Safe/Break


I used to work in a place with a burglar problem. Every few weeks, someone would break in and steal some stuff - usually computers or other electronic equipment.

Exactly why anyone would want to steal those computers I don't know - they were obsolete, bought 3rd hand, and so slow I could literally read a book while doing my job. In fact, that's the reason I stayed in the job.

But evidently someone was dumb enough to come back time after time to steal stuff that belonged on the scrap heap...or there were lots of people dumb enough to do it once each. Either way, the staff weren't too concerned, because either the machines would get replaced with new ones that worked properly, or they wouldn't and we'd all get even more reading time waiting for the remaining computers to become available. The latter is what actually happened.

There was a night watchman. He was usually asleep. Sometimes I had to wake him up after spending my night-shift lunch break cruising in the park just over the road. That was the other reason I stayed in the job.

The staff turnover was so rapid, there was no way he'd even know who had a right to be let in and who didn't. Personal ID cards? Expensive to initiate, easily faked, and no one bothers to check them anyway.

One night he let in some strangers by pushing the 'door release' button on automatic pilot before settling back to his dream. The next day a dozen computers were gone, and then so was he.

His replacement lasted a month, before there was another break in. The security footage clearly showed him, awake and alert, letting in the thieves and helping them carry stuff out. It turned out he'd spent two terms in jail for doing exactly the same thing in other places. Three now.

I once had a very enlightening conversation with a security guard at the local university. He was quite open about the fact that maybe half those in his profession had criminal records, and at least half had drink or drug problems. He drank himself, but never on duty.

Nice fellow - and better at fixing the photocopiers than the highly qualified library staff.

You are probably not Barack Obama, but if you are, there is an FBI man standing outside the home of each of your close relations - and not so close ones.

If you're the president's aunt, there's a man in a suit - maybe more than one man - guarding you against any possible plots to kidnap you as a way to blackmail the government.

There's just about zero chance of anyone trying to do such a thing, but someone is slowly developing a mental illness because they do nothing for hours every day but quietly watch your house to prevent it.

I recall one case of a teenager who hacked into NASA using a guessed password - a row of sixes.

I'd be willing to be bet that, for all your online accounts, you either use the same or a very similar password for them all...or you use a different one for each but they're all written down on a bit of paper close to your computer.

This week, someone asked me to have a look at their old laptop.

The problem and solution were obvious - it needed windows reinstalling, which meant it needed to boot from the CD drive, which meant the BIOS needed to be configured to allow this, which meant I needed to get into the BIOS to configure it, which meant I needed the password to do so.

So how do I get this password? Simple, I go to the Hewlett Packard website, download a form, print it out, fill in the laptop's serial number printed on its underside, and fax the result to HP, who will send me the password.

Either that, or I take apart the laptop with a screwdriver, find the CMOS battery and remove it for ten seconds.

Have you noticed how the word 'security' refers both to measures taken to be more secure, and to the sensation of feeling reassured?

This may not be a coincidence, because the majority of security measures seem to serve solely to give reassurance to the nervous uninformed.

There's no reason to put a password on a computer's BIOS, because there's no sensitive information there, and even if there were, it's easy to bypass. It serves only to make legitimate maintenance inconvenient, and slightly slow down any illegitimate access. Or would do, if there were such a thing.

Hundreds of good FBI agents quit in disgust and/or need therapy because they're guarding against something which is somewhat less likely to happen than their protectee being struck by lightning.

Warehouses and office blocks everywhere are patrolled by exactly the people least suitable for the job - the easily led, the drunk or stoned, sometimes the habitually criminal, generally those with little to gain by doing their job well, and little to lose by not doing it at all. It's not like they're paid enough to care.

Most of the time, security measures seem to serve one of two purposes. One is to make some group feel secure. The other, as with immigration security, is to make a group feel insecure. Either way, it's about feeling safe, not being safe.

4 comments:

  1. One of my former buds from high school who was a big drug user and all around loser was hired in at the new casino as a member of the security staff. I wouldn't have trusted him to feed my pet goldfish. It took them a few months but I'm guessing they finally did a more thorough background check as they eventually fired him.

    ReplyDelete
  2. Well said. I don't know if you read Bruce Schneier's blog, but he has a lot to say about this kind of security theatre. Funnily enough, the same principle applies to the whole 'bored Secret Service agents watching the president's relatives' thing, as well; people feel there should be specific, visible reassurance when sometimes the best you can do is general security improvements that don't look impressive. Maybe your old employer could've headhunted all those FBI agents who quit to protect their third-rate computers, though ;).

    ReplyDelete
  3. @David: Ah, background checks. In the UK, they take at least a month, and they're fixated on sex crimes against children.

    I'm a teacher with a conviction for violence (alcoholic boyfriend - usual story), and I've colleagues with convictions for drug possession and what you might call 'protesting without a licence'.

    We've all taught while the check was being applied for, and the results have never been an issue.

    My last little job involved teaching pre-teens, and I don't think the school even bothered with a check.




    @Alex: "Security Theatre" - that's a good term for describing it. I'd heard of Schneier vaguely before (probably in connection with cryptogtaphy) but not come across his blog. It's always nice (and a little surprising) when an expert like him agrees with an amateur like me.

    My local government buildings are crawling with fat men sauntering about in security guard uniforms. There's almost no actual staff - sometimes literally half have been laid off.

    All the security men have ostentatiously visible earpieces - which I suspect the brighter ones have connected to their mp3 players.

    ReplyDelete
  4. He was quite open about the fact that maybe half those in his profession had criminal records, and at least half had drink or drug problems.

    I've heard the same thing from a reliable source.

    ReplyDelete