Monday, October 18, 2004

RFID, Security and Your Privacy 

Ulterior Motives?

There is a relatively new technology, Radio Frequency Identification (RFID) that is being considered as a way of making passports less likely to be counterfeited. While the goal is laudable, this is the wrong technology to accomplish this task. And there may be other motives involved here, too.

RFID is currently used by retailers as a way of using automated systems to keep track of their goods. For instance, when a shipment of TV's is brought into a warehouse, an RFID chip that's embedded in the pallet tells the retailer that they just took possession of eight sets made by Sony. An automated conveyor system can then place the TV's in a particular section of the warehouse. Very cool stuff.

The Department of Homeland Security (DHS) is proposing that a similar thing happen with American passports. They're proposing that a chip be embedded in our passports.

On first blush, this may seem like a good idea. But it's not. It actually has the potential to be used as a tool against Americans that are traveling abroad. There are also concerns about Nanny using this as a tool for tracking our whereabouts.

First, a little background. When you design a security system, you must expect it to be compromised. You want to reduce the number of "points of failure". For instance, most people at work have a password that is required to access information on their employer's computer system. The employer knows that, if allowed, an employee will use the same password for all of the various systems they must access. To combat this weakness, they have systems in place that require the passwords to be changed on a periodic basis.

The DHS is building a system that is known to have a number of weaknesses. For instance, the RFID chips work by broadcasting the information they contain. A nearby receiver accepts and processes the information. Privacy advocates contend that this is a serious problem. Visualize yourself in a foreign airport - say somewhere in the middle east - and you have this beacon in your breast pocket that is broadcasting the fact that you're an American.

DHS official contend that the devices are only readable if they're within a few inches of a reader. Wrong. RFID chips have been read as far away as 400 feet - well over the length of a football field.

The same thing was believed to be true when wireless networks first came around. "They can't project past the walls of the building." Really? Some students took a Prigles can (really!) and some parts from Radio Shack and made a directional antennae. Do you think a terrorist might be able to come up with something similar?

They then counter that the chips will be encrypted. Oooooo. Now I feel safe. Again, going back to wireless, the standard used (called 802.11) had an encryption scheme that was deemed unbreakable. And it was. For a month.

Let's assume they came up with an encryption algorithm that was unbreakable. How long do you think it would be before one of the thousands of portable scanners that would be required to read the data, would come up missing? With access to the scanner, it could be reverse engineered, and the encryption algorithm would be essentially useless. This would also provide terrorists or criminals with the information needed to produce their own forged passports.

All of this begs the question, "Why would they want to use this technology?" I'm not part of the "black helicopter" crowd, but I do think our government has shown a proclivity in the past for breaking our privacy right. If you don't know the story behind Carnivore, read up here.

Bruce Schneier, Founder and Chief Technology Officer of Counterpane Internet Security, Inc., has some ideas:
The administration is deliberately choosing a less secure technology
without justification. If there were a good reason to choose that
technology, then it might make sense. But there isn't. There's a
large cost in security and privacy, and no benefit. Any rational
analysis will conclude that there isn't any reason to choose an RFID
chip over a conventional chip.

Unfortunately, there is a reason. At least, it's the only reason I can
think of for the administration wanting RFID chips in passports: they
want surreptitious access themselves. They want to be able to identify
people in crowds. They want to pick out the Americans, and pick out
the foreigners. They want to do the very thing that they insist,
despite demonstrations to the contrary, can't be done.
There may be some basis to his supposition. It just so happens that the company that makes the RFID chip being proposed for the passports also makes [gasp] a chip for tracking people. In fact, that's how they got started.

There are myriad technologies out there that are much better suited to this type of application - iris scans, facial recognition programs, even the simple fingerprint. These are all part of a category of authentication tools called, "biometrics". These tools require that a physical characteristic of the individual being identified be used. Since no two human beings are exactly alike - even twins - this offers a greater likelihood of positive ID, without the risk of breaching the privacy of the individual.

Is Nanny working to protect us or track us? Regardless, the DHS needs to focus on their mission of protecting the Homeland. The practices and methods they employ must be proven, "best of class" solutions, not ones where defeating the system is mere child's play.


Tuesday, October 05, 2004

Risk Analysis 

Your Tax Dollars At Work

I find it very disconcerting how American is become so easily cowed by Nanny - our government. We're like little huddled, shivering babes-in-the-woods. And the government does nothing to dissuade us from our belief that we are helpless without ole' Uncle Sam there by our side. Many, including myself, believe that the current administration attempts to leverage this fear by perpetuating this sense of helplessness. Now, they're not unique, they're just the latest to spread the fear. Code Yellow. Code Orange. Code Red. Sorry, no specifics, but the boogie man is out there. Boo!

Why do they do this? To stay in power, of course.

My work (as a Chief Information Officer) involves risk analysis. I need to look at a set of risk profiles and vectors (what hackers can do and how will they get into our systems) and determine their threat to our company. This analysis includes: Is this threat likely to occur? What would be the impact (financial and reputational risk) should it occur? What would be the cost to build a "bullet-proof" solution to stop this threat?

I look at all of these factors and design a solution. It is never perfect. It can't be, as that would be too expensive or require that all systems be taken off-line, rendering them useless.

Instead, we use a practice of Depth In Defense. We build layer upon layer of protection. The attacker must penetrate multiple layers to be successful. Router to firewall to proxy to Intrusion Detection System to network virus scan to host virus scan to logon ID to password. That's a lot to go through to breach a system.

Virtually none of those protections would be needed if I could trust our users. Trust them not to surf porn sites. Trust them not to open email messages from unknown sources. Trust them not to click links to unknown sites.

But I can't trust them. So I must build this cocoon around our systems to protect the assets of the corporation.

That is exactly how Nanny thinks, too. They don't trust us to be self reliant. What I'm seeing in our society is this omnipresent fear that is stopping us from living our lives and our reliance on the government to protect us from every imaginable boogie man.

Have you ever heard of GHB? It's that date-rape drug that guys drop into a woman's drink. She passes out, gets raped, and doesn't remember anything that happened. It is an epidemic, particularly in college towns and in major urban centers, typically with women in the 21 to 34 age group. Many women defend themselves by now carrying their own bottle openers and will only drink from bottles they open themselves. This is in response to the last defeated defensive measure which was to never drink mixed drinks, only bottled drinks. The scumbags figured out that you just need to put the drops into the bottle on the way back from the bar.

Oh, and this epidemic.... in a country of 280 million people, there are forty reported cases a year. But the media and the government jump all over this to reinforce the idea that, "you're not safe unless Nanny is there to protect you".

Do you know how many people die each year in America from the flu? Forty THOUSAND. Every year. Hell, that's an entire small town. Wiped out. Why don't we hear much about this? Sure, each year some Doc from the CDC tells us to remember our vaccinations, but that's about it. Then 40,000 die. Just like the year before and the year before that. We don't hear anything about it because the government knows there is nothing they can do to protect us. Those people, mostly very young or very old, are going to die, regardless of any government interaction. So they keep their mouths shut.

Look at what the government does each year with DUI statistics. According to the National Highway Traffic Safety Administration (NHTSA), their own statistics are just a guess.
"Estimates of alcohol involvement in fatal crashes for the U.S. are based on data from NHTSA's Fatality Analysis Reporting System (FARS). Known BAC [Blood Alcohol Content] test results are not available for all drivers and non-occupants involved in fatal crashes for a number of reasons, most frequent of which is that persons are not always tested for alcohol. To address missing data, NHTSA has developed and employs a statistical model to estimate the likelihood that a fatal crash involved driver or non-occupant was sober (zero BAC), had some alcohol (BAC of 0.01-0.09) or was intoxicated (BAC of 0.10) at the time of the crash. The statistical model was developed using all available known data in the aggregate (that is, at the national level) and applied to each individual driver and non-occupant with an unknown BAC test result. The estimates include a mix of both known and estimated BACs."---(DOT HS 809 334).
Well, isn't that special? If you don't know the answer, just guess. Did you also know that if you are driving down the road, sober as can be, and you kill a drunk that falls in front of your moving car, it is considered to be a, "alcohol related fatal crash"? Yep. From their web site:
It is necessary to emphasize that none of the tabulations presented can be interpreted as implying a direct causal relationship between alcohol use and any other attribute of fatal crashes. Inferences concerning causality can only be made on the basis of additional data that is independent of the FARS data.
Funny how this quote is never mentioned when the bureaucrat is at the press conference releasing the data. Because of this fear of rampant drunk driving that has been ingrained in our collective psyche, we now are quite OK with allowing road side sobriety check points. "If you're not breaking the law, you should have nothing to hide." What ever happened to probable cause? I fully support pulling someone over that is swerving on the freeway. They are exhibiting characteristics of someone who is actually a threat to a fellow citizen. How can the same be said for the check points? They reek so awfully of East German or Soviet Union border crossing stations. "You vill show me zee papers, NOW!"

Little by little, we are becoming accustomed to giving up our freedoms. It is time for all Americans to do a little Risk Analysis of their own before there are no assets - our rights - left to analyze.


Friday, October 01, 2004

My Boy Done Good 

La Cucaracha

My oldest son has been playing football now for 4 years. Last year as a sophomore, he earned the starting offensive tackle position on the junior varsity. His season was cut short by the two screws that were required to put his broken leg back together.

It must be nice to be young. He was playing rugby within 4 months of the football injury!

Anyway, this year he made varsity, but isn't big enough for offensive tackle, so he moved to center, a position he's never played before. He's started in all 3 of their games, and will be starting tonight as well (it's their homecoming game).

Anyone who's played football knows that the offensive line is the least glamorous part of the team. Your name never gets announced over the loudspeaker, you only get public recognition when it was your guy that sacked the quarterback, and the prissy little running backs let the world know that they are God's gift to football for running through the holes the linemen made. John Madden is the only TV announcer that gives them their due. (I played defensive end/tackle in high school and college 'cause I'm a glory hound!).

The offensive line coach has come up with a way to reward the O-line. Anytime they knock an opposing player on their back (so he looks like a bug with his legs up in the air), they get a cockroach sticker for their helmets! The best "cockroach" hit of the game gets a T-shirt with a picture of a big cockroach on the back.

Guess who's been wearing one of these T-shirts around the house this week?

My son's team had an away game that was real tight. Great game. Our touchdown was a middle screen. This is where the defensive line is allowed to get by the O-line with just a light smack. The running back slips past these guys, the quarter back dumps him the ball and it's off to the races.

The other linemen were occupied with trailing linemen and some line backers. All that was left was my son leading the running back and two defenders - a linebacker and a defensive back. The linebacker had been having a very good game. I guess he determined that he was probably 2-3 inches taller and 20 pounds heavier than my son, so he got cocky. He made the mistake of taking on my son almost fully standing up. Bad, bad mistake.

With a full head of steam, my son hit him just below the numbers, and this fucker went flying! He was literally in the air. The dumbshit defensive back was right behind him, and got taken out in a domino effect. Six points, baby! The extra point made it 7. We ended up winning by a score of 7 to 6.

I don't think I'll be able to look at a cockroach quite the same ever again. Viva La Cucaracha!


Rumblin', Bumblin', Stumblin' 

That Was Painful To Watch

I want BushCo out of the White House. I want this in the worst way. I am not pro-Kerry, I'm anti-Bush.

At least I was before last night's debate. Holy crap, Bush was handed his lunch, already eaten. Honestly, I was embarrassed by his "deer in the headlights" stares, his stammering, his "this is hard" mantra.

It was awesome!

Kerry was polished, fought back forcefully whenever one of Bush's little white lies dribbled from his lips, and had the president on the defensive the entire night. He looked presidential.

Bush was shaken badly. It looked like he wanted to throw a tantrum. "Fuck You, Asshole. This job is HARD", was ready to spring from his lips. Yeah, cry me a river.

They've got to be shitting bricks in the West Wing today.


This page is powered by Blogger. Isn't yours?