Thursday, February 12, 2009

When security takes over

The other day at work I was taking my annual Information Assurance Awareness Training. This training is supposed to teach me how to protect our information systems, also known as our computers. One of the first statements that I was presented with, after I got past their paranoid scenario whereby hackers have brought down our economic system by taking over the federal pay system and writing themselves paychecks, is the fact that I, as an insider, am the greatest threat to our information systems. Now, I realize that inside threats are the most difficult to protect against. We have, after all, deliberately been given access to those systems. But I really think they could have worded it better. They could have told me that I was a key element in information system security, thereby trying to enlist me as an ally rather than immediately branding me as an enemy. This sort of thing does, however, shed some insight into the mindset of the security people. In their universe, it seems, everything and everyone is a potential threat.

Now, in my day job I am a system safety engineer on military systems and I understand the necessity of evaluating risk. In fact, evaluating risk is something that we all do, whether or not we realize it, every day. But if I adopted the mindset of the security culture, I wouldn’t let anyone do anything because I wouldn’t trust them to do the right thing. This is a road that our information security folks seem to be heading down. For several years now, I have not had any administrative privileges on my computer; I can’t even open up the system clock to look at the calendar because I might change the time. Recently they have restricted our emails to plain text only, ostensibly to reduce the bandwidth of our email traffic to make room for the digital signatures that have now become mandatory. Yeah, I don’t really buy their reason, either, but at least they gave us a reason, which is more than they did a couple of months ago when they suddenly banned us from using thumb drives.

Banning the thumb drives actually created a lot of problems. It isn’t easy for us to share our files on our computer networks because we are limited to 10Mb for our email attachments. Fine, you say, why not just post the file to a server? Well, that works, if you’re in my immediate organization, and if I’ve been given write permission to that folder, but access is restricted, and we have limited server space. We have been cleared to use USB hard drives, but not everyone has those, and it is not so easy for us to order supplies, so a lot of CDs are getting burned. Of course, they never told us why we couldn’t use the thumb sticks, and they probably won’t ever let us use them again. Maybe they think that sharing their reasons with us will somehow weaken their security posture. Or maybe, somewhere, deep inside, they know how utterly absurd what they are doing is. Nah, I don’t buy that either.

All of this shows what happens when one factor outweighs all other considerations. In this case that factor is security. Someone, somewhere, doesn’t want to balance security with our ability to perform our jobs. It is just easier to ban things than it is to put an intelligent security policy in place. It is also apparently easier to turn us all into enemies, rather than to enlist us as allies. If I used this approach in my system safety work I would end up killing our soldiers because I would have made the system so safe they wouldn’t be able to use it effectively when they needed to.

The end result of this securitizing (ugly word, isn’t it, well it’s an ugly concept) is the empowerment of the security elements and the disempowerment of the productive elements of our society. Look at what the Federal Government has been doing with airport security. How many hours are being wasted every day by business travelers? How many millions of dollars of taxpayer money are being wasted every year on this Security Theater? With security, as with system safety, a little bit of effort will get you a lot of return, but you can never achieve absolute security, just as you can never achieve absolute safety. It is wasteful, and an abuse of power, to even try.

Sunday, February 1, 2009

The Demise of the Beer Fairy

Twice a month, for the past four years, the beer fairy has been leaving boxes of beer at my door. Sadly, the beer fairy will no longer be visiting us. Why? Because of the Adult Signature Required.

This wasn't a problem with the previous shipper that the company was using, because they left the packages, but a couple of months ago they had to switch shippers. First they went to FedEx. I had almost worked out an arrangement with the FedEx delivery guy to leave our boxes of beer in our shed, but not before we had to actually go to the local home delivery shipping center to pick up one of our deliveries. Let me digress a minute and talk about the customer service at FedEx - there isn't much. All you can do is call their 800 number, you can't talk to anyone local, and they didn't even list the address of the local shipping center on the notice I received. To find out the hours of the local shipping center I had to call the 800 number and they had to put me on hold while they called the local shipping center.

I imagine that the company that was sending me my beer received a lot of complaints, because after shipping with FedEx for only two months, they switched to UPS. UPS is better to deal with than FedEx, and their customer service center is at least easy to get to. (Finding the FedEx local shipping center required a guide dog and a Ouija board.) Unfortunately, I was unable to work out an arrangement with the UPS driver to leave my beer in our shed, even when I provided a padlock for the latch. Unable to make any other arrangements for delivery - my neighbors all work, and receiving regular deliveries at my work place was not possible - I had to cancel my subscription.

When I talked to the customer service at the company sending me the beer I did suggest what I considered the best solution - go back to FedEx, arrange for Saturday deliveries and email me a shipping notice so I knew it was coming. I don't know if they will adopt my suggestions.

What bothers me the most about this, besides the fact that I will no longer have yummy beer delivered to my doorstep every month, is that the laws that we have governing access to alcohol are hurting a productive business. I understand that the purpose of requiring an adult signature is to keep alcohol out of the hands of minors. But I'm not really sure that, at least where I have lived, this is really that great a risk. For two of those four years I lived in an apartment complex that had a lot of families, including teenagers, and I never had my beer stolen. The boxes are not labeled. Frankly, I think boxes of Godiva chocolate are more at risk - they advertise their contents boldly on their boxes. I don't know about you, but if I saw a box of Godiva chocolate sitting unattended on a doorstep, I might be tempted to filch it.

But there is a deeper issue here - the idea that our government, whether it be state or federal, needs to protect us from ourselves, even if that means infringing on our rights. Despite all of the best (or worst) efforts of our lawmakers, you can't legislate morality or common sense. Laws will never replace the bonds of civil society. Laws are necessary, to protect property rights, for example, but too many of our laws are focused on restricting the actions and choices of people. I am a libertarian and I believe in individual freedom and responsibility. I know that our society has a lot of problems, but laws will not solve them, only people and communities can solve them. Unfortunately, our modern civilization is not human centered and as a result the social bonds that are so essential for a civil society have been weakened and even broken, but that is a topic for another day.