[ISN] Time to fight security superstition

From: InfoSec News (alerts@private)
Date: Wed Mar 12 2008 - 01:02:55 PST


http://www.guardian.co.uk/technology/2008/mar/11/politics.hitechcrime

By Cory Doctorow
guardian.co.uk
March 11 2008

The Met's latest poster campaign urges Londoners who spot "unusual" 
activity to ring the police and let them know. Examples include someone 
taking pictures of CCTV cameras or acting out of the ordinary. After 
all, these are dangerous times, and we all must be vigilant.

Contrast this for a moment with an earlier dangerous time: the Blitz. 
Bombs rained down upon London on a near-daily basis, killing, maiming 
and laying waste to whole neighbourhoods (one American friend recently 
described a trip around east London where his hosts pointed to every car 
park and said, "Of course, that was bombed in the Blitz" – and came away 
with the impression that Hitler had dropped car parks on Hackney).

Back then, the government's message to the people wasn't "Take your 
shoes off" or "place your liquids in this bag". Instead, King George's 
printer stuck up millions of royal red posters bearing the legend "KEEP 
CALM AND CARRY ON."

The approaches are markedly different - eternal (even fearful) 
vigilance, versus a reassured, Zen-like calm. Which one makes us more 
secure?

There's the rub. Verifying the security of a system is a tricky 
business. Even during the second world war, when secrecy over codes was 
paramount, Alan Turing's team at Bletchley Park broke the German cipher 
and began listening to practically every Nazi communiqué. How did they 
outsmart the German mathematicians who designed Enigma? Bletchley 
spotted a mistake and used it to crack the system wide open.

Mistakes happen all the time in mathematical ventures, which is why 
science relies on peer review. As Bruce Schneier says, "Anyone can 
design a security system so smart that he can't outsmart it". Until 
security is subjected to peer review, you can't know whether it's proof 
against the whole world, or just the people who are dumber than you are.

Even though our lives are increasingly defined by security measures, we 
can't know whether they are working without public peer review.

Unfortunately, today's security cheerleaders have regressed to a more 
superstitious era, a time from before Bletchley Park's wizards won the 
second world war. The public isn't supposed to take photographs of CCTV 
cameras in case this knowledge can be used against them (despite the 
fact that surely terrorists can memorise their locations).

We can't mention terrorist attacks at the airport while we're being 
subjected to systematic anti-dignity depredations; your bank won't let 
you open an account with a passport – you need to supply a laser-printed 
utility bill as well ("to prevent money laundering" … you can just hear 
Osama's chief forgers gnashing their teeth for lack of a piece of A4).

The superstitions that grip airport checkpoints and banks are themselves 
a threat to security, because the security that does not admit of 
examination and discussion is no security at all.

If terrorists are a danger to London, then the only way to be safe is to 
talk about real threats and real countermeasures, to question the 
security around us and shut down the systems that don't work.

If you're worried about money-laundering, your bank should have real 
anti-laundering systems in place. If you're worried about bombings, you 
need a security system that works even when the locations of the CCTV 
cameras are public. If you're worried about identity theft, then the 
government had better have a bloody good plan for "revoking" your 
fingerprints and retinas should a bad guy figure out how to copy them.

If you want your plane to be safe in the sky, you'd better know what new 
security you gain by removing your shoes and shedding your liquids while 
still taking to the sky with your highly explosive laptop battery and a 
huge bottle of duty free whiskey.

We live in a world of threats that transcend our instincts and 
intuitions. Staying safe in the face of phishing attacks, viruses, 
identity theft, RFID skimming, and yes, even terrorists, requires that 
the public itself be security conscious.

We can't rely on the authorities to defend us against attacks that 
outstrip their capacity to adapt to them. Remember, the same police 
force that's plastering London with signs exhorting us to "let 
experienced officers decide what action to take" is the same police 
force that gunned down a Brazilian for wearing an overcoat, and shut 
down Soho when a Thai restaurant burned its chilli sauce, releasing 
spicy smoke.

Security literacy can only be acquired through continuous practice and 
evaluation. The more our society punishes those who question security, 
the less secure we all become.

© Guardian News and Media Limited 2008


