OVER the years I saw criticisms of school or classroom indoctrination about copyrights. They're basically teaching/pushing a bunch of lies to young children in an effort to "educate" them about "copyright law" (sounds reasonable on the surface... until one actually checks what these pupils are being told).

"It's supposed to sound sophisticated, but the net gain for security is laughable."For ISO compliance purposes, sometimes I'm required to take and pass some online "training" courses. Some of these are ridiculously bad, so I end up taking screenshots.

This post is about fake security mindset -- a concept explained here several times earlier this year. It's supposed to sound sophisticated, but the net gain for security is laughable. Complexity does not beget security (usually the opposite is true; simplicity is auditable). Basically, it boils down to what's sometimes known as "security theatre", owing to a 'fake security' cargo cult of "phones" or "apps" and "clown computing" (i.e. giving all your access credentials to some other company, along with highly sensitive data).

During my latest "training" I stumbled upon about 40 examples of amusing errors and silliness (it's all over the place, sometimes with repetition for extra effect or 'good' measure), but to keep things more concise and digestable I took screenshots and annotated them a little, just as I did last year with edX [1, 2], in effect shilling for the Linux Foundation in the guise of "training". Where does one draw the line between courses and marketing, revisionism, and even outright lies?

"Basically, it boils down to what's sometimes known as "security theatre", owing to a 'fake security' cargo cult of "phones" or "apps" and "clown computing" (i.e. giving all your access credentials to some other company, along with highly sensitive data)."Below I present just a small sample. Almost at random I narrowed it down to just a dozen rather unique examples (there are many more similar instances of these). Surely, a more exhaustive list would take a lot of time to prepare while the clock is running. At the end, one is required to lie or say what they expect you to say in order to pass the test (which I did). To be fair, the questions aren't as terrible as the supposed 'training', as they don't mention brand names there or promote outrageous fallacies.

Without further ado, let's begin.



It doesn't take a genius to see what's happening here and why it's shallow. Infantile questions like, ARE CRIMINALS A THREAT? It's like a colouring book quiz with heroes and villains. They present actual adults with such questions. We'll come back to it later when it comes to "exam time".



Notice how, just like Microsoft, they're looking to blame computer users or "criminals" (or some nations like China or Russia). Anything to divert liability away from rogue software companies that write shoddy code, hide the defects, and code back doors for the NSA et al.

Let's move on.



Wait, I'm confused.



As if it's the user's fault that Microsoft cannot secure its own systems...



Yes, let's all use 'phones' to manage critical servers... with "apps".



Missing part?



No mention of "weakened" (i.e. fake) encryption.



Why are they ignoring bigger players like Facebook and Twitter? Brand promoting? Wait, there's more right after that...



It's 2021 and they still think everyone uses Windows. Guess what... Windows market share is less than a third.



Windows again.

OK, questions time. First in the test:



So let me guess... "criminals" are the threat. Who would have guessed?

Did I learn something from this course? Absolutely nothing. But I got some giggles. Many millions of people are constantly subjected to this kind of propaganda, which sometimes seems more like marketing than actual education. ⬆