http://www.guardian.co.uk/technology/2008/mar/11/politics.hitechcrime By Cory Doctorow guardian.co.uk March 11 2008 The Met's latest poster campaign urges Londoners who spot "unusual" activity to ring the police and let them know. Examples include someone taking pictures of CCTV cameras or acting out of the ordinary. After all, these are dangerous times, and we all must be vigilant. Contrast this for a moment with an earlier dangerous time: the Blitz. Bombs rained down upon London on a near-daily basis, killing, maiming and laying waste to whole neighbourhoods (one American friend recently described a trip around east London where his hosts pointed to every car park and said, "Of course, that was bombed in the Blitz" – and came away with the impression that Hitler had dropped car parks on Hackney). Back then, the government's message to the people wasn't "Take your shoes off" or "place your liquids in this bag". Instead, King George's printer stuck up millions of royal red posters bearing the legend "KEEP CALM AND CARRY ON." The approaches are markedly different - eternal (even fearful) vigilance, versus a reassured, Zen-like calm. Which one makes us more secure? There's the rub. Verifying the security of a system is a tricky business. Even during the second world war, when secrecy over codes was paramount, Alan Turing's team at Bletchley Park broke the German cipher and began listening to practically every Nazi communiqué. How did they outsmart the German mathematicians who designed Enigma? Bletchley spotted a mistake and used it to crack the system wide open. Mistakes happen all the time in mathematical ventures, which is why science relies on peer review. As Bruce Schneier says, "Anyone can design a security system so smart that he can't outsmart it". Until security is subjected to peer review, you can't know whether it's proof against the whole world, or just the people who are dumber than you are. Even though our lives increasingly defined by security measures, we can't know whether they are working without public peer review. Unfortunately, today's security cheerleaders have regressed to a more superstitious era, a time from before Bletchley Park's wizards won the second world war. The public isn't supposed to take photographs of CCTV cameras in case this knowledge can be used against them (despite the fact that surely terrorists can memorise their locations). We can't mention terrorist attacks at the airport while we're being subjected to systematic anti-dignity depredations; your bank won't let you open an account with a passport – you need to supply a laser-printed utility bill as well ("to prevent money laundering" … you can just hear Osama's chief forgers gnashing their teeth for lack of a piece of A4). The superstitions that grip airport checkpoints and banks are themselves a threat to security, because the security that does not admit of examination and discussion is no security at all. If terrorists are a danger to London, then the only way to be safe is to talk about real threats and real countermeasures, to question the security around us and shut down the systems that don't work. If you're worried about money-laundering, your bank should have real anti-laundering systems in place. If you're worried about bombings, you need a security system that works even when the locations of the CCTV cameras are public. If you're worried about identity theft, then the government had better have a bloody good plan for "revoking" your fingerprints and retinas should a bad guy figure out how to copy them. If you want your plane to be safe in the sky, you'd better know what new security you gain by removing your shoes and shedding your liquids while still taking to the sky with your highly explosive laptop battery and a huge bottle of duty free whiskey. We live in a world of threats that transcend our instincts and intuitions. Staying safe in the face of phishing attacks, viruses, identity theft, RFID skimming, and yes, even terrorists, requires that the public itself be security conscious. We can't rely on the authorities to defend us against attacks that outstrip their capacity to adapt to them. Remember, the same police force that's plastering London with signs exhorting us to "let experienced officers decide what action to take" is the same police force that gunned down a Brazilian for wearing an overcoat, and shut down Soho when a Thai restaurant burned its chilli sauce, releasing spicy smoke. Security literacy can only be acquired through continuous practice and evaluation. The more our society punishes those who question security, the less secure we all become. © Guardian News and Media Limited 2008 ___________________________________________________ Subscribe to InfoSec News http://www.infosecnews.org/mailman/listinfo/isn
This archive was generated by hypermail 2.1.3 : Wed Mar 12 2008 - 01:09:04 PST