When it comes to security, there is nobody that I trust more than Bruce Schneier. When it comes to being secure in my person and my rights, there is nothing I trust less than government, whether it is the US, Russia, Thailand or India.

Of course, a government is not an entity in itself; it consists of people making decisions and taking actions. However, without going into all the reasons, you can count on nearly all these individuals to take the action or policy that is the most self-serving and least risky in exposing them to scrutiny, accountability or notice of their superiors. Nowhere is this more apparent than in matters of security, especially in the post-9/11 world.

Security Theater

“Security Theater” is the term that skeptics and critics apply to the security policies that have been implemented in the last 10 years. From the extra measures taken at airports to banking regulations, governments want to show that they are doing something about terrorism, but not much of real value is accomplished in protecting the public. Instead, these processes penalize nearly the entire population, encumber our lives and add myriad pinpricks of procedural misery, each one so little that it is hardly felt, but if you ever stopped to notice them all together, they add up to the equivalent of a bat to the head.

Take the example of the Shoe Bomber. In the aftermath, governments, or rather the people who make up the government, all over the world instituted a policy of making people take off shoes and x-raying them. Even if we are generous and allow that at the top level policy-makers took the decision because they genuinely thought they were protecting the public, rather than just reacting to show that they were doing something, by the time the policy trickled down to implementation at the checkpoint, infant shoes, flat-heeled pumps and flip-flops were also required to be taken off. The logic of how much explosive could be hidden in a 2-year-old’s shoes was never considered. If you wanted to hide explosives on a baby, a much better place would have been the diaper. And of course, it took a few years for some adult to try it, and then governments reacted again. We don’t have to take our underwear off, but the US has found the next best thing–full-body scanners. In the US, there is no incentive for any bureaucrat or politician to roll back the shoes-off policy, however remote the chance of that ever working again. Bureaucrats could lose their jobs, the elected president who is the bureaucrat’s boss could lose the next election, and any other politician will be called soft on terrorism or whatever.

None of this is anything new; many people have pointed this out, including Schneier. However, we all need to ask ourselves which way this is going and how far it will go. There is no sense in living in a false sense of security while putting up with hassles and spending money that could be better spent elsewhere.

I say false sense of security because these procedures are not really protecting us, as evidenced by security failures that let loaded guns go through in hand-baggage. The reason that we are safe is that there aren’t that many people out to hurt us. These procedures also do nothing to protect us against threats for which they are not yet screening. For example, what will happen when someone swallows explosives the way that drug-mules swallow cocaine packets and boards a long-haul flight? Will we all be given laxatives an hour prior to flight and be required to void our bowels before we board?

Insecurity Assured

Try to walk into any building in New York or New Delhi and someone will ask you to state your business there and ask you for your name. Some buildings in New York ask for an ID, some don’t. In New Delhi you are asked to write down your name and mobile number. You can make anything up. What has it accomplished except to waste a few minutes of your time?

Try to get a mobile phone number in India and good luck to you. Even for a prepaid account you have to furnish ID and a photo, and if you have a foreign passport, you need to show a valid visa. Most first-timers will end up making two trips. If you want a post-paid phone account, then you have to additionally show proof of address, which for a recent arrivé can be quite difficult. With 800 million mobile numbers in circulation in India, a nefarious agent could steal a phone and have very little chance that it would get reported or shut down within the next 12 hours. Or the person could bring a SIM card into the country. If the point of the phone is to detonate a bomb, it won’t cost a penny to dial the number. I’m sure there are many other ways. So these security measures basically make it difficult for all the millions of legitimate mobile phone customers just to thwart a handful, who would hardly be hindered.

Here is another example. As a reaction to the 2008 attacks in Mumbai, all the top hotels have installed metal detectors and baggage x-rays at their entrances. If trained TSA agents at airports miss loaded guns going by, imagine how effective staff at a hotel would be at spotting them. Moreover, this is as effective at thwarting murderous gunmen as no x-rays, because the gunmen can just shoot their way in. So all it does is put legitimate hotel guests through additional hassles.

This same inanity is transferred online. Various Web sites institute password policies that guarantee user discomfort. Here is one example:

– Passwords must be changed at least once every 90 (ninety) days.

– An acceptable password must have at least five (5) different characters. Repeated characters can make for palindromes and make it easier to crack.

– An acceptable password must have characters from at least three (3) different character types — upper case, lower case, digits, punctuation, etc.

– An acceptable password must not have an alphabetic sequence any longer than three (3) characters.

– An acceptable password must not have a digit sequence any longer than two (2) characters.

– There are a few characters that will cause problems if used in a password – the “delete” character is one of the obvious ones.

So you need a password that has uppercase and lowercase letters but not more than three together, numbers but not more than two in a row, and special characters. And you have to keep coming up with a new one every 90 days. Oh, and then remember these rules:
  • Writing down your password: One should never write down a password. Someone may discover the password. Make the password difficult for others to guess or crack but easy for you to memorise and remember.
  • Passwords should not be any of the following:
    • Dictionary words (including foreign and technical dictionaries)
    • Name of a person or a thing, a place, a proper noun, a phone number or a vehicle number
    • Simple pattern of letters on keyboards
    • Any of the above reversed or concatenated
  • One possible method for picking a good password is to make up your own acronym.
  • Do not let your computer remember your password. Do not accept auto complete option provided by your computer/browser.
  • As far as possible do not use un-trusted system to access a sensitive service. If you must, change the password on the first occasion immediately thereafter from a trusted system.
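
To see what the composition rules quoted above actually accept and reject, here is a small checker, added as an illustration and not taken from the site that published the policy. It assumes the reading given in this post (no more than three letters together, no more than two digits in a row), does not count a space as a character type, and runs on constructed sample passwords.

```python
import re
import string

def check_policy(password):
    """Return the quoted composition rules that `password` violates."""
    violations = []
    if len(set(password)) < 5:
        violations.append("fewer than five different characters")
    # Character types named in the policy; a space is counted as none of them
    # (assumption, the policy only says "etc.").
    types = [
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ]
    if sum(types) < 3:
        violations.append("fewer than three character types")
    # Assumed reading: a run of four or more letters is an "alphabetic sequence".
    if re.search(r"[A-Za-z]{4,}", password):
        violations.append("alphabetic sequence longer than three")
    if re.search(r"[0-9]{3,}", password):
        violations.append("digit sequence longer than two")
    if any(ord(c) < 32 or ord(c) == 127 for c in password):
        violations.append("control character such as delete")
    return violations

# Constructed samples: a 7-character password, a 28-character passphrase,
# and a 19-character mixed string.
SAMPLES = ["Ab1!cD2", "correct horse battery staple", "kV7#mQ2xLp9$wZtR4nB"]

def audit(samples=SAMPLES):
    """Map each sample to (length, list of violated rules)."""
    return {s: (len(s), check_policy(s)) for s in samples}

if __name__ == "__main__":
    for pw, (length, broken) in audit().items():
        print(f"{pw!r:34} len={length:2}  {'ACCEPTED' if not broken else broken}")
```

The 7-character sample is accepted, while both longer samples are rejected because they contain four or more letters in a row.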

Meanwhile, our data can get stolen by the millions because institutions don’t take the proper precautions and don’t follow their own rules.

Tens of thousands of people die in road accidents, but there is no call on governments to spend billions to do something about it. We all need to think about what makes us secure and what doesn’t, and where it makes sense to spend our resources. Politicians will use fear to get themselves in power, but we should not be giving in to them. It’s no good feeling secure if you are not secure. On the other hand, it’s no good being hassled through life in the name of false security. If enough people understand this, maybe we can reverse course.
