us the turnstile was security theatre? Or the various key card swipes.
There are many ways to skin a cat; and there are many ways to ensure authenticated / trusted access. If you have site wide security gates, it means you know everyone on site / on a given floor conforms to a given minimal security or trust level, so now you can conduct operations in that area with more freedom. This makes the risk assessments for other actions so much simpler. e.g. Now when the apprentice IT tech leaves the SLT's laptop trolley in the corridor it doesn't trigger a reflash of all of the machines. Or when a key individual misplaces their keyfob (e.g. in the kitchen) it doesn't trigger a lockdown of core systems, because they had it on the way in and its reasonable to trust that nobody stole it.
Obviously the implementation was botched in this case - but "feel secure" and "security theatre" are right as often as they are wrong.
> Obviously the implementation was botched in this case
The long wait times could easily have been fixed by staggering employee start times. You could even optimize it per building/floor. Sadly, a lot of bureaucrats lack the imagination to do simple stuff like this. (Anyone with a desperate need to have 9 am meetings would just have to suck it up)
It also doesn’t describe any of the why the additional security measures were put in place. It sounds arbitrary, but could be an insurance or regulatory requirement that the acquiring company needed to meet. Similar for the login issue, it’s suboptimal but what constraints caused that solution to be put in place? And why wasn’t it fixed?
Sans context there’s not a lot to complain about here.
Card readers in elevators are theater though. You would need separate vestibules to actually secure entry via elevator. That’s why most buildings have those.
Are they? The goal isn't to draw a hard boundary it's to create layered defenses which increase the difficulty and reduce opportunity.
If instead of open access you need to tailgate on a limited set of employees, that increases difficulty considerably and makes the opportunity much less common.
Real security analysis works this way: you don't assume you can build a wall which is never breached.
Amazon is pretty serious about physical access security. Even back in 2002, you had to scan your badge while a security guard watches, to check if you are the same person as the badge picture.
The same guard also checked if your dog was registered (I think my dog got a badge with his picture, although I think that was just for fun, and not functional)
And no easy ability to enter through side doors - you couldn't open a side door with your badge. At the time, you could still lurk outside a side door until someone else opens the door to exit. Eventually (11 years later) they locked all the side doors because they noticed people doing this sort of thing.
More recently, I think you have to scan your badge to leave so they can even track how long you're in the building, and know when you're supposed to work on site but you were there only long enough to have a coffee and then went home to continue working from home. This last part is second-hand knowledge since I haven't work there in a long time.
> they locked all the side doors
And this didn't get them in trouble with the fire marshal?
If it's anything like Facebook, the side entrances (which always had guards sitting by them anyways) were all converted to alarmed fire exits. So the fire marshal would still be happy, but it was far less convenient for employees.
Instead of locking they could alarm when opened. Slap a big "Emergency exit only, alarm will sound" sticker on it & link it into the pull alarm system. Treat opening the door without an emergency the same as pulling a fire alarm without an emergency.
Amazon employees can just use all the ...water... bottles they keep around their workstation to put out the fires.
> Additionally, the weapon is not limited to offensive use, as it can be used to extinguish afterburn on oneself and teammates
I won't miss the days I had to take a full day of meetings from my car in the Amazon parking lot because there weren't enough meeting rooms onsite, but the badge swipes at the main entrance in-between meetings were needed to not be labeled as an "inconsistent badger".
It was laughable how much effort and money Amazon invested into badge tracking and enforcement instead of directing funds at making the office a nice place that people would want to spend time in and an efficient place to get work done.
As others have mentioned, it comes down to the threat model, but sometimes the threat model itself is uncomfortable to talk about.
It’s sad to think about, but in my recollection a lot of intra-building badge readers went up in response to the 2018 active shooter situation at the YouTube HQ[1]. In cases like this, the threat model is “confine a hostile person to a specific part of the building once they’ve gotten in while law enforcement arrives,” less than preventing someone from coat tailing their way into the building at all.
No, the model there is something bad happened, we must do something. This is something, so we will do it.
I’m not saying that to diminish the value of the actual solution, but what the people want is literally something to make them feel better about a situation that is mostly out of their control.
Someone showed up to their workplace with a fucking gun. And now they have to go there every day, and hope it doesn’t happen again. They want and need the theater.
This is exactly it - most "security" isn't really built around actual threat models, nor is it ever verified. IT security is perhaps the weirdest in the world in that the security of your web server will be constantly probed, whilst your front door could go your entire lifetime and never be probed once.
Where people actually care about physical security, they develop things that do actually work; and often are so unobtrusive you never realize they're there.
Security theater necessitates that it be showy and in your face.
Except a decent part of security is literally just deterrence.
Will my front door stop someone robbing my house if they want to? No: I have sidelight windows you could just smash them and come through.
But the one time a house I was in got robbed, it was because we left the front door open and went out.
Which is odd if you think about it right? Statistically an open front door rather implies someone is home, not away so it's a terrible targeting priority - but our house was targeted and not say, our neighbors who also wouldn't have been home that day.
People are quick to claim security theater, talk about threat models, but equally ignore them anyway.
I doubt these card readers would prevent someone leaving the part of their building they’re in, as that’s a lesson written in charred corpses and was a foundational aspect of health and safety becoming a thing: https://en.wikipedia.org/wiki/Triangle_Shirtwaist_Factory_fi...
In theory it might prevent access to other buildings, but equally often the card readers are around doors of mostly standard glass or near internal windows of the same.
So if that’s the motivation, it doesn’t seem like a particularly effective mitigation
Or the Victoria Hall disaster (183 dead), or Cocoanut Grove (492 dead), or The Station Nightclub (100 dead), or The Beverly Hills Supper Club (165 dead), or.....
Also in what world is a badge reader going to contain an armed gunman unless the walls, floors, doors, and windows are also bulletproof??
(Triangle shirtwaist fire resulted in 146 dead)
Theres footage online of a basic security door stopping an armed robber from escaping despite him trying to shoot the lock.
Bullets aren't universal door openers, and shooting your way through one lock doesn't magically unlock the next one.
And the bullets and time spent getting through the door are bullets and time that aren’t used harming the people behind that door.
If an active shooter is the anticipated threat, how does a turnstile effectively stop that? Many of these turnstiles are specifically meant to allow people through in emergencies, and aren't strong enough to withstand bullets or even a sturdy kick. The elevator restrictions would be a better chokepoint, but as the article noted they didn't turn those back on.
Many turnstiles can be jumped over. In this case it’s more about preventing theft and espionage.
I knew someone years and years ago who worked as an assistant to lawyers. The firm had a second office in the state capital, turns out someone was walking in and stealing laptops. I think they had done it three times the last I had heard.
Lawyer laptops going missing is a problem. I don’t know how they ended up fixing that.
> Lawyer laptops going missing is a problem.
It shouldn't be. If there was a particular profession that I would expect to properly secure their devices lawyers would be near the top of the list.
It doesn't effectively stop it, but it forces them to give up some element of surprise. They have to either start the attack or start a trespassing action that will initiate contact with police.
If forced partition of a building were the primary goal, that goal could be achieved without badges. Or, at least, without having to badge into every door. Just have locks on every door that are normally disengaged, but which can be locked remotely and promptly.
(While at it, I once worked on an access control system. It was aeons ago; the system ran under OS/2. We installed it on a factory. It worked well, until we ran it in demo mode under production load, that is, the stream of morning shift turnstile registration events. The DB melted. I solved the problem trivially: I noticed that the DB was installed on a FAT volume for unknown reasons, so I moved it to an HPFS volume, and increased the RAM cache for the disk to maximum. Everything worked without a hitch then.)
This actually exposes how this type of system is just security theater usually.
A shooter can get a badge. Most partitions aren't bulletproof (and probably don't have security film), and a shooter doesn't fear getting a cut on some tempered glass.
The thing that would be effective is 24/7 security monitoring with a building lockdown and reinforced entrances/partitions. Of course, the victims whose badges were disabled during lockdown will sue.
So instead, just install badge readers and say that "something was done".
One uncomfortable, but wise truth is: Actual security is bound to the number of minutes until people with big guns arrive. A lot of other measures just exist to bridge time and limit damages until that happens.
We learned this during a funny situation when a customer sent us the wrong question set for vendors. We were asked to clarify our plans for example for an armed intrusion by an armed, hostile force to seize protected assets from us. After some discussion, we answered the equivalent of "Uh Sir. This is a software company. We would surrender and try to call the cops".
During some laughter from the customer they told us, the only part missing from that answer was the durability rating of our safes and secure storages for assets, of which we had none, because they just had to last until cops or reinforcements arrived. That was a silly day.
Shooters tend to be mentally ill people who have been pushed too far by a system, trying to burn that system down.
Killing a boss with a keycard that opens everything might not just be possible but also preferable. Fuck you Tom, you made me work through memaw’s funeral
Hand out weapons to the workers?
Places that really do care about security do exactly that. Military bases routinely prohibit on-duty soldiers from carrying arms - except the guards at the gate and the military police.
Bad implementations do not "security theater" make. When I did some work for a large coffee company, they had turnstiles at their building entrances, and I don't remember any lines in the morning. The scan/auth/enter process went about as fast as if there was no turnstile.
I remember when I started at Microsoft decades ago that there were still "old-timers" who were pissy about having to use card keys to enter the building. With that attitude, man, did that ever explain Microsoft application and OS security in the early 2000s.
Allegations of security theater should start with discussing the threat model. This is just somebody complaining about a crappy key card system.
To be fair, he was pointing out that the invisible "credentials in cookies" issue was much harder to get fixed:
The turnstiles were visible. They were expensive. They disrupted everyone's day and made headlines in company-wide emails. Management could point to them and say that we're taking security seriously. Meanwhile, thousands of employees had their Jira credentials stored in cookies. A vulnerability that could expose our entire project management system. But that fix required documentation, vendor approval, a month of convincing people it mattered. A whole lot of begging.
Again, not security theater. Signs of general dysfunction yes. Embarrassing. Fun to tease about for sure.
Aside: the more times I re-read the article the more annoyed I am with the self-righteous tone. It feels like the author is mimicking the style of legendary Usenet posts, but the story just isn’t that interesting and the writing not that witty, it falls flat.
If it isn't outright fake it's at least embellished. It even has the "and then everyone clapped" line!
The writing is clearly AI-generated or at least AI-assisted, so I think it's safe to assume it's also a work of fiction.
I’ll take your word for that. I don’t know how to tell. But I did notice that the writing was conspicuously terrible throughout. Entire sentences make no sense, such as “I'd slip in suspiciously while they contemplated the email that clearly said not to let anyone in with your own card.”
Turnstiles aren't theater and Redis doesn't make password storage secure so the entire thing seems a little el-el-emish..
But what about that sentence does that not make sense? They are describing tailgating..
It doesn’t make sense as a whole. But, for example, what was he suspicious of?
"I'd slip in suspiciously" means the "slipping in" was suspicious.
You sure? I wasn’t.
“John regarded Mary suspiciously”
“Sharon suspected her husband of cheating. She looked through his emails suspiciously.”