From: Harvey Newstrom (mail@HarveyNewstrom.com)
Date: Thu Jul 25 2002 - 06:20:27 MDT
On Thursday, July 25, 2002, at 01:05 am, Lee Corbin wrote:
> First, I should make it clear that I am not a security professional, and
> although that doesn't necessarily make my points invalid, it does show
> that my points need not be taken entirely seriously. Of course,
> people's
> remarks since the dawn of time have always been understood and taken
> in the context of just who is speaking, but it's interesting that on the
> Extropians list, deference to authority often rises to an explicit
> level.
No one should defer to authority on the basis of "authority". That is
one of the classical logical fallacies, an appeal to authority. it also
violates the basic ideas of freedom and libertarianism, the people can't
decide for themselves. However, there is a good deal of knowledge that
comes with training, experience and professionalism. When discussing
how things work, it is often useful to talk to people who actually work
in the field and have actually has some level of expertise in a
subject. There are almost always vast gaps between what everyone thinks
they know and how things really are.
> Yes, any person with reasonably good judgment who regularly flies
> will tell you their opinion of the "idiotic" current procedures.
Yes. But there is a big difference between "any person" with
"reasonably good judgement" and an actual professional with expertise in
the field. I wish we have more real experts on the extropians list.
But I have long lamented that it seems like those with real expertise in
futuristic technologies are too busy to participate in a time-consuming
list like this one.
> The "zero tolerance" being pursued by
> the present American administration makes no sense to me.
I don't know why you would say this, when you give the perfect example
of a zero-tolerance system below:
> "El Al... receives daily threats, [yet] has not experienced a
> terrorist incident in over thirty years. Its success is mainly
> due to its tight on-site security. Each passenger each time he
> or she flies is psychologically evaluated. Carryon bags are
> checked multiple times. In essence, El Al's security system
> works from the assumption that every passenger is a threat,
> and treats him or her accordingly."
This is a perfect example of what the article Hal posted was talking
about. It also falls directly in line with what experts in the security
profession are saying. Profiling doesn't work. Every individual must
be processed, each on their own merits. Every bag must be screened,
preferably multiple times. The American system is not "zero
tolerance". It uses profiling to focus on the most likely targets and
deliberately allows some people and some bags to pass through the system
unseen. Until we process all passengers and bags, as does El Al, we
will not be safe.
> By asking good questions the well-trained and highly
> intelligent Israeli security personnel succeed where
> ours fail. The article is, to me, rightly explaining
> why we cannot automate security in the way that the CAPS
> system attempts. As Harvey and Hal point out, it makes
> it rather easy for an intelligent terrorist to evade the
> precautions.
>
> The key word in the above paragraph is "intelligent",
> which I used twice. There just isn't any substitute
> for intelligence.
This is very key. We need a higher caliber of security screeners. They
should be smarter. They should have more training. They should have
more expertise in the field.
> It's also interesting to wonder where "psychological evaluation"
> ends and "profiling" begins. The article mentions the case
> of the "80-year-old grandmother from Texas" which the CAPS
> system algorithmically profiles as a non-threat. My guess is that
> the intelligent El Al security agents doing the psychological
> examination do not fail to note the age and even the ethnic
> composition of the subject, and that this undoubtedly plays
> a part in their assessment, although again, all I can do is
> guess since I'm not a security professional.
They are on opposite ends of the scale. As discussions on this list
have pointed out, it is best to use real information whenever possible.
It is only when detailed information is not available that people are
tempted to start profiling. Profiling means that you don't have
specific information about a person, so you extrapolate it from the
statistical averages for whatever group they are in. The very act of
profiling is an admission that there is not enough information and one
is trying to fill in the gaps.
You shouldn't have to guess since you're not a security professional.
Read a book, do some research, take a class, google search for security
standards. Articles like the one Hal posted are available on the
Internet. There are free study guides for the various security
certifications. No one should guess on this list. Everything is
available on the Internet. The only limiting factor is time and
motivation. As in your specific example above, you can find the El Al
security methodologies discussed online. Instead of guessing, you could
actually find the detailed answers if you desire.
> "While El Al does keep a database of individuals' nationalities,
> genders, criminal
> records and flight histories, this tracking should not be confused with
> the a
> CAPS-like profile. Unlike CAPS, El Al's system only makes a
> determination of
> the risk of a passenger after a security agent has questioned him or
> her.
> CAPS, on the other hand, is a prior system focused on predicting who
> will become a
> terrorist. El Al, through its system of psychological analysis and
> advanced
> baggage screening, has found success in determining who is a terrorist."
>
> Although this is obviously good advice, the U.S.'s situation is not
> that similar to Israel's in several ways, and the U.S.'s needs for
> security, are, in my opinion, not as severe.
This is not only good advice, it answers your question above. This type
of tracking should not be confused with a CAPS-like profile. They are
not the same thing at all. As I said, profiling means you don't have
the needed information. That is the key that makes it invalid and not
work.
> statistical implications of large numbers in our daily lives,
> and I should appreciate others deferring to my judgment about
> such matters.
>
> Lee Corbin
>
> P.S. I must point out that the ironical tone of some of my remarks
> above may not be apparent to all, and for that I express my regrets.
Your irony is not lost on me, especially since it is my statements that
you are quoting, spoofing, and probably trying to malign. I am ignoring
them and trying to respond in a professional manner. However, the great
thing about true professionalism in security or mathematics is that
nobody should ever defer to our expertise. Once we reference a study, a
theorum, or an experiment, everybody should be free to verify it for
themselves. This is called peer review. Results must be repeatable by
others for them to be scientifically valid. Appeal to authority has no
place in logic as a proof. A reference to the current state of
knowledge in a field is not the same as an appeal to authority. Such a
reference allows the individual to do their own research and find out
for themselves whether the claims are true or not. As such, these
references to "common bodies of knowledge" are the exact opposite of an
appeal to authority.
-- Harvey Newstrom, CISSP <www.HarveyNewstrom.com> Principal Security Consultant <www.Newstaff.com>
This archive was generated by hypermail 2.1.5 : Sat Nov 02 2002 - 09:15:39 MST