Quotulatiousness

June 8, 2019

Differentiating between actual security and security theatre

Filed under: Britain, Humour, Liberty, Technology — Nicholas @ 03:00

Alistair Dabbs has a security tale of woe:

“Keypad Entry” by Victor Frost is licensed under CC BY-NC-SA 2.0

Access denied. Enter Access Code.

That’s a good start. Just a few moments ago I was handed a card on which is written, in blue ballpoint, a newly compiled string of alphanumerics that is supposed to identify me as a unique user. Oh well, maybe I fumbled the buttons. Let’s try again.

Access denied. Enter Access Code.

I am standing in the driving rain – this is London in the summer – in front of a large electronically operated vehicle barrier that keeps the riff-raff from getting anywhere near the car park and loading bay behind the building where I am to be working this week.

The vertical stainless steel keypad into which I am pushing my access code is weather-resistant. I am not. You’d think they could have installed the keypad at car-window level but no, it’s at lorry level. And it’s not on the driver’s side anyway, so anyone not rolling up in an unmodified US or continental import vehicle is forced to exit and walk over to the access terminal.

Access denied. Enter Access Code.

As far as it is concerned, I am riff-raff. I look behind me to see a steel-grey car has pulled up behind mine. Steel-grey = bland, unimaginative, company car, must be management. As I trudge back towards the street entrance around the corner to ask the security desk for an alternative access code, remembering this time to express an explicit preference for one that actually provides access, I notice the driver in the grey car has started to harrumph.

Security systems like this exist to protect me and my possessions, whether physical or electronic. They keep out the nasties and foil the mischievous. They allow access to the honest and prevent it to the unauthorised.

They are a pain in the arse.

Security is essential, of course, but only for other people. Not me. I’m the nice guy here and this sodding keypad is stopping me from getting in.

But then security authentication is one of those functions whose philosophical concept is hampered by self-contradictory details of its own design. To pick a topical example, it is the right of European Union citizens to enjoy free movement between EU countries without being stopped by border controls. However, how can the border controls know whether you are an EU citizen or not unless they stop you to ask for your EU identification? So it’s only by presenting your passport or ID card that you can exercise your right not to have to present your passport or ID card.

The forces of law and order, from police to night club bouncers, face the same recursive logic. Why do they insist on frisking me? Why can’t they concentrate their stop and search efforts only on those who are carrying concealed weapons?

December 20, 2018

Repost – Happy holiday travels!

Filed under: Bureaucracy, Humour — Nicholas @ 03:00

H/T to Economicrot. Many many more at the link.

August 15, 2018

Hotel security theatre meets DEF CON attendees in Las Vegas

Filed under: Business, Liberty, USA — Nicholas @ 05:00

Las Vegas hotels have a clear duty to be more vigilant about their security procedures, but the folks at the most recent DEF CON gathering were perhaps not the best-chosen group to try out a new “swaggering bully-boys security enforcement” policy:

In the wake of the mass shooting in Las Vegas in October of 2017, hotels in the city started drafting more aggressive policies regarding security. Just as Caesars Entertainment was rolling out its new security policies, the company ran head on into DEF CON — an event with privacy tightly linked to its culture.

The resulting clash of worlds — especially at Caesars Palace, the hotel where much of DEF CON was held — left some attendees feeling violated, harassed, or abused, and that exploded onto Twitter this past weekend.

Caesars began rolling out a new security policy in February that mandated room searches when staff had not had access to rooms for over 24 hours. Caesars has been mostly tolerant of the idiosyncratic behavior of the DEF CON community, but it’s not clear that the company prepared security staff for dealing with the sorts of things they would find in the rooms of DEF CON attendees. Soldering irons and other gear were seized, and some attendees reported being intimidated by security staff.

And since the searches came without any warning other than a knock, they led, in some cases, to frightening encounters for attendees who were in those rooms. Katie Moussouris — a bug bounty and vulnerability disclosure program pioneer at Microsoft, an advocate for security researchers, and now the founder and CEO of Luta Security — was confronted by two male members of hotel security as she returned to her room. When she went into the room to call the desk to verify who they were, they banged on the door and screamed at her to immediately open it.

In another case, a hotel employee—likely hotel security—entered the room of a woman attending DEF CON without knocking:

April 6, 2018

QotD: Bordertown, USA

Filed under: Bureaucracy, Quotations, USA — Nicholas @ 01:00

Welcome to Bordertown, USA. Population: 200 million. Expect occasional temporary population increases from travelers arriving from other countries. Your rights as a US citizen are indeterminate within 100 miles of US borders. They may be respected. They may be ignored. But courts have decided that the “right” to do national security stuff — as useless as most its efforts are — trumps the rights of US citizens.

Tim Cushing, “Wall Street Journal Reporter Hassled At LA Airport; Successfully Prevents DHS From Searching Her Phones”, Techdirt, 2016-07-22.

December 20, 2017

Repost – Happy holiday travels!

Filed under: Bureaucracy, Humour — Nicholas @ 03:00

H/T to Economicrot. Many many more at the link.

June 29, 2017

QotD: The medical equivalent of security theatre

Filed under: Health, Quotations — Nicholas @ 01:00

The most common reason for admission to a psychiatric hospital is “person is a danger to themselves or others”. The average length of stay in a psychiatric hospital is about one week.

Some clever person might ask: “Hey, don’t most psychiatric medicines require more than a week to take effect?” Good question! The answer is “yes”. Antidepressants classically take four weeks. Lithium and antipsychotics are more complicated, but the textbooks will still tell you a couple of weeks in both cases. And yet people are constantly being brought to psychiatric hospitals for dangerousness, treated with medications for one week, and then sent off. What gives?

As far as I can tell, a lot of it is the medical equivalent of security theater.

Scott Alexander, “Reflections From The Halfway Point”, Slate Star Codex, 2015-06-29.

November 2, 2016

Online security theatre: “We sell biometric authentication systems to people who need a good password manager”

Filed under: Technology — Nicholas @ 09:06

Joey DeVilla linked to this discussion of the Mirai botnet and the distressing failures of online security … not for the brilliance and sophistication of the attack (it was neither), but the failure to address simple common-sense security issues:

I’ve written about 1988’s Morris worm, and I wanted to dig into the source of the Mirai botnet (helpfully published by the author) to see how far we’ve come along in the past 28 years.

Can you guess how Mirai spreads?

Was there new zeroday in the devices? Hey, maybe there was an old, unpatched vulnerability hanging — who has time to apply software updates to their toaster? Maybe it was HeartBleed 👻?

Nope.

Mirai does one, and only one thing in order to break into new devices: it cycles through a bunch of default username/password combinations over telnet, like “admin/admin” and “root/realtek”. For a laugh, “mother/fucker” is in there too.

Default credentials. Over telnet. That’s how you get hundreds of thousands of devices. The Morris worm from 1988 tried a dictionary password attack too, but only after its buffer overflow and sendmail backdoor exploits failed.

Oh, and Morris’ password dictionary was larger, too.

August 26, 2016

QotD: France’s “burkini” ban

Filed under: France, Liberty, Quotations, Religion — Nicholas @ 01:00

France, like the rest of the liberal West, gets this exactly and lethally wrong. First we forbid individuals their natural right to set the rules within their own property, to exclude and admit who they choose, to demand the burkini or to ban it. Then we set the law on people for the crime of wearing too much cloth on the public beach. A photograph is reproduced worldwide showing three armed male policemen standing over a Muslim woman and making her remove the clothes she considers necessary for modesty. Whatever your opinion of Islam and its clothing taboos, does anyone in the world believe that this makes the next jihadist attack less likely? To call it “security theatre” would be a compliment. The popular entertainment it calls to mind is that of the mob stripping and parading une femme tondue.

Natalie Solent, “Security strip”, Samizdata, 2016-08-24.

April 1, 2016

QotD: The real purpose of the TSA

Filed under: Government, Liberty, Quotations, USA — Nicholas @ 01:00

The big pretend that costuming and repurposing mall food court workers as “security” will be anything approaching that has fooled the lazy American public that takes its civil liberties for granted.

They miss most of the items in DHL tests of their detection abilities, and really, it is clear that this is not security but a jobs program for unskilled earners, a cash program for former government employees like Michael Chertoff and the companies they are associated with, and obedience training for the American public — to be docile in the face of their rights being yanked from them.

Amy Alkon, “The Tragedy In Belgium Shows Up The Utter Fallacy That The TSA Will Keep You Safe”, Advice Goddess Blog, 2016-03-22.

December 12, 2015

The US government’s no-fly list

Filed under: Bureaucracy, Government, USA — Nicholas @ 02:00

Kevin Williamson on the travesty that is the no-fly list:

There are many popular demons in American public life: Barack Obama and his monarchical pretensions, Valerie Jarrett and her two-bit Svengali act, or, if your tastes run in the other direction, the Koch brothers, the NRA, the scheming behind-the-scenes influences of Big Whatever. But take a moment to doff your hat to the long, energetic, and wide-ranging careers of three of our most enduring bad guys: laziness, corruption, and stupidity, which deserve special recognition for their role in the recent debates over gun control, terrorism, and crime.

The Democratic party’s dramatic slide into naked authoritarianism — voting in the Senate to repeal the First Amendment, trying to lock up governors for vetoing legislation, and seeking to jail political opponents for holding unpopular views on global warming, etc. — has been both worrisome and dramatic. The Democrats even have a new position on the ancient civil-rights issue of due process, and that position is: “F— you.” The Bill of Rights guarantees Americans (like it or not) the right to keep and bear arms; it also reiterates the legal doctrine of some centuries standing that government may not deprive citizens of their rights without due process. In the case of gun rights, that generally means one of two things: the legal process by which one is convicted of a felony or the legal process by which one is declared mentally incompetent, usually as a prelude to involuntary commitment into a mental facility. The no-fly list and the terrorism watch list contain no such due process. Some bureaucrat somewhere in the executive branch puts a name onto a list, and that’s that. The ACLU has rightly called this “Kafkaesque.”

Here’s where our old friends laziness and stupidity play a really prominent role: The no-fly list is not composed of identities, but merely names. Lots of people share the same name. So, for instance, the late Senator Ted Kennedy ended up on the no-fly list, because somebody had used his name (or a similar name) as an alias. Among people called “Kevin Williamson,” we find myself, the famous Scream screenwriter, a notable Scottish politician and political activist (he is also the author of Drugs and the Party Line), a Canadian entertainment journalist, a fine woodworker who sells his wares on Twitter, and a famous underwear model for whom I am unlikely to be mistaken. If a trip to the DMV or the IRS one day eventually sends me over the edge into full-on barking mad durka-durka-Mohammed-jihad territory, those other Kevin Williamsons are going to suffer simply because we share a name.

And, of course, every third actual dirtbag terrorist has the same name as a million other ordinary schmoes, because Arabic names tend to be a little repetitive. (Is there a Mohammed al-Mohammed in the house? Seriously, go to LinkedIn and see how many graphic designers and accountants walking this good green Earth share that name.)

October 3, 2015

The TSA and the transgendered traveller

Filed under: Liberty, USA — Nicholas @ 04:00

Scott Shackford on the special hell the TSA reserves for transgendered air travellers:

When Shadi Petosky began tweeting about her terrible treatment at the hands of Transportation Security Administration (TSA) workers at Orlando International Airport on Sept. 21, she detailed an experience of being ordered around, patted down, dehumanized, and threatened. She was describing a situation familiar to anybody who gets caught up in the agency’s airport security theater.

Petosky is also transgender, and that played heavily into her experience. But being transgender and tripping up alerts at airports and getting taken aside or treated poorly is also not a new problem with TSA screening, though it was the first time Petosky, a writer and producer, had an encounter this bad. While she was tweeting her experience, other transgender people on Twitter responded about having similar problems.

What’s new is that Petosky’s encounter ended up getting significant news coverage, from The New York Times, to the Los Angeles Times, to Vox.com, along with television networks. The coverage highlighted a problem that has persisted for a while: TSA agents are not well-trained to deal with transgender travelers, leaving these flyers uncertain of what to expect when going through airports. Furthermore, the screening technology used for scanning bodies passing through the airport has no real mechanism for recognizing the biology of transgender travelers, prompting confusion to trigger completely unfounded security fears.

Many travelers may not even realize it, but as they’re forced in to spread eagle for body scanners in security lines at the airport, a TSA agent is pressing a button telling the machine whether the person inside is a male or female. They don’t ask—they just look and decide. In Petosky’s case, the TSA employee saw a woman and pressed the appropriate button. And then the employee declared there was an “anomaly,” which Petosky bluntly explains to Reason, is her penis.

July 11, 2015

Reason.tv – The TSA’s 12 Signs You Might Be a Terrorist

Filed under: Bureaucracy, Humour, USA — Nicholas @ 02:00

Published on 9 Jul 2015

Traveling this summer? Avoid these officially terrorist-y behaviors—or you might get detained.

January 10, 2015

Sub-orbital airliners? Not if you know much about economics and physics

Filed under: Economics, Technology — Nicholas @ 02:00

Charles Stross in full “beat up the optimists” mode over a common SF notion about sub-orbital travel for the masses:

Let’s start with a simple normative assumption; that sub-orbital spaceplanes are going to obey the laws of physics. One consequence of this is that the amount of energy it takes to get from A to B via hypersonic airliner is going to exceed the energy input it takes to cover the same distance using a subsonic jet, by quite a margin. Yes, we can save some fuel by travelling above the atmosphere and cutting air resistance, but it’s not a free lunch: you expend energy getting up to altitude and speed, and the fuel burn for going faster rises nonlinearly with speed. Concorde, flying trans-Atlantic at Mach 2.0, burned about the same amount of fuel as a Boeing 747 of similar vintage flying trans-Atlantic at Mach 0.85 … while carrying less than a quarter as many passengers.

Rockets aren’t a magic technology. Neither are hybrid hypersonic air-breathing gadgets like Reaction Engines’ Sabre engine. It’s going to be a wee bit expensive. But let’s suppose we can get the price down far enough that a seat in a Mach 5 to Mach 10 hypersonic or sub-orbital passenger aircraft is cost-competitive with a high-end first class seat on a subsonic jet. Surely the super-rich will all switch to hypersonic services in a shot, just as they used Concorde to commute between New York and London back before Airbus killed it off by cancelling support after the 30-year operational milestone?

Well, no.

Firstly, this is the post-9/11 age. Obviously security is a consideration for all civil aviation, right? Well, no: business jets are largely exempt, thanks to lobbying by their operators, backed up by their billionaire owners. But those of us who travel by civil airliners open to the general ticket-buying public are all suspects. If something goes wrong with a scheduled service, fighters are scrambled to intercept it, lest some fruitcake tries to fly it into a skyscraper.

So not only are we not going to get our promised flying cars, we’re not going to get fast, cheap, intercontinental travel options. But what about those hyper-rich folks who spend money like water?

First class air travel by civil aviation is a dying niche today. If you are wealthy enough to afford the £15,000-30,000 ticket cost of a first-class-plus intercontinental seat (or, rather, bedroom with en-suite toilet and shower if we’re talking about the very top end), you can also afford to pay for a seat on a business jet instead. A number of companies operate profitably on the basis that they lease seats on bizjets by the hour: you may end up sharing a jet with someone else who’s paying to fly the same route, but the operating principle is that when you call for it a jet will turn up and take you where you want to go, whenever you want. There’s no security theatre, no fuss, and it takes off when you want it to, not when the daily schedule says it has to. It will probably have internet connectivity via satellite—by the time hypersonic competition turns up, this is not a losing bet—and for extra money, the sky is the limit on comfort.

I don’t get to fly first class, but I’ve watched this happen over the past two decades. Business class is holding its own, and premium economy is growing on intercontinental flights (a cut-down version of Business with more leg-room than regular economy), but the number of first class seats you’ll find on an Air France or British Airways 747 is dwindling. The VIPs are leaving the carriers, driven away by the security annoyances and drawn by the convenience of much smaller jets that come when they call.

For rich people, time is the only thing money can’t buy. A HST flying between fixed hubs along pre-timed flight paths under conditions of high security is not convenient. A bizjet that flies at their beck and call is actually speedier across most intercontinental routes, unless the hypersonic route is serviced by multiple daily flights—which isn’t going to happen unless the operating costs are comparable to a subsonic craft.

December 22, 2014

Repost – Happy Holiday Travels!

Filed under: Bureaucracy, Humour — Nicholas @ 00:02

H/T to Economicrot. Many many more at the link.

October 31, 2014

US government’s no-fly list at an all-time high

Filed under: Government, Law, Liberty, USA — Nicholas @ 07:13

In The Atlantic, Conor Friedersdorf talks about the travesty that is the US government’s no-fly list:

An image accompanying the scoop starkly illustrated an out-of-control watchlist. (The Intercept)

Months ago, The Intercept reported that “nearly half of the people on the U.S. government’s database of terrorist suspects are not connected to any known terrorist group.” Citing classified documents, Jeremy Scahill and Ryan Devereaux went on to report that “Obama has boosted the number of people on the no fly list more than ten-fold, to an all-time high of 47,000 — surpassing the number of people barred from flying under George W. Bush.” Several experts were quoted questioning the effectiveness of a watch list so expansive, echoing concerns expressed by the Associated Press the previous month as well as the ACLU.

The Intercept article offered a long overdue look at one of the most troubling parts of the War on Terrorism. Being labeled a suspected terrorist can roil or destroy a person’s life — yet Team Obama kept adding people to the list using opaque standards that were never subject to democratic debate. Americans were denied due process. Innocent people were also put on a no-fly list with no clear way to get off.

As the ACLU put it, “The uncontroversial contention that Osama bin Laden and a handful of other known terrorists should not be allowed on an aircraft is being used to create a monster that goes far beyond what ordinary Americans think of when they think about a ‘terrorist watch list.’ If the government is going to rely on these kinds of lists, they need checks and balances to ensure that innocent people are protected.” The status quo made the War on Terror resemble a Franz Kafka novel.
