The Tool School

An oft-quoted cartoon (can you quote a cartoon?) from Gary Larson's Far Side is the cowboy repairing the roof with the butt of his Smith and Wesson. You can't help but read the caption of the onlooker in an ol' timer accent, 'I hear you're pretty handy with a gun!'. Many a true word is spoken in jest. How many things have you broken or damaged through action or inaction (Asimov, not Newton) by applying the wrong tool? Knocking in panel pins with a 1lb lump hammer, opening bottle tops on the strike plate of a door, and (ahem! Richard!) striking matches on the zip of your jeans?

You might just get away with it... for a while. But there is a difference between risk management and luck. Border security may be enhanced by biometric chips, face recognition etc. but they are part of the arsenal of recognition. They also assume that the really determined will pass through border control in the first place.

Technology is a tool for people to use. I'm indebted to a lecture delivered by Softbox's Colin Williams (I've heard it three times and haven't tired) that plots the history of computers from science fiction to reality. Colin looks at the decision-making anticipated by the Turing test. Whereas Turing originally conceived it to challenge the differentiation between man and machine by people, the skewed 'CAPTCHA' images are machine processed. Machines now decide whether you are human or not.

So if you want to get under the skin of your infrastructure, application, system (scope and boundaries are important) to find out where a criminal may compromise it, then don't confuse automated scans and penetration testing... because after all this time I think people still do. Penetration testing may start with an automated scan (there are good, free and open source tools, why not use them?) but it's just the opening gambit of a people-led process. It's the difference between rattling the doors to see if they're locked and breaking the windows. You may be too nice to break the windows but the thief works to a different moral code. So scan away with the written permission of whoever owns what you're scanning.

But it's the difference between watching a recording of the medal ceremony and actually being there when the record is broken.