Saturday, July 15, 2006

Dual Post Coca-Cola Marketing and NSA Security

This article was copied from Bruce Schneier's recent newsletter. For those of you who don't know him, he's a guru in the encryption/security space.

Although it's quite funny, it also makes a serious point about evaluating risks in relation to the circumstances, e.g. does my home network need to be as secure as my corporate network?

Personally if I was a marketer I would be ripping this concept (or a derivative of it) off as soon as possible.

Think of the local/regional press you would get as your marketing SWAT team swoops into town to award the prizes; the press would well and truly outweigh the cost of the prize.

As for listening in to my conversations... nothing to hear here, where's my prize?


Coca-Cola has a new contest. Hidden inside 100 cans of Coke there's a SIM card, GPS transmitter, and a microphone.

The winners activate the Coke can by pressing a button, which will call a central monitoring facility. Then Coke tracks the winners down using the GPS transmitter and surprises them with their prize.

NSA engineers drink Coke. Lots and lots of Coke.

The possibility that an active microphone in a Coke can could be in one of the NSA's highly secure facilities is worth considering. A reasonable threat analysis might look like this: "You know, the chances that one of these 100 cans out of hundreds of millions of cans ends up in our building is extremely small -- somewhere around 1 in 100,000 -- so it's not worth worrying about."

But the NSA's Information Staff Security Office (ISSO) decreed differently: "It is important that ALL cans of Coca-Cola within our spaces be inspected. This includes cans already in our buildings and those being delivered on a daily basis. If you discover one of these cans, DO NOT activate it. Instead, you should alert your ISSO immediately and report the incident."

This is hysterical. Can you imagine inspecting every can of Coke entering the NSA, opening each of the hundreds of cases of Coke and inspecting every can for a GPS transmitter? What does this cost? What is the NSA not doing because they're doing this instead? Of course the engineers at NSA are already starting to create Coke cans with antennas, circuit boards, and keypads. They are leaving them around snack messes as practical jokes.

And where's Pepsi in all of this? Shouldn't they be advertising "surveillance-free cola"?

Funny stuff, but there's a serious point here. Again and again, security decisions are clouded by agenda. The NSA's Coca-Cola inspection policy is an example of CYA. Some executive within NSA didn't want to be personally responsible for a GPS receiver slipping through security, so he decided that everything should be inspected. It's a small risk to the greater population, but it's a larger risk to him. His agenda is different from that of society's, but because his agenda matters more to him and it's his decision, his is what gets followed.

We as a society need to figure out how to make security trade-off decisions another way. Having specific individuals or corporations make security trade-offs for us based on their agenda isn't making us more secure, and it's costing us a whole lot of money.
