http://www.guardian.co.uk/technology/2008/mar/11/politics.hitechcrime
By Cory Doctorow
guardian.co.uk
March 11 2008
The Met's latest poster campaign urges Londoners who spot "unusual"
activity to ring the police and let them know. Examples include someone
taking pictures of CCTV cameras or acting out of the ordinary. After
all, these are dangerous times, and we all must be vigilant.
Contrast this for a moment with an earlier dangerous time: the Blitz.
Bombs rained down upon London on a near-daily basis, killing, maiming
and laying waste to whole neighbourhoods (one American friend recently
described a trip around east London where his hosts pointed to every car
park and said, "Of course, that was bombed in the Blitz" – and came away
with the impression that Hitler had dropped car parks on Hackney).
Back then, the government's message to the people wasn't "Take your
shoes off" or "place your liquids in this bag". Instead, King George's
printer stuck up millions of royal red posters bearing the legend "KEEP
CALM AND CARRY ON."
The approaches are markedly different - eternal (even fearful)
vigilance, versus a reassured, Zen-like calm. Which one makes us more
secure?
There's the rub. Verifying the security of a system is a tricky
business. Even during the second world war, when secrecy over codes was
paramount, Alan Turing's team at Bletchley Park broke the German cipher
and began listening to practically every Nazi communiqué. How did they
outsmart the German mathematicians who designed Enigma? Bletchley
spotted a mistake and used it to crack the system wide open.
Mistakes happen all the time in mathematical ventures, which is why
science relies on peer review. As Bruce Schneier says, "Anyone can
design a security system so smart that he can't outsmart it". Until
security is subjected to peer review, you can't know whether it's proof
against the whole world, or just the people who are dumber than you are.
Even though our lives increasingly defined by security measures, we
can't know whether they are working without public peer review.
Unfortunately, today's security cheerleaders have regressed to a more
superstitious era, a time from before Bletchley Park's wizards won the
second world war. The public isn't supposed to take photographs of CCTV
cameras in case this knowledge can be used against them (despite the
fact that surely terrorists can memorise their locations).
We can't mention terrorist attacks at the airport while we're being
subjected to systematic anti-dignity depredations; your bank won't let
you open an account with a passport – you need to supply a laser-printed
utility bill as well ("to prevent money laundering" … you can just hear
Osama's chief forgers gnashing their teeth for lack of a piece of A4).
The superstitions that grip airport checkpoints and banks are themselves
a threat to security, because the security that does not admit of
examination and discussion is no security at all.
If terrorists are a danger to London, then the only way to be safe is to
talk about real threats and real countermeasures, to question the
security around us and shut down the systems that don't work.
If you're worried about money-laundering, your bank should have real
anti-laundering systems in place. If you're worried about bombings, you
need a security system that works even when the locations of the CCTV
cameras are public. If you're worried about identity theft, then the
government had better have a bloody good plan for "revoking" your
fingerprints and retinas should a bad guy figure out how to copy them.
If you want your plane to be safe in the sky, you'd better know what new
security you gain by removing your shoes and shedding your liquids while
still taking to the sky with your highly explosive laptop battery and a
huge bottle of duty free whiskey.
We live in a world of threats that transcend our instincts and
intuitions. Staying safe in the face of phishing attacks, viruses,
identity theft, RFID skimming, and yes, even terrorists, requires that
the public itself be security conscious.
We can't rely on the authorities to defend us against attacks that
outstrip their capacity to adapt to them. Remember, the same police
force that's plastering London with signs exhorting us to "let
experienced officers decide what action to take" is the same police
force that gunned down a Brazilian for wearing an overcoat, and shut
down Soho when a Thai restaurant burned its chilli sauce, releasing
spicy smoke.
Security literacy can only be acquired through continuous practice and
evaluation. The more our society punishes those who question security,
the less secure we all become.
© Guardian News and Media Limited 2008
___________________________________________________
Subscribe to InfoSec News
http://www.infosecnews.org/mailman/listinfo/isn
This archive was generated by hypermail 2.1.3 : Wed Mar 12 2008 - 01:09:04 PST