May 2005, those were the days.


EPIC responds

Bruce Schneier, writing on behalf of the Electronic Privacy Information Center, has put out a well-written refutation of my recent criticisms of EPIC's report on the DHS smart card program.  (Links to EPIC's report, my original blog entry, the much-shortened C|net article and EPIC's response).

I'll post a more thorough response when I have a bit of time, but here's where I'm leaning:

1. I'll mostly concede the "ISO/14443 is RFID" point.   ISO/14443 clearly is "RFID" in the broad sense of the word, but much scare-hay has been made by applying non-ISO/14443 aspects of RFID to discussions about smart cards.  There's more to talk about here, but I was wrong and apologize for it.  The word "RFID" has taken on many meanings and I should have been more precise.  As I said in the original article, the only real answer is to move to strong, active cryptography on RFID cards which (among other benefits) would make it virtually impossible for an unauthorized third party to snoop a conversation.

2. I'm glad that EPIC admits their mistake on calling the DAC cards "Bluetooth".  However, I'm very puzzled by this "Bluetooth-enabled card holder" business.  If, as Bruce suggests, it's a way to rebroadcast card data over Bluetooth... that's just strange.  Not necessarily bad, but strange.  Ok, probably bad.  Maybe he means Bluetooth card readers.  That would make a bit more sense.  I've never heard any talk at DHS about these things, so I'm going to do a bit more research before commenting further.  Still, the cards themselves have nothing to do with Bluetooth and the card program should not be unjustly criticized because some hypothetical peripherals that use the card might be poorly thought out.  There will eventually be thousands of hardware and software products that work with government smart cards.  Some of them are bound to be dumb.   I could make a machine that sucks in your dollar bill and then punches you in the stomach, but my talking about such a machine should not subject the entire system of U.S. Currency to ridicule.  Come to think of it, the Vend-o-Punch™ might not be such a bad idea. 

3. I do not agree at all with EPIC's response on the biometrics points.  There's still a lot of confusion over the issues.  More on this later.

4. We've met about half-way on the PIN discussion.  A global and mandatory-override short (4- or 6-digit) PIN is probably a bad idea, although not for the reasons stated in the original report.  I think the DAC use of PINs is mostly fine.

5. The disclaimer about my indirect involvement with DHS appears on my blog but not on the C|net article because the editors at C|Net asked me to cut the originally submitted 1,700 words down to 700.  The blog is linked to from the article.

As an aside, Bruce Schneier is a demigod of sorts in the security industry.  His Crypto-Gram newsletter has been worth reading for a long time now.  I'm glad to see him engaged in this discussion.

May 30, 2005

You gotta start small


Breaking news from the Associated Press.  Probably fixed by the time you get there.

May 27, 2005

I buy a jelly doughnut

Here’s a blurry camera phone picture of me in front of “Snack Point Charlie”  - which is about fifteen feet away from Checkpoint Charlie -  in Berlin.  The city is now so seamlessly integrated that it took me a minute to puzzle out east from west.  May this be the fate of all divided countries.



May 21, 2005

I don't write my own headlines on News.com

A few weeks back, C|Net's News.com asked me to shorten my previous post about the faulty EPIC report for publication on their site.  I pretty much rewrote it from scratch to condense the same points into 700 words.  They published it yesterday in the "Perspectives" section.  There are already some great, substantive comments at the bottom of the  story.  My flippant answers are forthcoming in place.

The photo at the head of the story is kind of creeping me out.  I must have been thinking of pie when it was taken.

May 18, 2005

New York Times gets it at least two-thirds wrong

Yesterday, the New York Times online featured a brief video clip called Business Travel Minute: More Checkpoint Follies.  (Video links on nytimes.com are kind of screwy and the whole thing will probably disappear in a few days, but as of this writing, you could still watch the video at the link above.)  The piece is in the currently popular "airport security is absurd" genre and features three examples of alleged TSA bone-headedness.  Smug tittering aside, at least two of the ridiculed examples are perfectly understandable.

The first case is a toss-up:

An on-duty FBI agent was cleared to board a plane with a loaded gun, but her nail file was confiscated.

Ok, the end result here is absurd, but I do not find serious fault with the process.  How much leeway should gate inspectors be given to interpret the rule, "do not allow sharp metal things on board"?  Perhaps the law can be changed to give authorized airplane gun-carriers the additional authorization to carry knives (or be immune from the screening process in general), but unless that happens TSA inspectors should not be blamed for enforcing the rules.

Examples two and three are completely appropriate airport security behavior (at least as briefly stated by the NYT; there may have been other circumstances).

A woman holding an infant was ordered to remove her shirt.  When she refused, she was led away for a private inspection - and yes - the infant also got the full pat down.

Ho ho ho.  Wait, patting down an infant makes sense because, um, you can hide things on an infant.

An investment executive who's a retired navy man got so fed up with being treated like a suspect that he showed up at the airport in a tank top with all his military medals pinned on it.  Yes, he had to remove the medals.

What were they supposed to say? "Go right ahead and set off the metal detector, sir.  We trust that you don't have anything else in your pockets."  Come to think of it, a case could be made that any upset man who shows up at an airport wearing a tank top pinned through with dozens of medals (for proud service to the USA and/or eBay) should probably not be allowed to board at all.

There's no shortage of legitimate ridicule of US airport security (see my own attempts here, here and here), but this snickering from the New York Times is just dumb.

(Thanks to Dave Engberg for the link.)

May 4, 2005
