[Infowarrior] - Time to fight security superstition

Richard Forno rforno at infowarrior.org
Tue Mar 11 20:31:15 UTC 2008


Time to fight security superstition

    * Cory Doctorow
    * guardian.co.uk,
    * Tuesday March 11 2008

This article was first published on guardian.co.uk on Tuesday March 11 2008.
It was last updated at 11:21 on March 11 2008.

http://www.guardian.co.uk/technology/2008/mar/11/politics.hitechcrime

The Met's latest poster campaign urges Londoners who spot "unusual" activity
to ring the police and let them know. Examples include someone taking
pictures of CCTV cameras or acting out of the ordinary. After all, these are
dangerous times, and we all must be vigilant.

Contrast this for a moment with an earlier dangerous time: the Blitz. Bombs
rained down upon London on a near-daily basis, killing, maiming and laying
waste to whole neighbourhoods (one American friend recently described a trip
around east London where his hosts pointed to every car park and said, "Of
course, that was bombed in the Blitz" - and came away with the impression
that Hitler had dropped car parks on Hackney).

Back then, the government's message to the people wasn't "Take your shoes
off" or "place your liquids in this bag". Instead, King George's printer
stuck up millions of royal red posters bearing the legend "KEEP CALM AND
CARRY ON."

The approaches are markedly different - eternal (even fearful) vigilance,
versus a reassured, Zen-like calm. Which one makes us more secure?

There's the rub. Verifying the security of a system is a tricky business.
Even during the second world war, when secrecy over codes was paramount,
Alan Turing's team at Bletchley Park broke the German cipher and began
listening to practically every Nazi communiqué. How did they outsmart the
German mathematicians who designed Enigma? Bletchley spotted a mistake and
used it to crack the system wide open.

Mistakes happen all the time in mathematical ventures, which is why science
relies on peer review. As Bruce Schneier says, "Anyone can design a security
system so smart that he can't outsmart it". Until security is subjected to
peer review, you can't know whether it's proof against the whole world, or
just the people who are dumber than you are.

Even though our lives are increasingly defined by security measures, we can't
know whether they are working without public peer review.

Unfortunately, today's security cheerleaders have regressed to a more
superstitious era, a time from before Bletchley Park's wizards won the
second world war. The public isn't supposed to take photographs of CCTV
cameras in case this knowledge can be used against them (despite the fact
that surely terrorists can memorise their locations).

We can't mention terrorist attacks at the airport while we're being
subjected to systematic anti-dignity depredations; your bank won't let you
open an account with a passport - you need to supply a laser-printed utility
bill as well ("to prevent money laundering" - you can just hear Osama's
chief forgers gnashing their teeth for lack of a piece of A4).

The superstitions that grip airport checkpoints and banks are themselves a
threat to security, because the security that does not admit of examination
and discussion is no security at all.

If terrorists are a danger to London, then the only way to be safe is to
talk about real threats and real countermeasures, to question the security
around us and shut down the systems that don't work.

If you're worried about money-laundering, your bank should have real
anti-laundering systems in place. If you're worried about bombings, you need
a security system that works even when the locations of the CCTV cameras are
public. If you're worried about identity theft, then the government had
better have a bloody good plan for "revoking" your fingerprints and retinas
should a bad guy figure out how to copy them.

If you want your plane to be safe in the sky, you'd better know what new
security you gain by removing your shoes and shedding your liquids while
still taking to the sky with your highly explosive laptop battery and a huge
bottle of duty free whiskey.

We live in a world of threats that transcend our instincts and intuitions.
Staying safe in the face of phishing attacks, viruses, identity theft, RFID
skimming, and yes, even terrorists, requires that the public itself be
security conscious.

We can't rely on the authorities to defend us against attacks that outstrip
their capacity to adapt to them. Remember, the same police force that's
plastering London with signs exhorting us to "let experienced officers
decide what action to take" is the same police force that gunned down a
Brazilian for wearing an overcoat, and shut down Soho when a Thai restaurant
burned its chilli sauce, releasing spicy smoke.

Security literacy can only be acquired through continuous practice and
evaluation. The more our society punishes those who question security, the
less secure we all become.



