Can Security Models Be Made Open Source



Kevin_Njeru
September 25th, 2013, 08:42 AM
Hello,
My name is Kevin Njeru and I have been an Ubuntu user for a while. I am Kenyan, and given what happened over the weekend and some discussions I have had since then, I wanted to ask a few things I have running in my mind.

Open source has revolutionised information technology. It has allowed for growth in IT in numerous ways due to the fact that many minds are working on the same issue. A lot of viewpoints are discussed and then the best alternatives implemented. These undergo various tests and different possible outcomes are considered due to the many brilliant minds that work on it.

So here is my question: is it possible to make security plans open source? Various government agencies and corporations have different ways of ensuring our safety, but they keep a majority of the internal operations confidential for security reasons. Are there no ways to make this open source and try to come up with ways to prevent this past weekend's attacks to a minimum? I understand that open source will mean all will have access to the designed systems, both criminals and those benefiting from the proposed security systems. I still wonder whether such a project can be started, using methods discussed and thought of by a community such as this one.

I would appreciate any input people may have.

zer010
September 27th, 2013, 05:34 PM
The only thing that I can think of that comes close to an "open security" model is what the US 2nd Amendment was originally intended for. To put most of the citizens' security directly in the hands of the citizens. Where all citizens become part of the security model, to protect one's self and each other. The fact that it is known that most, if not all citizens are armed is quite open and serves as a deterrent of those kinds of acts, IMO.

****Note, I will not get into the politics of such a policy, just throwing it out there as one type of model. If I have still managed to cross a line of the CoC, by all means moderate this post.

grahammechanical
September 27th, 2013, 06:49 PM
In my mind the thing that limits any attempt to out-think criminals and terrorists is lack of imagination by those in authority. Until recently I was employed by a major UK high street retailer. I worked as a Fire, Health & Safety officer in one of the company's stores that was located in a shopping mall.

One year the management of the mall held a meeting with representatives of the various stores in the mall. Representatives of the emergency services were also there, police, fire, ambulance, as well as the local authority and even the government.

The idea was to talk our way through what each of them would do if a certain act was carried out in the mall. We started with the shopping centre management receiving a bomb threat and progressed through finding a suspect package onto the bomb exploding and what happened afterwards. At each stage the various organisations explained what they would do to react to this situation as it developed.

I went to this meeting but could I get anyone from the management of my store to come with me? And afterwards they were not interested in what was discussed. I was never debriefed. I had information that should have been part of the store's emergency pack and which management were required both by Company policy and legislation to be familiar with. But they were not interested.

There is a lot of information available. The basics are not top secret. There are books and leaflets on these kinds of subjects. An organisation's emergency plan should be available to all members of staff and training should be given. But an 'it will never happen here' attitude stops most attempts to take this kind of stuff seriously.

Here is some of the stuff publicly available in the UK:

https://www.gov.uk/government/organisations/department-for-communities-and-local-government/series/fire-safety-law-and-guidance-documents-for-business

Legislation is a good place to start but it is not the place to stop.

Regards.

Dave_L
September 29th, 2013, 05:52 PM
So here is my question, is it possible to make security plans open source?

I'm not sure I understand. Does this refer only to computer software? If so, then yes, open source is the best policy. The alternative is "security through obscurity", which doesn't eliminate weaknesses, but just hides them.

manoriax
September 30th, 2013, 01:39 PM
Well, I would say that it depends. I think it might enable citizens to have closer insight at what is really happening around them and thus it would give them a kind of motivation to participate and basically care about what is happening around them. They would not have to trust third-parties about their security. It would mean more self-reliance.
On the other hand, also "the bad guys" could have a look at the "security plans" (however obscure that term might be) and give them more attack vectors. However, in turn, this would conclude that the "responsible" people would take more care about the design processes of security concepts as they cannot rely on the fact anymore that nobody but them knows all the secrets.
I tend to see this a bit like most of the cryptographic algorithms in use out there: All of the important ones are public, everybody can have a look at the math and many people around the world are trying to break them (of course, this is a bunch of math combined with some random stuff). If anybody manages to break the algorithm, somebody has to invent something more secure.

eriktheblu
October 3rd, 2013, 06:55 PM
The problem with physical security is not so much knowledge of the methods, but willingness to implement, resources available, and balancing with function.

There is proprietary technology, but it generally isn't useful outside of security-focused agencies (military, police, etc.). Without sufficient training and maintenance, these technologies become more of a distraction than an asset. For security at a retail facility, the resources available in the public domain are likely a better choice.

You can make your buildings bomb proof, but it will cost more and not reduce loss from threats other than bombs. You can hire armed security, but it will bother patrons and cost more. Metal detectors will cost money, annoy patrons, and do little to prevent loss without enforcement (like armed security). You can arm staff members at little cost, but this requires a certain degree of trust and therefore higher wages. All motivating factors lead to externalization of security. Even in regions of the U.S. where martial training is readily available and defensive tools can be carried without restriction, people demonstrate little sense of responsibility for their personal security.