Common ID mandate
Last Friday, the White House issued a presidential directive calling for a “Policy for a Common Identification Standard for Federal Employees and Contractors”. The policy is mandated to be completed by March, 2005 and by November 2005:

“… the heads of executive departments and agencies shall, to the maximum extent practicable, require the use of identification by Federal employees and contractors that meets the Standard in gaining physical access to Federally controlled facilities and logical access to Federally controlled information systems.”
This is big news: a common standard for identification credentials to be used for both physical and logical access for the roughly 60 million US government employees and contractors. The contractors have a very important role to play. Once big contractors like Boeing, SAIC, Raytheon, etc. start giving smart cards to all their employees for use on government work, they’ll naturally want to leverage the investment on the commercial side as well. I’ve often said that real credentials and validation are the only ways to solve common problems such as phishing and identity theft. Just as with the development of the Internet, the federal government is once again the main initial catalyst for new technology that’s going to change the foundations of mainstream business transactions in the near future.
The big question: If this grows past government employees, can we do it without infringing on people’s rights? I think we can.
[The small question: Is the “near future” near enough for my investors to make a healthy return? I think it is.]
August 30, 2004 | Permalink | Comments (0)
I round out my expertise
I spend a lot of time talking about the convergence of physical and IT security. This usually means prognosticating on how your “firewalls and VPNs” strategy has to work with your “locks and gates” strategy and your “guns and dogs” strategy. My knowledge of the last category is purely theoretical.
Today I decided to do some hands-on field research to add a touch of practice to the theory, so I drove out to the Boston Gun Range (cleverly located an hour away in Worcester – beware of extremely annoying gun shot sounds on the website) to shoot some guns. Under careful adult supervision, I worked my way up from a Ruger .22 to a Glock 9, Smith & Wesson .44 and, naturally, the gold-plated Desert Eagle .50 caliber, which throws a bullet about the size of a small school bus. It was keen.
I wonder if next time they’ll let me shoot up my always-broken WiFi access point. That would be some seriously therapeutic convergence.
Now how do I learn about “dogs”?
August 27, 2004 | Permalink | Comments (3)
I asked for a debate
There’s a pretty good and lengthy discussion brewing in the comments section on my last post about national IDs. I say this as a service to my RSS and Bloglines readers who, as far as I can tell, do not normally get to see comments (and who don’t show up on any of my page view stats). Oh, you’re so smug.
August 23, 2004 | Permalink | Comments (0)
E-Voting radio link
The Viewpoints Radio e-voting interview I did last month is up on the web. Here’s the audio clip (Windows Media, 2:32 minutes) and my blog entry from when it happened.
Viewpoints Radio bills itself as, “Compliancy-based public affairs” and runs weekly on 250 radio stations. According to my calculations, that means there’s a 6% chance that my rambling about public disclosure of voting machine innards is interrupting somebody’s smooth-jazz marathon right now.
August 21, 2004 | Permalink | Comments (0)
Charlie Wilson’s Movie
Thanks again to Lee Wright for pointing out that someone in Hollywood apparently has the good sense to make a movie out of George Crile’s Charlie Wilson’s War. To continue the arbitrary comparison started in my previous review of the book, I’m certain that the movie will feature more cocaine, true-life espionage and attack helicopters than, say, The Chosen.
Tom Hanks will be playing the eponymous congressman. No other casting information is available, but I hereby decree that the role of CIA-meshuganah Gust Avrakotos must be played by Harvey Keitel.
I await my check from central casting.
August 20, 2004 | Permalink | Comments (0)
National ID debate
Senator John McCain and the 9/11 panel have called for a debate on the idea of issuing National ID cards. There’s a lot of confusion about this issue, so it’s good to see our political leaders engaging in serious discussion about it:
Kean replied that the commission had judged biometric screening -- using techniques like fingerprinting or retinal scanning -- to be "a little less intrusive," but acknowledged "A national ID card would be another way to do it."
Unfortunately, the above quote is total gibberish, but at least they’re talking.
My take is that a National ID Card program, if done properly with a very carefully thought out set of policies and technologies, would be the single best thing we can do to increase security in this country. However, if done poorly, it could easily be every bit the disaster that the ACLU and other privacy groups are predicting. What’s the US government’s track record for doing such big things reasonably well? Not as bad as you think, really.
I have hope that it can be done well. More than hope, actually; CoreStreet is actively involved in trying to shape the architecture for similar programs at home and abroad. I believe that a properly architected National ID program will not erode privacy, but enhance it. It will not constrain our freedom of movement, but expand it.
Of course, there are many opportunities for serious mistakes and ominous turns. Full transparency and public scrutiny of the procedures and technologies will be required. The government must resist the urge to be secretive about National ID plans. This is vital and complex and our country is not well served by knee-jerk reactions from either side. We must wrestle with the substantive issues.
If this were on the Daily Show right now (I have not yet been invited), now is the time when Jon Stewart would rub his eyes and say something like, “I don’t think this audience is gonna wrestle with anything more substantive than stale Cheetos.” Funny… true, etc. We can’t keep our attention on anything important in this country. Let’s try just this once.
You know, just to be different and stuff.
We’ll work on the architecture and the debate. The national conversation must be vigorous and closely monitored by skeptics. It would help if our leaders could get the basic concepts of biometrics, databases, validation and credentials straight. We’ll work on that part as well.
August 19, 2004 | Permalink | Comments (13)
SpoofStick Update
We’ve just released a new version of SpoofStick for Internet Explorer (v. 1.02) that addresses a newly discovered IE flaw described by this Secunia advisory. As always, you can download the latest version at the CoreStreet SpoofStick homepage.
The flaw is not present in Firefox, so no update to the Firefox version of SpoofStick is necessary.
For those of you keeping count, we’ve had over 130,000 downloads of SpoofStick since the official release three months ago.
[Update: Oooh, that’s an average of about one download every minute.]
August 18, 2004 | Permalink | Comments (40)
Kind of sad
Here are two pictures of quickly-disappearing vintage European phone booths that I took with one of the devices that are making them disappear.
Cell phones are better in virtually every respect, but it seems like we’ll lose something of the universal city fabric when phone booths are finally relegated to technology museums. It is fitting that the last generation of cell phones to overlap widely with phone booths have cameras on them to help document the evolutionary passing of their predecessors. When you take a snapshot of a phone booth with a camera phone, you get a neat trophy, but you also feel like you’ve helped speed the demise. At some point, the only function of phone booths might be to be photographed by camera-phone-toting tourists.
Leicester Square, London. Taken with a Motorola V300.
Was it built at a time when it was considered unthinkably rude to subject passersby to your conversations, or simply when transmission quality was so bad you had to isolate yourself from the outside noise?
Gamla Stan, Stockholm. Taken with a Motorola V300.
Notice the raised standing platform for inclement weather.
Anyone else have these kinds of snapshots? There might be a geek-sentimental photo book waiting to be made here. I’ll try to snap more on my next trips.
August 16, 2004 | Permalink | Comments (16)
New X-Ray
I was flying out of London’s Heathrow airport a few days ago and was pulled aside by a security officer for a “random” screening through a new x-ray machine. The officer explained that this was a “perfectly safe” procedure that would take four “low-intensity, high-resolution” x-ray images of my body. If I didn’t want to go through the machine, I could choose an old-fashioned manual search instead. That sounded ominous, so I agreed to the hands-off option.
The officer took me to a semi-private section near the security line and asked me to empty my pockets. Then I had to stand with my back to a wall, click, turn sideways with my legs apart and my arms away from my body, click, turn to face the wall, click, and turn to the other side with legs apart and arms away from my body, click. The whole thing took about 30 seconds.
I was interested in what the images looked like, so I asked the officer if I could see the computer display. He initially said no, but I used the secret code-phrase to identify myself as a fellow security professional (“aw come on, lemme see”), so he took me into a little room a few feet away and showed me the monitor. Luckily for the world, there is no surviving picture of myself standing with legs apart and arms away from my body, so here is a Photoshop recreation using the closest stand-in I could find and my best memory of the event:

“Yikes”, I said, “that’s unattractive.” The officer explained that, of course, the x-ray makes the image very squashed in the vertical axis. “Of course”, I concurred. You couldn’t exactly see bones, but all clothes were effectively removed. It looked like I was wearing a splotchy full-body stocking (I wasn’t at the time), but the splotches were probably internal bits. All in all, it looked like this scanner would do a good job finding anything suspicious. I can understand why they have the monitor in a separate room; many people might be a bit offended at seeing themselves like this. I also feel bad for the guy who has to sit in a closet and look at quasi-naked, splotchy fat people all day. It’s bad enough in London, but I don’t envy the operators when this thing gets installed in, say, Houston.
My verdict: This thing is great. It’s fast, convenient and (most likely) effective. I’ve written before about how the metal-detector ceremony is mostly useless and I’m glad that new technology is finally doing something about it. This type of x-ray combined with one of those air-puff explosive detectors would be an ideal passenger-entry unit.
Oh, the real secret to the code-phrase is the inflection. Don’t try it yourself unless you really are a security professional, or you'll get it wrong and wind up in airport jail.
August 13, 2004 | Permalink | Comments (2)
Doing something about the weather
I’ve been bouncing around northern Europe for the past few days and have noticed at least one way in which this part of the world is less advanced than the USA. They may have better cell phones, better service, better food and better transportation; but one glaring deficiency diminishes my enjoyment: Europe is insufficiently air conditioned.
Even fairly high-end hotels, shops and cars are typically left at the mercy of the outside temperature. I’m so used to ubiquitous artificial refrigeration in the US that walking into a hot building feels, well, unnatural. Of course there are plenty of Europeans who would argue that US consumption of energy to keep our entire half-continent at 68 degrees (F) all year round is exactly the sort of thing that causes global warming and is therefore responsible for the recent record high temperatures of European summers, which is why they need air conditioners for the first time in history. I’ve heard this twice now, but it’s a long train of thought and, as an American, I can only get as far as the dining car. If we’re going to keep ruining their environment, I’m going to have to remember to stay home in August.
August 9, 2004 | Permalink | Comments (5)