The difference between being secure and not
Dec 31st, 2009 by Jesper Kråkhede
I just recently read that a German scientist, Karsten Nohl, managed to crack the GSM crypto A5/1 due to a vulnerability not previously exposed. The thing that got my attention is the response from the GSM organization: “The vulnerability is only theoretical because it is illegal to crack the crypto”. I suspect that this is mostly due to a bad translation, but still, the reasoning is quite common within security.
I once did a vulnerability assessment on a data centre and found an unlocked door that had been unlocked for five years because “everyone knew it was locked”. Same reasoning again. Just because something is illegal, or because everyone knew, doesn't mean that no one is going to try.
If you want to be secure you have to think not only about the process but also about all the ways to break the process.
Have a happy new year!