
Posts Tagged ‘security theater’

You can’t legislate against intent

A fortune cookie once said:

Rules are for the guidance of the wise and the blind allegiance of fools.

The message behind the proverb is that rules are there to show people what generally is and is not acceptable but they are fallible so should not be seen as inflexible boundaries. Unfortunately, where rules and laws fall down is when dealing with people who follow rules too closely and use them for their own means.

Most civilised societies have laws which prohibit murder but most countries also have a pretty narrow definition of murder and an often less serious crime of manslaughter. Murder is defined as the taking of life with malice aforethought, or with the intention of doing it. If I cause an accident which kills someone then that would be manslaughter but if I set out to kill someone then that would be murder. Proving the intent is the hard part and often means that prosecutors settle for manslaughter charges rather than murder because they are easier to prove. Unfortunately this puts us in a situation where occasionally accidental deaths are convicted as murder because the guilty party cannot prove it was accidental and also means that a clever murderer will be able to make the death seem either accidental or claim that it was accidental in order to get a reduced sentence.

Pedophiles can get their kicks just by being in the audience at a school swimming gala while parents are unable to take photos of their own kids, terrorists find new and interesting ways of causing mayhem while regular travellers get their duty free booze confiscated because it breaks the 100ml rule and copyright or patent laws are used by big corporations to attack the small creative groups that the laws were designed to protect.

The legal system has always had loopholes but the judiciary were selected for their strong moral judgement and ability to make decisions based on the evidence provided. Some of these decisions were subjective and occasionally errors of judgement happened. In an effort to prevent this from happening we, as a society, have built greater and greater layers of complexity to the legal system and filled the statute books with more and more laws which are designed to stipulate exactly what can and can’t be done in any given situation. The problem with closing loopholes is that for every one you close, many more open up. The idea of ‘rights’ is great however they must be evenly applied and are most often used by the malicious in order to escape or evade punishment.

A few years ago there was a story going around that a homeowner was sued by a burglar who had slipped while breaking in. It caused much outrage and was seen as a poster boy example for the ‘political correctness gone mad’ that the Daily Mail is keen to womble on about. In an ideal world this case (if it indeed existed) would have been thrown out by the courts for contravening the basic ideals of common sense and personal responsibility…

But what if it had? If a homeowner is not liable for injury if the other party is trespassing then it might be wise to make sure that you have written invitations from the unscrupulous householders you may visit; they may exploit the loophole if you injure yourself at theirs by claiming you were trespassing. If a burglar injured himself while stealing from you he might think it wise to claim that you deliberately injured him, thus putting you in a riskier position.

Legislating for every eventuality is a process which leads inevitably towards totalitarianism and cannot be achieved without it. We are already happily skipping down that path, and it would take a significant reverse in public policy to take us back to the point where judges were trusted to make decisions and policemen could use their discretion, the golden era that the “BBC Have your say” gang wistfully recall.

Media responsibility is pretty important if we want to steer away from a totalitarian Britain. Newspapers and TV channels competing for attention are prone to blowing unusual events out of proportion. News coverage brings the unusual to the public attention. A few million people going to work is unremarkable yet a few million people trapped at home because of snow is unusual and worthy of news. All too often the remarkable events that capture the public imagination fuel massive changes in policy and legislation which are disproportionate to the original and improbable events.

In short, don’t worry about the little things that the papers report. It’s the stuff they don’t report that is happening every day in every city all around the country. Legislating for the little stuff just takes our eyes off the big stuff or gives the perpetrators new loopholes to use to their advantage.

Great way to pay for mistakes

The time is drawing to a close for Gary McKinnon who is waiting for the final final final final decision on if he will be extradited to the US to face charges for hacking into government computers and causing substantial damages. He stands to be extradited under the 2003 Extradition Act which formed into law the treaty made between the US and the UK in that year.

While the facts of the case are sketchy, and will remain so until a trial has been conducted, a few things that are known about this case raise concern. First of all, the perception from his supporters is that he is being used as a political scapegoat and will not receive a fair trial. This stems from the fact that the US is stating that McKinnon caused damage to the computer systems amounting to $800,000 worth.

Once you rule out physical, or hardware damage (something that is not really possible using the remote access technology that McKinnon claims to have used), the software damage is limited to undoing the changes to the software that McKinnon made while infiltrating the systems. Even with an inadequate system in place for recovering systems to previous backups or resetting them to a known good state, $8,247 per computer is a lot of money to pay a consultant to undo the damage to each of the 97 computers that he accessed. I work for a major hardware vendor and have worked in the banking industry where security is taken considerably more seriously than in the military and in government*. The figures talked about here are more in line with the cost of work to improve the security after the discovery of obvious shortcomings. Some CIO type figure has gone to his boss and explained that $800,000 worth of damage was done while quietly spending most of that money on bringing the security up to the standard which it should have been at in order to prevent the attacks.

The second part is down to the extradition treaty itself. The treaty was not ratified in the US immediately, some sources will tell you that it has not been ratified at all, because the US wanted to remain a safe haven for terrorists. Irish Americans lobbied extensively to prevent the treaty being ratified for fear of facing extradition to the UK for supporting the Provisional IRA and several members of the PIRA fled to the US in the 80s to escape justice. The US likes to forget that it was a major source of funding for the terrorists who did stuff like this:

Since the treaty was ratified in the US this inequality has been relieved a little although the UK does not require the US (or Canada, Australia and New Zealand) to provide a case or body of evidence whereas the US is not required to allow their own citizens to be extradited unless the UK can provide a sufficient body of evidence against that person.

Yes, let’s just get that straight; the UK will extradite one of their own citizens to a country that still imposes the death penalty and has a recent record of using torture and all this without the need for that country to provide any evidence that the citizen in question is guilty of anything.

So what next for Gary? He’s currently trying to get the case tried in the UK because he will face a far lower sentence than he could expect in a political show trial abroad. He has confessed to the hack itself and if he is found guilty in the UK could be protected by the double jeopardy rules which prevent people being tried for the same crime twice. The question of jurisdiction comes into play here though and it’s not on his side. Although he was in the UK when he committed the crimes, the crimes took place in the US. His only real hope is for the new administration in the US to quietly forget this and let it go away because the people who were embarrassed by the original hack probably moved on with the last administration. I don’t really care that much though, I met him at infosec a few years ago and he’s a bit of a dick.

*No really, it is. There have been numerous leaks of sensitive information which have had no repercussions other than a little bit of blame skirting in the military and government but those that take place in Banking are often high profile and costly both financially and in terms of reputation. Some military organisations base their systems and controls on those used by the banking industry.

Dumb things that Bulldoggery has written (part 2)

Shortly after Sensibly Common posted this article, our pet troll posted the following comments. He still seems unable to realise that we are not publishing his comments any more but I thought I would share this comedy genius with you all because it is an almost perfect example of the stupidity that smart people face.

 

I’m sure that if the security forces had been given the choice between causing you mental anguish by expecting you to endure a short-haul flight without trimming “the old goatee”, and acting on specific intelligence about the types of weapons terrorists were planning on using to HIJACK/DESTROY A PASSENGER PLANE, they would have gone the other route.

I suggest you avoid all this heartbreak, by not flying again until they change their minds.

 

Oh where do I start? Could I start with the Daily Mail style capitalisation which he has used to add drama to the comments? Should I start with the insight that this uneducated fucktard brings to us from the inner thoughts of MI5? I think I shall start with the fact that the item specifically mentioned was a grooming kit and a bottle of water and these are, according to our pet troll, highly volatile weapons and likely to be used by terrorists at any time to destroy democracy as we know it.

Airside you can purchase a bottle of water and take it on the plane so clearly water is safe, the offending item which he must be talking about must be a simple grooming kit.

I am quite an inventive sort of person but I can’t quite work out why I would choose these items to destroy or hijack a plane. I think I would probably go for a stabbing and slashing instrument as pictured below which can be made using items easily available from the duty free shop.

Combine this with the fact that the doors to the cockpit are now locked and cannot be opened except by the pilots (whose duty is to protect the plane rather than individual passengers) and it’s pretty much impossible to hijack a plane in these post 11/9 times. The work of the people on 11/9 relied on the passengers thinking they would survive if they stayed sat down and kept quiet. It would not take a hero of Hollywood proportions to realise that a group of a handful of hijackers armed with nail clippers or even real weapons are unlikely to last long against a group of passengers who are motivated by a desire to see their loved ones again (even if they get a nasty scratch from a nail clipper in the process).

Security theatre

Yet another flight where my time has been wasted and I’ve been put out because I can’t take a bottle of water with me or even my grooming kit to clip my nails and trim the old goatee while waiting for take-off. OH NO, These are the TOOLS OF TERRORISTS and therefore I am a criminal for wanting to have a bit of convenience while I fly.

Newsflash: these rules are not “security”. They are “security theatre”.

Security is an effective way of stopping people doing bad stuff (like stealing money from a bank). Security theatre is for showing the public that you’re doing something to protect them without actually affording them any extra protection.

So here for you as my winter festival gift for 2008, is the That’s Fucking Stupid Terrorist Training Manual:

1. One passenger may take up to five 100ml bottles. Two people travelling together may therefore take up to 1 litre of liquids between them and as many empty vessels as they like.

2. Airside restaurants (the bit after “security”) give you nice big metal knives. So don’t worry about your nail clippers being confiscated.

3. Perimeter fences have nice big holes that you can pass anything through to a friendly airside employee.

4. Hint for wannabe airside employees: background checks mean nothing if you’ve done nothing wrong yet.

5. Not every member of every “terrorist cell” is going to be on the no-fly list (see point 4). Just send all your guys on dirt cheap no-frills flights – you’ll soon work out which of your members are on the list and which aren’t.

…or any of a million other possibilities.

This is my point: bad people will do bad things, no matter what. Air transport is only one of many targets (and let’s face it, there are far easier targets). None of the extra “security” silliness we’re subjected to today will do anything to prevent any terrorist attacks.

For more common sense, read Bruce Schneier’s excellent blog.