(Written at 38,000 ft on BA277 from Heathrow to Hyderabad, India. I am lucky enough to turn left when I get on a plane and so I bashed this little diatribe out with the help of a few glasses of red wine in my belly.)
The false sense of security and warm cozy feeling we all appear to get from airport security never ceases to amaze me.
After checking in on the Internet last night using nothing more than a six-character code* sent via email (for anyone who didn’t already know, email is like a postcard; anyone who delivers it can read it) and my surname, I joined the FastTrack security line at the new Heathrow Terminal 5. As the SlowTrack line meandered toward the conveyor belt I removed my belt, watch and shoes and took my laptop from my briefcase. The four trays needed to pass my carry-on apparel (1 for laptop (must be alone), 2 for glasses, cell phone and laptop bag, 3 for shoes and sweater and 4 for the carry-on bag) through the scanner followed a bleached-blonde female’s fake Louis Vuitton handbag, MacBook Air and pink cell phone (that her ear seemed to have been attached to five minutes before). She beeped as she walked through the scanner and I smiled smugly. I then heard her telling the minimum wage security guard that she had “body piercings”. After the wand passed again over her boobs and nothing beeped she nodded towards the floor and coyly said “it’s my front bits”. The blushing guard (female) passed the wand in front of the woman’s genitals and smiled “ah yeah”. I of course was thinking “prove it”. If you have the balls (sic, pun intended) to mutilate your sensitive organs then surely you have the balls to get them out in public? She was ushered on, collected her tacky luggage and waddled off into insignificance like a “Big Brother” star expecting some paparazzi to jump out at her. If you can get your vagina pierced but can’t even say the word in public (I guess technically it’s a vulva as a vagina is internal but ….) then something is wrong in my book and surely warrants further investigation?
I of course passed without incident, reassembled my travel camel and went to the BA Lounge. When I got to the lounge I freshened up in what can only be described as a “port-a-loo” inside an airport lounge. In my wash bag was a new pot of moisturizer (that I forgot to take out and put into a clear plastic bag, but surely bigger than is allowed) and a sharp razor-like blade used to deal with my ailing foot (another story) that I had also forgotten was packed. Luckily (I guess) I didn’t have a Prince Albert or I would have surely been frisked!
As I checked in at gate 10b I was behind a “lady” dressed in a Burka. I say “lady” as I could only see her eyes (I am sure my wife, who lived in the UAE, will correct me that it’s a “hib-something” and not a Burka). Intrigued as to how you check a passport photo when you can’t see the face, I watched the other lane as I approached the desk and asked the lady at my desk “How on earth do you check people when you can’t see their face?”. She whispered, embarrassed, “we ask them to lift their head dresses” and sighed with a sarcastic look that told me a lot. I wasn’t looking for the sigh or sarcasm; I was genuinely interested in a straight, non-judgmental answer. As I joined the queue for the bus (why you need to get a bus to a plane in a brand new airport is beyond me) I turned to see if the lady had been asked to remove her head dress. No, it was a quick visual scan of the passport and then she was ushered to join the queue for the bus.
I get on board the plane and settle down in seat 3A. Late lunch is served along with the wine that fueled this post. Having recently flown the other way around the world (London > Seattle) house hunting in economy, I was reminded that in business you get a (chilled) set of metal cutlery. I am sure I just got a plastic knife in baggage class the week before last. Do global terrorists not have a few thousand pounds to upgrade to business class, I ponder? I guess not…
So in summary (and I suspect all terrorists already know this): get your bits pierced, wear a Burka and fly business class.
In the meantime for the rest of us I hope the queues and checks continue to give us a warm fuzzy feeling of security.
Fly on!
Warning: This blog was written on board a plane that possibly also served nuts (either definition of the word!).
* Sure, it’s actually not that small a key space, but when you consider the amount of people flying and the speed of guessing…
Farewell Security Buddha – Hello Curphey 2.0
Posted March 5, 2010 by mcurphey
I openly admit I had a misspent youth. I was expelled from school and then went on a rampage of sex, drugs, booze and rock and roll for the best part of a decade. I lived hand to mouth and did everything from stacking yogurts in a yogurt factory (working nights), selling houses, working behind the bar and as a bouncer in a night club. It was good, I don’t regret a single second, but one day in my mid twenties I woke up and simply decided I was never going to be a rock star and it was time to get a real life or drift into a wasted life. For the most part my brain and body were undamaged, but more by luck than design.
I put myself through University (which took 4 years as I didn’t have any ‘A’ levels) and studied Mechanical Engineering. I was never gifted academically but I knew I could hold my own and with a bit of hard work graduated with a decent degree. My final year project was modeling fluid flow over a grand prix car using computational fluid dynamics software. The software was dongled and cost several thousand pounds. One weekend I decided to figure out how dongles work. As they say, “the rest is history”. I managed to talk my way into Royal Holloway, University of London to study for a Masters in Information Security (a large dose of cryptography, as it’s in the Math department) and became ignited by computer security. Royal Holloway is a very special place to me. It literally changed my life forever, opened up doors and kept me on the straight and narrow. For the most part that fire ignited in me has been burning pretty strong for the last 15 years and allowed me to live a blessed life. If you are doing something you love, something you are good at and something people will pay you for, you pretty much have the perfect job. I have lived in some amazing places (London, Brighton, the South of France, Boston, San Francisco and Seattle) and worked at some amazing companies (Schwab, ISS, Foundstone and now Microsoft). I have met some amazing people (too many to mention) and had some good luck (Foundstone acquisition). I have travelled all over the world (quite literally) and I got to start a security revolution on the net with OWASP. I contributed to many books and more than anything I have learned a lot about a lot of things. Security has been very, very good to me.
For the last few years I have grown increasingly disillusioned with the security industry, to the point where, after nearly two years of thinking and talking about it, I have decided that it’s time for me to move on. There is a long list of frustrations and I have seriously thought about a last detailed shot across the bow with some home truths as I see them. The reality is it will probably not be productive. I had commentary about the security circus and the clowns, ring masters and performance artists that play in the big top; commentary about the lack of genuine computer science that finds its way into security; commentary about the lack of business science that is being adopted (why aren’t security people obsessed by Freakonomics?); commentary about the sad fact that for the most part we are still doing “the same old shit” 15 years after I first started (the definition of insanity is to do the same thing twice and expect a different result); commentary about the farce of PCI (and related standards) and people caring about trivial issues (easy to understand and sensationalist in nature) when looming holes that could have major impacts go unnoticed… I could go on. People thinking they need “purple dinosaur” features in their security software because some marketing spin says so, and commentary about the sheer FUD being pumped out by the marketeers. I have watched an industry spin out of control, largely paying lip service to the term risk, and watched sectors of it become largely irrelevant outside of their own self-fulfilling set of prophecies. When things go right no one notices (at least outside of security) and when things go wrong everyone points fingers. That’s a tough place to be impactful and remain positive.
To the talented, smart people that are able to make a difference and advance the state of security in this arena, I salute you. We need you. You are troopers. Having been at MSFT for the last two years I am in awe of the way we think about security. The people, the process and the technology have turned us from laughing stock to poster children in 5 years (some may argue and they are welcome to). We are far from perfect but it’s been humbling to see it done on such a large scale. So it’s with this knowledge behind me that I can confidently say I have been part of the best and it’s just not cutting it for me any more. It’s time to move on.
The caveat here is that I will likely always have an interest in software security and specifically web security. I run the developer Security MVP Program at MSFT and will continue to do so. I am still passionate about making sure we have the right industry experts with the right resources to be their best for our customers. There are also a number of interesting problems still to solve (mainly at a technical level) and, as you will see from my growing passion in development process below, integrating security as one attribute into the development process is something where I will be able to add significant value (especially looking back from the other side of the wall).
As I move into Mark Curphey 2.0 (that’s a great tag line for the new blog!) I plan to be active talking about my current passions.
My new role at MSFT is a Director in the Server and Tools Online team which is part of the Developer Division. Among other things we build and run the developer focused web sites such as MSDN. MSDN has 20 million unique visitors a month. It’s large scale web development focused on building software and content to support our developer community. I am sure you see the fit!
I have a lot going on besides the new job. I am planning to regain my technical chops over the next year or so, probably launch another open community and a side commercial project focused on software for freelancers, and I am seriously thinking about running a marathon this summer for Leukemia research. Then summer is coming, so it’s kite-boarding…
While it’s been fun I will be closing this blog down soon. I’ll leave it up for a few weeks while I get a new blog setup and port the articles I want to reference. The new blog will move to www.curphey.com (not currently active as of 3/5/2010).
You can follow me on Twitter at @curphey and over at the new blog.
Lastly and by no means least is a big thank you. Thanks for reading this blog and thanks to all those that helped me be successful in the security industry.