Articles by Jim Harper

I have examined the CAPPS program and the fake boarding pass generator in a longish post over on Cato@Liberty.

At the tail end, I say “The fake boarding pass generator does not create a new security weakness. It reveals an existing one. Though some people may want to, it’s important not to kill the messenger . . . .”

Michael Hampton of the enteraining and insightful HomelandStupidity.us quickly pointed me to the views of Congressman Ed Markey (D-MA), which are reflected in Ryan Singel’s post on 27B Stroke 6: Congressman Ed Markey Wants Security Researcher Arrested.

Update: Do check the post on this topic at HomelandStupidity. Scroll down for a YouTube video send-up of identity-based security.

SHARE:

With the holidays approaching, a new program providing greater access to airport concourses is underway. At select airports throughout the country, non-travelers can now enter and meet arriving loved ones, as was routine just a few years ago.

Everyone entering the concourse will still be subject to physical security checks, but the program permits travelers to pass through security and board planes without showing ID to transportation authorities or by using a false/pseudonymous ID.

Has the Transportation Security Administration seen fit to restore convenience, privacy, and freedom to air travelers? Seen the light on identification-based security and relented on ID/boarding card checks? Well, no.

A PhD student in the Security Informatics program at Indiana University has created a generator that anyone can use to mock up their own boarding pass. He notes a number of different uses for it – among them, meeting your elderly grandparents at the gate, or evading the TSA’s no-fly list. So far, it’s only good for Northwest Airlines, but others would be equally easy to design.

Checking the ID and boarding pass is intended to communicate to personnel at the concourse checkpoint that a person has been run past the watch list and “no-fly” list. It provides a sort of second credential, linked by name to the ID of the person who has been reviewed. This spoof easily breaks that link. Fake a credential matching any ID you have, and you are in the concourse.

I wouldn’t recommend using this system without a careful check of the law – if you are allowed to see it. It’s probably illegal to access an airport concourse this way and the TSA would bring the full weight of its enforcement powers down on you if you were caught. Needless to say, making it illegal to evade security is what keeps the terrorists in line.

Hmm. Or maybe security procedures actually need to work.

And that’s the researcher’s point: Comparing a boarding pass to an identification document at the airport does little to prevent a watch-listed or no-fly-listed person from passing (except perhaps to inconvenience him a little more than everyone else). Indeed, identification-based security is swiss-cheesed with flaws.

The first problem is that you have to know who the bad guys are. If you don’t know who is bad, your ID-based security system can’t catch them. If you do know who is bad, you have to make sure that they aren’t using an alias. The cost of doing so may vary, but defrauding or corrupting identity systems is an option that will never be closed to wrongdoers. Making an identity system costly for bad guys to defeat also makes it costly for good people to use. Witness the REAL ID Act.

The linear response to the exposure of this flaw could be to “tighten up” the system – perhaps by discontinuing the use of self-printed boarding passes. The right response is to abandon the folly of identity-based security and use security methods that address tools and methods of attack directly.

There’s plenty on identity and identity-based security in my book Identity Crisis.

SHARE: 6 comments

Interesting question – and perhaps simpler than many people think.

Back in June, the Department of Homeland Security’s Data Privacy and Integrity Advisory Committee (on which I serve) published a draft report on the use of RFID for human tracking.  The report poured cold water on using RFID in government-mandated identity cards and documents.  This met with some consternation among the DHS bureaus that plan to use RFID this way, and among the businesses eager to sell the technology to the government.

Despite diligent work to put the report in final form, the Committee took a pass on it at its most recent meeting in September – nominally because new members of the Committee had not had time to consider it.  The Committee is expected to finish this work and finalize the report in December.

But skeptics of the report continue to come out of the woodwork.  Most recently, the Center for Democracy and Technology wrote a letter to the Privacy Committee encouraging more study of the issue, implicitly discouraging the Committee from finding against RFID-embedded government documents.  CDT invited “a deeper factual inquiry and analysis [that] would foster more thoughtful and constructive public dialog.”

If the correct answer is “no” do you have to say “yes” to be constructive? RFID offers no anti-forgery or anti-tampering benefit over other digital technologies that can be used in identification cards – indeed it has greater security weaknesses than alternatives.  And RFID has only negligible benefits in terms of speed and convenience because it does not assist with the comparison between the identifiers on a card and the bearer of the card.  This is what takes up all the time in the process of identifying someone.   (If that’s too much jargon, you need to read my book Identity Crisis: How Identification is Overused and Misunderstood.)

I shared my impression of CDT’s comments in an e-mail back to Jim Dempsey.  Jim and CDT do valuable work, but I think they are late to this discussion and are unwittingly undermining the Privacy Committee’s work to protect Americans’ privacy and civil liberties. My missive helps illustrate the thinking and the urgency of this problem, so after the jump, the contents of that e-mail:

Continue reading →

SHARE:

Child predators. Before we go down the road of locking them up and throwing away the key, we should read of this botched raid, by police who had used the wrong IP address to determine who were suspects. Weirdly, Shaquille O’Neal was part of the goon squad.

(ht: Balko)

SHARE:

In this recent post, TechCrunch briefly assessed some concerns with Google’s office strategy. As most TLFers probably know, Google has online offerings in the works that could substitute for the word processing and spreadsheet software on your computer – just like Gmail did with e-mail.

And just like Gmail, documents and information would remain on Google’s servers so they can be accessed anywhere. This is a great convenience, but brings with it several problems, namely:

The fact that unauthorized document access is a simple password guess or government “request” away already works against them. But the steady stream of minor security incidents we’ve seen (many very recently) can also hurt Google in the long run.

Arrington’s post goes on to highlight a series of small but significant security lapses at Google. If Google wants companies and individuals to store sensitive data on their servers, they have to be pretty near perfect – or better than perfect.

Then there is government “request.” Arrington makes appropriate use of quotation marks to indicate irony. Governments rarely “request” data in the true sense of that term. Rather, they require its disclosure various ways – by warrant or subpoena, for example, by issuing “national security letters,” or by making a technical “request” that is backed by the implicit threat of more direct action or regulatory sanctions.

Continue reading →

SHARE: