Due to some sort of glitch in either his RSS or my blog reader (Thunderbird), this very old post from David Cowan popped up as unread for me this morning.
I know I read it, but had forgotten about this excerpt:
As we approached the theater, I tried to think of how to explain the fluid nature of the data security threat. Walking in (thanks to Fandango we righteously bypassed the long lines of teenagers), I noticed that the theater had just implemented its own security program to mitigate Movie View Theft by patrons who would watch a second film without paying. Instead of collecting tickets at the front door, tickets were now collected at the two hallways off the lobby, to where customers were ushered out as each film ended. No ticket, no second movie.
So I said: watch this. I stood by the front door, waited for a lull in traffic, and then nonchalantly proffered my hand toward the next approaching bevy of teenagers. “Tickets” I murmured.
Once the first victim handed me his ticket, the rest were cake. Tickets accumulated in my hand as my victims jabbered on about football games and SAT prep. I collected half a dozen and stopped. A good 5 minutes passed before they wafted over to the hallway, encountering another ticket stand (by then I could have sold the tickets to folks standing in line). Another 2 minutes passed as they tried to figure out which of them had the tickets! As it dawned on them that they had been phished, I returned their assets (and thankfully they didn’t kick mine).
Security systems are not like computers or network switches, which improve over time and asymptotically approach perfection. To quote Justin Label, security is a Man v. Man problem, not Man v. Nature. Creative and motivated thieves respond to every new security system with a workaround, and so the best we can ever hope to do with the safety of our computer networks is tread water.
He was trying to make the point about why there are so many security start-ups, but I think it actually gains from being taken out of context.
People have ingrained expectations about how systems work. Beyond a certain level of familiarity, we use those systems subconsciously. When going to the movies, people expect to present their ticket at the door. When the theater removes that check, it doesn’t remove the expectation from the person’s subconscious, and an opportunity for malicious activity is created.
As David notes, this is not a technology problem. But, ironically, this doesn’t keep people like him from giving money to those who would try to solve it with technology. Of course, once people expect that technology to protect them, the next-weakest link in the chain of assumptions will be broken. And David will give money to others who would solve that next link with technology.
Which might not be such a bad thing for him either, since it means that he will also always have a career.