My Christmas Vacation from Hell, a Cautionary Tale.

To paraphrase Joe Friday of Dragnet fame, here are just the facts, ma’am: Since 2012 marked our 30th anniversary, my wife and I booked a Christmas Cruise. This being our first cruise, we were lucky to be accompanied by some family members, several of which are veteran cruisers. The salient fact about this cruise is that it embarked from Baltimore, MD USA and included a stop in Port Canaveral, FL USA before sailing on to the Bahamas. As Charles Dickens writes in A Christmas Carol, this must be distinctly understood, or nothing wonderful can come of the story I am going to relate.

Shortly after we sailed I started feeling ill. By dinner I was very sick, but everyone including the ship’s doctor assured me that it was just sea-sickness and that a nice lie down in the stateroom would have me ready to eat and drink my way to cruise nirvana soon. By the time the ship docked in Port Canaveral it was apparent that my affliction was not motion sickness but something more serious and probably contagious. So at this point my wife and I decided to leave the cruise since luckily we were still in the USA. Turns out that was not so lucky after all.

The guest services people on the ship, while quite solicitous and sympathetic, were nonetheless flummoxed by this situation. First they told us that we were not allowed to disembark until we reached Nassau, in the Bahamas. When pressed further they decided that while we could technically disembark in Florida, there would be a $300 per person fee to do so. We decided that it would be worth the $600 to avoid sailing on and then risking having to fly home to Colorado from Nassau. So we made the appropriate arrangements with a local hotel and rescheduled our flights accordingly. When we arrived back at the guest services desk, luggage in hand, the attendant informed us that they just needed to contact Customs and Border Protection (CBP) so we could be escorted off the ship. A few moments later, the seriously flustered crew member returned with news that CBP would not be able to send anyone until long after the ship was scheduled to sail for the Bahamas. At this point we got a bit testy and pointed out that we could simply walk off the ship, it being docked and we being American citizens to which the amazingly understanding, but frustrated guest services guy replied while that was a possibility they would be required to inform local authorities that we had disembarked and we would then in essence be fugitives, albeit very easy to find fugitives.

So feeling defeated, we decided that the best course of action would be to make another visit to the ship’s doctor and stick it out until we reached Nassau and decide then what course of action to take. The doctor concurred with our amateur diagnosis of some kind of virus infection, medicated me heavily and quarantined me to our stateroom for 24 hours which would be about the time we would arrive in Nassau. Fortunately the treatment was effective and I was more or less healthy when we reached Nassau and decided to continue the cruise. Unfortunately between the hotel we booked on short notice and never used and the changes in airline flights we made, the cost was substantial.

So how does a snarky security blogger having a bad vacation affect you and how is this a “cautionary tale”? I’m glad you asked.

The real story involves antiquated laws, security theater and the nature of the passenger maritime industry. But I’m getting ahead of myself.

The story begins in 1886 with a bit of legislation intended to protect the then in it’s infancy American passenger vessel industry, called the Passenger Vessel Services Act of 1886.

The Passenger Vessel Services Act of 1886 (sometimes abbreviated to PVSA, Passenger Services Act, or PSA) is a piece of United States legislation which came into force in 1886 relating to cabotage. Essentially, it says:

No foreign vessels shall transport passengers between ports or places in the United States, either directly or by way of a foreign port, under a penalty of $200 (now $300) for each passenger so transported and landed.

This was further bolstered by the Merchant Marine Act of 1920, better known as the “Jones Act”.

The Merchant Marine Act of 1920 (P.L. 66-261) is a United States federal statute that regulates maritime commerce in U.S. waters and between U.S. ports. Section 27, better known as the Jones Act, deals with cabotage (i.e., coastal shipping) and requires that all goods transported by water between U.S. ports be carried in U.S.-flag ships, constructed in the United States, owned by U.S. citizens, and crewed by U.S. citizens and U.S. permanent residents. The purpose of the law is to support the U.S. maritime industry.

So putting this together we get the following (presumably unintended) consequences.

Any vessel subject to the Merchant Marine Act of 1920 counts as a U.S. vessel. Under the Passenger Vessel Services Act of 1886 (46 U.S.C. § 55103), foreign-flagged vessels cannot transport passengers directly between U.S. ports. The handful of U.S.-flagged cruise ships in operation are registered in the U.S. to permit cruises between the Hawaiian Islands, or from the continental U.S. to Hawaii. The Passenger Vessel Services Act, however, does not prohibit foreign-flagged ships departing from and returning to the same U.S. port or foreign-flagged ships departing from a U.S. port, visiting a foreign port, and then continuing to a second U.S. port. However, in order to embark in a U.S. port and disembark in a second U.S. port, the vessel must visit a distant foreign port outside of North America (Central America, Bermuda. the Bahamas, and all of the Caribbean except Aruba, Bonaire, and Curaçao, count as part of North America).

In accordance with this law, Cruise lines that operate foreign-flagged vessels are fined $300 for each passenger who boarded such a vessel in one U.S. port and left the vessel at another port.

There are legal exceptions in the case of medical emergency, which in spite of how I felt at the time, my 48-hour malady could hardly be considered such. So the bottom line is that the cruise line was prohibited by US law from allowing us to disembark at an intermediate US port.

But wait! This gets better. Since 911 the Customs and Border Protection (CBP), now a part of the Department of Homeland Security (DHS), has had a strict policy that no one embarks to or disembarks from a foreign-flag vessel in a US port without going through CBP (often referred to as “Customs”). And this is where it gets really interesting. Turns out there is no CBP office in Port Canaveral since no foreign-flag vessels embark or disembark passengers there and the nearest CBP office is in Orlando which is 55 miles away. So it’s not too surprising that the CBP folks were not ready to lend assistance immediately. So the bottom line is this: there was no legal way for the cruise line to allow us to disembark at Port Canaveral except if we were taken directly to a hospital or in police custody.

So why didn’t the ship’s guest services crew just tell us this up front? Here’s where the final bit of that foreshadowing of doom comes in: the nature of the passenger maritime industry. You see, the typical crew member on a cruise ship is not American (given that as far as I can find out there is exactly one US-flag cruise ship in operation) so they can hardly be expected to be familiar with US maritime law. Also crew members are not permanently assigned to a ship and ships are not dedicated to a single cruise route. Since very few cruises that embark from US ports have an intermediate stop in another US port before heading out into international waters thereby being subject to the Jones Act, it’s hardly surprising that no one on the guest services crew during the holiday season had ever heard anything about either the Jones Act or CBP policy. So you can hardly fault the crew members for not having good information.

Finally there’s yet another bit that didn’t figure in to this tale that would have had we decided to stop cruising and disembark in the Bahamas per the suggestion of the crew. Since 911 DHS has aggressively discouraged airlines from booking short notice one-way flights into the US. Airlines will not actually refuse to do so, but it will cost a lot. In fact they will suggest that you buy a round-trip ticket which will cost less, although still expensive, and just forget the return trip. In either case this will pretty much guarantee a strip search and several hours of intimate conversation with TSA officials once you get back into the US.

So what should you take from this cautionary tale? Here’s the list:

  1. If you take a cruise from a US port to anywhere outside the US, be aware that if you get sick or have an emergency that cuts short your cruise it will be a very expensive proposition.
  2. Do not assume that crew members on the cruise ship have any idea how to handle your emergency situation with respect to getting you off of the ship.
  3. If you are forced to cut short your cruise be aware that the cruise line is very limited in what they can do to help you as they too are victims of antique protectionist law and modern security theater.
  4. Since the cruise line is forced into an untenable situation there are no guarantees regarding what they can or will be responsible for. You are on your own to figure this out and know what should happen next.

Fortunately this story does have a happy ending. My vacation wasn’t totally ruined. I got to visit Nassau and bask in the warm Caribbean sun on Coco Cay, so I definitely will be returning to the Bahamas in the future. The cruise line, Royal Caribbean, really made things right. Not only waiving all medical fees and refunding part of the cruise fee for the time I was quarantined they refunded all of the extra expenses incurred with the failed attempt to leave the ship. So kudos to Royal Caribbean (no they didn’t spiff me to write this – they just did the right thing). Since I have no other experience, I have no idea what other cruise lines might do in such a situation but I can definitely recommend Royal Caribbean. Only next time I think I’ll take a cruise not subject to the Jones Law / CBP / DHS perfect storm of cruise hell.

Half glass security

Your glass half empty, glass half full
I’d say you’ve got some catching up to do
Your glass half empty, glass half full
I’d say you’ve got some catching up to do
Best to impress, you win
Everything you do
Makes me wanna run
from Give Me What I Want by Kids In Glass Houses

The Security For All Half Glass award for unwarranted optimism and delusions of adequacy in security is awarded jointly to the New York Metropolitan Transportation Authority and the Department of Homeland Security E-Verify program. In the case of the MTA, this article in the New York Times sums up the reason for nomination.

While there were some conflicting witness accounts, the police believe the man who fatally stabbed two others with a knife during a subway brawl early Sunday morning fled the train at the Christopher Street station.

In an era of heightened security, when it seems as if virtually every step one takes in Lower Manhattan is captured on hidden camera somewhere, subway surveillance cameras might well have recorded the man leaving the station.

Except for one problem: the Christopher Street station has no cameras.

Moreover, nearly half of the subway system’s 4,313 security cameras that have been installed — in stations and tunnels throughout the system — do not work, because of either shoddy software or construction problems, say officials with the Metropolitan Transportation Authority, which operates the city’s bus, subway and train system.

More than eight years after the Sept. 11, 2001 attacks, the subway’s video surveillance system, one of the key tools the city has in deterring and investigating attacks of any and all kinds in the subways, remains a patchwork of lifeless cameras, unequipped stations and problem-plagued wiring.

And in the case of DHS E-Verify, this entry on the Homeland Security Newswire describes the reason for nomination thusly.

The U.S. government’s E-Verify program to detect illegal workers has an “inaccuracy rate” of about 54 percent, outside consultants have determined. An evaluation of E-Verify carried out for DHS by a Maryland firm found the program allows “many unauthorized workers” to obtain employment, the Wall Street Journal’s Louise Radofsky and Miriam Jordan reported.

Westat of Rockville, Maryland, said E-Verify is not able to confirm whether information workers are presenting is their own. As a result, Westat says, “many unauthorized workers obtain employment by committing identity fraud that cannot be detected by E-Verify.”

It put the inaccuracy rate for unauthorized workers at about 54 percent. Westat’s report, submitted to DHS in December, has received little public attention, the Journal’s writers said. UPI reports that all federal contractors are required to enroll in E-Verify within thirty days of being awarded a government contract. At least ten states use the system to check eligibility of state workers.

In the case of the subway surveillance cameras, only half of them work. And the E-Verify program has an “inaccuracy rate” of 54%. Hence the award. Let me revise the old idiom this way:

Optimists look at the glass half full
Pessimists look at the glass half empty.
Security looks at the wrong half of the glass.

You can see where this is going. As a security geek I can’t look at the subway cameras and say “they have 50% coverage” [optimist] or “they are 50% blind” [pessimist]. I can only say they are 100% unreliable. That’s right, when bad stuff goes undetected in half of a system that’s a fully unreliable system. By the same token, with the DHS E-Verify program you can’t say “they are 46% accurate” [optimist] or “they are 54% inaccurate” [pessimist] only that they are 100% unreliable.

So what’s the moral of these debacles? On the surface they might seem like classic Government funded Security Theater stories. And certainly they are that. But unlike many others, both of these programs had the potential of valuable side effects completely unrelated to their original intent. For the MTA subway surveillance cameras the side effect, which was illustrated nicely in the NYT article, is criminal prosecution and, assuming broad and reliable coverage, crime prevention. For the E-Verify system the best side effect would be that to actually implement such a system correctly you would need a reliable source of data – like say worker visa records – which doesn’t yet exist. So a reasonable person could infer that E-Verify would be dependent on immigration reform legislation that would establish just such a data source among other things. But guess what never happened. What did happen was a whole lot of funding for a whole lot of useless, badly designed security theater. Leaving us holding the bag and looking at the wrong half of the glass.

Everybody must get phished

Did you catch this post from the Homeland Security Blogwatch? [emphasis is mine]

Some e-mails purporting to be from the Homeland Security Department’s intelligence division were fake and contained malicious software.

The e-mails actually originated from Internet addresses in Latvia and Russia, according to a three-page alert from the Homeland Security Department’s counterintelligence unit.

These fake e-mails were sent to officials in the Defense Department and to state and local officials since June. The spyware appears to be criminal, according to the alert. But counterintelligence officials “cannot discount that targeting of DHS partners and DoD personnel may be for other purposes.”

Um… Sounds like pretty standard phishing or bot-hunting stuff to me. So I’m wondering what the “other purposes” may be. Maybe the sinister other purpose is to see if someone in the DoD or state and local officials is stupid enough to open the spyware and reveal some valuable information? But wait – isn’t that exactly the purpose of all spyware? Is it the fact that the emails were purporting to be from DHS (as opposed to say a bank) or that the targeted users were DHS partners and DoD personnel (as opposed to say you or me) that makes this somehow more nefarious? Arguably it’s a higher value target. Although if the source is my bank and the target is me I have a hard time swallowing that argument. However true it may be. The sad truth is that everybody gets phished. Whether or not you get pwned is entirely up to you.

Nice stuff from DHS for your FDPP

In recent days the U.S. Department of Homeland Security (DHS) has been getting spanked pretty hard for being unprepared for cyberthreats. Since that mule has been pretty well beat to death, I’m not going to chime in on that. Instead, in the immortal words of the great philosopher sage Monty Python “And now for something completely different”.

I’d like you to know about something the DHS is doing right – the Ready Kids Campaign. From this press release on September 17:

Today the Department of Homeland Security’s Ready Kids Campaign announced with Sesame Workshop a new tool on emergency preparedness for parents of young children called “Let’s Get Ready!” This guide aims to get families planning together for emergencies through simple activities and games that focus on talking to young children about the people, places and things that will keep the family safe during an emergency.

“Emergencies can happen at any time with little or no warning and, as we’ve seen with recent natural disasters, personal and family preparedness are critically important,” said Erin Streeter, Director of the Ready Campaign. “‘Let’s Get Ready!’ gives parents the tools they need to talk to their young children in a very kid-friendly and non-threatening way and instill in them important information to help them deal with the unexpected.”

Specifically, the guide offers tips from Sesame Street’s and Rosita on how families can prepare their children for an emergency in age-appropriate ways such as:

  • Everyone, including young children, can play a role in planning for the unexpected.
  • Creating an emergency kit and plan that the entire family practices and shares is important.
  • Helping children learn personal information such as a phone number, their full names and the full names of their parents or caregivers, is helpful in case of any emergency.

If you have children you should definitely take advantage of this excellent resource. This is something that every family needs to consider seriously. Just like every business should have a Disaster Recovery Plan (DRP) and a Business Continuity Plan (BCP),  (I’ll bet you were wondering how I was going to relate this to security) you need to have a Family Disaster Preparedness Plan (FDPP). Except that your  FDPP is way more important than any DRP or BCP because this is your family, not some business that we’re talking about. It’s critical to note that no disaster plan (or any plan for that matter) has value if all of the players don’t know their parts. In the same way that it is critical for a business to make sure all employees, especially those in leadership roles, have and understand current copies of the DRP and BCP documents, all members of your family, must understand your FDPP. Furthermore, (and this is where many if not most businesses fall down) you must practice the plan. That’s right, it’s very well and good to have a plan that calls for tuning the weather radio to the correct station in case of a tornado warning, but it doesn’t work too well if you don’t know what station that is or where to find the radio.

So this is where you can really leverage the “Let’s Get Ready!” resources. It can help you devise, disseminate and practice your family’s FDPP. While this specific program is targeted at families with young children, there are links on this page to many excellent resources. I will admit that I learned a few things and picked up some ideas for my family’s FDPP. According to the site, this month, as part of Emergency Preparedness month, Sesame Workshop will be distributing 150,000 of the free kits to families. These kits include not only the downloadable materials on the site, but a DVD that is great for young kids.

So get going on your own FDPP, and definitely check out the resources at DHS. Seriously, they’re not just about fighting terrorism and cyberthreats. Which I guess is a good thing. Sorry couldn’t resist.

Information on “Let’s Get Ready!” is here. Materials are available in English and Spanish.

9/11 seven years on

Yesterday the Department of Homeland Security (DHS) released it’s annual report
Fact Sheet: U.S. Department of Homeland Security 9/11 Anniversary Progress and Priorities which begins with the following introduction (emphasis mine):

Since 9/11, the Department of Homeland Security (DHS) has made significant progress in protecting the nation from dangerous people and goods, protecting the nation’s critical infrastructure on which our lives and economy depend, strengthening emergency response and unifying department operations. Seven years without an attack on U.S. soil are a testament to this department’s 216,000 employees – and the nation’s first responders and law enforcement officers – who every day put service before self. Since its creation in the aftermath of the tragic events of 9/11, the department has achieved much to protect and secure the United States

What struck me about this report, aside from the solemn occasion it commemorates, was the realization that what all professional security organizations have in common regardless of size, scope or budget is that when we do our job right nothing happens. Our successes go unnoticed but our failures are spectacularly visible.

On this day lets take some time to think about all of those folks whose purpose is to keep our lives as safe as possible and remain unnoticed.

Welcome to Security For All

Blackhawk Helicopter

Blackhawk Helicopter

It’s apropos that I’m starting this blog while enjoying the security theater accompanying the Democratic National Convention here in Denver. Specifically I’m watching the blackhawk helicopters patrolling our  friendly skies. I enjoy watching them so I’m not complaining. The point is that while it seems so obvious, preventing a terrorist attack is hardly an important element of their mission. Because that is what almost everyone thinks that security means in this context.

You see security is all about risk management and threat mitigation. So what would you think the risk of a terrorist attack occurring in Denver during the DNC – that could be mitigated by attack helicopters – would be? I’m thinking somewhere between slim and none (closer to none). So if a terrorist attack is the threat you are trying to mitigate then attack helicopters are great security theater. Fun but useless.

Now don’t interpret this as an indictment of the Department of Homeland Security. On the contrary, I believe that an important part of their mission is security theater. “Now just hold on a minute!” I hear you saying, “didn’t you just say that security theater is useless?”. Well you’ve got me. What I meant was that it’s useless in the context of actually mitigating a threat. It’s extremely useful in the sense that it shows that our government is is taking steps to protect us. Steps we can see. And we FEEL better about it. The reality of this situation is that a terrorist attack is not one of the risks being addressed by the blackhawks and security theater is just a nice side effect.

So how does this apply to you? Well, again it depends on the context (doesn’t it always?). If you are a large corporation – like the many vying for my attention and sage advice (hey, it could happen) – security is about managing the risks to your IT infrastructure, protecting your information and complying to the standards and regulations of your particular industry. If you are a small business security is about managing the risks around the communication channels to your employees and customers like making sure those channels are highly available (if your web site isn’t available your customers can’t buy anything) and that those channels are safe for both you and your customers to use (you really don’t want somebody hijacking your customers’ information or using your web site to distribute malware). If you are an individual, security is mostly about mitigating the risks of connecting to the internet without the benefit of high priced network hardware and an IT department (your kids and your son-in-law aren’t really an IT department). The point is that security has different priorities to those with different risks. I’ll address each of these different situations in detail in upcoming posts.

But right now I’m going outside and watch the blackhawks.