Cab drivers lecturing on lawsuits

The flat pavement syndrome


A taxi driver writes: The funny thing isn't the cab driver. It's the total, absolute lack of interest in the issue of the ID card.

For those of you who don't read Sunday papers, the story that occupied my attention for most of last week was not the preparation for this week's Wireless Event in London, it was the fact that I was exposed as being a moonlighting taxi driver - and one who, when asked whether Apple should have won the judgement against Apple, clearly hadn't a clue what the question was about.

Great fun! - and an episode which will probably make it into the all-time blooper list, with past generations asking why I was regarded as any kind of high tech columnist - but the question which should be asked is: "How can someone who is so clearly not the right person get past security in such a high-profile target building as the BBC TV Centre in London?"

A friend used to specialise in doing penetration testing for blue-chip financial institutions. That means, his job was to hack into their security systems, to see if they were really secure. That meant, all security - computer, front door, vaults, funds transfer - everything. I took him out for dinner one evening when he was visiting London, and found him in a state of giggles.

"I've just done five days of intensive pen testing of this major merchant bank," he told me over our first cocktail. "I've been going in and out of their head office wearing a badge which looks exactly like the official badge. I've been going underneath a row of five - count them! five! - CCTV cameras every time I go into their marble HQ."

And?

"And I've been wearing a badge all the time, showing my name as Armitage Shanks."

For readers who don't live in the UK, it may not be blindingly obvious how stupid that is, but anybody who has ever used toilet facilities in a public building in Britain will recognise the name on the vitreous enamel that adorns most Ladies and Gents. In short, Armitage Shanks is not the name of any living human. It should be instantly apparent on first glance that this is a hoax.

So, why wasn't it?

"Because," said my expert friend, "the more authoritative the form is in appearance, the less likely anybody is to challenge it."

And thus we head on to biometrics and ID cards. At some stage in the future, Britain will follow the lead of the US Government, which is mandating passports with embedded biometrics. Only a science fiction writer could do justice to the scene that is likely to unfold when this becomes universal, but the essence of the story is easy to describe: people who have passports with embedded biometric data will be waved through, and people without them will be subjected to gross indignities - starting with three-hour queues at airports, and concluding with intimate body searches and incarceration until your bona fides can be verified.

Inevitably, the result of that will be that criminals with well-forged biometrics passports will walk freely in and out of the USA, while legitimate business travellers from poorer, less-techie countries will be terminally discouraged from going there. And we won't even discuss the possibility that there are any such people as American criminals...

Something like that appears to be the mentality of most security systems. I'm not just talking about the habit of putting wooden wedges under doors which are computer controlled (to make sure the staff who work behind the door can get to the loo without finding their ID cards) or farcical situations where an anonymous taxi driver can find himself sitting in front of live TV cameras, talking about internet downloads because he has what appears to be a valid piece of plastic. I'm talking about the habit of safety.

Ironically (ask any safety engineer), the more efficient the system is, the less the people who work there think about it. At a security round table where I was called upon to lecture recently, I called this the "flat pavement syndrome."

Flat pavement syndrome is the reflex which makes people trip over a paving stone which is only a couple of millimetres out of alignment. Your normal reflexes adjust the length of your leg, when walking. Yes, really! - your leg is shorter when you walk across rough turf. Your muscles automatically pick your feet up higher, because you've tripped over tussocks in the past.

By contrast, when you're striding along a tiled floor, your foot skims along just above the ground, with a precision that is astonishing. You can (try it!) kick a bottle-top that is lying on such a floor, without missing it or kicking the floor.

And your mind makes a similar adjustment to the perceived security threat. If you are in a building where people are severely processed before being allowed in, it will never cross your mind to suspect anybody you meet of having been smuggled in.

The same applies to the way computer programmers write code. If you have a truly robust firewall, with the latest intrusion prevention and detection robots, it simply defeats security, because the people behind that firewall see no reason to "lift their feet high" over security risks. Why should they? - the bots take care of all that.

And that's why so much software is written to be inherently insecure.

I enjoyed a long debate with Mike Armistead of Fortify, who is getting a lot of what our American colleagues call "Traction" with a series of security products aimed at making code invulnerable. If software is written with tools and procedures that make unauthorised functions impossible to hijack, then "we can get rid of the firewalls", Armistead said.

Security, he says, is not the responsibility of "someone else" - with a peaked cap on. It's got to be inherent in our approach to system design.

Whether a system can be designed to be inherently secure enough to overcome the human determination to ignore it is a question I can't answer. I do feel that a security system which is too clumsy to implement is guaranteed to fail: put too many people in uniforms with guns at the front door, and all you achieve is to make the back door the usual way in.

On the other hand, isn't the world much more fun with cab drivers lecturing about a lawsuit between Apple Computer and Apple Corps? Perhaps we should encourage the random element? ®

Watch the BBC clip at Newswireless.net (WMV file).

Related links

The Daily Mail story
