Monday, April 18, 2005
Government Insecurity... Again
Oh, this is rich....
A big part of my job as a bank CIO is security. I get paid to sweat the small stuff. I've ranted in the past about the use of Radio Frequency ID (RFID) and security. RFID was developed as an aid to control inventory. A warehouse receives a pallet of DVD players. Embedded into the pallet is an RFID tag. When the pallet passes a scanner, it is told that the warehouse has just taken possession of 20 Sony DVD players. RFID tags are perfect for this application. Count and catalogue products as they enter and exit a warehouse.
The problem with RFID tags is that they are very insecure. If you pass within 30 feet of them (some say within 300 feet), you can pick up the "signature" of the device and read the information it contains. Even if the information is encrypted, breaking the code is child's play. Not something you want to use for a high security application.
My last rant on this subject concerned our government's desire to use RFID for passports (Passport Security System Hacked). Bad idea. Now it seems the Department of Homeland Security (DHS) wants to take a bad idea, and make it even worse. Three times worse. I guess that's our government's idea of progress.
The DHS is coming out with a card call DAC - the DHS Access Card. As EPIC (Electronic Privacy Information Center) reports, this card will combine 4 different technologies for identification: RFID, Bluetooth, biometrics and a PIN (Personal Identification Number - like you use with your ATM card).
The card will be used "to access facilities and appropriate data stores across the DHS enterprise [NOTE: That means access DHS computer information]. The DAC also supports access to resources controlled by federal, state and local government entities as well as DoD and Foreign National resources." Employees will also be able to purchase goods and buy train fares. OK, let's recap: DHS buildings; DHS computer systems; Fed, state and local computer systems; Department of Defense Computer systems; Foreign National Computer systems. Oh, and a Snickers bar and train fare home.
The way the card will operate, is the employee can use any of the technologies to make the card "work". If RFID doesn't work, use biometrics (in this case, fingerprint scans). Bio doesn't work, use the PIN.
Sounds great, right? Easy to use with "redundant access features". Swell. If you want to forge a DHS employee's identity.
I've already talked about the weaknesses of RFID. Bluetooth simply makes it worse, by acting as a signal booster for the information. Now, instead of needing to be within 30 (or 300 feet) of the card to steal the signal, you can be as far away as a mile. Really. 5,280 feet. Brilliant.
Biometrics are nearly as bad. The scan of your fingerprint, retina or palm is held as a small digital file. When scanned, a number of "points" are noted from your fingertip, and these are translated into bits and bytes. Steal this file (via Bluetooth?) and you have the bio signature of that person. As EPIC stated,
Why don't these people talk with some real security experts? Why isn't this process similar to the one the government uses when choosing an encryption standard? In that process, they open the solution up to anyone that wants to take a crack at it. A panel of experts determines the best options from those submitted, then releases the results to the public so that it can be tested in the real world. If it fails, it can be corrected and tested again. DHS is rolling this card out to 40,000 employees on it's first crack!
No security solution is perfect. You will always have some weakness that can be exploited. You design your system to minimize the access to your weakness. It is just plain insanity to design a system that combines 3 proven insecure technologies into a single "security" device.
|
A big part of my job as a bank CIO is security. I get paid to sweat the small stuff. I've ranted in the past about the use of Radio Frequency ID (RFID) and security. RFID was developed as an aid to control inventory. A warehouse receives a pallet of DVD players. Embedded into the pallet is an RFID tag. When the pallet passes a scanner, it is told that the warehouse has just taken possession of 20 Sony DVD players. RFID tags are perfect for this application. Count and catalogue products as they enter and exit a warehouse.
The problem with RFID tags is that they are very insecure. If you pass within 30 feet of them (some say within 300 feet), you can pick up the "signature" of the device and read the information it contains. Even if the information is encrypted, breaking the code is child's play. Not something you want to use for a high security application.
My last rant on this subject concerned our government's desire to use RFID for passports (Passport Security System Hacked). Bad idea. Now it seems the Department of Homeland Security (DHS) wants to take a bad idea, and make it even worse. Three times worse. I guess that's our government's idea of progress.
The DHS is coming out with a card call DAC - the DHS Access Card. As EPIC (Electronic Privacy Information Center) reports, this card will combine 4 different technologies for identification: RFID, Bluetooth, biometrics and a PIN (Personal Identification Number - like you use with your ATM card).
The card will be used "to access facilities and appropriate data stores across the DHS enterprise [NOTE: That means access DHS computer information]. The DAC also supports access to resources controlled by federal, state and local government entities as well as DoD and Foreign National resources." Employees will also be able to purchase goods and buy train fares. OK, let's recap: DHS buildings; DHS computer systems; Fed, state and local computer systems; Department of Defense Computer systems; Foreign National Computer systems. Oh, and a Snickers bar and train fare home.
The way the card will operate, is the employee can use any of the technologies to make the card "work". If RFID doesn't work, use biometrics (in this case, fingerprint scans). Bio doesn't work, use the PIN.
Sounds great, right? Easy to use with "redundant access features". Swell. If you want to forge a DHS employee's identity.
I've already talked about the weaknesses of RFID. Bluetooth simply makes it worse, by acting as a signal booster for the information. Now, instead of needing to be within 30 (or 300 feet) of the card to steal the signal, you can be as far away as a mile. Really. 5,280 feet. Brilliant.
Biometrics are nearly as bad. The scan of your fingerprint, retina or palm is held as a small digital file. When scanned, a number of "points" are noted from your fingertip, and these are translated into bits and bytes. Steal this file (via Bluetooth?) and you have the bio signature of that person. As EPIC stated,
Once a biometric identifier has been compromised, there can be severe consequences for the individual whose identity has been affected. It is possible to replace a credit card or Social Security numbers, but how does one replace a fingerprint, voiceprint, or retina scan? It would be difficult to remedy identity fraud when a thief has identification with a security-cleared federal employee name on it, but the thief's biometric identifier. Or, in a more innocuous scenario, the identities of employees with different security clearances and their biometric identifiers are mismatched in their files due to human or computer error.So what does that leave us with? If the high-tech stuff doesn't work, go with the PIN. You know, that number that's written on a scrap of paper you've got squirreled away in your wallet. Think about that: You could have access to all of those government (and foreign government) resources, simply by gaining access to a 6-digit number.
Why don't these people talk with some real security experts? Why isn't this process similar to the one the government uses when choosing an encryption standard? In that process, they open the solution up to anyone that wants to take a crack at it. A panel of experts determines the best options from those submitted, then releases the results to the public so that it can be tested in the real world. If it fails, it can be corrected and tested again. DHS is rolling this card out to 40,000 employees on it's first crack!
No security solution is perfect. You will always have some weakness that can be exploited. You design your system to minimize the access to your weakness. It is just plain insanity to design a system that combines 3 proven insecure technologies into a single "security" device.
Tuesday, April 12, 2005
Eminent Domain
It's all about the bucks...
Shit like this just makes my blood boil.
Eminent Domain is a legal process whereby the government can require you to sell your property - and pay you market rates - should they deem your property is required for some greater public good. Normally, this happens when a highway needs to be widened, or a new airport built, or a new sewage treatment plant erected. These are all public works that are owned and operated by a public entity.
The Fifth Amendment - normally thought of as a protection against self-incrimination ("I plead the 5th, your honor") - also addresses the protection of personal property rights. In particular:
Obviously, this is about more than 15 homeowners having their property taken "for the public good". It is about how government of all stripes - local, regional, state and federal - have this overriding need to control every aspect of our lives. In this case, instead of coming up with an alternative plan - different location, different layout, different tax generating solution - they bull forward and boot these people out of their homes. They do it, because they can.
Where do you draw the line? Do you bulldoze a block of low-income homes so that a private developer can build luxury apartments? How about confiscating a few hundred acres of "unused" ranch land - land the owner does not want to part with - to be used for a municipal (government run) golf course? Using New London's criteria, you most certainly could take these lands by force.
If government is able to confiscate our property simply to increase the tax base, the spirit, if not the actual intent of the Fifth Amendment are worthless.
|
Shit like this just makes my blood boil.
Eminent Domain is a legal process whereby the government can require you to sell your property - and pay you market rates - should they deem your property is required for some greater public good. Normally, this happens when a highway needs to be widened, or a new airport built, or a new sewage treatment plant erected. These are all public works that are owned and operated by a public entity.
The Fifth Amendment - normally thought of as a protection against self-incrimination ("I plead the 5th, your honor") - also addresses the protection of personal property rights. In particular:
...nor be deprived of life, liberty, or property, without due process of law; nor shall private property be taken for public use, without just compensation.The last section, in particular, is where Eminent Domain comes into play - private property should only be taken for public uses. The folks from New London, Conn., have a new twist on things. They wanted a 90 acre parcel, which they gave to Pfizer pharmaceuticals - a private company - in exchange for a new research facility.
New London officials say they can appropriately use eminent domain to acquire the land from the homeowners because the development would create jobs and bring in additional tax revenue -- providing the revitalization they think the city needs.Fifteen homeowners disagreed that this was an appropriate use of eminent domain, and it's been taken up by the US Supreme Court.
Obviously, this is about more than 15 homeowners having their property taken "for the public good". It is about how government of all stripes - local, regional, state and federal - have this overriding need to control every aspect of our lives. In this case, instead of coming up with an alternative plan - different location, different layout, different tax generating solution - they bull forward and boot these people out of their homes. They do it, because they can.
Where do you draw the line? Do you bulldoze a block of low-income homes so that a private developer can build luxury apartments? How about confiscating a few hundred acres of "unused" ranch land - land the owner does not want to part with - to be used for a municipal (government run) golf course? Using New London's criteria, you most certainly could take these lands by force.
If government is able to confiscate our property simply to increase the tax base, the spirit, if not the actual intent of the Fifth Amendment are worthless.
Friday, April 08, 2005
Comfortably Numb
“Political correctness” is not an annoying fad. It is a deadly serious means of preventing public discussion of things that those in power do not want discussed (for example, race, affirmative action, illegal immigration.)If you've never read Fred Reed of Fredoneverything.net, you're truly missing out on some great observations, commentary and humor. I've recently learned that Fred has done what my wife and I are considering: Becoming ex-patriots, largely because observations such as above accurately reflect reality.
The quote, culled from essay number 270: The Path of Democracy, truly cuts to the chase for me. Americans have become nothing more than cattle: docile creatures that are easily spooked, overly dependent on our handlers, and easily prodded to comply to the whims of the herd. Don't acquiesce to the crack-of-the-whip by one of the ranch hands, and you're a Quarter Pounder at McDonalds. Don't run with the stampede - started by the ranch hands - and you're likely to be trampled.
Why have we become so fat, dumb and happy?
America is no longer a nation of rifle-toting frontiersmen or self-sufficient farmers. It is a nation of employees. On average they are heavily indebted, imprisoned by the retirement system, unable to farm, fish, hunt, defend themselves, change their spark plugs or build a shelter. They cannot live without the state, which leaves…who in charge?It's so true. Collectively, we've become "employees" of the state. We are told what to do, when to do it and how to act as we're working. Toe the line, keep our heads down, and we're rewarded with a sense of security - real or imagined - and a government stipend when we're old and frail.
Rarely do average American's have to make a real decision. Rarely do we want to make a real decision. A decision that matters. We take what's doled out by our benefactor and seldom care about the consequences. We're living in Pink Floyd's Comfortably Numb world.
It's discouraging to see how our youth are becoming so pliant to Nanny. My oldest son questions everything. He will rarely take anything at face-value. He does not suffer fools lightly, be they peers, teachers or other adults. He will
comply when he must, but always provides the "ranch hand" with plans for a better mousetrap.
My youngest, while not always happy with what he must do, will eventually comply, generally without comment or conflict. To do otherwise requires an effort. "The result will be the same", he laments. "Why bust my ass for nuthin'?"
More often than not, I see "younger sons" populating our society.
Look at the fight we're having over Social Security. The Conservatives want to allow you to manage your own retirement, your own destiny. The Liberals will have none of that. Nanny knows best. The poor, uneducated masses don't know what's best, so we'll just take care of it for them. Forget trying to instill independence and promote critical thinking skills. Since the 1930's, Nanny's stance has been, "Take the decision away because the masses don't have the capacity to make these important decisions."
Tragically, Nanny may finally be right.
Tuesday, April 05, 2005
Michael Getting Hosed?
If Nanny Wants You In Jail, You're Goin' Down
Just so you don't feel the need to draw and quarter me, I think Michael Jackson most probably molested kids. No "regular" adult has kids sleep over, porn all around, etc. Whether he molested the kid that's in his current trial is up to a jury to decide. And that's where I've got a problem.
I read today that the prosecution has been allowed to introduce witnesses that say Jackson molested them in the past. They have nothing to do whatsoever with the supposed molestation of the current accuser.
The prosecution says this testimony is needed to show a pattern of abuse. First of all, Jackson has never been convicted of child abuse. Ever. Secondly, what do "alleged past acts" have to do with the current accusations? If I were accused of beating my dog 20 years ago, does that mean current accusations that I tortured my dog last year are more likely to be true?
Of course not.
Past acts - proven acts, not accusations - can and should be used when (and if) you enter the sentencing phase. Accusations of past acts - hell, even proven past acts - should not be allowed as "evidence" into a new, unrelated trial. All current charges need to be proven and tried on their own merits.
MJ is gettin' hosed....
|
Just so you don't feel the need to draw and quarter me, I think Michael Jackson most probably molested kids. No "regular" adult has kids sleep over, porn all around, etc. Whether he molested the kid that's in his current trial is up to a jury to decide. And that's where I've got a problem.
I read today that the prosecution has been allowed to introduce witnesses that say Jackson molested them in the past. They have nothing to do whatsoever with the supposed molestation of the current accuser.
The prosecution says this testimony is needed to show a pattern of abuse. First of all, Jackson has never been convicted of child abuse. Ever. Secondly, what do "alleged past acts" have to do with the current accusations? If I were accused of beating my dog 20 years ago, does that mean current accusations that I tortured my dog last year are more likely to be true?
Of course not.
Past acts - proven acts, not accusations - can and should be used when (and if) you enter the sentencing phase. Accusations of past acts - hell, even proven past acts - should not be allowed as "evidence" into a new, unrelated trial. All current charges need to be proven and tried on their own merits.
MJ is gettin' hosed....
Friday, April 01, 2005
Happy Happy Birthday, Baby
Wow. It's been a year since I started this rag. Some might say it's appropriate that this was started on April Fool's Day....
My first rant was about how requiring high school students to wear uniforms was just another step towards Nanny forcing Conformity instead of promoting Intelligent Thought. Hey, instead of punishing those that abuse the system, crack-down on everyone - make them all Pretty Little Soldiers.
Anyway, my goal has been to promote self-sufficiency, smaller government intervention into our lives and to foster the idea that the words in our Constitution are pretty damned impressive - truly, words to live by.
I hope I've done a little of that along the way.
|
My first rant was about how requiring high school students to wear uniforms was just another step towards Nanny forcing Conformity instead of promoting Intelligent Thought. Hey, instead of punishing those that abuse the system, crack-down on everyone - make them all Pretty Little Soldiers.
Anyway, my goal has been to promote self-sufficiency, smaller government intervention into our lives and to foster the idea that the words in our Constitution are pretty damned impressive - truly, words to live by.
I hope I've done a little of that along the way.