As others have mentioned, it comes down to the threat model, but sometimes the threat model itself is uncomfortable to talk about.
It’s sad to think about, but in my recollection a lot of intra-building badge readers went up in response to the 2018 active shooter situation at the YouTube HQ[1]. In cases like this, the threat model is “confine a hostile person to a specific part of the building once they’ve gotten in while law enforcement arrives,” less than preventing someone from coat tailing their way into the building at all.
Amazon is pretty serious about physical access security. Even back in 2002, you had to scan your badge while a security guard watches, to check if you are the same person as the badge picture.
The same guard also checked if your dog was registered (I think my dog got a badge with his picture, although I think that was just for fun, and not functional)
And no easy ability to enter through side doors - you couldn't open a side door with your badge. At the time, you could still lurk outside a side door until someone else opens the door to exit. Eventually (11 years later) they locked all the side doors because they noticed people doing this sort of thing.
More recently, I think you have to scan your badge to leave so they can even track how long you're in the building, and know when you're supposed to work on site but you were there only long enough to have a coffee and then went home to continue working from home. This last part is second-hand knowledge since I haven't work there in a long time.
I worked at a company that had effectively no physical security during work hours until the second time someone came in during lunch and stole an armload of laptops.
Then we got card readers and a staffed front desk, and discovered our snack budget was too high because people from other companies on other floors were coming to ours for snacks too.
I never felt the office was insecure, except in retrospect once it was actually secure.
Funny. We had a security guard that had memorized all the faces of the employees. If he knew you he'd buzz you through. If he didn't know you you'd have to be vouched for by someone that he did know or by showing your credentials. By day #3 he'd know you, and he also somehow knew when you were no longer with the company.
There never was a line and there were 1400 people in those buildings.
I never realized how incredibly that guy's contribution was but this story made it perfectly clear.
There is nothing here that really tells us the turnstile was security theatre? Or the various key card swipes.
There are many ways to skin a cat; and there are many ways to ensure authenticated / trusted access. If you have site wide security gates, it means you know everyone on site / on a given floor conforms to a given minimal security or trust level, so now you can conduct operations in that area with more freedom. This makes the risk assessments for other actions so much simpler. e.g. Now when the apprentice IT tech leaves the SLT's laptop trolley in the corridor it doesn't trigger a reflash of all of the machines. Or when a key individual misplaces their keyfob (e.g. in the kitchen) it doesn't trigger a lockdown of core systems, because they had it on the way in and its reasonable to trust that nobody stole it.
Obviously the implementation was botched in this case - but "feel secure" and "security theatre" are right as often as they are wrong.
It also doesn’t describe any of the why the additional security measures were put in place. It sounds arbitrary, but could be an insurance or regulatory requirement that the acquiring company needed to meet. Similar for the login issue, it’s suboptimal but what constraints caused that solution to be put in place? And why wasn’t it fixed?
Sans context there’s not a lot to complain about here.
This text is another reminder about the fact that as organizations grow, they become more and more dysfunctional. They function despite that, because the economies of scale are apparently still larger than the loss of functionality due to the increased size.
Humans' most important achievement is the ability to create structures larger than the Dunbar number. But this is not achieved for free.
(And this is another reason why I strive to work at startups more than at huge corporations.)
To be fair, he was pointing out that the invisible "credentials in cookies" issue was much harder to get fixed:
The turnstiles were visible. They were expensive. They disrupted everyone's day and made headlines in company-wide emails. Management could point to them and say that we're taking security seriously. Meanwhile, thousands of employees had their Jira credentials stored in cookies. A vulnerability that could expose our entire project management system. But that fix required documentation, vendor approval, a month of convincing people it mattered. A whole lot of begging.
Again, not security theater. Signs of general dysfunction yes. Embarrassing. Fun to tease about for sure.
Aside: the more times I re-read the article the more annoyed I am with the self-righteous tone. It feels like the author is mimicking the style of legendary Usenet posts, but the story just isn’t that interesting and the writing not that witty, it falls flat.
I’ll take your word for that. I don’t know how to tell. But I did notice that the writing was conspicuously terrible throughout. Entire sentences make no sense, such as “I'd slip in suspiciously while they contemplated the email that clearly said not to let anyone in with your own card.”
This is the opposite of security theater. It was an apparently an implementation of security with issues but restricting physical access, both for people and vehicles, is absolutely a real improvement to security.
Many years ago I was doing due diligence on a point of sale hardware company, I had to head up to an acquisition they had done. People bitched and moaned about the level of physical security added, and when I asked them why they were so upset, they told me to go to the loading dock in the back.
The loading dock was kept completely open "because it's hot and we don't have A/C back here!".
Lift (elevator) sidenote: there are fancy well designed ones where the turnstile communicates what floor you need to go to to the lift, and a "destination dispatch" system assigns/batches groups of passengers with similar/same destinations to the same lift car to improve efficiency.
Turnstiles have a genuine security benefit compared to door and elevator security: convincing people not to let their coworkers in the door or up the elevator is difficult because the actual request (“close the door behind you, this blocking the friendly person trying to go through, so their scan their card”) is genuinely obnoxious. But a turnstile really does fundamentally let one person through, even if it’s easy to bypass.
I’ve been to many very large office buildings with turnstile systems, and I have never seen any kind of line, even during the busiest hours. Yes, they are security theater to a large extent, but they do legitimately help to make the elevators run a lot more efficiently.
Physical access controls get budget because executives can point at them. Meanwhile, Jira credentials sitting in base64-encoded cookies
The real attack surface, plaintext tokens that take months of vendor negotiations to fix, nobody even wants to hear about. Incentive problem, not a security problem.
Interesting. I have worked in ITAR environments with serious security and have never experienced 30 minute lines at the door. In fact, I can't remember lines at all. Hard to understand what happened here.
Was it really a single turnstile for a building with over 10 floors? That's kind of silly, isn't it? Mass transit operations have this figured out. Most recently for me, taking the monorail in Las Vegas for the CES show. No problems for the most part. It would be interesting to know what this company actually installed.
I don't see how any of this wasn't already a problem. In the story, everyone shows up to the office at the same time, how did they use to work out the elevator issue? This story has a bunch of AI telltales so I doubt it's real anyway.
Security theater, perhaps. Don't underestimate the degree to which those turnstiles were intended to serve the purpose of tracking employees' movements.
It’s sad to think about, but in my recollection a lot of intra-building badge readers went up in response to the 2018 active shooter situation at the YouTube HQ[1]. In cases like this, the threat model is “confine a hostile person to a specific part of the building once they’ve gotten in while law enforcement arrives,” less than preventing someone from coat tailing their way into the building at all.
[1] https://news.ycombinator.com/item?id=16748529
The same guard also checked if your dog was registered (I think my dog got a badge with his picture, although I think that was just for fun, and not functional)
And no easy ability to enter through side doors - you couldn't open a side door with your badge. At the time, you could still lurk outside a side door until someone else opens the door to exit. Eventually (11 years later) they locked all the side doors because they noticed people doing this sort of thing.
More recently, I think you have to scan your badge to leave so they can even track how long you're in the building, and know when you're supposed to work on site but you were there only long enough to have a coffee and then went home to continue working from home. This last part is second-hand knowledge since I haven't work there in a long time.
And this didn't get them in trouble with the fire marshal?
Then we got card readers and a staffed front desk, and discovered our snack budget was too high because people from other companies on other floors were coming to ours for snacks too.
I never felt the office was insecure, except in retrospect once it was actually secure.
There never was a line and there were 1400 people in those buildings.
I never realized how incredibly that guy's contribution was but this story made it perfectly clear.
There are many ways to skin a cat; and there are many ways to ensure authenticated / trusted access. If you have site wide security gates, it means you know everyone on site / on a given floor conforms to a given minimal security or trust level, so now you can conduct operations in that area with more freedom. This makes the risk assessments for other actions so much simpler. e.g. Now when the apprentice IT tech leaves the SLT's laptop trolley in the corridor it doesn't trigger a reflash of all of the machines. Or when a key individual misplaces their keyfob (e.g. in the kitchen) it doesn't trigger a lockdown of core systems, because they had it on the way in and its reasonable to trust that nobody stole it.
Obviously the implementation was botched in this case - but "feel secure" and "security theatre" are right as often as they are wrong.
Sans context there’s not a lot to complain about here.
Humans' most important achievement is the ability to create structures larger than the Dunbar number. But this is not achieved for free.
(And this is another reason why I strive to work at startups more than at huge corporations.)
The turnstiles were visible. They were expensive. They disrupted everyone's day and made headlines in company-wide emails. Management could point to them and say that we're taking security seriously. Meanwhile, thousands of employees had their Jira credentials stored in cookies. A vulnerability that could expose our entire project management system. But that fix required documentation, vendor approval, a month of convincing people it mattered. A whole lot of begging.
Aside: the more times I re-read the article the more annoyed I am with the self-righteous tone. It feels like the author is mimicking the style of legendary Usenet posts, but the story just isn’t that interesting and the writing not that witty, it falls flat.
The loading dock was kept completely open "because it's hot and we don't have A/C back here!".
The real attack surface, plaintext tokens that take months of vendor negotiations to fix, nobody even wants to hear about. Incentive problem, not a security problem.
Was it really a single turnstile for a building with over 10 floors? That's kind of silly, isn't it? Mass transit operations have this figured out. Most recently for me, taking the monorail in Las Vegas for the CES show. No problems for the most part. It would be interesting to know what this company actually installed.