Posted by: decster | December 10, 2007

The security arms race

I was reading a short article on DNS poisoning this weekend, as you do, and came across one of the best explanations of why complete security is something you can never achieve.

Some guy walks up and says he’s from the gas company. You let him in, he steals your beer.

Next time you ask him for gas company ID. He shows you a fake one. Beer stolen.

Next time you call the gas company phone number printed on his ID. It’s his buddy’s phone number; the buddy tells you the guy’s legit. Beer stolen.

Next time you call the gas company’s number as shown on your latest gas bill. It’s his buddy’s other line; they sent you a forged gas bill. Beer stolen again.

Next time you call the gas company as shown in the phone book. Oops, they sent you a forged phone book. You talk to the people at the gas company building downtown and get their phone number. You dial it but his buddy has broken into the phone company’s switch and forwarded the call to his other line. Or the beer thieves rented office space and set up a whole fake gas company office, a tactic seen in “Sneakers”. Again, beer stolen.

Indeed, perhaps they simply bribe a real gas company employee to steal your beer. It’s a never-ending arms race.


Responses

  1. Yes, but I don’t have anything to steal except maybe my beer collection. Why would they set up a whole fake gas company just to do that? If you take precautions against the most common threats then there will always be somebody else easier to steal from. Then it’s just bad luck if you get your beer stolen, but that’s life. Risk management isn’t the same as risk avoidance; it’s a lot less expensive for a start.

