From: Charles Hixson (charleshixsn@earthlink.net)
Date: Thu May 23 2002 - 14:47:23 MDT

Harvey Newstrom wrote:
> ...
>
>> Or consider a security guard
>> who is deciding whether or not to search someone.
>
>
> As a security professional, I really must insist that standards
> require search of everyone or random searches. You cannot let guards
> try to detect the possible "guilt" of people by looking at them. They
> do not have that skill, and it is not effective enough to base a
> security policy on. Security profiling must be based on individuals,
> meaning behavior or situation. Groupism that includes or excludes
> whole genders or races will instantly fail because the bad guys then
> have a magic profile that will let them through. Just choose a person
> who looks right as your agent, and you get through security. Such a
> security policy would be invalid according to any security standards I
> know.
> ...
> --
> Harvey Newstrom, CISSP <www.HarveyNewstrom.com>
> Principal Security Consultant <www.Newstaff.com>

I wouldn't want to claim that these actions would be an "effective
security policy", but unfortunately many security organizations do
practice this kind of profiling. One might suspect that this is a
racist policy, and in a way I suppose that it is, but I suspect that it is
emergent rather than planned behavior.

Consider that a police officer is expected to conduct some number of
"random" searches in a period of time. Now suppose that the group of
people he is expected to select his targets from has some way that has a
positive probability of selecting those individuals who will be less
able to injure his career. (Say, they are less able to hire a lawyer
and sue for harassment, or some such.) The "random" search will quickly
become non-random for obvious reasons. The projection not only doesn't
need to be perfect, it doesn't even need to be better than chance. It
will still result in non-random selection of targets of investigation.

How often do the security guards search the boss when he leaves the
company compound? Not often! Actually, even in security areas that I
have worked in, people were never searched on leaving (for the day ..
for some reason when I left to go back to college I was searched on the
last day I worked there). This wasn't highly classified though. But I
doubt that the rules changed, except, perhaps, for brief periods of
time. Radiation monitors are something else. But they are 1) passive
and 2) non-obtrusive.

So either everyone gets searched, or the selection of targets is made by
some non-involved process (say, throwing a die). Or the process becomes
non-random. And you've already said what that causes.
This archive was generated by hypermail 2.1.5 : Sat Nov 02 2002 - 09:14:18 MST