Wednesday, February 09, 2005

Who will guard the guards?

I've been doing a lot of thinking about security lately for some reason. Both personal and information related. Maybe it's my upcoming battle with airport security (I'm headed out of the country next month) that has me rattled. I know this will be an adventure because I'm the guy that always gets stopped at the gate for the "random" screening. Always. Every flight I've taken since 9/11. (about 20 in case you are wondering) Think of me the next time you see the poor sucker turning the top of his pants down and lifting his bare feet for the metal detector as you walk down the jetway and use the last overhead bin.

There will most likely be several posts forthcoming about this. That's the way my so-called brain works.

I've said this before (as my good friends would groan and tell you). But it's really worrying me how the TSA is handling our so-called safety. You see, after working with IT security for a number of years you start to see things in a different light. You are forced to think in a logical fashion. Actually consider possibilities and find ways to close holes before they are exploited. You can't just set up an expensive firewall and walk away. If you do - hope that your employer is as naive as the US voter when you blame the inevitable hack on the firewall and ask for an even more expensive model.

Anyway, I find that explaining my ramblings tends to work best in metaphor. So here we go.

Say you are a medieval thug bent on getting into your rival's castle. Stop and think for a minute. How would you go about it? Grab a pen and make a short list. Go on. Now let's go down it. Unless you are a complete moron, I bet "attack the wall" is nowhere on it. You probably had visions of ladders and battering rams. If you are a snowboarder you probably even thought of shooting yourself over the wall with your newly completed trebuchet.

The hackers among you (or hacker IN you) thought of other things like finding secret doors. Flooding the fortress. Playing Celine Dion records really, really loudly for days. Or convincing someone on the inside that you are actually their long lost nephew and that they should open the gate and let you in. I mean you ARE the heir to Great Aunt Einie's treasured sweet potato pie recipe after all.

Now apply the same thought process to airplanes... Make your list.

In the meantime ponder this photo and read this post on Bruce Schneier's blog.

Then be angry and afraid - not of the terrorists but the so-called experts. And remember that the 9/11 terrorists had "valid ID" and passed through the same basic security we now pay 4 times the price - both monetarily and in lost civil rights - to employ.

UPDATE: 3-15-05
Ok I'm back - The charm has been broken. I WAS NOT randomly selected for anything this trip. In fact my trips through security were pretty uneventful - not counting the little side trip through an "Agricultural Screening" upon return to the US. "The difference?" you ask. This time I was traveling with my wife and two boys - not alone. I actually watched the officer in Mexico look at my documents - then me (eyes narrow) - then my little tribe. Hesitate, sigh, and then wave me on to the plane. Interesting.

Also - found this little related tidbit this morning.


Don and Laura said...

When you posed your question about how to infiltrate the castle, the hacker in me immediately thought about digging a tunnel. I like that type of attack because it is hidden from view, unlike an attack from the air, straight on, blasting them with annoying music and so forth. It may take longer to tunnel in, but it works and it is completely hidden until the actual attack occurs. I think terrorists think the same way and they will find a way to tunnel under our security without us knowing about it. That is what makes the TSA and their current methods a waste of time and money; no serious threat will be made to "attack the wall."

As far as who will guard the guards? That is a really tough issue. It demands levels of infinite redundancy and at any point in the system it can break down if one link in the system is corrupt. That is what Barlow is facing with his fourth amendment fight and he has already encountered one corrupt link in the checks built into the system.

Security is becoming a nightmare and is totally uncontrollable since it involves people and given enough incentive those charged with security will allow intruders. This can be a problem for us working in IT since our trusted security staff, assigned to maintain, monitor and update firewall and other security can certainly be bribed to allow someone access, or become angry and disgruntled at the company and allow access as a method of revenge or sabotage. (Present company excluded, of course!)

The sad part of all this is we stand and watch as our rights are circling down the toilet of apathy soon to be flushed away forever. Have fun out of the country and don't forget to check your bill of rights at the airport curb: they are contraband once inside the airport terminal.