At the airport.

Security: Please put all your electronics in the bin, including your watch.

Me: No problem

<goes through scanner>

Me: there was an Apple Watch in here and now it is gone.

Security: Oh, you lost your Apple Watch?

Me: No! I put my Apple Watch in the bin like you instructed and YOU lost my Apple Watch.

Security: It must be in the spinners.

Me: So my $500 Watch is in the spinners being run over by bins?

Security: you have to put the small things on the bottom.

Me: It was on the bottom and I did as you asked, this is entirely on you. Do not try to shift the blame to me again please.

Security: As I said...

Me: As I said, Do not try to shift the blame to me again. This is entirely your responsibility once you separate me from my electronics so you can perform security theatre. Have a nice day.

—————

Fuck this god damn security theatre. Fuck the dumbasses they hire. Fuck your country. Fuck your god damn feeling of insecurity. Fuck Your ineffective security theatre.

Sick my fucking dick until you choke and gag you worthless pieces of shit. Homeless people the street provide more security than you incompetent, under-educated assholes. Fuck you

And yes, I have 2 fucking laptops. I have a real fucking job where I provide actual value and for that I need a work laptop. I don’t come to work in a stupid looking outfit with a chip on my shoulder looking to inconvenience people. I come to work to provide real value to someone.

Fuck you and your worthless bullshit

Apple is now forcing 2 factor authentication for publishing apps on the App Store. Except not just regular 2 factor, 2 factor via AppleId. Which means you have to have the AppleID on 2 different Apple devices! You now have to have a Mac and another Apple device to ship an app and you still have to pay $100/yr for the license.

Hell I usually like Apple stuff but this has gone so fucking far off the rails.

Google simply can't knock off harrassing their users with security theatre.

A friend of mine has a small personal YouTube channel. He has recently been bombarded with several phone verification requests a week: "Verify it's you. To continue your session, complete a brief verification. This extra step helps us keep your account safe by making sure it’s really you. "

While frequent verifications may be understandable on YouTube channels with millions of subscribers, channels with only a few dozen subscribers are not attractive hacking targets. A verification would be justified before a potentially harmful action such as deleting videos or deleting a channel. But not for normal everyday use.

What's next? Will they ask users to "verify it's them" every ten minutes, "just for extra security"? Just to verify that it is "really, really, really, really, really" them?

It's not security. It's security theatre.

Sorry, Google, but users are not in the mood of doing a phone verification every other day.

Has this been Google's perverted wet dream all along?

Your three-second password retry delay is far more likely to annoy users than preventing a brute-force attack.

If you insist on a retry delay, let the user enter a password five times without any delay. This would make no difference in the grand scheme, the trillions of retries needed for a brute-force attack, and guessing a password takes longer than three seconds of thinking anyway.

Another alternative is a tenth of the password retry delay but one added character. One added character slows down a brute-force attack by at least sixty-two (62) times, so one more character but a tenth of the password retry delay would still mean more than six (6) times the protection against brute-forcing.

On Linux, the password retry delay can thankfully be reduced by changing a value inside /etc/pam.d/common-auth or /etc/pam.d/login (out of scope for this post, you can search online for more details).

I can’t take the stupid security theatre anymore. I give up.

Multifactor authentication every 5 minutes. I hate it.

I don’t have a solution and neither does anyone else that doesn’t involve rewriting all apps from scratch.

What are opinions out there on security theatre?

Should developers have access to aws secrets?

Should dev test and prod be on separate vpcs or all in one vpc.

I have worked at banks where this was strictly not allowed.

Can’t wait to hear responses on this one….