--- "Roy M. Silvernail" <roy@rant-central.com> wrote:
Quoting Tyler Durden <camera_lumina@hotmail.com>:
And since one's passport essentially boils down to a chip, why not implant it under the skin?
You say that as though it hasn't been considered.
Good point. As many of us know, there are groups of well-educated people who spend all their time on the analysis of technology: think tanks. Who can possibly say what sorts of universal, 'machine-readable' identification systems are considered, and which modes of use they imagine? Many of the studies that are conducted under the umbrella of think tank research are, of course, proprietary and restricted in distribution. Knowledgeable individuals can do only so much (in their spare time, for instance) towards doing their own analysis of leading-edge technology use and misuse, and most people know this. So, why is it that there seem to be no open source groups who, like people in the free software movement, might write software, produce non-trivial papers on the results of their brainstorming sessions? If we can agree that the research of closed NSA think-tank groups might be of immense interest to people with a vested interest in the use or misuse of emerging technologies, then it follows that open source intelligence analysis of technology is a field that is both very much wide-open for exploration, and also quite critical. People like Bruce Schneier do a good job more or less on their own in their respective fields, but it seems that there is likely a significant quality gap in what can be done by individual experts, and what might be accomplished by groups of savvy intellectuals. However, the playing field is such that in the public realm most discussion and analysis of these kinds of issues are relegated to science fiction, academic journals, mailing lists, and of course blogs. There seems to be a reluctance on the part of a great many people to bring a more rigorous and wide ranging type of analysis to such fields, and I am not quite sure why.
Nevertheless, for those who are at all aware of the kind of product produced by conventional think-tank groups, it is evident that there are large gaps in the areas of consideration and fields of study covered by the open-source analysis field. This obviously affects the quality of debate in the public sphere.
As for the encryption issue, can someone explain to me why it even matters?
It doesn't, actually. There is no clear and compelling reason to make a passport remotely readable, considering that a Customs agent still has to visually review the document. And if the agent has to look at it, s/he can certainly run it through a contact-based reader in much the same way the current design's submerged magnetic strip is read.
It would seem to me that any "on-demand" access to one's chip-stored info is only as secure as the encryption codes, which would have to be stored and which will eventually become "public", no matter how much the government says, "Trust us...the access codes are secure."
http://wired-vig.wired.com/news/privacy/0,1848,67333,00.html?tw=wn_story_rel...
This story says the data will be encrypted, but the key will be printed on the passport itself in a machine-readable format. Once again, this requires manual handling of the passport, so there's *still* no advantage to RFID in the official use case.
(i.e., they want to be able to read your RFID without you having to perform any additional actions to release the information.)
Yup. Bruce Schneier nailed the real motivation almost a year ago:
http://www.schneier.com/blog/archives/2004/10/rfid_passports.html
"Normally I am very careful before I ascribe such sinister motives to a government agency. Incompetence is the norm, and malevolence is much rarer. But this seems like a clear case of the Bush administration putting its own interests above the security and privacy of its citizens, and then lying about it."
I have a different threat model. I suggest that incompetence is _often_ deliberate and, at least to those who orchestrate such things, is designed to leave or provide cracks in arbitrary systems that will be exploited. This may be defensible in cases where someone wants to encourage child molesters to expose their operations to sophisticated intelligence and surveillance activities, but is harder to defend when such policies affect the integrity of the money supply, or the transportation infrastructure, or ....
Interestingly, even the on-document keying scheme doesn't address the fundamental problem. Nowhere is it said that the whole of the remotely readable data will be encrypted. If a GUID is left in the clear, the passport is readily usable as a taggant by anyone privy to the GUID->meatspace map. Without access to the map, the tag still identifies its carrier as a U.S. passport holder. Integrating this aspect into munitions is left as an exercise for the reader.
The only way I see it making a difference is perhaps in the physical layer...encryption + shielding is probably a lot more secure than encryption without shielding, given an ID "phisher" wandering around an airport with a special purpose briefcase.
This isn't about phishing. That's just a bonus.
Yep.
Regards,
Steve