Security features only work if everyone plays along


Since Microsoft released Windows XP SP2 and Windows Vista, they have clamped down on security a bit more.  The firewall is enabled by default.  Unlike previous versions, you could format and reinstall Windows but your system would still be wide open to attackers while this process was occurring and you were installing security patches.

Similarly, with antiviruses, they are good at protecting your computer from bots and from turning your computer into a node of a botnet, but it only works if you keep it up to date.  If you disable your antivirus and your firewall, then you've pretty much defeated the purpose of security.

I tell you this because while it is obvious to everyone, humans are always the weak point in the security process.  Security only works if everyone plays along and follows the rules.  Let me tell you a story to illustrate this, it is a true story.

Next month, I am going to visit China for a couple of weeks.  In order for a US or Canadian citizen to get into China on a tourist visa, you have to get a Chinese travel visa.  To that end, I had to physically mail my passport to an agency that handles these requests.  I also had to fill in a bunch of documentation, and include my work visa.  This means that I had to send in my actual passport and all of my work documentation where I couldn't keep it close to me in my secure location (I've lost my passport before -- it sucks when that happens).

Now, they processed it and sent it back and I got an email confirmation from Fedex saying that they had delivered it.  It was (supposedly) delivered on Sept 25 and I got back into town on Sept 27.  I went to my door, but no package from Fedex!  I went to my apartment head office, and they had nothing either.  I phoned up Fedex and they said that a signature was required, but no one was there so they took it back (even though the confirmation on the web site said they left it there at the door).  I said "Fine, deliver it to the main office then."  They said "Okay."  After I hung up the phone, they added "...sucker!"

Two days pass, and no package from Fedex and I am beginning to panic.  I call up Fedex and ask "WTF is my package?  It's critical I get this!"  They said they'd get someone to look into it and call me back.  Again, after I hung up the phone, they added "...sucker."  Now, at this point I'm beginning to get antsy.  My passport contains my work visa.  I began running through the scenarios, if I couldn't get this thing back, I'd have to call the police because technically a passport is property of the federal gov't.  Maybe they'd kick-start the process.

I got back to my apartment and had a thought.  My condo number is #A106 (not my real one) in Phase II.  What if Fedex delivered it to Phase I?  I walked about 200 yards up the road to Phase I, to #A106.  I walked up the stairs, looked and sure enough, there was a package from Fedex, addressed to me, lying outside the door which a few other bags and stuff.  It had been sitting there for five days unattended, where anyone (or anything, like a raccoon) could have grabbed it and tossed it away.

The reason people send stuff by Fedex is for security and tracking -- so I can have peace of mind that the package is traceable.  But for crying out loud, that only works if you deliver a secure package and don't leave it outside the door!  In other words, all of this security broke down at the end when the driver decided to dispense with all of the security features inherent in tracked mail and leave it unattended when anyone could have picked it up.  Seriously, am I alone in thinking that's analogous to turning off your firewall or disabling your antivirus?

At least I don't have to cancel my trip.

Comments (4)

  1. Norman Diamond says:

    You shouldn’t have posted this story yet.  First, since delivery requires a signature, you should have demanded a tracing of the signature.  That would have some likelihood of reducing future repetitions of this kind of malfeasance.  If you demand a tracing of the signature now, FedEx might just say you already announced that you received the delivery.

    "In order for a US or Canadian citizen to get into China on a tourist visa, you have to get a Chinese travel visa."

    To use a tourist visa you have to get a _tourist_ visa.  A transit visa is something different, I don’t know if China offers one, but it’s not what you would need anyway.

    "I had to send in my actual passport"

    Depending on countries involved, sometimes you have to bring it in yourself instead of sending it.  Sometimes you have to make a second trip to get it back yourself too.

    By the way don’t forget about countries whose governments don’t even try to use secure methods when mailing passports.  You’re living in one.  Or countries where registered mail addressed to the government doesn’t even reach the government.  You came from one.

  2. To be honest, this doesn’t surprise me in the slightest. As Norman pointed out in his comment I think that in the USA there is still a very lazy approach to all round security.

    I just spent 3 months in New York and often got the feeling that security is a surface level operation there. I think the USA is the best nation in the world at making it look like everything is secure; high visibility security guards everywhere, the appearance that things are taken care of.

    I couldn’t believe it when I called my cell phone carrier (I was using a US SIM card) and was asked to confirm my name, my address, date of birth and then my full security PIN number just to add a service to my account.

    I advised the call centre operative that I wasn’t going to give her the full PIN, and suggested that she asked me to confirm any two digits i.e. the first and third or second and third, whatever. She said that this is the way it had to be done.

    I explained that this was highly insecure. I’m sitting in a busy coffee shop and I’ve just told you my full name, address, and date of birth. I can’t now be sure if somebody here isn’t already scheming to sell my apartment but if I also give you my full PIN they can call you up later and add extra minutes to my cell phone package. And I won’t have that!

    Chinazor U. Ozoemena

  3. tzink says:

    Another thing about the US is that I have to hand over my Social Security number to pretty much everyone.  When I lived in Canada, I never had to reveal my Social Insurance Number except to employers.  Heck, I wouldn’t be surprised if Blockbuster made me give them my SSN.

Skip to main content