Pee, Pools, and Instrumenting Security: The Importance of Finding Out What You'd Rather Not Know

People pee in pools. We know this. Now we know (ewww) how much.

A Canadian study published Wednesday in Environmental Science & Technology Letters found that the typical large public pool contains roughly 75 liters of human urine. That’s not a typo. Seventy-five.

Besides being gross, urine and chlorinated water react to form cyanogen chloride: a substance classified as a chemical warfare agent banned by the 1928 Geneva Protocol. Luckily, even 75 liters of pee won’t produce enough CNCl to hurt you (much); daily swimmers and pool workers are more likely to suffer from asthma, but otherwise, you’re probably going to be OK.

The researchers analyzed water from 31 pools for acesulfame-K (ACE), a synthetic sweetener that’s in lots of processed foods and stable enough to pass through into urine. From 250 samples, researchers computed that there are about 75 liters of pee in a typical public pool, which is usually just 1/3 the size of an Olympic pool. Concentrations ranged up to 7,110 nanograms per liter: that’s 570 times the levels of acesulfame-K typically found in tap water. Hot tubs were especially nasty; one hotel bubbler had three times the ACE concentration found in the most contaminated pool they sampled.

What in the world does this have to do with Security Instrumentation? I’m so glad you asked.

Too often, as modern office professionals, we assume that things are “just fine” with our pool – our network. We assume our “pool managers” are taking care of things, putting in lots of magic pee-destroying chemicals (made from unicorn horns) and that there couldn’t possibly be that much pee in network pool. But that’s almost never the case. In fact, once you’ve peed in a pool, it’s mostly there to stay: “It’s not uncommon for water in a pool to go unchanged for years,” Ernest Blatchley III, an environmental engineer at Purdue told NPR. Pool owners tend to simply add more water, which is cheaper than draining and refilling. Enterprise networks, unfortunately, are pretty analogous. We tend to just keep making them bigger and “pouring in more chlorine” (buying more security software/boxes) – which doesn’t actually solve the real problem… and in some cases, actually makes things worse.

For Verodin (and for you, out there, as security professionals) a lot of what we do is finding things your clients wish you hadn’t found. We also have the unenviable task of delivering the bad news to power. Probably least pleasant of all: we security pros have to be the “naggers” that keep telling our kids not to pee in the pool in the first place.

But we can’t just go on assuming that “everything’s cool”. It’s not. In fact, it never is. In virtually all Verodin proofs-of-concept, we find serious security control problems that our clients didn’t know about before we arrived on the scene.

The only way to make quantitative improvements in network security is by using empirical data derived from security instrumentation. So: use Verodin. Look. Test. And communicate what, precisely, you’ve found. It might not be fun news, but in the long run, you’ll be happier (and healthier) for it.

back to blog
No items found.
Business Need