PIVMAN (was almost) Legend
About a year ago my previous company, CoreStreet, was approached by the makers of "I Am Legend". They wanted a PIVMAN handheld to potentially use as a prop in the movie. We lent them the equipment, but never heard whether or not PIVMAN actually made it into the shoot and survived the editing process.
I went to see the movie on opening night with a few west-coast CoreStreet expatriates and the goal of cheering wildly for our favorite inanimate prop. (I was going to make a Will Smith joke here, but it wouldn't make sense as he's quite convincingly emotive.) Unfortunately, PIVMAN was replaced by some kind of large, hand-held computer that pretended to be a virus-detecting eyeball scanner.
It's a good thing PIVMAN was cut, since the plot called for the replacement scanner to fail in a particularly embarrassing way while sorting out zombies from humans and I'm not sure I would have wanted to be associated with that sort of thing.
For those of you now hankering for some PIVMAN action, the original comic book (for which I get co-author credits, w00t!) is still a good read as far as corporate marketing brochures go. Maybe the next issue will have zombies.
December 16, 2007 | Permalink | Comments (0) | TrackBack
Security Theatre in Manzanillo

I recently came back from a great trip to Manzanillo, Mexico. I always know that a vacation is over when I feel the first brush of the long arm of US airport security. In this case, it was at the ticket counter for the sole US-bound flight. All passengers had their bags thoroughly hand-searched before getting their tickets. Our carry-on bags were then handed back to us and we passed the time milling around in the small front lobby, going into and out of random parked cars and grazing at the souvenir shops. I asked the guy searching my bag about the logic of doing this outside of a controlled environment and with no attempt to prevent someone from adding contraband to their bags after the search, and was cheerfully told, "rules for American". Of course there was another, proper, security checkpoint that everyone had to go through to get to the gates. It's nice to know that folks traveling to the US get the added benefit of a bonus "warm up" search, even if it obviously doesn't count.
Geech says that this isn't Security Theater anymore, it's maybe Security Circus. I'm afraid of clowns.
April 15, 2007 | Permalink | Comments (1)
I mumble about Real ID
Jon Udell has posted a podcast interview with me about Real ID. We've both written briefly about it recently. I just listened to the podcast again and must say that Jon is really good at asking the right questions. His questions in the interview are a lot better than my answers.
Plus I don't really sound like that in real life. How do radio people ever get used to hearing their own voice?
April 2, 2007 | Permalink | Comments (2)
Thinking about Real ID
DHS has published the proposed details of the Real ID act and criticism is starting to pour in from all sides. The Real ID act is supposed to standardize the driver's licenses issued by the states. Supporters say that this is necessary to improve security. Critics usually focus on the weakening of privacy protections. The arguments and counter-arguments usually don't bother to address each other and, lofted on volume not substance, quickly grow heated and dim.
There's a way to have a meaningful debate on this. Any new security proposal must be compared to the status quo on four dimensions: Security, Privacy, Convenience and Cost. If the new proposal is clearly better at all four, then it's a no brainer. If the new program is worse on all four, then, well, it has no brains. What if the new program is better on some dimensions but not on others? Should we weigh the relative merits and compromise? Yes, eventually, but not right away! Since the new proposal enjoys the airy freedom of not actually existing yet, we should go back and rework the proposal until it is overwhelmingly better than the status quo.
What is the status quo that Real ID is aiming to replace? Basically, each state has its own standards for driver's licenses, which differ on many of the important details. The status quo sucks in terms of security and privacy and is lackluster in convenience and cost. Is Real ID overwhelmingly better? Not yet, but it can be made so.
Let's.
March 5, 2007 | Permalink | Comments (6) | TrackBack
What I don't know about privacy
A post on Steve Hunt's blog has me thinking about privacy again.
A couple of years ago, I was speaking on an international identity and security panel in Rome. At the end of my remarks, a French journalist asked me a long question that seemed to have something to do with privacy but a lot more to do with trying to bait me to agree or disagree with his stated distaste for some aspect of Bush's foreign policy. I say "seemed to" because neither my French nor his English was up to the task at hand. Unfortunately, this kind of game has become routine for traveling Americans and I almost always choose not to play. So instead of answering directly or, the horror, asking him to clarify his question, I decided to use up my time with an impromptu digression on the nature of privacy. I wasn't sure what I was going to say and, when it was said, I wasn't sure if I actually agreed with it. I'm still not sure. It sounded good at the time though and sent the audience a-nodding. Here's more or less what I said, [with my simultaneous inner monologue in brackets].
---
When our founding fathers wrote the Declaration of Independence [good, always start with the Founding Fathers when talking to a French reporter], they put in a curious sentence, "We hold these truths to be self-evident, that all men are created equal, that they are endowed by their Creator with certain unalienable Rights," [Uh oh, is that in the Declaration or the Preamble to the Constitution? Crap! Ok, just act confident and the audience won't know.] "...that among these are Life, Liberty and the pursuit of Happiness."
Now there's an interesting thing here: the three rights specified are mentioned in order of decreasing specificity and ease of measurement. The first one, Life, is pretty easy to measure; most people will agree on whether someone is alive or dead. Well, not right now in Washington, but most of the time. [Polite laughter, good, they've heard about the Schiavo thing over here.] The second one, Liberty, is a bit harder to define but still pretty good. You can usually get a pretty good consensus on whether someone is free or a slave.
Now the third one is tough. Happiness? How can you really define it? Or measure it? It seems like a really personal quality that's really hard to pin down. Some people don't even seem to want to be happy. I mean I've seen French movies. [Better laugh line, but have I actually ever seen a French movie? I must have.] Aren't standards of happiness based heavily on the ideas of the time? Plus what if my happiness makes you unhappy? Or vice versa? Don't the Germans even have a word for this? Schadenschnitzel or something? [Big laugh, Europeans love the 'dumb American tries to say something important but gets comically confused with a food item' bit. JFK knew this as well.]
That's why the Declaration doesn't give you a right to happiness, only to the pursuit of happiness. We can't guarantee you happiness, but we can make sure that you can do whatever you think may make you happy - as long as you don't get in the way of the other two rights for others. And this is the real genius of the document: you have a right to pursue. You may never get there, or I may beat you to it, but you can pursue happiness if you want and we won't stand in your way.
[Now here's the part that I'm really not sure about, but it's such a smooth transition.]
So what about Privacy? Is it like Life? Is it like Liberty? [Yes, come to think of it, it probably is like liberty, should have thought this through better before starting.] Or is it more like Happiness? I think privacy is a personal thing. Some people want to be very private, other people post pictures of their vasectomy on their blog. Don't google for this! [Really, don't.] Some people want to hide every step they make on the web, others don't care at all. And is there a corresponding right to know? If I really want to know how much my customers earn, is it really wrong for me to try to find out? What if I want to find out who's giving money to a politician? Does your right to privacy trump my right to happiness?
I think maybe privacy is like happiness, and the "right to privacy" should really be "the right to the pursuit of privacy". If you want to keep certain information private, you should have access to all the tools you need to make that happen. If you choose not to use those tools, either because you don't care or because you agree to some kind of business or social proposition in return, then I have the right to get whatever information about you that I want. And the default setting on your web browser shouldn't be "private" any more than the default setting on your life should be "happy". If you want privacy or happiness, you have the absolute right to work at it, but it's not our responsibility as representatives of government or industry to hand you either one. [Big applause line from the audience, but it's a very business- and government- centric crowd.] Companies should be free to track their customers' actions and people should be free to hide whichever of those actions they want. Each person gets to choose where they want to stand in that marketplace.
---
This got a very good reaction at the conference, but the "privacy" guys were pretty severely outnumbered so it wasn't a balanced field. I'm still not sure how I feel about this analogy. The biggest danger seems to be the potential arms-race between privacy seeking individuals and information seeking businesses or governments. For instance, is it OK for Google's default search behavior to be set to log your search history? (Nelson Minar and my brother had an interesting discussion about this a couple of weeks ago). If so, would it be OK for Google to change the opt-out settings randomly every few months to force people to "really" care about their privacy? Would it be OK for Google to just lie to you and keep records even if you've opted out, claiming that you should be using some third-party anonymizer if you really cared? (I think the answers are "yes", "no" and "no", but where do you draw the line?) Also, are the implications significantly different for government/citizen interactions?
I'm not sure about any of this. I told myself that I'd sort it out before posting, but my little talk was almost two years ago and I still haven't decided. Is "privacy" like "happiness"? Maybe it's not a very useful question. What do you think?
Oh, the picture at the top of this post is a still from "Fireworks", the School House Rock episode on the Declaration of Independence. It's how they chose to illustrate "pursuit of happiness". Note that this kind of pursuit, deemed appropriate educational programming for children in the 1970s, would now land you in jail.
February 23, 2007 | Permalink | Comments (1) | TrackBack
On not punting to the user
While I'm getting a bit sick of the new Mac ads, the one about security is exactly on target. I'm not talking about the actual security characteristics of Vista vs. OS X (much of the advantage Macs have in this regard is doubtlessly due to their relative obscurity and will dissipate in direct proportion to the success of these ads), but about the security industry as a whole.
We need to find the right balance. It's somewhere between:
"Off with your shoes because we said so!"
and
"lanpak32.dll is attempting to increment the CX register [allow/deny]?".
I'm not sure exactly where the balance lies, but making the user experience the forefront of every design decision is probably the only reliable way to find it.
February 14, 2007 | Permalink | Comments (1) | TrackBack
The Pros and Cons of Biometrics
I wrote this simple article for a new publication - the ASSA ABLOY Future Lab - about biometrics. If you want to read it for some reason, please do so.
November 9, 2005 | Permalink | Comments (1)
I've been podcasted
I've never listened to a podcast before; I'm too old, and back in my day we just called them mp3 files. Until today!
InfoWorld's Jon Udell has just podcast (is this the right tense?) an interview with me talking about the convergence of physical and IT security. Forty minutes of hard-rockin' talk on FIPS-201 standards is exactly what all the cool kids will be jamming to while waiting for the, um, ski lift.
Sorry, the air conditioning in our building is down today. I'm going to have words with my landlord about the convergence of sweaty programmers and the withholding of the rent.
July 20, 2005 | Permalink | Comments (0)
Metal detectors at subway stations are probably a bad idea
I just saw a CNN poll which shows that 60-something percent of Americans are in favor of installing metal detectors at subway stations. This is probably a bad idea for at least three reasons:
1. Metal detectors do not pick up explosives and would not prevent bomb attacks such as those that took place in London this morning or in Madrid last year. You need explosives detectors for that. Trained dogs can do a decent job at this, but electronic explosive detectors are currently far too expensive to install at most subway entrances.
2. Metal detectors would cause bottlenecks of people lined up to go through them. Such predictable concentrations of crowds in environments poorly designed to accommodate them are attractive terrorist targets in their own right.
3. Setting up visible but mostly ineffectual security devices such as metal detectors may both desensitize and frustrate regular commuters. This could reduce situational awareness and make people less likely to cooperate with other, more meaningful, security measures in the future.
We should remember that metal detectors were originally installed at airports to prevent hijackings, not bombings. There is relatively little danger of someone hijacking a train.
I'm hoping that we'll see a dramatic reduction in both the cost and operating time of electronic explosives detectors over the next few years. That's a technology that could actually make a difference. For now, investment in terrorist response capabilities is just as important as investment in terrorist prevention capabilities. In the case of mass transit, perhaps even more important.
July 8, 2005 | Permalink | Comments (2)
Belated update
I think I've figured out the "DHS smartcards using Bluetooth" flap. Near as I can tell, there was never any plan to make Bluetooth-enabled cards (which doesn't make any technical sense anyway) or Bluetooth-enabled badge holders (which would be just strange). There was speculation at a public forum about making Bluetooth-connected card readers so that you could read DHS smartcards with, say, a Blackberry. This is actually not a bad idea. I think you could overcome the security issues in this use case because Bluetooth would basically be an unsecured conduit between two secure participants (much like the Internet is with SSL). Either way, I don't think it ever got much past the "wouldn't it be neat if we could..." public-musing phase.
Bottom line: Bluetooth panic around DHS cards is uninformed and unjustified.
July 6, 2005 | Permalink | Comments (7)
EPIC responds
Bruce Schneier, writing on behalf of the Electronic Privacy Information Center, has put out a well-written refutation of my recent criticisms of EPIC's report on the DHS smart card program. (Links to EPIC's report, my original blog entry, the much-shortened C|net article and EPIC's response).
I'll post a more thorough response when I have a bit of time, but here's where I'm leaning:
1. I'll mostly concede the "ISO/14443 is RFID" point. ISO/14443 clearly is "RFID" in the broad sense of the word, but much scare-hay has been made by applying non-ISO/14443 aspects of RFID to discussions about smart cards. There's more to talk about here, but I was wrong and apologize for it. The word "RFID" has taken on many meanings and I should have been more precise. As I said in the original article, the only real answer is to move to strong, active cryptography on RFID cards which (among other benefits) would make it virtually impossible for an unauthorized third party to snoop a conversation.
2. I'm glad that EPIC admits their mistake on calling the DAC cards "Bluetooth". However, I'm very puzzled by this "Bluetooth-enabled card holder" business. If, as Bruce suggests, it's a way to rebroadcast card data over Bluetooth... that's just strange. Not necessarily bad, but strange. Ok, probably bad. Maybe he means Bluetooth card readers. That would make a bit more sense. I've never heard any talk at DHS about these things, so I'm going to do a bit more research before commenting further. Still, the cards themselves have nothing to do with Bluetooth and the card program should not be unjustly criticized because some hypothetical peripherals that use the card might be poorly thought out. There will eventually be thousands of hardware and software products that work with government smart cards. Some of them are bound to be dumb. I could make a machine that sucks in your dollar bill and then punches you in the stomach, but my talking about such a machine should not subject the entire system of U.S. Currency to ridicule. Come to think of it, the Vend-o-Punch™ might not be such a bad idea.
3. I do not agree at all with EPIC's response on the biometrics points. There's still a lot of confusion over the issues. More on this later.
4. We've met about half-way on the PIN discussion. A global and mandatory-override short (4 or 6 number) PIN is probably a bad idea, although not for the reasons stated in the original report. I think the DAC use of PINs is mostly fine.
5. The disclaimer about my indirect involvement with DHS appears on my blog but not on the C|net article because the editors at C|Net asked me to cut the originally submitted 1,700 words down to 700. The blog is linked to from the article.
As an aside, Bruce Schneier is a demigod of sorts in the security industry. His Crypto-Gram newsletter has been worth reading for a long time now. I'm glad to see him engaged in this discussion.
May 30, 2005 | Permalink | Comments (4)
I don't write my own headlines on News.com
A few weeks back, C|Net's News.com asked me to shorten my previous post about the faulty EPIC report for publication on their site. I pretty much rewrote it from scratch to condense the same points into 700 words. They published it yesterday in the "Perspectives" section. There are already some great, substantive comments at the bottom of the story. My flippant answers are forthcoming in place.
The photo at the head of the story is kind of creeping me out. I must have been thinking of pie when it was taken.
May 18, 2005 | Permalink | Comments (2)
New York Times gets it at least two-thirds wrong
Yesterday, the New York Times online featured a brief video clip called Business Travel Minute: More Checkpoint Follies. (Video links on nytimes.com are kind of screwy and the whole thing will probably disappear in a few days, but as of this writing, you could still watch the video at the link above.) The piece is in the currently popular "airport security is absurd" genre and features three examples of alleged TSA bone-headedness. Smug tittering aside, at least two of the ridiculed examples are perfectly understandable.
The first case is a toss-up:
An on-duty FBI agent was cleared to board a plane with a loaded gun, but her nail file was confiscated.
Ok, the end-result here is absurd, but I do not find serious fault with the process. How much leeway should gate inspectors be given to interpret the rule, "do not allow sharp metal things on board"? Perhaps the law can be changed to give authorized airplane gun-carriers the additional authorization to carry knives (or be immune from the screening process in general), but unless that happens TSA inspectors should not be blamed for enforcing the rules.
Examples two and three are completely appropriate airport security behavior (at least as briefly stated by the NYT, there may have been other circumstances).
A woman holding an infant was ordered to remove her shirt. When she refused, she was led away for a private inspection - and yes - the infant also got the full pat down.
Ho ho ho. Wait, patting down an infant makes sense because, um, you can hide things on an infant.
An investment executive who's a retired navy man got so fed up with being treated like a suspect that he showed up at the airport in a tank top with all his military medals pinned on it. Yes he had to remove the medals.
What were they supposed to say? "Go right ahead and set off the metal detector sir. We trust that you don't have anything else in your pockets." Come to think of it, a case could be made that any upset man who shows up at an airport wearing a tank top pinned through with dozens of medals (for proud service to the USA and/or eBay) should probably not be allowed to board at all.
There's no shortage of legitimate ridicule of US airport security (see my own attempts here, here and here), but this snickering from the New York Times is just dumb.
(Thanks to Dave Engberg for the link.)
May 4, 2005 | Permalink | Comments (14) | TrackBack
Security makes me hungry
From the Associated Press: School Mistakes Huge Burrito for a Weapon
The drama ended two hours later when the suspicious item was identified as a 30-inch burrito filled with steak, guacamole, lettuce, salsa and jalapenos and wrapped inside tin foil and a white T-shirt.
April 29, 2005 | Permalink | Comments (6)
You keep using that word...
I've received much good feedback on my last post about the pudding-headed report criticizing the new DHS smartcard program. Many people are justifiably mystified by the report's references to Bluetooth. The strange thing isn't that the new smartcard doesn't use Bluetooth, but that smart cards and Bluetooth have absolutely nothing to do with each other. It's like asking, "Doesn't the new Honda Accord suffer from all the well documented problems of Esperanto?" The short answer is "no", the real answer is, "what the hell are you talking about?"
The problem, of course, is buzzword creep. With all the industry terminology floating around these days, it's hard for people to remember whether combining two particular concepts produces an argument that's coherent (like biometrics and privacy) or less so (like pancakes and the doctrine of original intent). That modesty does not typically hinder such people from writing technology assessments or legal opinions is beyond the scope of this blog post.
Bluetooth, a fine technology with many years of buzzwordiness behind it, is particularly susceptible to such content-free punditry. In service to all the technology companies who make perfectly good products that have nothing to do with Bluetooth, but feel market pressure to be 100% buzzword compliant, I offer the following decal:

You wouldn't put it on a cell phone (whether it had Bluetooth or not), but you could stick it onto a toaster, tax software, or a government smart card. I'd start sticking it on our software boxes, but I bet our attorneys wouldn't be too happy.
April 13, 2005 | Permalink | Comments (1)
EPIC report is not so good
A couple of days ago, the Electronic Privacy Information Center (EPIC) issued a scathing analysis of the Department of Homeland Security's upcoming smart card program. Our country (indeed, much of the world) is currently struggling with the concepts of secure identity documents, and watchdog organizations such as the EFF, the ACLU and EPIC play a vital role shaping the debate. I am completely in favor of holding every government security program to unyielding standards of efficiency, effectiveness and privacy (see here and here, especially in the comments). Unfortunately, this particular report is muddled in many places and simply wrong in others.
Full disclosure: although I am not directly involved in the DHS card program, DHS is a customer of ours and we are working on several products that will make use of the card. In other words, I may be biased but I kind of know what I'm talking about.
Even the first sentence of the report is inauspicious for a security document:
President Bush's proposed $2.57 trillion federal budget for Fiscal Year 2006 greatly increases the amount of money spent on surveillance technology and programs while cutting about 150 programs—most of them from the Department of Education.
Why is the source of the funding relevant to the security analysis of the program? Would the technology be better if it were funded by, say, increased taxes on oil company profits?
EPIC quickly launched into the heart of their grievances:
The Department of Homeland Security Access Card (DAC) has vulnerabilities associated with its use of radio frequency identification (RFID) and Bluetooth technologies, biometric identifiers and PIN backup system. But there are also risks that come from the DAC's "mission creep"; the Department also wants the card to be used as a payment device for everyday items.
This is a good executive summary - five specific identified problems. Unfortunately the analysis of each one is pretty weak. I'm going to leave the "mission creep" stuff aside because there are legitimate policy and design questions there that have nothing to do with technology. The other four claims are fair game. Let's look at them in order:
"RFID"
Here's an easy defense against the RFID claim: The DAC does not use RFID. The DAC uses a standard called ISO/14443 for contactless (wireless) communication between the card and a reader. RFID is designed for tracking physical items. It has a long read range (about four feet) and is not encrypted. ISO/14443 is designed to identify people. It has a much shorter read range (nominally about 4 inches, or 10 cm) and, by itself, no encryption at all: the standard only defines the air interface, so whatever cryptography protects the conversation has to come from the card's application layer, and what was commonly deployed at the time was weak. The two standards are very different but they're frequently confused even by allegedly authoritative speakers. I don't get too worked up about this mistake because even though it's much harder to snoop ISO/14443 than RFID, the vulnerabilities are of the same type. Still, it doesn't help EPIC's credibility to conflate the two standards, especially since exactly this mistake was the center of much teeth-gnashing last month. The real answer is to eventually move to contactless cards with strong cryptography. Such cards are currently available but are not yet in common use.
Bluetooth??
The vulnerabilities of Bluetooth technology have also been well documented. Bluetooth technology enables wireless communication among electronic devices in close proximity. For example, a Bluetooth-enabled computer could work with a wireless keyboard or mouse. In August, security flaws in Bluetooth-enabled mobile phones allowed criminals to access the information in the phones including contact information and text messages.
This would be damning stuff, if it wasn't crazytalk. The DHS card has nothing to do with Bluetooth. Unlike the "RFID" claim in the paragraph above, there isn't even anything close to Bluetooth that the DAC uses. Nothing. No Bluetooth. Nuh-uh. Bluetooth has nothing to do with identity cards. I don't even think you could put Bluetooth onto a card if you tried; I believe (though I could be wrong) that Bluetooth requires an active power source and contactless cards are all passive. I have no idea what EPIC is talking about, other than maybe DHS said that they would test Bluetooth as a way to hook up computers to phones or something. Also, all the "Bluetooth flaws" that are so breathlessly reported in the EPIC report aren't really flaws with Bluetooth at all, but with specific phones and devices that happen to use Bluetooth. This is an important distinction but I don't want to dwell on it here because THE DHS CARDS DO NOT USE BLUETOOTH.
Biometrics
The DAC identifies the cardholder and her level of access through the use of a biometric identifier—a fingerprint. A recent report by National Institute of Standards and Technology (NIST) showed that one-fingerprint identification systems had an accuracy rate of 98.6 percent, while the accuracy rate rose to 99.6 when two fingerprints were used and 99.9 when four, eight and ten fingerprints were used.
This makes it sound like unauthorized individuals will be getting in all the time while legitimate users will often be locked out of their doors and computers! Fortunately, it doesn't work like that. The accuracy of most biometrics systems can be tuned by balancing two competing types of errors: false positives and false negatives. A false positive error occurs when a bad guy's fingerprint gets mistakenly matched for a good guy's fingerprint. A false negative error occurs when a good guy's fingerprint doesn't get recognized at all. Since fingerprint scanning produces slightly different results each time, the system must be configured with a certain tolerance level. If the tolerance level is very loose, you can virtually eliminate false negatives at the cost of greatly increasing false positives. The system basically says, "Meh, it looks kindda like a fingerprint - go on in." If the tolerance level is very strict, you get the opposite effect: "Your fingerprint is off by 0.00001 millimeters - no access for you!"
The accuracy rate is also heavily influenced by how many possible fingerprint matches the system has to consider. If the system has to match your scan against a large database of enrolled fingerprints (called a "one-to-many" match), it's far more likely to come up with a false positive ("hmmm, it kindda looks like user #7654231") and somewhat more likely to come up with a false negative ("it could be this guy or that guy, I better just punt"). The DHS card avoids this problem by matching your fingerprint against only one possible user - the user stored in the card - so the chances of a false positive are very low because someone trying to trick the system can't just match *anyone's* fingerprint, they have to match *your* fingerprint. Also, the match tolerance can be set very strict, thereby further reducing the chances of a false positive but increasing the chances of a false negative.
So you can virtually eliminate the false positives (and therefore security risks associated with biometric access), but doesn't the relatively high false negative rate still mean that legitimate users will be locked out? Not really. If you get a false negative, you just have to scan your finger a second time. Let's say it takes you 2 seconds to scan your finger and the false negative error rate is 5%. Most of the time (95%) you'll get access in two seconds. Most of the rest of the time (4.75%) you'll get in with two swipes and four seconds. Every 400 tries or so, you'll have to wait six seconds. If you stay at your job for 20 years, you might have a chance of waiting eight seconds for access once. I use a biometric reader to log onto my laptop and (once I figured out how to hold my finger) it takes me about two seconds to get a good match.
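The trade-offs in the three paragraphs above, worked through in numbers. This is an added example, not code from the original post or from the DHS program. The matcher is modelled as a similarity score with two made-up normal distributions (one for the right finger, one for an impostor); the means and standard deviations, the 5% false-reject rate and the two-second swipe time are assumptions chosen to illustrate the point, not measurements of any real reader. It uses the biometrics-industry names for the two error types: FAR (false accept rate, the post's "false positive") and FRR (false reject rate, the post's "false negative").

```python
"""Added example (not from the original post): the accuracy trade-offs in
biometric matching, made concrete. Genuine and impostor matcher scores are
modelled as two normal distributions with MADE-UP parameters; a real matcher
is characterised empirically, not from a formula."""
import math

# Constructed score model: the matcher emits a similarity score in [0, 1].
# These means and standard deviations are assumptions for illustration only.
GENUINE_MEAN, GENUINE_SD = 0.75, 0.08    # same finger, a different scan
IMPOSTOR_MEAN, IMPOSTOR_SD = 0.35, 0.10  # somebody else's finger


def normal_cdf(x, mean, sd):
    """P(X <= x) for X ~ Normal(mean, sd)."""
    return 0.5 * (1.0 + math.erf((x - mean) / (sd * math.sqrt(2.0))))


def far(threshold):
    """False accept rate: an impostor scores above the threshold ("go on in").
    Uses erfc for the upper tail so tiny rates keep their precision."""
    z = (threshold - IMPOSTOR_MEAN) / IMPOSTOR_SD
    return 0.5 * math.erfc(z / math.sqrt(2.0))


def frr(threshold):
    """False reject rate: the real user scores below the threshold ("no access for you")."""
    return normal_cdf(threshold, GENUINE_MEAN, GENUINE_SD)


def choose_threshold(target_far, steps=1000):
    """Pick the loosest threshold whose FAR is at or below target_far.
    Returns (threshold, far, frr) so the price paid in false rejects is visible."""
    for i in range(steps + 1):
        t = i / steps
        if far(t) <= target_far:
            return t, far(t), frr(t)
    raise ValueError("target FAR not reachable with this score model")


def one_to_many_far(single_far, enrolled):
    """Probability that a 1:N search falsely matches *someone* among N enrolled
    templates (comparisons treated as independent). Matching against the single
    template stored on the card is the N = 1 case."""
    return 1.0 - (1.0 - single_far) ** enrolled


def attempt_distribution(frr_value, max_attempts):
    """P(success on exactly attempt k) for k = 1..max_attempts, plus the
    probability of still being locked out after max_attempts swipes."""
    per_attempt = [(frr_value ** (k - 1)) * (1.0 - frr_value)
                   for k in range(1, max_attempts + 1)]
    still_locked_out = frr_value ** max_attempts
    return per_attempt, still_locked_out


def expected_seconds(frr_value, seconds_per_swipe):
    """Mean time to get in when every swipe, failed or not, costs seconds_per_swipe."""
    return seconds_per_swipe / (1.0 - frr_value)


if __name__ == "__main__":
    # Loosening or tightening the threshold trades one error for the other.
    for t in (0.45, 0.55, 0.65, 0.72):
        print(f"threshold {t:.2f}: FAR {far(t):.2e}  FRR {frr(t):.3f}")
    t, f_a, f_r = choose_threshold(1e-4)
    print(f"\nFAR <= 1e-4 needs threshold {t:.3f}; FRR there is {f_r:.1%}")
    # The same per-comparison FAR is harmless 1:1 and useless 1:N.
    print(f"1:1 (card) false match: {one_to_many_far(f_a, 1):.2e}")
    print(f"1:N over 100,000 enrolled: {one_to_many_far(f_a, 100_000):.5f}")
    # A high FRR mostly costs a second swipe, not a lockout.
    per, left = attempt_distribution(0.05, 3)
    print(f"\nFRR 5%: swipes 1..3 -> {[round(p, 6) for p in per]}, "
          f"still locked out after 3: {left:.2e}")
    print(f"expected time per login at 2 s/swipe: {expected_seconds(0.05, 2.0):.2f} s")
```

Two things the arithmetic makes visible that the prose only asserts. First, with these (assumed) score distributions, driving the per-comparison FAR down to 1 in 10,000 pushes the FRR up to roughly a third, which sounds terrible until the attempt distribution shows it costs the average user about half a swipe. Second, that same 1-in-10,000 FAR, acceptable when the scan is compared with the one template on your card, becomes a near-certain false match when the scan is searched against 100,000 enrolled templates, which is exactly why matching against the card rather than a central database matters.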
EPIC then proceed to quote out-of-context one of their own (earlier, better) reports:
Once a biometric identifier has been compromised, there can be severe consequences for the individual whose identity has been affected. It is possible to replace a credit card or Social Security numbers, but how does one replace a fingerprint, voiceprint, or retina scan?
Err. That's exactly why you need to link the biometric identifier to a card - just like DHS is doing. You can't revoke a fingerprint, but you can revoke a card. The fingerprint itself doesn't do you any good and, if you lose your card, you can always re-scan your finger and associate it with the replacement card. The criticism quoted above is perfectly legitimate when levied against ill-conceived attempts to use biometrics as identifiers by themselves, but is ironically inappropriate in discussing the DHS program.
PIN
The Department has a backup system built into the card—if the fingerprint identification fails, then the employee can gain access by using a 6- to 8- digit PIN. By allowing alternate access through the PIN, Homeland Security creates all of the vulnerabilities associated with allowing complete access to secure areas and information through one password.
The PIN is not inherently a way to bypass the biometrics; it's just another factor of authentication. The DHS card gives applications three factors to choose from: physical possession of the card (always required), the fingerprint biometric and a PIN. Each door lock or computer program that uses the card can require one, two or all three of these factors, depending on the level of authentication security required. For example, getting through the front door of a busy, low-security area may require only possession of the card. Logging into a computer may require the card and either the biometric or the PIN. Accessing a very high-security file may require all three. Giving application designers more options does not reduce security. Of course, some designers may make dumb choices about authentication, but that's not the fault of the card program. Also, keep in mind that the lambasted "card and second factor" system is much better in almost every security and convenience regard than the "password only" systems it's designed to replace.
Wrapping it up
In the fall, hundreds of thousands of personnel will have access cards equipped with personal information, biometric and wireless technologies, and the security risks associated with their use.
Exactly. That's why we need coherent debate to distill some clarity about the risks and rewards. This EPIC report - by combining one part gross technology misidentification (RFID), one part random gibberish (Bluetooth), two parts common misunderstanding (biometric accuracy and PINs) and stewing in politics thinly-disguised as security analysis - just makes mud.
April 11, 2005 | Permalink | Comments (3)
New version of SpoofStick for Firefox
A new version of SpoofStick is out for Firefox. Version 1.05 addresses two of the most common recent user comments:
- Addresses the recently discovered Mozilla "IDN" vulnerability described at http://www.shmoo.com/idn/ .
- SpoofStick is now a draggable, resizable toolbar button.
As always, you can download the latest version from the SpoofStick home page.
February 10, 2005 | Permalink | Comments (17)
Mr. Driver's License
I've used the phrase "security theatre" a few times in this blog. It's a term, usually credited to Bruce Schneier, that describes highly visible but ineffectual security measures designed to placate the public that "something is being done". The taking-off-your-shoes ceremony performed at most U.S. airports is a prime example. Security theatre is usually tedious and unenlightening (it shares these characteristics with regular theatre), but occasionally a certain mixture of rules-following and stupidity can make for fine absurdist entertainment.
Example:
A colleague of mine is a high-level officer at a multi-billion dollar Swedish public company. On a recent investor/analyst tour through New York City, he had a meeting with one of the top U.S. financial services firms in their Manhattan headquarters. Security being high, all visitors were required to show a picture ID before being admitted through the lobby. My friend offered a Swedish driver's license to the uniformed desk guard. All EU driver's licenses are pretty much the same, with the main difference being the bold-lettered title at the very top of the card. This particular card read, "KÖRKORT SVERIGE", which (in the charming way that written Swedish has of being more or less comprehensible to an English-speaker if you squint long enough), means "Swedish Driver's License". All the other information (name, issue date, etc.) was clearly laid out in the same predetermined and obvious sequence followed by every other European license.
The guard took the license, checked the photograph and typed the name into a computer to (presumably) check for prior warnings. Then he solemnly printed a name badge for "Mr. Sverige Korkort". Mr. Driver's License.
This is funny and sad, but mostly just embarrassing for us American security types. The problems with such broken security are obvious and manifold. Keep in mind that there are tens (soon, quite possibly hundreds) of millions of EU driver's licenses in the world. Even if only 2,000 people go in and out of such a building every day and only 1% are non-UK Europeans, that still leaves 20 "Mr. Driver's Licenses" walking around at any given time. I'm sure that this wasn't the first such card that this guard saw.
It gets better. Later in the day, my friend went to a second meeting with another large Manhattan financial services company and exactly the same thing happened again. At least he didn't get mixed up with the infamous criminal mastermind "Carte D. Identite". I hear that guy is on all sorts of watch lists.
February 9, 2005 | Permalink | Comments (2)
Jamaican security theatre
Strangely enough, the neon sign for the main bar at the Sangster International Airport in Montego Bay, Jamaica prominently features a large model airplane that's in the process of crashing through a tin roof and into the ocean. I circled the mock crash site, large umbrella-drink in hand, and tried to puzzle out this obvious misunderstanding. There wasn't one. The bar's theme was clearly, "plane crash." Most likely, you're supposed to think that the plane crashed into a happy beach bar, and the passengers are now enjoying rum drinks in the sun instead of flying back to their workaday lives. Wacky.
Security at this airport was equally confidence-building. It started out with a hand search of all checked luggage that, while quite time-consuming, was lackadaisical enough (pat, pat) that it would have been unlikely to turn up (lift, poke) any contraband less conspicuous (pat, zip) than a live goat. This was followed by a queue at an obviously malfunctioning metal-detector which beeped non-stop regardless of whether or not anyone was actually in it. If you placed a functioning metal-detector astride a large vein of iron-ore you would expect it to behave like this one did. People who set off the metal detector (that is, every single person), were subjected to a perfunctory wanding.
Immediately on the other side of the metal detector was a duty free cigar stand which sold Cuban cigars (perfectly understandable, but illegal to bring back stateside), novelty bongs (I suppose because purely functional bongs are harder to explain to U.S. Customs agents), and giant scissors-style cigar cutters of exactly the same level of lethality that the security screening you just went through was supposed to prevent you from taking onboard the plane. I don't remember the name of this stand but, given the immediately U.S.-bound nature of most of the shoppers, "Ye Olde Bad Idea Duty-Free Shoppe" would be appropriate.
Not everything was lax. In the twenty feet from the crash-bar to the plane, my boarding pass was hand-inspected three separate times. This probably has more to do with full-employment for Jamaican airport workers (whose air traffic controllers just went on strike) than with making really, really sure that my seat number was in order.
On the other hand, the security experience at many U.S. airports isn't significantly more sensible, and you can't see the perfect beach from your airplane window as you're taxiing away. The airport at Montego Bay isn't bad; it just needs a little bit more security and a little bit less pretending. And the bar decor could use some work.
[Update: The crashed-plane mystery has become less wacky and more creepy. When posting the snapshot, I noticed the bullet holes and the registration number "N928J" near the tail. Google says that "N928J" is a Grumman HU-16C Albatross named "Air Margaritaville" and owned by Jimmy Buffett. Jimmy Buffett also owns a bunch of large "Margaritaville" club/bars in the area. I'm not sure if this airport bar is affiliated with him. So there are two choices: (1) The bar is Jimmy Buffett's competitor and the bullet-ridden, crashed airplane model is a murderous (though good-natured) threat, or (2) The bar is owned by Jimmy Buffett and the plane is some kind of suicidal fantasy. Either way, it makes me want to drink and fly away.]
[Update 2: I feel maybe I'm missing some crucial Jimmy Buffett song lyric, but am not willing to investigate any further. Got to draw the line somewhere.]
February 7, 2005 | Permalink | Comments (14)
Bad Idea Jeans
A few weeks ago I bought a green laser pointer from ThinkGeek for no good reason. It's really very impressive and I played with it intently for 45 minutes before losing it in a desk drawer somewhere. During that time, I performed a little thought experiment: "I wonder what would happen", I thought, "if I pointed it at a passing airplane?"
It seems that somebody has actually run the experiment and the results are exactly as I'd imagined.
January 5, 2005 | Permalink | Comments (2)
Smart use of cell phones
Bruce Schneier reports on a good idea: using a cell phone to provide two-factor authentication for secure websites. For example, when you try to transfer more than $2,500 on an online banking site, the site can send your phone a random code via SMS which you then have to type into the site before the transaction can be processed.
Of course, you have to register your cell phone number with the bank, which might be a slight privacy concern. You also have to have your cell phone handy when browsing the site. I don't usually keep my cell phone near my home computer, but I guess getting up off my ass whenever I want to pay someone a couple of grand is not wholly unreasonable.
This is one of those elegant, clever and practical security ideas that I wish I'd thought of first. It's not as secure or convenient as having a real smart-credential based system, but it doesn't require any new infrastructure and can easily be implemented right now. Maybe someone that already knows your cell phone number (like the cellular carrier) can map customer numbers to some kind of blind ID and offer the two-factor service as a B2B service to secure website providers. If this was 1999, I'd have a PowerPoint business plan around that idea by now.
Thanks to Dave Engberg for the link.
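A bank-side issue/verify flow for the SMS code described above, as an added example that is not from Schneier's piece or the original post. The points a practitioner would want beyond "send a random code" are all in it: the code is bound to the specific transaction it approves (so an attacker who has your session can't get a code issued for a small transfer and spend it on a big one), the SMS text tells the user what they are approving, and the code expires, is single-use and tolerates only a few guesses. The threshold, TTL, phone number, transaction fields and the SMS stub are constructed.

```python
"""Added example, not from the original post: transaction-bound SMS step-up
codes for transfers above a threshold.  The SMS gateway is a stub passed in
by the caller; all amounts, numbers and limits are constructed."""
from __future__ import annotations
import hashlib
import hmac
import secrets
import time

STEP_UP_THRESHOLD = 2500.00   # constructed: transfers above this need a code
CODE_TTL_SECONDS = 300        # constructed: code dies after five minutes
MAX_GUESSES = 3               # constructed: six digits are only safe if guesses are capped


class StepUpVerifier:
    def __init__(self, send_sms, clock=time.time):
        self.send_sms = send_sms          # callable(phone, text); real one talks to the carrier
        self.clock = clock                # injectable so expiry can be tested
        self.pending = {}                 # challenge_id -> record (a DB row in real life)

    @staticmethod
    def _txn_digest(txn: dict) -> bytes:
        """Canonical digest of what the code authorizes; any change to the
        payee or amount after issuance invalidates the code."""
        canon = f"{txn['from']}|{txn['to']}|{txn['amount']:.2f}".encode()
        return hashlib.sha256(canon).digest()

    @staticmethod
    def needs_step_up(txn: dict) -> bool:
        return txn["amount"] > STEP_UP_THRESHOLD

    def issue(self, txn: dict, phone: str) -> str | None:
        """Send a code for `txn` to the registered phone.  Returns the
        challenge id the web session must present with the code, or None if
        the transaction is below the threshold."""
        if not self.needs_step_up(txn):
            return None
        code = f"{secrets.randbelow(10 ** 6):06d}"       # CSPRNG, zero-padded
        challenge_id = secrets.token_urlsafe(16)
        self.pending[challenge_id] = {
            # Stored hashed so a leaked table doesn't hand out live codes
            # (a 6-digit code is still brute-forceable offline; the guess cap
            # and TTL are what actually protect it).
            "code_hash": hashlib.sha256(code.encode()).digest(),
            "txn": self._txn_digest(txn),
            "expires": self.clock() + CODE_TTL_SECONDS,
            "guesses": 0,
        }
        # The message names the payee and amount so the user can spot a
        # transaction they did not initiate.
        self.send_sms(phone, f"Code {code} approves transfer of "
                             f"${txn['amount']:.2f} to {txn['to']}. "
                             f"Not you? Call the bank.")
        return challenge_id

    def verify(self, challenge_id: str, txn: dict, code: str) -> bool:
        entry = self.pending.get(challenge_id)
        if entry is None:
            return False
        if self.clock() > entry["expires"]:
            del self.pending[challenge_id]
            return False
        entry["guesses"] += 1
        if entry["guesses"] > MAX_GUESSES:
            del self.pending[challenge_id]                 # lock out; user must re-issue
            return False
        ok_code = hmac.compare_digest(entry["code_hash"],
                                      hashlib.sha256(code.encode()).digest())
        ok_txn = hmac.compare_digest(entry["txn"], self._txn_digest(txn))
        if ok_code and ok_txn:
            del self.pending[challenge_id]                 # single use
            return True
        return False
```

The design choice worth noting is that `verify` takes the transaction again rather than trusting a "code was entered" flag on the session: the web tier may be the compromised party, and the comparison against the stored transaction digest is what stops it from redirecting an approved transfer.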
November 24, 2004 | Permalink | Comments (5)
Things to Do in Denver When You're Fed
I'm in Denver, Colorado for the Digital ID World 2004 Conference. I came in directly from Japan (great trip, despite the typhoon and four earthquakes), so I'm going to spend some time balancing out the excellent tofu and tempura of Kyoto with good old-fashioned American steak.
Tomorrow (Tuesday, 10/26), I'll be speaking on a panel discussion about "PKI Deployments. Balancing Return, Cost & Complexity" from 2:30 - 3:30. If you're at the show, feel free to stop by and heckle me.
Please no, "Who's your daddy?" I was asked that by the US passport control officer at LAX where my standard response tactfully invoking the questioner's mother seemed situationally inappropriate.
October 25, 2004 | Permalink | Comments (1)
Jakob Nielsen's Alertbox
Jakob Nielsen has posted a new alert entitled "User Education Is Not the Answer to Security Problems" (amen). Among other recommendations, Jakob advocates that we:
Digitally sign all information to prevent tampering and develop a simple way to inform users whether something is from a trusted source. This might, say, replace current stupid security warnings that people don't understand because they expose the guts of the technology. ("The security certificate has expired or is not yet valid." Aha. And what does that mean to a normal person?)
I've been saying something like this for years. I'll even go a bit further: there is no good reason, today, that any legitimate email sent out by a serious company should not be digitally signed. A small number of consumers behind email-modifying proxies may get confusing error messages (companies can mitigate this by sending important mail without embedded HTML or JavaScript), but this can be quickly ironed out.
If you're a bank, hospital, or any other company that's worried about consumer confidence in your brand - you should be signing all of your outgoing email. Period.
Jakob's whole article is very good. Read it here.
October 25, 2004 | Permalink | Comments (0)
What's taking so long in that voting booth?
Edward Felten over at Freedom to Tinker has two amazing posts (one, two) about bugs in popular electronic voting machines that, if true, make it possible for just about anyone with a $50 smart card kit to vote multiple times and otherwise seriously tamper with the election. Actually "bugs" is not the right word. The problems stem from a design so stupid that it's hard to spot the specific error. Like someone once said, "This is so far off it's not even wrong." Google thinks that someone was Wolfgang Pauli.
I’ve put together the following technical illustration to explain the problem:

Here’s a slight variation on the “conversation” from Edward’s first post. It won’t make sense until you’ve read the original.
terminal to card: "My password is 1234"
card to terminal: "la la la la la la la la la la"
terminal to card: "Are you a valid card?"
card to terminal: "No. I mean yes!"
terminal to card: "Please deactivate yourself."
card to terminal: "Whatever you say, spaceman."
For the record, I cannot verify that Edward’s description of the problem in Diebold machines is accurate. However, the allegations are well documented and wholly consistent with the track record of electronic voting machines in this country. I can verify that “programming” smart cards is as easy as claimed; we do it all the time. Of course you can make smart cards (or, more accurately, smart card based systems) that don’t have such flaws (again, we do it all the time), but just because something could be done correctly, doesn’t mean that it has been done correctly.
The problems with electronic voting machines should be front page news. These aren't slight theoretical flaws. They're a clear and present danger to the foundations of our democracy. Note that I don't believe the allegations that these flaws are deliberately engineered to throw the election. Occam's razor digs up carelessness and incompetence long before it gets to malice. Either way, the problems are inexcusable. Secure electronic systems are a well-known area. For example, Diebold also makes perfectly good ATMs. They should know how to build a secure box.
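The "conversation" above, written out as an added example that is not code from the original post, from Edward's posts or from any voting-machine vendor. It is a hypothetical reconstruction of the flaw pattern described (the terminal authenticates itself to the card and then believes whatever the card says about its own validity and deactivation), placed next to the design that fixes it: the terminal challenges the card with a fresh nonce, verifies the answer with a key the card can't forge, and keeps the "this card has voted" state itself instead of asking the card to please forget it. The master key, card IDs, PIN and message formats are all constructed for illustration.

```python
"""Added example, not from the original post: a terminal that trusts the
card's self-reports next to one that verifies the card and enforces
single use itself.  Keys, IDs and formats are constructed."""
import hashlib
import hmac
import secrets

MASTER_KEY = secrets.token_bytes(32)   # constructed: the election authority's key


def card_key(card_id: bytes) -> bytes:
    """Per-card key the authority loads at issuance; derived from the master
    key so a terminal can recompute it without a key database."""
    return hmac.new(MASTER_KEY, b"voter-card:" + card_id, hashlib.sha256).digest()


class GenuineCard:
    def __init__(self, card_id: bytes):
        self.card_id = card_id
        self._key = card_key(card_id)
        self.active = True

    def respond(self, nonce: bytes) -> bytes:
        """Prove possession of the card key over the terminal's fresh nonce."""
        return hmac.new(self._key, nonce + self.card_id, hashlib.sha256).digest()

    # Self-reported state: the only thing the broken terminal looks at.
    def check_password(self, pw: bytes) -> bool:
        return pw == b"1234"               # constructed; "My password is 1234"

    def is_valid(self) -> bool:
        return self.active

    def deactivate(self) -> None:
        self.active = False


class ForgedCard(GenuineCard):
    """A $50-kit clone: says whatever the terminal wants to hear and ignores
    deactivation.  It does not know MASTER_KEY, so it has no valid card key."""
    def __init__(self, card_id: bytes):
        self.card_id = card_id
        self._key = b"\x00" * 32
        self.active = True

    def check_password(self, pw: bytes) -> bool:
        return True                        # "la la la la la la la la la la"

    def is_valid(self) -> bool:
        return True                        # "No. I mean yes!"

    def deactivate(self) -> None:
        pass                               # "Whatever you say, spaceman."


class NaiveTerminal:
    """Authenticates *to* the card, then trusts the card's answers."""
    def authorize(self, card) -> bool:
        if not card.check_password(b"1234"):
            return False
        if not card.is_valid():
            return False
        card.deactivate()                  # relies on the card to honour this
        return True


class HardenedTerminal:
    """Card authenticates *to* the terminal; terminal owns the used-card list."""
    def __init__(self):
        self.used_ids = set()              # in practice: shared, persistent, audited

    def authorize(self, card) -> bool:
        if card.card_id in self.used_ids:
            return False                   # one vote per card, enforced here
        nonce = secrets.token_bytes(16)    # fresh per session: a recorded answer is useless
        expected = hmac.new(card_key(card.card_id), nonce + card.card_id,
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, card.respond(nonce)):
            return False                   # a forged card can't compute the MAC
        self.used_ids.add(card.card_id)
        card.deactivate()                  # belt and braces; not relied upon
        return True
```

The naive terminal lets the forged card vote as often as it likes; the hardened one refuses it outright and refuses a genuine card, or a clone of it with the right key, the second time its ID turns up. That second point is the one the "please deactivate yourself" design misses: revocation state that lives on the thing being revoked isn't revocation.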
October 16, 2004 | Permalink | Comments (5)
FDA approves giant pennies
Here’s the MSNBC article. Prior discussion on this blog can be found here and here.
All kidding aside, I think implantable RFID chips were a great idea for cows and are a great idea for those people who, like cows, cannot be expected to remember to bring their wallets all the time. A medical history application is a reasonable use for this technology. Just to be clear, your medical history is not stored on the chip. The chip just has an ID number which can be used to call up your history from an existing database. Access to the database can be controlled using the normal methods. It’s kind of like those medical ID bracelets that professional golfers always seem to wear. Not the magical copper and magnet ones; those are crap.
October 13, 2004 | Permalink | Comments (0)
e-Passport problems

There’s a good write-up in the EETimes about recently discovered flaws with the Department of Homeland Security’s proposed electronic passports. The new passports have an embedded contactless (ISO 14443) “smart-card” chip that stores personal information and (sometimes) a biometric template. The problems come in two flavors: reliability and privacy.
The reliability issues are what you’d expect from a fairly new technology with mandated cross-vendor interoperability: some readers were not able to properly read some passports placed on them. I have no reason to believe that this is a serious problem. Like other standards before it, ISO 14443 will take a few generations to work out the kinks. We at CoreStreet work with many cards and readers and I expect that the number we have to smash (run over, shoot, microwave) out of frustration will decline over the coming months. Remember how hard it was to get Ethernet cards to work correctly in the late eighties? No? Sometimes I think I missed out on some fun in that decade.
The privacy issues are more serious. Basically, since the current standards don’t call for any encryption between the passports and the readers, it’s possible to build a clandestine reader and read passports from a distance:
Using a reader equipped with an antenna, NIST testers were able to lift "an exact copy of digitally signed private data" from a contactless e-passport chip 30 feet away, said Neville Pattinson, director of business development technology and government affairs for smart-card provider Axalto Americas.
Two government officials are quoted with reassurances:
An ICAO spokesman said the organization specifies a contactless "proximity" chip that can be read only within a distance of a few inches. He said he didn't know which chips had been used in the tests but called it "extremely unlikely" that proximity chips could read information from more than 4 inches away.
Unfortunately, the distance limitation on the read has more to do with the antenna on the reader than with the chip in the passport. Four inches is what you get with a regular reader antenna and a fast read; significantly greater distance can be achieved with larger antennas, more power and multiple attempts. Radio wave stuff is a black art to me, so I can't say for certain whether or not it's possible to restrict the read range on the actual chip, but I doubt it.
Another misleading quote follows:
A Homeland Security spokeswoman confirmed the tests had "demonstrated that if the readers are not designed with appropriate shielding, the data transmitted from the chip to the reader could be detected several feet away."
Once again, the problem has nothing to do with the legitimate readers. You can shield the readers in the finest dwarven mithril, but that won’t stop a rogue reader from getting at your passport data.
The only long-term solution is to add encryption between the passport and the reader. This can't be done in any meaningful way with most current ISO 14443 chips because those chips are not capable of storing and using a private key securely. The finer points of public key cryptography are beyond the scope of this blog entry, but suffice it to say that the only way you can have meaningful encryption for tens of millions of individual passports is to have individual keys; a single shared key would be extracted from the first chip an attacker bothered to take apart. One caveat: the individual key doesn't have to be an asymmetric one. ICAO's Basic Access Control derives a per-passport symmetric key from the machine-readable zone printed inside the booklet, so a reader that hasn't seen the open passport can't even start a session. That blocks the clandestine read, though it gives the chip no signing key of its own. There are cards that can do real public/private key operations over a proximity interface, but this "dual interface" technology (so called because the cards can typically be used in contact or contactless mode) is probably a year or two away from widespread use. Maybe these kinds of findings can spur the industry forward.
In the meantime, the article suggests that it would be extremely impractical for bad guys to build giant covert readers, and that metal-lined passport wallets can minimize opportunities for unauthorized reading. Both statements are true, so there’s no cause for near-term concern. The chips are good enough for now, and “dual interface” cards will clean up the remaining problems over the next few years.
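How a per-passport key can be derived without any asymmetric capability on the chip, as an added example that is not from the original post or the EETimes article: the key derivation step of ICAO Doc 9303's Basic Access Control, in which the reader must first optically read the machine-readable zone (document number, date of birth, expiry date and their check digits) and turn it into the two 3DES keys the chip expects. Only the derivation is shown; the 3DES session that follows is omitted. The MRZ values are the worked example printed in the ICAO specification, not data from any real passport.

```python
"""Added example, not from the original post: ICAO 9303 Basic Access Control
key derivation from the machine-readable zone.  Input values are the
specification's own worked example."""
from __future__ import annotations
import hashlib


def mrz_check_digit(field: str) -> str:
    """ICAO 9303 check digit: weights 7,3,1 repeating; A..Z = 10..35, '<' = 0."""
    weights = (7, 3, 1)
    total = 0
    for i, ch in enumerate(field):
        if ch.isdigit():
            value = int(ch)
        elif ch == "<":
            value = 0
        elif "A" <= ch <= "Z":
            value = ord(ch) - ord("A") + 10
        else:
            raise ValueError(f"invalid MRZ character {ch!r}")
        total += value * weights[i % 3]
    return str(total % 10)


def mrz_information(doc_number: str, birth_yymmdd: str, expiry_yymmdd: str) -> str:
    """The 'MRZ information' string: each field followed by its check digit.
    Reading these fields requires the booklet to be open in front of you."""
    return (doc_number + mrz_check_digit(doc_number)
            + birth_yymmdd + mrz_check_digit(birth_yymmdd)
            + expiry_yymmdd + mrz_check_digit(expiry_yymmdd))


def adjust_des_parity(key: bytes) -> bytes:
    """Set the low bit of each byte so the byte has odd parity (DES convention)."""
    out = bytearray()
    for b in key:
        ones = bin(b & 0xFE).count("1")
        out.append((b & 0xFE) | (0 if ones % 2 else 1))
    return bytes(out)


def bac_seed(mrz_info: str) -> bytes:
    """K_seed = leftmost 16 bytes of SHA-1(MRZ information)."""
    return hashlib.sha1(mrz_info.encode("ascii")).digest()[:16]


def bac_keys(mrz_info: str) -> tuple[bytes, bytes]:
    """(K_enc, K_mac): two-key 3DES keys, each SHA-1(K_seed || counter)[:16]
    with DES parity applied; counter 1 for encryption, 2 for MAC."""
    kseed = bac_seed(mrz_info)

    def derive(counter: int) -> bytes:
        digest = hashlib.sha1(kseed + counter.to_bytes(4, "big")).digest()
        return adjust_des_parity(digest[:16])

    return derive(1), derive(2)


if __name__ == "__main__":
    info = mrz_information("L898902C<", "690806", "940623")
    k_enc, k_mac = bac_keys(info)
    print("MRZ information:", info)
    print("K_seed:", bac_seed(info).hex().upper())
    print("K_enc: ", k_enc.hex().upper())
    print("K_mac: ", k_mac.hex().upper())
```

The caveat a practitioner would add: the key material is only as unpredictable as a document number, a birth date and an expiry date, which for a known target is not very, and the scheme says nothing about the chip being the one that belongs in this booklet. It stops the 30-foot skim described above; it is not the public-key design the post is asking for, and ICAO later added stronger access-control protocols on top of it.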
One quote near the end really caught my attention:
Kefauver also speculated that at some point, the contactless chip and passport could be eliminated altogether. Instead, a person's biometric data would be measured at the point of contact and compared with information stored in a central database. That would shift the security concerns from the chip to the network.
Now that seems like a really dangerous idea. The privacy, reliability, performance, cost and security implications of a central database approach are all potentially catastrophic at the scale we’re talking about. Proving this is left as an exercise to the reader.
(But if you have the answers and want a job, drop me a note.)
October 12, 2004 | Permalink | Comments (4)
Common ID mandate
Last Friday, the White House issued a presidential directive (HSPD-12) calling for a "Policy for a Common Identification Standard for Federal Employees and Contractors". The standard itself is due by March 2005, and by November 2005:

“… the heads of executive departments and agencies shall, to the maximum extent practicable, require the use of identification by Federal employees and contractors that meets the Standard in gaining physical access to Federally controlled facilities and logical access to Federally controlled information systems.”
This is big news: a common standard for identification credentials to be used for both physical and logical access for the roughly 60 million US government employees and contractors. The contractors have a very important role to play. Once big contractors like Boeing, SAIC, Raytheon, etc. start giving smart cards to all their employees for use on government work, they'll naturally want to leverage the investment on the commercial side as well. I've often said that real credentials and validation are the only ways to solve common problems such as phishing and identity theft. Just as with the development of the Internet, the federal government is once again the main initial catalyst for new technology that's going to change the foundations of mainstream business transactions in the near future.
The big question: If this grows past government employees, can we do it without infringing on people’s rights? I think we can.
[The small question: Is the “near future” near enough for my investors to make a healthy return? I think it is.]
August 30, 2004 | Permalink | Comments (0)
I round out my expertise
I spend a lot of time talking about the convergence of physical and IT security. This usually means prognosticating on how your “firewalls and VPNs” strategy has to work with your “locks and gates” strategy and your “guns and dogs” strategy. My knowledge of the last category is purely theoretical.
Today I decided to do some hands-on field research to add a touch of practice to the theory, so I drove out to the Boston Gun Range (cleverly located an hour away in Worcester – beware of extremely annoying gun shot sounds on the website) to shoot some guns. Under careful adult supervision, I worked my way up from a Ruger .22 to a Glock 9, Smith & Wesson .44 and, naturally, the gold-plated Desert Eagle .50 caliber, which throws a bullet about the size of a small school bus. It was keen.
I wonder if next time they’ll let me shoot up my always-broken WiFi access point. That would be some seriously therapeutic convergence.
Now how do I learn about “dogs”?
August 27, 2004 | Permalink | Comments (3)
I asked for a debate
There’s a pretty good and lengthy discussion brewing in the comments section on my last post about national IDs. I say this as a service to my RSS and bloglines readers who, as far as I can tell, do not normally get to see comments (and who don’t show up on any of my page view stats). Oh, you’re so smug.
August 23, 2004 | Permalink | Comments (0)
E-Voting radio link
The Viewpoints Radio e-voting interview I did last month is up on the web. Here’s the audio clip (Windows Media, 2:32 minutes) and my blog entry from when it happened.
Viewpoints Radio bills itself as, “Compliancy-based public affairs” and runs weekly on 250 radio stations. According to my calculations, that means there’s a 6% chance that my rambling about public disclosure of voting machine innards is interrupting somebody’s smooth-jazz marathon right now.
August 21, 2004 | Permalink | Comments (0)
SpoofStick Update
We've just released a new version of SpoofStick for Internet Explorer (v. 1.02) that addresses a newly discovered IE flaw described by this Secunia advisory. As always, you can download the latest version at the CoreStreet SpoofStick homepage.
The flaw is not present in Firefox, so no update to the Firefox version of SpoofStick is necessary.
For those of you keeping count, we’ve had over 130,000 downloads of SpoofStick since the official release three months ago.
[Update: Oooh, that’s an average of about one download every minute.]
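The two checks a SpoofStick-style "which site am I really on?" display has to make, as an added example that is not SpoofStick's code. It covers both SpoofStick posts on this page: the Shmoo IDN homograph issue fixed in the Firefox 1.05 release (a Cyrillic "а" in "pаypal.com" that renders identically to the Latin one), and the older trick of putting a trustworthy-looking name in the userinfo part of the URL so the visible address reads as one host while the browser connects to another. The script test approximates Unicode script membership from character names, since the standard library has no script property; the sample URLs are constructed.

```python
"""Added example, not SpoofStick's code: compute the host the browser will
actually talk to, and flag IDN labels that mix scripts or are non-ASCII,
showing the punycode form a toolbar should display.  Sample URLs constructed."""
from __future__ import annotations
import unicodedata
from urllib.parse import urlsplit


def real_host(url: str) -> str:
    """Host the browser connects to.  urlsplit().hostname already discards
    userinfo (http://www.paypal.com@evil.example/), the port and case."""
    host = urlsplit(url).hostname or ""
    return host.rstrip(".")


def scripts_in(label: str) -> set[str]:
    """Scripts present in a label, approximated from the first word of each
    character's Unicode name (LATIN, CYRILLIC, GREEK, ...).  ASCII digits and
    hyphens are script-neutral and skipped."""
    found = set()
    for ch in label:
        if ch in "-0123456789":
            continue
        name = unicodedata.name(ch, "")
        found.add(name.split()[0] if name else "UNKNOWN")
    return found


def homograph_findings(host: str) -> list[str]:
    """One finding per suspicious label.  Mixed scripts inside a single label
    is the homograph signature; a wholly non-Latin label may be legitimate
    but should still be shown to the user as such."""
    findings = []
    for label in host.split("."):
        if label.isascii():
            continue
        scripts = scripts_in(label)
        if len(scripts) > 1:
            findings.append(f"{label!r}: mixes scripts {sorted(scripts)}")
        else:
            findings.append(f"{label!r}: non-ASCII label, script {next(iter(scripts))}")
    return findings


def display_host(url: str) -> tuple[str, list[str]]:
    """What the toolbar should show: the connecting host in ASCII (punycode)
    form, which cannot be confused with a Latin look-alike, plus warnings."""
    host = real_host(url)
    ascii_host = host if host.isascii() else host.encode("idna").decode("ascii")
    return ascii_host, homograph_findings(host)


if __name__ == "__main__":
    for url in ("https://www.paypal.com/signin",
                "http://www.paypal.com@evil.example/signin",
                "http://www.p\u0430ypal.com/signin"):     # U+0430, Cyrillic small a
        shown, warnings = display_host(url)
        print(f"{url!r:45} -> {shown}  {warnings}")
```

Showing the punycode form is the same resolution the browsers eventually settled on for labels that mix scripts; the point of doing it in the toolbar is that it doesn't depend on how the address bar chooses to render the name.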
August 18, 2004 | Permalink | Comments (40)
New X-Ray
I was flying out of London’s Heathrow airport a few days ago and was pulled aside by a security officer for a “random” screening through a new x-ray machine. The officer explained that this was a “perfectly safe” procedure that would take four “low-intensity, high-resolution” x-ray images of my body. If I didn’t want to go through the machine, I could choose an old-fashioned manual search instead. That sounded ominous, so I agreed to the hands-off option.
The officer took me to a semi-private section near the security line and asked me to empty my pockets. Then I had to stand with my back to a wall, click, turn sideways with my legs apart and my arms away from my body, click, turn to face the wall, click, and turn to the other side with legs apart and arms away from my body, click. The whole thing took about 30 seconds.
I was interested in what the images looked like, so I asked the officer if I could see the computer display. He initially said no, but I used the secret code-phrase to identify myself as a fellow security professional (“aw come on, lemme see”), so he took me into a little room a few feet away and showed me the monitor. Luckily for the world, there is no surviving picture of myself standing with legs apart and arms away from my body, so here is a Photoshop recreation using the closest stand-in I could find and my best memory of the event:

“Yikes”, I said, “that’s unattractive.” The officer explained that, of course, the x-ray makes the image very squashed in the vertical axis. “Of course”, I concurred. You couldn’t exactly see bones, but all clothes were effectively removed. It looked like I was wearing a splotchy full-body stocking (I wasn’t at the time), but the splotches were probably internal bits. All in all, it looked like this scanner would do a good job finding anything suspicious. I can understand why they have the monitor in a separate room; many people might be a bit offended at seeing themselves like this. I also feel bad for the guy who has to sit in a closet and look at quasi-naked, splotchy fat people all day. It’s bad enough in London, but I don’t envy the operators when this thing gets installed in, say, Houston.
My verdict: This thing is great. It’s fast, convenient and (most likely) effective. I’ve written before about how the metal-detector ceremony is mostly useless and I’m glad that new technology is finally doing something about it. This type of x-ray combined with one of those air-puff explosive detectors would be an ideal passenger-entry unit.
Oh, the real secret to the code-phrase is the inflection. Don’t try it yourself unless you really are a security professional, or you'll get it wrong and wind up in airport jail.
August 13, 2004 | Permalink | Comments (2)
Report or publish or shut up?
I saw a CNN reporter make a nontrivial on-air security flub while small talking at the start of last week’s Democratic convention. The reporter and morning anchor were speculating whether or not John Edwards would run for president in 2008 or 2012, and the reporter said something like, “Elizabeth Edwards refused to say if her husband was considering a run, but she told me that she just found out that the two of them were staying in hotel room 2012 during the convention and she thought that that room number was a good omen.” “Har har”, said the anchor, “and now for these messages.”
Broadcasting the vice presidential candidate’s room number on live TV is an innocent mistake, but a pretty bad idea. Of course knowing the room number by itself is not sufficient to mount an attack, but it’s a sensitive part of the multi-layered security policy. There are certain conditions, for example a terrorist having infiltrated the hotel maintenance staff and having access to the VIP floor, where the room number might be the last piece of the puzzle. It may be far-fetched, but there’s a good reason that hotels don’t disclose this kind of information. Elizabeth Edwards should know better, but so should CNN.
I wasn’t sure what to do after seeing the broadcast. Eventually, and rather sheepishly, I decided to send an email to the Secret Service and the FBI and to hold off writing about it in the blog until after the convention was over. The odds that this slip could have had an impact on convention security were very small, and I suspect that the authorities picked it up before hearing from me. Still, it didn’t seem right to publicize it at the time. I never heard back from either agency.
Speaking of security flaws, I think I spotted a fairly big procedural one at an airport just now. I’ll go through my list of TSA contacts before posting it here, but I wonder if that’s the best approach. Is the increased chance of corrective action due to a public airing of the problem worth the tiny chance that some attacker will learn about and exploit the flaw from the publicity?
August 5, 2004 | Permalink | Comments (1)
Boston is quiet
Predictions of a chaotic Boston snarled by convention security and impassable by car, subway or foot have so far proven to be a complete bunko. It seems like half the locals treated the warnings as a good excuse to get out of town for the week. The road traffic during rush hour is significantly lighter than on less newsworthy days, the subways are brisk and even downtown restaurants aren’t bulging at the seams. I have to believe that, convention hotels and temporary construction crews aside, the local business community is losing a bucket of money.
As promised I took the “T” down to the convention center to check out the action at about 7pm. It was underwhelming. Here are some snapshots. Click on the thumbnails for a larger view.
This is the view of the convention center from the entrance of the “Free Speech Zone.” I’m not a big sports fan, but my friends tell me that the crowds here are usually larger when the Bruins play whatever it is they play. Low temperature water-polo, I think.
Here’s a sign in front of the fenced-in free speech zone. It seems reasonable to me. I guess the official name for this is the "demonstration zone". Notice the lack of people pushed into the fence. This will be a recurring theme.
The inside of the fenced-in area has one raised stage with a podium. The stage was occupied by this group of protesters. Apparently this was the real group, not the parody, but who can tell for sure these days? There were maybe thirty people in front of the stage taking pictures and/or heckling. Someone had written “This pen is shameful” on the podium, but they wrote it in chalk so I had to blink a few times before the message parsed. The other side said, “Flee the pen!”, which makes sense in a “mightier than the sword” sort of way. Notice the razor wire on the top of the overpass – this was the only place with razor wire and it might have been more for keeping the pigeons at bay than for controlling the protesters.
The rest of the protest zone was almost completely deserted. There were a few signs hanging on the fences. About half of the signs were protesting the protest zone itself. It seems like the biggest controversy in this convention is the forum set aside for discussing controversy. The meta-protesters hung up their signs and mostly left. I can’t decide if this is true irony or just the sort of thing that Alanis Morissette would find ironic.
The only vocal group outside of the protest zone was a sizable gaggle of Lyndon LaRouche supporters handing out their strangely comma-suffused alternative DNC platform. Here’s an example sentence from the section entitled “Monetarists and Physiocrats as Such”:
Among domesticated cattle, except those raised and killed as fighting animals for public amusement, the preferred tactic is a combination of genetic downscaling of the mental capabilities and impulses of the captive, with culling of those specimens which are considered, for formally rational, or utterly capricious reasons, as undesirable.
I’m not sure why the LaRouche folks were allowed to chant outside of the demonstration zone. How many times are they going to be able to say “Physiocrat” at passersby before someone is willing to throw down?
All in all, the security situation seemed to be under control. People are staying away from downtown and, with any luck, the big story next week will be how all the media predictions of catastrophe were vastly overblown. Only two days to go.
[BTW, I’m not going to comment on those Kerry NASA pictures, except to say that if I were given the opportunity to crawl around a NASA rocket in a bunnysuit, I would look just as happy and a whole lot less dignified.]
July 28, 2004 | Permalink | Comments (1)
Convention Eve
If somebody had told me four years ago that all protesters at the Democratic convention in 2004 would be corralled into a razor-wire enclosed holding pen un-ironically called the “Free Speech Zone”, well, I would have probably thought that they were more or less correct. It’s still mighty creepy though. I’m no student of architecture, but from seeing the place a couple of days ago I’m pretty sure it’s done up in early Camp X-Ray style. The design seems to be as much intended to keep potential protesters at home as to keep the people who actually manage to show up well behaved. This might all be necessary – it’s hard to know right now.
I think I’ll try to get down to the convention site in the next day or two just to see what the scene is like live and in person. I’m especially curious if the “free speech” area is only for protesters or for all demonstrators (pro and anti-convention alike). Some of the security arguments seem to get pretty weak if mobs of supporters are subjected to less supervision than mobs of protesters. Will a “Kerry / Edwards” sign really get someone closer to the action? We’ll see.
July 25, 2004 | Permalink | Comments (0)
The Mexican anti-kidnapping chip mystery
Rafael Macedo, the Attorney General of Mexico made an interesting claim yesterday:
Mexico's attorney general said on Monday he had had a microchip inserted under the skin of one of his arms to give him access to a new crime database and also enable him to be traced if he is ever abducted….
"It's an area of high security, it's necessary that we have access to this, through a chip, which what's more is unremovable," Macedo told reporters. "The system is here and I already have it. It's solely for access, for safety and so that I can be located at any moment wherever I am," he said, admitting the chip hurt "a little."
I’m more than a little skeptical about the anti-kidnapping claims; I’m not aware of any current technology that’s small enough to be implanted under the skin and still have enough radio and battery power to broadcast its location more than a few feet. VeriChip, the manufacturer of the implantable RFID chips, pretty much says the same thing:
Aceves said his company eventually hopes to provide Mexican officials with implantable devices that can track their physical location at any given time, but that technology is still under development.
My guess is that Señor Macedo’s claims are a little ahead of the technology. Unless your implanted RFID chip happens to pass within a few feet of a reader, and that reader is linked into some central alert network, I don’t see how the tracking would work. If the Mexican chips are significantly more advanced than my best guess, I’d love to know the details. Otherwise, I’d think twice before boasting about how the chip can find me in the case of a kidnapping and about how “unremovable” it is. The first claim is a bit premature. The second claim sounds like a challenge I wouldn’t be too keen about extending to any kidnappers.
If anyone wants a real tracking beacon for use in case of kidnappings or other natural disasters, I recommend the Breitling Emergency. Sure it’s big and removable, but camouflaged by a sufficient tonnage of other bling, it may escape your captors’ attention long enough to signal for help.
Plus, you can use it as a cudgel.
July 15, 2004 | Permalink | Comments (4)
E-Voting interview
I did a pre-taped radio interview on the topic of electronic voting today. It should air in the next few weeks. My two main points were:
1. Full public disclosure and strong auditing of the source code and all other details of an electronic voting system are necessary for public trust. No voting system that relies on obfuscation for security should be placed into service.
2. A paper trail is absolutely necessary, for now, to validate election results. In a few years, it may be possible to phase out paper completely once a strong digital-certificate-based credential (like the U.S. Military’s Common Access Card) makes it into the hands of voters.
Many of my views on electronic voting have been informed by Edward Felten over at Freedom to Tinker.
July 12, 2004 | Permalink | Comments (2)
Let's put some science into the terror alert debate
Is the U.S. government playing politics with recent terror warnings? I don’t really care. What I care about a lot more is: are those warnings effective? Fortunately, while people arguing the first question are probably not really interested in finding an answer, the second question should yield fairly well to dispassionate analysis.
Hype and political considerations aside, the two most frequently heard arguments in the debate over the value of periodic but vague terror alerts by the U.S. government are:
Con: The alerts make people apprehensive and afraid. This hurts our society (the “terrorists have already won” argument) and diminishes the impact of future alerts (the “boy who cried wolf” argument).
Pro: Even though the alerts may make people nervous, they also remind people to be vigilant. Since information is the most important weapon in the fight against terrorism, an attentive citizenry is worth some disruption to daily life (the “price of freedom is eternal vigilance” argument).
Both points are plausible, but are they true? I’m not sure, but there’s probably some useful behavioral data out there that could be used to evaluate the competing claims.
For example, is the “boy who cried wolf” phenomenon measurable in the real world? Surprisingly, not everything named after a fairy tale is completely reliable. In other words, are people who are repeatedly subjected to false alarms actually less likely to react effectively to a real emergency? After all, most military and emergency workers are constantly drilling with “false” alarms and no one seems to feel that this compromises their readiness. Of course these teams are repetitively practicing specific skills, not just being repetitively told to be anxious. Maybe that’s the difference.
Similarly, is the “vigilance” claim accurate? Are people who are repeatedly told to be on guard actually better able to identify and respond to emergency threats than people who are more relaxed? Many skydiving or SCUBA instructors go to great lengths to teach their students how to be physically relaxed in dangerous situations; the justification being that an attentive but at-ease mind is more effective at coping with unexpected circumstances. Does this logic apply to national terror alerts?
These are fairly narrow questions which are well suited to scientific investigation. Much of this investigation has almost certainly already been carried out in the past half a century. I’d like to see the media focus on reviewing relevant data from commercial, government and academic sources before bringing on the next set of political experts to fling unverifiable mud at each other. Ain’t my naïve idealism cute?
July 10, 2004 | Permalink | Comments (0)
Military is right on spy cans
If you were shipwrecked on a deserted island and could only have one case of carbonated beverages with you, you’d want it to be a case of Coke because you might get a can with a built-in cell phone and GPS. These special cans, part of a zany new summertime promotion from Coca-Cola, have caused some US military bases to warn employees against bringing the potential listening devices into sensitive locations. The press is predictably reporting the warnings as another example of superfluous military hand wringing:
Paul Saffo, research director at the Institute for the Future, a technology research firm, compared the concern about the Coke cans to when the CIA banned Furbies, stuffed toys that could repeat phrases. "There's things generals should stay up late at night worrying about," he said. "A talking Coke can isn't one of them."
Of course the problem isn’t that the cans can talk, it’s that they can listen and send their coordinates. Similarly, the CIA didn’t ban Furbies because they were distracting and horrifically ugly, but because they could be used (perhaps unintentionally) to record conversations. Ok, also because they were horrifically ugly.
Meanwhile, Coke is reassuring the public:
Coca-Cola spokesman Matt Martin, however, said there was no way that the cell phones or GPS devices could be used to eavesdrop on conversations or give away the positions of military sites. "The cell phone will only talk to the prize center. There is only one line of communication, so it can't be intercepted," Martin said. "The GPS information can only be accessed by the prize center."
That statement is both misleading and beside the point. What does “one line of communication” even mean? Any cell call can be intercepted, and the Coke-phones probably aren’t using the most sophisticated encryption schemes known to science. More importantly, since when did Coke “prize center” employees (possibly sitting in an off-shore call center) become authorized to hear secret government conversations? The thrust of Coke's argument seems to be that the military has nothing to worry about as long as it’s only Coca-Cola listening in on the other side. Every day, life becomes more and more like Dr. Strangelove:
Group Capt. Lionel Mandrake: Colonel... that Coca-Cola machine. I want you to shoot the lock off it. There may be some change in there.
Colonel "Bat" Guano: That's private property.
Group Capt. Lionel Mandrake: Colonel! Can you possibly imagine what is going to happen to you, your frame, outlook, way of life, and everything, when they learn that you have obstructed a telephone call to the President of the United States? Can you imagine? Shoot it off! Shoot! With a gun! That's what the bullets are for, you twit!
Colonel "Bat" Guano: Okay. I'm gonna get your money for ya. But if you don't get the President of the United States on that phone, you know what's gonna happen to you?
Group Capt. Lionel Mandrake: What?
Colonel "Bat" Guano: You're gonna have to answer to the Coca-Cola company.
Let’s get down to the security specifics. There are three main types of threats associated with the presence of potential listening devices in sensitive meetings:
1. Somebody could intentionally bring in or plant a listening device and record a conversation.
2. Somebody could unknowingly bring in an active listening device and be duped into recording a conversation.
3. Somebody could accidentally record a conversation which might be discovered at a later time.
Banning Coke cans and Furbies does nothing to reduce the likelihood of the first threat, because an intentional spy already has access to thousands of inconspicuous recording options. However, threats two and three are significantly diminished by making sure that all personnel are aware of the potential eavesdropping capabilities of all of their possessions. Sure, it’s not the biggest danger facing our nation, but thinking about potential misuse of recording gadgets is something that some general ought to stay up late worrying about. Or at least some civilian analyst.
Should Coke pull the promotion? Of course not; it’s an innovative campaign and poses no undue overall risk. Should the military issue appropriate routine warnings to their bases? Yes, just as they’ve done. Should the media experts be a little less smug in these kinds of matters? I may not be the right guy to throw that particular stone.
On second thought, the magic can is “powered by T-Mobile”, so coverage on some deserted islands may be limited. I guess in a shipwreck, you’d be better off with the old fashioned sugar and water instead.
July 3, 2004 | Permalink | Comments (5)
The other shoe
[This is the third, and longest (yikes) part of my “Too Frequent Traveler” series. See parts one and two.]
Many flight attendants are so practiced at constantly repeating the same things at the same times that their body language subtly changes when they’re about to say something new. I saw this happen a few days ago while struggling to simultaneously tie my shoe and buckle my seatbelt after a clumsy sprint from airport security to the gate. At the conclusion of a stiffly rendered pre-flight safety video, the lead flight attendant paused oddly before announcing:
“What our new safety video didn’t mention is that if you have to put on your life jacket in the event of a water landing, please inflate only one side inside the cabin and wait until you’re outside to inflate the other side. That’s not going to happen today since we’re going to have a great, landlocked, flight from Chicago to San Jose.”
This must be a fairly new policy since I distinctly remember snickering at past safety brochures and videos that clearly depicted eerily calm people dutifully blowing into their air vests while the voice-over admonished real-life passengers NOT to inflate their vests inside the plane. Here’s my completely uneducated guess about how this happened: Once there were two panels of industry experts. One panel argued that obese people with inflated vests might get stuck in the emergency doors. The other panel argued that poor swimmers might panic upon hitting the water and lack the presence of mind to inflate their vests. They commissioned a study to determine the ratio of obese people to poor swimmers on domestic and international flights. After much debate, a compromise was reached: tell passengers to inflate only half the vest. A number of routes were selected to participate in a pilot study of the newly revised announcements. Naturally, to minimize risk, they were all completely over-land routes. The follow-up study to determine the optimal half to inflate first is still in progress.
Perhaps I’m being unfairly pessimistic about this new “half-full” policy, but common sense is not the strong suit of the American air travel security system. Neither is openness to questions. This is a shame because arbitrary, opaque and confusing procedures are exactly what’s wrong with flying today. Opaque security slows down the process, strains already overworked personnel and leads to passenger resentment and disenfranchisement. This last side effect blunts the industry’s best anti-terror weapon: The vast majority of travelers would be more than willing to help with security if they only understood the reasons behind the policies. There is a big difference between actual help and the type of passive-aggressive “cooperation” that we’re habitually being thanked for when subjected to inconveniences and delays. Passengers can’t help the system if they’re kept in a perpetual state of surreal resentment and confusion. Who even knows what’s normal in airports these days? That guy running around with no pants? Maybe he just had to remove his belt for the metal detector and is about to miss his plane.
Let’s get rid of the arbitrary stuff, the confusing stuff, the misleading stuff and the silly stuff. Instead of fear and bemusement, let’s earn the useful respect of the public. What do I mean by arbitrary and misleading? Everyone’s got their favorite illustrations:
I was once granted an extra-thorough search for simply asking why my flimsy cardboard poster tube couldn’t be brought as a carry-on (it was “club-like”), and I’m nearly paralyzed with fear at the sight of those “No Joking!” signs present at many screening checkpoints. What if I only look funny? When I asked a high-ranking member of the TSA why my friend was subjected to extra searching on each of his last dozen flights, I was assured that it was purely “random.” There’s “flips a coin” random and then there’s “moves in mysterious ways” random. The government is not an institution that ought to be permitted the latter definition.
Another problem with arbitrary policies is that security personnel don’t understand them either. Poor understanding often leads to poor execution, which often leads to funny results. Unfortunately, funny isn’t the goal.
For example, when my wife and I were returning from Alaska, we brought four suitcases to the check-in counter. The ticket agent punched in some numbers and told us that while my bags were cleared for check-in, my wife’s had been selected for a random hand-inspection. The agent wanted to know which bags were my wife’s. I tried, “Um, they’re all mine”, but she dutifully informed me that we were allowed only two bags per person and so would I please select which two were mine – and would therefore go straight on the plane, and which two were my spouse’s – which we would have to take back and carry to another line for hand-searching. Had I hypothetically stashed a box of Cuban cigars in one of the bags, that would have been a hypothetically good time to remember which one. At least I didn’t make a joke!
This is making us safe?
Ralph “Where’s” Waldo Emerson famously wrote, “A foolish consistency is the hobgoblin of little minds…” I used to love that quote in junior high school because (1) it justified the state of my room and (2) I knew what a hobgoblin was. Thing is, I didn’t do a lot of business travel in junior high. Now I think a bit of consistency is just what good and lawful security should have.
Take the selection of cutlery that gets served with in-flight meals. On domestic flights, I always get plastic butter knives, but in international business class I often get metal ones – even when departing from a U.S. airport. The dull two-inch blades are completely non-threatening and someone attempting to wield one in a melee would find themselves at a severe tactical disadvantage against any sufficiently blunt object. But why allow the knives on some flights and not on others? Why make such a transparent mockery of security procedures? Much of the time, the plastic knife comes with a sharp metal fork. Did someone decide that it was less dangerous to get forked than buttered? I smell a committee compromise.
On a recent flight from Japan I was actually given five knives – three for dinner and two for breakfast. By TSA logic, that would have been enough to fight off a whole ninja clan, should one have stowed onboard. Also, do they allow women’s stiletto heels on-board? Hang on while I look… they do!
Which brings me full circle to my favorite example of pseudoscientific and counterproductive airport security: the shoe removal ceremony. This started immediately after the “shoebomber” incident and many people think it’s done so the shoes can be checked for explosives. This is patently not true – the shoes are simply run through the x-ray machine so they don’t set off the main metal detector. The fact that shoes don’t set off metal detectors in any other country just proves that the sensitivity on US metal detectors is jacked up to 11. A couple of times, I’ve seen a TSA employee walk up and down the security line and scan shoes with a wand so as to warn people in advance if their shoes had metal in them. I’m fairly certain that the wand was set to detect homeopathic amounts of metal, because it went off on literally every single shoe he scanned – including the “airport friendly: contains no metal” shoes I had just purchased for the trip. Of course everybody knows that sneakers don’t have metal, so he didn’t bother scanning those.
Taking off shoes and belts is not just frustrating. It actively hurts security by creating a mass of disorderly, irritable and partially disrobed passengers clogging up the line. That kind of confusion is exactly what a patient terrorist needs to better his chances of exploiting the system. Some expert panel really ought to study this carefully. Of course should it come to that, I’ve got the perfect compromise: hold your pants up with one hand and hop through on only one shoe.
[The TSA and airline security folks have a very tough job. Despite my criticism in the last two parts, there's a lot that they're doing right. The next and final part will be about the stuff that works today, the stuff that'll work soon, and how to get there from here.]
June 28, 2004 | Permalink | Comments (1)
SpoofStick on TV
A few days ago, PC World columnist Steve Bass demoed SpoofStick on G4TechTV’s “The Screen Savers”. Everyone who has come to my house since then has been forced to watch it on Tivo.
Other recent SpoofStick coverage is on the CoreStreet SpoofStick homepage.
June 27, 2004 | Permalink | Comments (0)
Fortified answers
The Fortifying Network Security newsletter asked me to answer three questions for their June 9th issue. Here’s what I had to say:
Question: What authentication method(s) offer the best performance and lend themselves to widest, secure use (PKI, biometrics, smart cards, etc.)?
Libin: The most secure and most reliable method of authentication is a one-to-one, locally matched biometric, recorded in a validated digital certificate and stored on a PKI smart card. The PKI smart card is almost impossible to duplicate, providing a very solid "something you have" factor. The local one-to-one match protects privacy and greatly reduces false identifications; a validated digital certificate proves that the whole package hasn't been tampered with and that it's still good right now. This triple-holy-grail of authentication used to be very expensive and cumbersome, but recent technology advances have brought both price and complexity way down.
Question: When adding authentication to the security mix, how can enterprises avoid adding management complexity from new identity management tasks?
Libin: Some work is always required when introducing additional technology, but a properly designed authentication scheme should reduce overall complexity, not increase it. Once you have a consistent way of doing authentication – knowing who everyone is – and validation – knowing what each user is allowed to do – tasks and applications that use your identity management scheme actually become easier to write and manage. Do some work up front; save a ton of work later.
Question: What key feature or element should enterprise customers insist on where authentication is concerned?
Libin: Convenience. If it's hard for the user, they won't use it, and you'll be worse off than before you implemented it. Period.
---
On another topic, I’m in the midst of some marathon traveling, so the frequency of my posts for the next week will depend on the complex and unpredictable interactions of airport delays, food digestibility, broadband availability and general time zone wackiness. On the upside, I hope to buy some keen gadgets.
June 11, 2004 | Permalink | Comments (0)
Washington Post reviews SpoofStick
Rebecca Rohan has written a quick and positive review of SpoofStick, CoreStreet’s free anti-phishing utility, for today’s Washington Post. Her conclusion:
SpoofStick is reassuring to have around, but it can't replace common-sense skepticism.
This is exactly right. We never intended SpoofStick to be a comprehensive solution for all the possible bad things that can happen while using your computer. SpoofStick is a straightforward tool that does one thing well: it cuts through the clutter of confusing, malicious or mislabeled URLs to tell you what web site you’re actually on. We were trying for simple and useful, and I think that’s what we got.
About 30,000 downloads so far. If anyone’s got suggestions for improvements, I’m all ears. All the other SpoofStick news can be found here.
June 7, 2004 | Permalink | Comments (1)
Latest SpoofStick coverage and version
SpoofStick continues to make a mark on the net. The latest mentions are from Network World, the Kansas City Star, the St. Petersburg Times (the one in Florida, not Russia, but see below) and the Newark Star Ledger. PC World contributing editor Steve Bass gave SpoofStick a good mention in his June 2nd newsletter, but it’s not on-line yet. Steve called me a “f
