14 February 2009

A Real Trojan For You

Security Kabuki. Or as Bruce Schneier would likely label it, "Security Theater", so I will pay homage to Mr. Schneier as I further that theatrical theme. I say Kabuki as it is highly dramatized and the outfits (uniforms in many cases) are usually something to die for...or at least something that will scare you to death.

I have all the respect in the world for law enforcement, the Armed Forces, Coast Guard, anyone in public safety or service. Big ups. God Bless them. However, some of the processes appear to be more laughable than laudable. I witnessed something a couple weeks ago that brought a memory rushing back. Have been going to drop a blog about it as it brought back memories and kind of stewed and simmered in my cavernous skull. I'll likely break this into several posts so as not to make it too lengthy and sleep inducing.

I drove onto a secure government facility where I had official business during one of our periods of heightened alert. This means there were more people out front with more and bigger guns than normal. More vehicle searches, etc. So, here I come in my wife's minivan. Wearing the credentials of the group with which I am affiliated that has a building on the complex. I would be known as a semi-regular at the time I suppose. As I pull up in line for the semi-permanent checkpoint I am in one of two lanes behind several vehicles. I am out of coffee and becoming upset at that or myself for not filling a second mug.

So, bored and out of java, I begin to watch the folks in uniform with automatic weapons and their searching of the vehicles. I notice something interesting. Large trucks with lots of boxes in the back. The "Routine", after watching a couple of trucks, seems to be: man in uniform with weapon opens rear door, stares at boxes for ten seconds, pulls door down and secures. Sends driver on his/her way.

Okay, so, that is not the most secure process to witness (having worked in a prison early in my days and having had to get up in the back of trucks, open and move boxes for vehicles coming and going, I have an idea of how the process is supposed to go; not that prisons are all that secure, but more on that another time).

Next up comes Sally Soccermom in her Volvo station wagon. Well, certainly they are going to wave her through or only do the cursory review like with the trucks. Hmmm, they have Sally out of the vehicle. They are opening all doors. Opening hood and inspecting engine compartment. Well, where did that K-9 come from--he must have been in the German Shepherd Port-o-John when the trucks were out here. Out of the back seat of the car come the two baby-seats onto the asphalt. German Shepherd does a once through. And then another pass. Luckily no rubber gloves, hoses, etc. are used on Sally nor are any soccer moms harmed in the retelling of this event.

I witnessed about eight different vehicles with the same results. Being a security guy (and/or having watched a Holiday Inn Express commercial last night to gain some expertise), I begin to think the obvious: which is the bigger threat? Trucks filled with boxes (or a false front of boxes), or the Volvo with baby seats? I just would not want the bigger delivery vehicle coming to the inner sanctum with just a wave. It is like the guys drinking the baby formula before getting on the plane to prove it isn't explosive, while lax security surrounds the physical access to the plane itself on the ground for maintenance. Maybe the process was correct and it is a people issue. How to motivate people to do the hard work and get their butts up into a truck where the real threats may present themselves. I am a big guy and I could have hidden a dozen of me behind the first row of boxes in each of the trucks. Or worse.

I could see doing everyone the same and that would not cause me to throw the penalty flag. K-9s and Volvos and minivans?

Believe it or not, that one morning watching the trucks get the wave through has been repeated several times as I have watched security at other places. This fits with Johnny Long's book or No-Tech Hacking presentation from DefCon or Shmoo (Google if the link is dead). Perfect example of where to just sit and watch to find the weaknesses in systems to later exploit them for a penetration test. Only, it is a bit scary how many places you can observe this. And at banks. And at. Well, I'll stop. For now. It is late here. 00:45 (UTC -4:00).