----- Original Message -----
From: "Greg Broiles" <gbroiles@parrhesia.com>
To: <cypherpunks@lne.com>
Sent: Friday, November 09, 2001 3:12 PM
Subject: CDR: Re: Security-by-credential or security-by-inspection
At 01:10 AM 11/9/2001 +0100, Nomen Nescio wrote:
[...] A few other irrelevant points have been made. Given that ID is not perfectly reliable, do we need to tattoo numbers on people's forearms? This is the fallacy of perfection. ID can be combined with a simple thumbprint for biometric identification (already widely used for cashing checks) and you will raise the cost of forgery considerably.
Bullshit. There's no real-time on-line database of ordinary citizen fingerprints available to match versus ID cards, even if the cards (which don't exist and haven't been issued) were available.
Then let's make proper use of technology. We want to make sure the ID card is issued by the correct authority, that's almost exactly what digital signatures were designed for. Just create some uniform way of computing the data from the card (easiest would be to just use a plain old-fashioned smartcard), and check the signature against a publicly known public key. It's really quite simple.
So, yeah, sure, thumbprints would let us know if the dead suicide bomber's "real name" was really the one he used to rent the truck or buy the plane ticket .. or if he just got started on his project early enough to get his stolen identity matched to his real fingerprint .. but how, exactly, is that going to Save the Children?
That is the far bigger problem. Identifying these people simply won't make any difference. If a person is intent on being a suicide bomber, they will blow other people up with them, no matter how well we can make an identification.
Can you get that up and running in, say, 60 days?
Couldn't get the thumbprint idea going that quick, but smartcards and smartcard readers are already in mass production making my idea not easy, but possible to get underway in 60 days. Completion though would be a matter of approximately a decade.
California has been trying for years to get a vastly less ambitious system working even a little bit at the Department of Motor Vehicles - at one point (several years in) they figured out that they had to throw away everything they'd done so far and start all over again. A project like you propose in your casual, offhand manner is probably 100 times more expensive and more complicated than California's .. but that doesn't seem to scare you. The IRS's computer system is in similar disarray - they can't always find records or correlate things, and they've gone ahead and assigned everyone nice easy numbers, and they operate on a timeframe of months and years, not seconds ticking by at a departure gate or a gas station pump. The FBI tried to build a database of disqualified firearm purchasers for use in the "instant check" process and it's proved to have an error rate of between 5 and 10%.
Very good examples of how not to go about it. My idea (while far from perfect or fully developed) lacks the same bottleneck points, the only information that needs to be accessed millions of times remains static across years, with a retrieval rate like that it would be more than possible to simply broadcast the key over a public broadcasting station alongside the current time, since nobody is watching anyway you could easily take over the closed captioning for a few seconds to send out the key. I'm clearly not addressing certification of the key as correct but having the president read back a hash of it at the state of the union address (couldn't be any more boring than the rest) would certainly provide some evidence.
If the CA DMV, the IRS, and the FBI can't get these sorts of databases up and running given their already generous budgets (millions and billions) and timeframes measured in years, how can you possibly think that anything like this is even possible - even before reaching the "is it a good idea?" question.
Many of the hijackers would have been caught simply by cross-referencing their IDs against existing databases. That's what El Al does and they have an excellent safety record in the most terrorist-infested part of the world.
Hmm. Then it's funny that Mohammed Atta (likely the worst-looking on paper, since he's the guy who was meeting with an Iraqi intelligence agent in Prague and had outstanding criminal/traffic warrants) was able to clear Customs when he re-entered the country.
Agreed.
The "ID card" fairy tale still loses.
I agree, no matter what method is chosen, the possibilities for abuse are excessive (some of these people can't even be trusted not to use a phone book improperly, give them some real power and who knows what will happen), and the value of the target is too great. Let's pretend that my idea is used. Let's say each card costs $10 to issue. How much is impersonation worth? Well for something of the impact of Sept 11 it could easily be estimated at billions of dollars. That will buy a massive amount of computer power, a large quantity of the world's best mathematicians, and a significant amount of time. I don't like the odds of DSA against that, it's too close to the wire right now, supplying a target of this size could be devastating. That leaves RSA variants, but for billions of dollars and a significant amount of time 2^80 work (SHA1) isn't that much, some less fully examined algorithm would have to be used, that presents its own problems. Basically the target is simply too big for current standards, once SHA-512 is fully examined there may be a chance, but until then I just don't think the card everyone idea is cryptographically feasible. The non-cryptographic methods would pose additional problems because anything that can be physically made by one person can be physically made by another.
Further, your "perfection isn't necessary" argument would be reasonable if we weren't talking about trying to solve a terrorist problem - but it's my impression that's the context of this discussion. The interesting thing about terrorism is that its direct effects aren't especially important - it's the secondary effects on people not physically affected by the event which give terrorism its power. Losing 5000 people in one day to an identifiable cause - or the 3 or 4 that we've lost to anthrax - is absolutely nothing, statistically speaking. Red meat and cigarettes probably kill a WTC's worth of people every day in the US alone - and we probably lose an anthrax letter's worth of deaths every day to even more obscure stuff like bee stings or wading pools.
That's true, we certainly lose more people to far more mundane things every day than the WTC tragedy caused. But at the same time you have to realize that most people don't think about bee stings as a cause of death, they don't even think about the bed they sleep in as a cause of death (look up the statistics it's hilarious), and both of those cause vastly more deaths each year than terrorism on average. The problem is that the media has hyped this up, the president's handlers have told him that this is a big deal, as a result of this the general populace wants blood. Thinking people know that we will never eliminate terrorism, well I guess on a technicality we could, but it would require extermination of all but 1 human.
The placebo effect created by these measures [is important]
I think that line says it all.
Joe
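
Added example, not part of the original thread: a sketch of the check the reply describes, where a reader computes the card data in a uniform way, verifies the issuer's signature against a public key, and accepts that key only if its hash matches a value obtained over a separate channel. The field layout, the demo key built from known Mersenne primes, and the use of unpadded RSA over SHA-256 are assumptions made to keep it inside the Python standard library.

```python
import hashlib

# Constructed demo key from two well-known Mersenne primes: trivially
# factorable, illustration only. Unpadded "textbook" RSA is used to stay
# inside the standard library; a real issuer would use a padded scheme.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # issuer's private exponent, never on a reader

FIELDS = ("card_id", "name", "date_of_birth", "expires")  # hypothetical layout

def canonical(card):
    """Uniform encoding of the card data: fixed field order, length-prefixed."""
    parts = (card[f].encode("utf-8") for f in FIELDS)
    return b"".join(len(p).to_bytes(2, "big") + p for p in parts)

def digest_int(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def key_fingerprint(n, e):
    """Short hash of the public key, the value that could be read out loud."""
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big") + e.to_bytes(4, "big")
    return hashlib.sha256(raw).hexdigest()

def sign(card, d, n):
    return pow(digest_int(canonical(card)), d, n)

def verify(card, sig, n, e, trusted_fingerprint):
    """Reader side: pin the key to the published hash, then check the signature."""
    if key_fingerprint(n, e) != trusted_fingerprint:
        return "untrusted key"
    if not 0 < sig < n or pow(sig, e, n) != digest_int(canonical(card)):
        return "bad signature"
    return "ok"

def demo():
    published = key_fingerprint(N, E)          # obtained out of band
    card = {"card_id": "X-0001", "name": "Alice Example",
            "date_of_birth": "1970-01-01", "expires": "2011-11-09"}  # constructed
    sig = sign(card, D, N)
    altered = dict(card, name="Mallory Example")
    # A forger's own key pair signs correctly but does not match the published hash.
    n2 = (2**127 - 1) * P
    d2 = pow(E, -1, (2**127 - 2) * (P - 1))
    return (verify(card, sig, N, E, published),
            verify(altered, sig, N, E, published),
            verify(altered, sign(altered, d2, n2), n2, E, published))

if __name__ == "__main__":
    print(demo())
```

The check only proves the card data was signed by the holder of the issuer key; it says nothing about whether the person presenting the card is the person it was issued to.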