Monday, August 15, 2005
No one Knows You are a Security Expert...
The above is a famous old cartoon which made uncomfortable sense to anyone who has ever had an online chat (or worse, online sex) with someone they had never seen in real-life.
A more recent phenomena, particularly with the advent of easy content-publishing such as blogging, is that "On the Internet, everyone's an expert" illustrated wonderfully by this quote on a reptile farming forum:
On the internet everyone is an expert. Laughing Any moron can have a website and post up all sorts of half-truths and misguided opinions, look at me for example.....I have like 10 websites (I lost count). Seriously though, be really careful what advice you take from websites, I have literally KILLED animals using advice found online. A long time ago I...ended up with mites on most of my animals, long story short I was in need of a treatment for mites. Didn't know anything about them or what to do so I looked around online until I found a treatment. The site said to use a diluted mix of water and Nix (the lice med) and bathe the animals in it. Well it killed the mites for sure but it also killed my 2 geckos and left my HMD and Iggy in a daze for about a week and probably killed off more brain cells than smoking crack.Meanwhile, there are 'experts' online giving advice about everything from healthcare (on Indymedia) to weapons and self-defense. Scary!
Alternatively, there are those who exploit their fame, looks or celebrity in one area, to push an opinion about which they are no more informed or qualified to air than anyone else. Team America paid 'tribute' to most of those in the "Film Actors Guild" for precisely this.
Here however is an interesting one. While curiously researching hacking sites for my recent posts on Hacking, activism and cyber-security, I came across Bruce Schneier. According to a quote on his website, The Economist said: "He is one of the world's leading experts on computer security, and arguably the most articulate.... " so I read some of his material and came across the latest issue of his email publication which was discussing the controversial issue of profiling as applicable to security.
"Profiling works better if the characteristics profiled are accurate. If erratic driving is a good indication that the driver is intoxicated, then that's a good characteristic for a police officer to use to determine who he's going to pull over. If furtively looking around a store or wearing a coat on a hot day is a good indication that the person is a shoplifter, then those are good characteristics for a store owner to pay attention to. But if wearing baggy trousers isn't a good indication that the person is a shoplifter, then the store owner is going to spend a lot of time paying undue attention to honest people with lousy fashion sense.It is my belief that many tradeoffs are worth it. If I have to spend an extra hour before I board my flight, and this has the slightest chance of preventing my death, I think it is worth it and don't get annoyed. If members of certain groups feel harassed, I believe my physical safety takes precedence over some peoples' feelings. Sorry.
"In common parlance, the term 'profiling' doesn't refer to these characteristics. It refers to profiling based on characteristics like race and ethnicity, and institutionalized profiling based on those characteristics alone. During World War II, the U.S. rounded up over 100,000 people of Japanese origin who lived on the West Coast and locked them in camps (prisons, really). That was an example of profiling. Israeli border guards spend a lot more time scrutinizing Arab men than Israeli women; that's another example of profiling. In many U.S. communities, police have been known to stop and question people of color driving around in wealthy white neighborhoods (commonly referred to as 'DWB' -- Driving While Black). In all of these cases you might possibly be able to argue some security benefit, but the trade-offs are enormous: honest people who fit the profile can get annoyed, or harassed, or arrested, when they're assumed to be attackers.
Our opinions differ, however he is entitled to his. Here however, is where it goes off the rails:
Despite what many people think, terrorism is not confined to young Arab males.Sorry? Who said they had to be young Arab males? There is another ethnic trait of that region which has been overlooked. Schneier continues:
Shoe-bomber Richard Reid was British.(and Muslim)
Germaine Lindsay, one of the 7/7 London bombers, was Afro-Caribbean.and also known as Abdullah Shaheed
Jamal - Muslim.
"In 1987, a 70-year-old man and a 25-year-old woman -- neither of whom were Middle Eastern -- posed as father and daughter and brought a bomb aboard a Korean Air flight from Baghdad to Thailand. En route to Bangkok, the bomb exploded, killing all on board.Schneier doesn't mention they were North Korean agents. Members of the 'Axis of Evil' also deserve profiling says me...
The 2002 Bali terrorists were Indonesian.No, they were Indonesian Muslims. While the dominant religion in most of Indonesia is Islam, 90 percent of Bali's 3 million residents are Hindu and as a result of the terrorism, the 75 percent of Balinese who depend on tourism to make a living were screwed.
Schneier addresses some wrong perceptions (somewhat):
And many Muslims are not Arabs. Even worse, almost everyone who is Arab is not a terrorist -- many people who look Arab are not even Muslims. So not only are there an large number of false negatives -- terrorists who don't meet the profile -- but there an enormous number of false positives: innocents that do meet the profile.But this is only if, as Schneier suggests, law-enforcement are looking for "Arabs" or "Arab Males". Islamic terrorists come in all shapes, sizes and colours. If law-enforcement are looking for an Osama bin-Laden parody, they may miss a genuine terrorist. If on the other hand, they are aware of a trait which which Schneier has ignored, they stand a much better chance of avoiding the predominant current source of terrorism.
To ignore this common thread suggests Schneier has missed a crucial fact in order to make his point. Reading some of the other (very interesting) material on the same page, I believe he should stick to securing companies and computer networks but move away from counter-terrorism. Quickly.
On the other hand, he points to this cartoon which sums up part of the problem.
Yes these issues are uncomfortably difficult, particularly for those who have never and would never do anything wrong yet are singled out because of some who would. However, if we do not discuss these matters frankly and genuinely, the problems of terror won't go away.