Since reading my friend Dan’s travel blog of his exciting day in South Africa where he talked/sneaked himself out of two muggings in a day, I’ve given some thought to how I’d try to handle these kind of situations.
A few months ago, as I was cycling into town after work, I was stopped at the top of an isolated pedestrian bridge by four individuals on bikes and was told in no uncertain terms that I was being mugged. As one of them tried to reach into one of my pockets containing a phone, I held onto it, which brought a few punches flying in the direction of my head. Deciding at this point that I didn’t really fancy parting company with the contents of my pockets (phone and wallet), I pushed my bike towards them (step-through frames allow for easy dismounting!) and sprinted back in the direction I’d come. After hearing someone say “after him”, I decided that now might be a really good time to start shouting loudly and, choosing the most appropriate word I could think of, I started shouting “help”; by the time I reached the original end of the bridge, I was met by a member of the public who called the police.
Since then, I’ve spent at least 6 hours of my life giving statements, doing identikits etc. for an incident that, at most, lasted 30 seconds.
- I wasn’t seriously hurt (there were two minor and inconspicuous bruises)
- I wasn’t seriously missing anything (though I lost my glasses in the affray)
I think it’s fair to say that it went “about as well as an attempted mugging could go”. I didn’t lose anything to the robber and I wasn’t seriously hurt.
I’ve thought long about this. Could I have avoided any issues with them simply by dressing and acting differently? Could I have avoided any physical confrontation if I’d handed stuff over straight away? Could I have done things differently?
Ultimately, these questions will drive you crazy – the answer is “yes, probably”, but the fact is ‘shit happened’ and thankfully I came out of it pretty well this time, so that’s what I should focus on.
Immediately after the incident I was quite nervous; however, one thing I’m very eager to avoid is demonising groups of people – young people growing up in the inner city are generally great people, and, in my opinion, more work needs to be done to help organisations like RECLAIM empower young people in these areas.
The most interesting thing about the incident now is actually observing how people’s reactions to it subsequently affected me, and the impact that had.
The most prominent reaction has been a statement like “hope you’re ok”, which, whilst being the easiest and probably least likely to upset, is quite passive.
Interestingly, for me, the worst thing that happened was being asked “What happened?”, and forcing me to recount the details of the incident in detail. It’s not that it was particularly traumatising, but reliving the incident each time I was asked doesn’t really help put the incident into the larger perspective, both for me and the person I was telling it to.
Perhaps one of the less helpful responses was the suggestion that I could have been stabbed and that I should have just handed over my phone. Whilst there’s certainly truth in that, it’s a really unhelpful perspective to offer the victim at that point. Clearly there were worse possible outcomes; however, looking at the bigger picture, what I actually did resulted in about as good an outcome as one could hope for, whereas the suggested response would have guaranteed an objectively worse outcome (with still no guarantee it wouldn’t involve stabbing) than what actually happened.
One possibly interesting reaction was being told that they knew how I felt, and that the anger that comes afterwards is worse than the event – probably an incredibly clear indicator of how personal people’s reactions to events like this are – I suspect they did not know how I felt, as the anger wasn’t forthcoming…
One reaction was to simply label the perpetrators as “manchester dickheads” – possibly objectively true – but still unhelpful, rather pointless name-calling – “Ahah, you almost mugged me. You’re a dickhead! Oooh. I said a naughty word!”.
I’ve had people say that they hope this won’t change my approach to the world – and for me this was the most well-received response – mainly I suspect – because I’d already decided that this had to be the case, within 10 minutes of the incident.
In my opinion, perhaps, the most empathetic response is to ask how the victim is feeling, then be quiet and let them do the talking.
In many ways, however, I suspect that despite people meaning well, I might actually have been happier to not publicise it so much. This may be partly related to my distaste for verbally repeating anecdotes a number of times, but I suspect is also to do with coming to terms with things actually being quite a personal thing, and whilst other people’s perspectives are obviously helpful to themselves, I can find them, at best, hard to relate to, and at worst, somewhat unhelpful.
I was a bit shaken for a while (aka an evening) after the incident, and there’s still the odd flashback or moment where I feel irrationally unsafe, but I’d had enough of talking about it within hours of it happening.
I’m “over” the incident - shit’s gonna happen, in the past and the future, it’s not surprising really, and I’m happy it went as best it could this time.
I’d really like to look forward in life for a while now.
I recently came across this photo – some of the things that I took on holiday with me back in 2006:
The book is an interesting mix of Kevin Mitnick – a notorious former black/grey-hat computer hacker/cracker – talking to other hackers about their alleged intrusions.
Obviously, in the same way as watching Frank Abagnale‘s Catch Me If You Can doesn’t mean you support the passing of fraudulent checks or posing as airline pilots, clearly I also don’t endorse any of the things described in the Art of Intrusion – but the really valuable thing about the book is that it allows you to get inside the minds of ‘the bad guys’, see and understand how and why they do things.
The earlier book, The Art of Deception, is slightly different: it is about social engineering, talking people into handing over access rather than breaking the technology. Mitnick’s own story is told elsewhere (in his later memoir, Ghost in the Wires): he famously evaded the FBI for two and a half years before his arrest, during which time he is said to have gained unauthorised access to the voicemail of the FBI agent assigned to his case (allowing him to evade capture for some time longer).
A few weekends ago, I was at Blue Light Camp – billed as “the first truly interdisciplinary emergency services unconference in the UK”. As the name implies, there were many people from a variety of different emergency services backgrounds, and so when I saw a talk titled The Art of Deception, I vaguely remembered the book and wandered along. Kate Norman of an NHS trust (or, better known to me, a friend of Ian Forrester) had recently read the book and was interested in people’s opinions. No-one else had read the book, but the discussion that followed was quite insightful.
I hadn’t gone along to talk internet security; in theory, yes, I’ve been in ‘Cyber Security’ competitions, but largely my aim in attending this event was to listen, learn and meet some passionate and enthusiastic “blue lights”. The discussion was interesting because we really covered a lot of ground: privacy online, uses of social media, and websites being taken down or defaced.
The question was: “What can one do about one’s website being defaced/hacked/DDOS’d/etc?”
I think really the answer is quite simple: “You can apologise and do your best to bring things back to normal as fast as you can with the resources you have available”.
Ultimately, whatever you do, you can never be fully confident your website is secure – in the same way that, however good a driver you are, even with advanced driving courses behind you, someone can still drive into your rear end at the traffic lights or cut you up on a motorway, and a collision happens. Even if you took all the possible precautions, there’s still some risk involved.
In terms of compromise of websites: even if your penetration testers haven’t found any serious flaws in your CMS (hint: if this happens, hire someone else), even if your base operating system is fully patched and up to date, it’s quite likely that tomorrow someone will discover a vulnerability that affects one of them, and that your patching regime won’t respond that quickly because you value stability.
It’s a very thin line to tread, and ultimately it’s wisest to recognise that you’re going to do your best, but at some point in the next 10 years you’ll need to apologise to your users. Being good at apologising to your users is not a skill to be sniffed at. If you can do it well, and explain what happened in terms the users and your management understand, then so much the better. There are worse things you could do than looking into the best ways to apologise to your users – to me this seems like a good use of training time.
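Apologising well starts with noticing the defacement quickly and knowing exactly what was changed. The snippet below is an added example, not code from the original post or from Blue Light Camp: it records a baseline of SHA-256 digests for a site’s pages while the site is known to be clean, later reports which pages were modified, removed or added, and rebuilds the served content from the known-good copy. The site content, the paths and the simulated defacement are all constructed for the example; a real deployment would read the webroot or crawl the live site over HTTP instead of a dictionary.

```python
import hashlib
from typing import Dict, List

# Constructed sample content standing in for a small static site (not real pages).
KNOWN_GOOD: Dict[str, bytes] = {
    "index.html": b"<html><body><h1>Welcome to the trust</h1></body></html>",
    "contact.html": b"<html><body><p>Phone: 0300 000 0000</p></body></html>",
    "about.html": b"<html><body><p>About us</p></body></html>",
}


def page_digest(body: bytes) -> str:
    """SHA-256 of the raw bytes served; changing a single byte changes the digest."""
    return hashlib.sha256(body).hexdigest()


def build_baseline(pages: Dict[str, bytes]) -> Dict[str, str]:
    """Record the digest of every page while the site is known to be clean."""
    return {path: page_digest(body) for path, body in pages.items()}


def check_site(baseline: Dict[str, str], current: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Compare what is currently served against the baseline.

    Returns sorted lists of pages whose content changed, pages that have
    disappeared, and pages that exist now but were never in the baseline
    (a common sign of an uploaded defacement page or dropped file).
    """
    report: Dict[str, List[str]] = {"modified": [], "missing": [], "unexpected": []}
    for path, expected in baseline.items():
        body = current.get(path)
        if body is None:
            report["missing"].append(path)
        elif page_digest(body) != expected:
            report["modified"].append(path)
    for path in current:
        if path not in baseline:
            report["unexpected"].append(path)
    for key in report:
        report[key].sort()
    return report


def restore_site(known_good: Dict[str, bytes], current: Dict[str, bytes],
                 report: Dict[str, List[str]]) -> Dict[str, bytes]:
    """Bring things back to normal: overwrite modified pages and put back
    missing ones from the known-good copy, and drop anything unexpected.
    Keep the original `current` untouched so it can be preserved as evidence."""
    restored = dict(current)
    for path in report["modified"] + report["missing"]:
        restored[path] = known_good[path]
    for path in report["unexpected"]:
        restored.pop(path, None)
    return restored


def simulate_defacement(pages: Dict[str, bytes]) -> Dict[str, bytes]:
    """Constructed attacker activity for the example: an obvious defacement,
    a subtle one-digit change to a phone number, a deleted page and a new page."""
    defaced = dict(pages)
    defaced["index.html"] = b"<html><body><h1>Owned</h1></body></html>"
    defaced["contact.html"] = pages["contact.html"].replace(b"0300 000 0000", b"0300 000 0001")
    del defaced["about.html"]
    defaced["promo.html"] = b"<html><body><p>Buy cheap pills</p></body></html>"
    return defaced


if __name__ == "__main__":
    baseline = build_baseline(KNOWN_GOOD)
    served = simulate_defacement(KNOWN_GOOD)
    report = check_site(baseline, served)
    for kind, paths in report.items():
        print(f"{kind}: {paths}")
    restored = restore_site(KNOWN_GOOD, served, report)
    print("clean after restore:", check_site(baseline, restored) ==
          {"modified": [], "missing": [], "unexpected": []})
```

Two caveats a practitioner would want: the baseline and the known-good copy must live somewhere the attacker who defaced the site cannot also rewrite (off-host, ideally signed), otherwise they just update both; and pages with dynamic content (timestamps, CSRF tokens) need normalising before hashing or they will show as “modified” on every run. Snapshot the defaced content before restoring it so that whoever investigates, and the apology that follows, can say precisely what changed.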
During the session at Blue Light Camp I brought up this XKCD cartoon:
The amusing thing about me reading The Art of Intrusion was that it was 2006. 6 years ago. I was a teenager. I was still at school, and that must have been a library book (I’ve never owned a copy of it). It was just one of the security-orientated books I read at the time (along with Bruce Schneier’s “Secrets and Lies: Digital Security in a Networked World”).
The types of attack, the types of thinking described in the books are alive and well today – there isn’t a problem with legislation – illegal acts are quite clearly illegal – yet there have really been many years in which to learn how best to respond to security issues.
What scared me though is how far we’ve come in terms of the pervasiveness of technology since 2006 (back then government websites were mainly brochures, I hadn’t joined Facebook yet, Twitter really didn’t exist), and yet the basic premises of responsible and realistic net security are still not well known.
How can we fix this? How can one explain net security to the masses? As in ‘nothing is ever truly safe’ not ‘you need a password with lower and upper case and numbers’? As in ‘we fucked up, we’re really sorry, have some cake’.
I don’t know the answer, but I think it’s probably not going to be by prepending everything with “cyber” and trying to scare the shit out of everyone.
At Blue Light Camp I described Kevin Mitnick as “a bad person”.
I was asked: “well, did anyone die because of him?”
I responded negatively.
“Well on the scale of people we deal with, he’s not a very bad person then!”