
It is fraught with theoretical peril in this guy's exposition, but I haven't seen any evidence that it's actually fraught with any practical peril. Many millions of citizens are asked this question every year, but "business or pleasure" does not appear to be a significant vector for criminal convictions in the US.

This notion that answering "just visiting" to that question is some kind of pernicious legal tripwire seems like a fantasy, especially considering the fact that the border police can search you without provocation or cause if they really want to mess with you.




You are one of a fairly small number of people worldwide who can be considered to be experts in computer security, yet you keep admitting here that this guy's approach is theoretically valid, and you just have a problem with it practically.

I really don't understand that.

How is that not like my saying, "Well, sure, theoretically I should be hashing the passwords in my database, but practically speaking we can't expect that it's going to matter anyway."?

-----


(I upvoted you).

You are making an allusion to the perennial controversy over "theoretical" vs. "practical" vulnerabilities in my field. That's an interesting point, but unfortunately not a valid one.

In security, "theoretical" vs. "practical" is a fig leaf used (mostly) by vendors to avoid facing up to their responsibilities after having shipped flawed products. Calling something "theoretical" shields people from culpability, mostly in public relations, but clearly isn't actually an assessment of the real-world impact of most vulnerabilities. It's spin.

But the fact that the words "theoretical" and "practical" can be used as spin doesn't mean the concepts of "theory" and "practice" are inherently spin; the reality is quite the opposite. Outside of computer security, we'd be well advised to use those words more; our adhesion to the notion that all theoretical threats are practical is probably a major component of the "security theater" trend that has us all getting electronically strip searched in airports.

-----


Yeah, I see what you're getting at. For my part, while I'm interested in computer security, I'm more interested in legal (or "real-life", or "social", or what-have-you) security. So, I'd be more inclined to say that when there's a theoretical legal attack, it should be handled as though it were a practical one.

I recently had a close friend go through the court system on multiple felony charges. That particular introduction to the legal system was eye-opening.

-----


I'd be inclined to say that when there's a theoretical legal attack, it should be handled as though it were a practical one.

The real flaw in this argument is that as soon as you mark yourself out as "that guy who's being a dick" you attract a lot of attention, and you're more likely to wind up in court on some other charge.

For instance, there's a very high probability once you've started being a dick that they'll decide to thoroughly search your suitcase. Have you accurately reported the value of all goods acquired overseas on your customs declaration form? If you haven't (or even if you have but they feel like quibbling over the value of some of those goods, or if they suspect that some of the goods acquired in the US were acquired overseas) then you could potentially wind up getting charged over that.

-----


The real flaw in this argument is that as soon as you mark yourself out as "that guy who's being a dick" you attract a lot of attention, and you're more likely to wind up in court on some other charge.

But doing the right thing can also get you into trouble. Just ask Pascal Abidor.

-----


Another way to say that is that there's no such thing as a "theoretical" vulnerability. There's either a working exploit, or there is not and we can test it. In physical security, though, there are plenty of movie plot threats that nobody has ever actually tried and which are not, in fact, practical.

With software, you can have the computer try millions of times to go after that one crazy race condition. Meanwhile, your average crazy bomber generally has one chance to get it right before everyone on the plane attacks and subdues him.

-----


Tone of voice is just as important. I have an in-law who’s a cop, and most times if you're a jerk, he says you get the ticket you might otherwise not have. It’s very much an issue of power because someone needs to control the situation—you or them. Not to mention, being argumentative gives them a reason to suspect something else might be going on, and in turn, mess with you. Why give them that chance?

I wonder if he would try another experiment where he actually answers the questions as asked, but instead makes his tone sarcastic, etc. I bet he's pulled out of line just as quickly for cooling down, even though legally he’d have complied.

-----



