Comments on: Technology alarmism in spades

ID management expert Phil Libin says critics of a government security card program miss the point.

"If a biometric is stolen"

They mean exactly that. http://www.schneier.com/blog/archives/
2005/04/security_risks_2.html :

Police in Malaysia are hunting for members of a violent gang who
chopped off a car owner's finger to get round the vehicle's hi-tech
security system.
The car, a Mercedes S-class, was protected by a fingerprint
recognition system.

Yes. . .

I became worried about this scenario as soon as biometrics started to become the "next big thing."

Of course, some of the sensors out there are smart enough to distinguish a living finger and a dead one, but many criminals are very stupid and uninformed and would try it anyway. Fun, fun.

[Titos 2 Cents]

If ID management was this easy, this guy wouldn't have a job

Imagine what could happen to your credit today if your identity was stolen. A SSN, perhaps some identifying data from a website or bank record; it happens every day with the basic forms of identification we use. Now picture the world in five years, using ID that contains an incredible amount of personal data by comparison. With a one-stop source of ID, wouldn't the illegal demand for hacks rise as well?
The problem with technology as it relates to security is always the same - as fast as an organization can discover a way to protect something, five others have found a way to crack the nut.
I'm not an alarmist, I'm a realist. Banks are losing personal data. Phishing steals away the secrets of hapless victims, people devise physical tricks to capture credit card information using ATMs. Is the search for another's ID suddenly going to diminish once there's a new lock on the door? I think not. Phil Libin and his company will have plenty of work in their future, and I'd bet they already know it.

[frankly0]

I don't get what "strong encryption" buys us...

According to the piece, "The real long-term solution is to move to contactless cards with strong cryptography."

But what kind of protection is that really? If an ID card, or a passport has a contactless chip in it that can be read by a device at a distance, then presumably there will be 10s of thousands, if not more, of these reading devices, each of which can read that very contactless chip, and will be able to do so for lifetime of the chip (maybe 10 years?).

What on earth is going to prevent a reasonably intelligent terrorist from stealing just ONE of those devices, and souping it up so that it can read from a considerable distance?

Or are we only worried about the incompetent terrorists, who won't figure this out?

[eCurmudgeon]

The problem really is ...

... that the blasted techies insist on inventing all this stuff like RFID without giving a thought to the uses it'll be put to. When has a techie ever asked himself, "Is this really a good thing to create"?

[Phil Libin]

Thanks for the vote of confidence

I'm glad to hear that I'll still have a job. For the record, I'm not defending the program, only refuting sloppy criticism. On balance, I think the DAC is a good start, but that's a much longer topic.

[alx359]

the human factor is the irreducible problem

Any security system consists of 4 main components: the ID holder (e.g. chip card), the ID reader (e.g. ATM), the transport medium (wire/wireless) and the database of ID prints.

In at least one of these components the human factor is critical to keep the security system secure. As we well know, humans are inherently insecure "devices" in the secured chain and because we can never cut the human factor away, the build up of a 100% secure system is so futile as the Perpetuum Mobile.

Any secure system should offer levels of broader access for control and administrative purposes. Here is where the human factor becomes critical, as the wrong guy(s) (terrorist, corrupted official) could do harm proportional to the number of users and importance of data depending of such system.

So again security is always going to orbit around user education and the high morale of the key persons involved in the maintenance of such systems.

[ajbright]

Blind faith in technology

It constantly amazes me that the same press that over sensationalizes viruses, spyware and other forms of malware, continuously trumpets mythical technologies as the answer to all our national security problems.

Everything from impregnable databases, instantly displaying the details of wanted terroists to Homeland Security Officers (who incidentally have been found to be no more effective than the much maligned private security the airlines used to employ, and have also stated that technology will fix everything) to magic ID cards that will prevent 911 from happening again.

The flaws in these proposals are there for everyone to see. First of all there is no such thing as an uncrackable security system, secondly none of the proposed invasions on privacy would have stopped a single terroist from performing the attrocities of 911 (all of which had valid visas, and therefore would have easily obtained one of these new, techo-fix-all id cards). They didn't need to hide who they were, and several being listed in anti-terroism databases, were still able to board planes at will.

The other thing that constantly amazes me is that the US public is happy for their government to start spying on them, Nixon fashion, under the pretext that this will in some way protect them from terroism.

No doubt wiser heads than mine will explain how having national databases full of personal and biometric data will prevent people from other countries blowing up planes.

To be blunt Americans are being told that having their bank accounts monitored, their personal information stored in easily hackable, unencrypted databases, whilst at the same time carrying id cards that DO broadcast their identities well beyond the "several inches" often quoted, is in some way going to stop terroists.

All this is going to do is hand very large government contracts to this administrations friends and families, and while you may be able to prove beyond doubt who you are (yes, ofcourse, because all technology is infallible, and no one could possibly forge the identity of another person armed with a digital photograph on a plastic card, broadcasting it's data to anyone who can hack into the companies that produce said cards), terroists will be using their IT expertise (and you're a fool if you think they don't have any) to mass produce these so-called infallible id cards for their recruits to attack the US.

The worst part is that because everyone will believe these systems to be infallible two things will happen. First, when someone is wrongly listed as a person of interest, it will be impossible to get this corrected - because no one will believe that the system could be wrong, and secondly, when the system does query the id of someone using a forged card to enter the country, the very fact they're carrying one of these terroist-proof id cards will probably mean they get to pass through immigration without any problems.

[Michael Grogan]

What a load...

...the critics were absolutely right even if the details were flawed. The cards wiil be fallible and will be misused and abused. But the biggest point is it's not the hackers, crackers and terrorists we reallly need to be concerned with. We really need to be concerned that an ID like this is being implemented at all. If the government being able to track everyone's movements via an electronic ID card doesn't raise the hackles on your neck then you are a fool, and a dangerous fool at that.

EPIC's response

EPIC has responded to this article - http://www.epic.org/privacy/
surveillance/spotlight/0405response.html