Re: Security-by-credential or security-by-inspection
There are so many misconceptions floating around here it's hard to know where to begin. But let's start with two points of agreement.

First, airport screening is far from perfect. There is no way to detect all possible threats coming on the airplane. And given the technology and time available, it will always be possible to smuggle aboard knives, explosives and other dangerous devices more than sufficient to risk the lives of everyone on that airplane.

Second, no ID based system is perfect, either. People can falsify their ID with varying degrees of expense and difficulty. Moving to biometrics can help but these can be spoofed as well.

But to conclude from these points that we should just let everyone walk onto a plane with no more than the cursory inspection that has been used in the past is pure bullshit. Absence of perfection is no argument against a system. Someone once said that "all cryptography is economics." Well, all security is economics as well. Any argument which is based on the fact that loopholes and failures will exist is irrelevant. The point of security is to raise the cost of breaching it. That's all. Understanding and accepting this would raise the level of the dialog considerably.

Given this fact, it makes no sense to intentionally blind screeners to relevant data when performing their security analysis. Those guards should have every scrap of information possible available to them. People who have a history of violence, who make threats, who are associates with known terrorists, all represent correspondingly greater risks. An efficient screening system will use this information to determine how carefully each passenger is examined.

Resources are finite, and it is highly inefficient to apply exactly the same procedure to each individual. You'll have far more security for the same cost by allocating greater security resources to those individuals who pose the greatest risk based on the data available. They are the ones who need their bags hand-searched. They need the metal detector wand run over their entire bodies. They can empty their pockets and have their shoes removed and inspected. It is not practical to apply this level of scrutiny to every passenger. But by making use of public information, high risk individuals can be subjected to high levels of inspection.

This is where the irony was pointed out, of cypherpunks calling for limits on the use of information! A group which prides itself on developing technologies that can keep damaging information alive is suddenly afraid, now that they may be the ones to suffer from their own past words. Tim May himself has called for the nuclear destruction of Washington, DC. He has expressed support for the actions of Tim McMay, sorry, McVeigh. He threatens death to judges, police officers, even reporters who misquote him. He has said that the local police have put him on their watch list as a potentially dangerous individual. Clearly, he would be a prime target for any selective screening effort. And this is entirely appropriate. Certainly many of us here would feel more comfortable riding on a plane with an unstable, violent individual if he had been searched thoroughly, preferably including body cavities.

Some have claimed to object only because the government is involved in the search. That's a red herring in this case. Yes, the government is setting security policies, but they are only responding to public demand.

Any fully private security system would see the same kinds of checks in order to get the flying public back into the air. No one wants to fly with someone who has a history of calling for the violent overthrow of the U.S. government at a time when planes are being turned into guided missiles.

Then there is the absurd fantasy that if unregulated, some airlines would differentiate themselves by offering minimal screening in order to corner the lucrative market composed of all the Tim McVeighs of the world. Only a blind man would think that businesses work this way. In every industry there are a limited number of profitable market niches and companies fight for those. Fringe markets, like people who want to fly with unscreened terrorists, are not served. (Look at all the successful companies selling products to cypherpunks.) There would be no airlines seeking such a market. At a time when passenger levels have dropped precipitously the airlines will do everything they can to assure their passengers that they are safe. That means screening of exactly the type we are discussing.

A few other irrelevant points have been made. Given that ID is not perfectly reliable, do we need to tattoo numbers on people's forearms? This is the fallacy of perfection. ID can be combined with a simple thumbprint for biometric identification (already widely used for cashing checks) and you will raise the cost of forgery considerably. Many of the hijackers would have been caught simply by cross-referencing their IDs against existing databases. That's what El Al does and they have an excellent safety record in the most terrorist-infested part of the world.

What about Chaum credentials? Well, how would they help? Are you going to show a not-a-terrorist credential? No one is in a position to issue such a thing. And even if you had one, how would you prove it isn't stolen? If ID can be forged then so can any other sort of credential. The Chaum technology is nothing but a pipe dream anyway. It's never been used and never will be, because there is no incentive (see above re unserved markets).

Then there is this whole "credential vs capability" debate. This is nothing but an ivory tower abstraction with very little relevance to the practical problems involved in screening real people before they get on an airplane. Here's an Arab guy who looks shifty and nervous. They do a biometric face scan and run it through the customs database against known terrorists. Is that a credential? A capability? Neither, it's just good security sense and the use of all information resources available.

When confronted with an unpleasant reality, cypherpunks retreat into their imaginary world of abstractions. That doesn't help when planes are falling from the skies. Try to stick with reality for a few minutes at least. Information which is available will be used. Screeners are free to use any and all information that is relevant in assessing risk. If cypherpunks would remove their blinders they would see that this is entirely in keeping with the ideas of Blacknet and information wanting to be free. What, is Blacknet going to refuse to sell to Argenbright? This is how far cypherpunks have come from their free market roots, that somehow they think that information can be kept under wraps just because it doesn't fit their ideology. It's amazing to see a supposedly pro-information group suddenly claiming that their own pasts should be off limits when faced with a life or death situation. Cypherpunks need to take a harder look at themselves and resolve this contradiction.
At 01:10 AM 11/9/2001 +0100, Nomen Nescio wrote:
[...] A few other irrelevant points have been made. Given that ID is not perfectly reliable, do we need to tattoo numbers on people's forearms? This is the fallacy of perfection. ID can be combined with a simple thumbprint for biometric identification (already widely used for cashing checks) and you will raise the cost of forgery considerably.
Bullshit. There's no real-time on-line database of ordinary citizen fingerprints available to match versus ID cards, even if the cards (which don't exist and haven't been issued) were available. Thumbprints taken in banks don't do anything to immediately ID the person cashing a check - they provide evidence about who got the money, if the check turns out to have been fraudulent or stolen .. but to be worth much, the fingerprint needs to be matched to a name (which is only possible if that finger of that person has been fingerprinted and archived before, and they're both good, readable prints), or to a physical body, which might happen after an arrest. They're evidence which is useful in court, but they don't do a thing to tell the bank whether or not the transaction is likely to fail.

So, yeah, sure, thumbprints would let us know if the dead suicide bomber's "real name" was really the one he used to rent the truck or buy the plane ticket .. or if he just got started on his project early enough to get his stolen identity matched to his real fingerprint .. but how, exactly, is that going to Save the Children? I agree that it will help law enforcement agents make a nice crisp presentation in Congressional hearings about how they dug up the suicide bomber's Permanent Record all the way back to preschool less than 45 minutes after they turned a daycare center into a slaughterhouse .. but I don't really give a shit about that.

The only way you can use fingerprints and ID cards to begin to prevent the killing in the first place looks like this:

1. Reliably fingerprint everyone on the planet and record their "true name", whatever that is, and issue ID cards to them with that data.
2. Cross-reference the data in (1) with existing criminal, intelligence, mental health data, making sure that in the process of doing that you don't screw up people's right to privacy in medical records, reveal existing investigations, or reveal intelligence sources/methods.
3. Distribute cheap and reliable fingerprint readers all over the planet (or maybe all over the US, though it's hard for me to imagine other countries will cooperate with (1) unless they get them too) so that people's fingerprints can be imaged locally.
4. Build a real-time database capable of storing & retrieving the data from (1) and (2) given fuzzy images from (3), and a network capable of providing simultaneous access for millions of clients.
5. Give access to (4) to everyone who needs it, but prevent them from using the data they gather (like fingerprint images and personal data) for ID theft or impersonation.
6. Develop either an algorithm/expert system which decides which people ID'd within the system are allowed to do certain things (like "board a plane", "buy av gas", "rent a truck", etc), or delegate that decision to many thousands of minimum-wage clerks, who will not be susceptible to trickery nor bribes.

Can you get that up and running in, say, 60 days? California has been trying for years to get a vastly less ambitious system working even a little bit at the Department of Motor Vehicles - at one point (several years in) they figured out that they had to throw away everything they'd done so far and start all over again. A project like you propose in your casual, offhand manner is probably 100 times more expensive and more complicated than California's .. but that doesn't seem to scare you. The IRS's computer system is in similar disarray - they can't always find records or correlate things, and they've gone ahead and assigned everyone nice easy numbers, and they operate on a timeframe of months and years, not seconds ticking by at a departure gate or a gas station pump. The FBI tried to build a database of disqualified firearm purchasers for use in the "instant check" process and it's proved to have an error rate of between 5 and 10%.
If the CA DMV, the IRS, and the FBI can't get these sorts of databases up and running given their already generous budgets (millions and billions) and timeframes measured in years, how can you possibly think that anything like this is even possible - even before reaching the "is it a good idea?" question.
Many of the hijackers would have been caught simply by cross-referencing their IDs against existing databases. That's what El Al does and they have an excellent safety record in the most terrorist-infested part of the world.
Hmm. Then it's funny that Mohammed Atta (likely the worst-looking on paper, since he's the guy who was meeting with an Iraqi intelligence agent in Prague and had outstanding criminal/traffic warrants) was able to clear Customs when he re-entered the country. The "ID card" fairy tale still loses. Further, your "perfection isn't necessary" argument would be reasonable if we weren't talking about trying to solve a terrorist problem - but it's my impression that's the context of this discussion. The interesting thing about terrorism is that its direct effects aren't especially important - it's the secondary effects on people not physically affected by the event which give terrorism its power. Losing 5000 people in one day to an identifiable cause - or the 3 or 4 that we've lost to anthrax - is absolutely nothing, statistically speaking. Red meat and cigarettes probably kill a WTC's worth of people every day in the US alone - and we probably lose an anthrax letter's worth of deaths every day to even more obscure stuff like bee stings or wading pools. Those events are powerful not because of the people killed and property damaged, but because of the fear that the other 230 million people in the US feel (+ more worldwide), because they're faced with the possibility of successful, similar attacks - and that's why a mealy-mouthed "my security system isn't perfect but it'll reduce the marginal success rate and that's still valuable" doesn't even come close to solving the problem, because people are already freaked out about a statistically insignificant risk. Reducing that infinitesimal risk further without eliminating it is a waste of time. (Accordingly, some measures do nothing to reduce the actual risk but make people feel better because of their superstitious beliefs about the power of guns or databases or the application of arbitrary screening and sorting rules. The placebo effect created by these measures isn't unimportant - but let's create it by more traditional and less risky means, like prayer and faith in supreme beings and/or ritual pledges of allegiance or other ceremonies, instead of wasting lots of time and money creating unstable oppression systems ripe for misuse or takeover.)

--
Greg Broiles -- gbroiles@parrhesia.com -- PGP 0x26E4488c or 0x94245961
5000 dead in NYC? National tragedy.
1000 detained incommunicado without trial, expanded surveillance? National disgrace.
On Fri, Nov 09, 2001 at 01:12:59PM -0800, Greg Broiles wrote: [a lot of well-written stuff on ID cards etc. deleted. If you didn't read it, go back and dig it up]
(Accordingly, some measures do nothing to reduce the actual risk but make people feel better because of their superstitious beliefs about the power of guns or databases or the application of arbitrary screening and sorting rules. The placebo effect created by these measures isn't unimportant - but let's create it by more traditional and less risky means, like prayer and faith in supreme beings and/or ritual pledges of allegiance or other ceremonies, instead of wasting lots of time and money creating unstable oppression systems ripe for misuse or takeover.)
ID cards are another feel-good measure, nothing more. As you correctly point out, they won't add any real security against terrorism unless taken to very impractical lengths. But the people think they will help, just like the poorly-trained national guard troops in airports. Worse, the people have been sold the ideas that increased security means giving up freedoms and therefore anything that reduces freedom must be increasing security. Eric
----- Original Message ----- From: "Greg Broiles" <gbroiles@parrhesia.com> To: <cypherpunks@lne.com> Sent: Friday, November 09, 2001 3:12 PM Subject: CDR: Re: Security-by-credential or security-by-inspection
At 01:10 AM 11/9/2001 +0100, Nomen Nescio wrote:
[...] A few other irrelevant points have been made. Given that ID is not perfectly reliable, do we need to tattoo numbers on people's forearms? This is the fallacy of perfection. ID can be combined with a simple thumbprint for biometric identification (already widely used for cashing checks) and you will raise the cost of forgery considerably.
Bullshit. There's no real-time on-line database of ordinary citizen fingerprints available to match versus ID cards, even if the cards (which don't exist and haven't been issued) were available.
Then let's make proper use of technology. We want to make sure the ID card is issued by the correct authority; that's almost exactly what digital signatures were designed for. Just create some uniform way of computing the data from the card (easiest would be to just use a plain old-fashioned smartcard), and check the signature against a publicly known public key. It's really quite simple.
So, yeah, sure, thumbprints would let us know if the dead suicide bomber's "real name" was really the one he used to rent the truck or buy the plane ticket .. or if he just got started on his project early enough to get his stolen identity matched to his real fingerprint .. but how, exactly, is that going to Save the Children?
That is the far bigger problem. Identifying these people simply won't make any difference. If a person is intent on being a suicide bomber, they will blow other people up with them, no matter how well we can make an identification.
Can you get that up and running in, say, 60 days?
Couldn't get the thumbprint idea going that quick, but smartcards and smartcard readers are already in mass production making my idea not easy, but possible to get underway in 60 days. Completion though would be a matter of approximately a decade.
California has been trying for years to get a vastly less ambitious system working even a little bit at the Department of Motor Vehicles - at one point (several years in) they figured out that they had to throw away everything they'd done so far and start all over again. A project like you propose in your casual, offhand manner is probably 100 times more expensive and more complicated than California's .. but that doesn't seem to scare you. The IRS's computer system is in similar disarray - they can't always find records or correlate things, and they've gone ahead and assigned everyone nice easy numbers, and they operate on a timeframe of months and years, not seconds ticking by at a departure gate or a gas station pump. The FBI tried to build a database of disqualified firearm purchasers for use in the "instant check" process and it's proved to have an error rate of between 5 and 10%.
Very good examples of how not to go about it. My idea (while far from perfect or fully developed) lacks the same bottleneck points: the only information that needs to be accessed millions of times remains static across years. With a retrieval rate like that it would be more than possible to simply broadcast the key over a public broadcasting station alongside the current time; since nobody is watching anyway you could easily take over the closed captioning for a few seconds to send out the key. I'm clearly not addressing certification of the key as correct, but having the president read back a hash of it at the State of the Union address (couldn't be any more boring than the rest) would certainly provide some evidence.
If the CA DMV, the IRS, and the FBI can't get these sorts of databases up and running given their already generous budgets (millions and billions) and timeframes measured in years, how can you possibly think that anything like this is even possible - even before reaching the "is it a good idea?" question.
Many of the hijackers would have been caught simply by cross-referencing their IDs against existing databases. That's what El Al does and they have an excellent safety record in the most terrorist-infested part of the world.
Hmm. Then it's funny that Mohammed Atta (likely the worst-looking on paper, since he's the guy who was meeting with an Iraqi intelligence agent in Prague and had outstanding criminal/traffic warrants) was able to clear Customs when he re-entered the country.
Agreed.
The "ID card" fairy tale still loses.
I agree, no matter what method is chosen, the possibilities for abuse are excessive (some of these people can't even be trusted not to use a phone book improperly; give them some real power and who knows what will happen), and the value of the target is too great. Let's pretend that my idea is used. Let's say each card costs $10 to issue. How much is impersonation worth? Well, for something of the impact of Sept 11 it could easily be estimated at billions of dollars. That will buy a massive amount of computer power, a large quantity of the world's best mathematicians, and a significant amount of time. I don't like the odds of DSA against that; it's too close to the wire right now, and supplying a target of this size could be devastating. That leaves RSA variants, but for billions of dollars and a significant amount of time 2^80 work (SHA1) isn't that much, so some less fully examined algorithm would have to be used, and that presents its own problems. Basically the target is simply too big for current standards; once SHA-512 is fully examined there may be a chance, but until then I just don't think the card-everyone idea is cryptographically feasible. The non-cryptographic methods would pose additional problems because anything that can be physically made by one person can be physically made by another.
Further, your "perfection isn't necessary" argument would be reasonable if we weren't talking about trying to solve a terrorist problem - but it's my impression that's the context of this discussion. The interesting thing about terrorism is that its direct effects aren't especially important - it's the secondary effects on people not physically affected by the event which give terrorism its power. Losing 5000 people in one day to an identifiable cause - or the 3 or 4 that we've lost to anthrax - is absolutely nothing, statistically speaking. Red meat and cigarettes probably kill a WTC's worth of people every day in the US alone - and we probably lose an anthrax letter's worth of deaths every day to even more obscure stuff like bee stings or wading pools.
That's true, we certainly lose more people to far more mundane things every day than the WTC tragedy caused. But at the same time you have to realize that most people don't think about bee stings as a cause of death; they don't even think about the bed they sleep in as a cause of death (look up the statistics, it's hilarious), and both of those cause vastly more deaths each year than terrorism on average. The problem is that the media has hyped this up, the president's handlers have told him that this is a big deal, and as a result of this the general populace wants blood. Thinking people know that we will never eliminate terrorism; well, I guess on a technicality we could, but it would require extermination of all but 1 human.
The placebo effect created by these measures [is important]
I think that line says it all. Joe
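To make the smartcard-signature idea in the post above concrete, here is an added example in Go (not code from the thread or from any participant): the issuing authority signs a fixed serialisation of the card record, and a reader checks it against the published public key alone, with a key fingerprint standing in for the hash that would be read out for certification. Ed25519 and SHA-256 are swapped in for the DSA/RSA and SHA-1 the post discusses; the record fields and sample values are assumptions.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
)

// CardRecord is the data an ID card would carry. The fields are assumed
// for this example; TemplateHash stands in for whatever biometric
// template the issuer binds to the card.
type CardRecord struct {
	CardID       uint64
	Name         string
	BirthDate    string // YYYY-MM-DD
	TemplateHash [32]byte
}

// encode is the "uniform way of computing the data from the card": a
// fixed-order, length-prefixed serialisation, so every reader hashes
// exactly the bytes the issuer signed and no field can be re-split.
func (r CardRecord) encode() []byte {
	var b bytes.Buffer
	binary.Write(&b, binary.BigEndian, r.CardID)
	for _, s := range []string{r.Name, r.BirthDate} {
		binary.Write(&b, binary.BigEndian, uint16(len(s)))
		b.WriteString(s)
	}
	b.Write(r.TemplateHash[:])
	return b.Bytes()
}

// NewIssuer creates the issuing authority's key pair. Only the private
// half has to be protected; the public half is what gets broadcast.
func NewIssuer() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Issue signs a record; this runs once, at card issuance.
func Issue(priv ed25519.PrivateKey, r CardRecord) []byte {
	return ed25519.Sign(priv, r.encode())
}

// Verify is what a reader at the gate runs. It needs only the public key
// and the card's own data, so there is no per-passenger database lookup.
func Verify(pub ed25519.PublicKey, r CardRecord, sig []byte) error {
	if len(pub) != ed25519.PublicKeySize {
		return errors.New("malformed issuer key")
	}
	if !ed25519.Verify(pub, r.encode(), sig) {
		return errors.New("signature does not match card data")
	}
	return nil
}

// KeyFingerprint is the short value to publish out of band (the "read
// back a hash of it" idea) so a reader can check it holds the genuine
// issuer key and not one substituted along the broadcast path.
func KeyFingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:8])
}

func main() {
	pub, priv := NewIssuer()
	rec := CardRecord{CardID: 1001, Name: "Sample Holder", BirthDate: "1970-01-01",
		TemplateHash: sha256.Sum256([]byte("constructed template"))} // constructed sample
	sig := Issue(priv, rec)
	fmt.Println("issuer key fingerprint:", KeyFingerprint(pub))
	fmt.Println("genuine card:", Verify(pub, rec, sig))
	forged := rec
	forged.Name = "Someone Else"
	fmt.Println("altered name:", Verify(pub, forged, sig)) // fails: data changed
	otherPub, _ := NewIssuer()
	fmt.Println("other issuer's key:", Verify(otherPub, rec, sig)) // fails: wrong key
}
```

The cost argument in the post still applies: a reader that accepts whatever key arrives over the broadcast, without checking the fingerprint, verifies cards from anyone who can inject a key.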
At 01:12 PM 11/09/2001 -0800, Greg Broiles wrote:
At 01:10 AM 11/9/2001 +0100, Nomen Nescio wrote:
[...] A few other irrelevant points have been made. Given that ID is not perfectly reliable, do we need to tattoo numbers on people's forearms? This is the fallacy of perfection. ID can be combined with a simple thumbprint for biometric identification (already widely used for cashing checks) and you will raise the cost of forgery considerably.
Bullshit. There's no real-time on-line database of ordinary citizen fingerprints available to match versus ID cards, even if the cards (which don't exist and haven't been issued) were available.
They require the forger to have access to the format used by the fingerprint storage system, not that that's _too_ hard. They also require that a minimum-wage security guard be able to do fingerprint matching, which says that the system needs to be automated and somewhat error-tolerant. Besides, run this sort of scam on the public for very long, and you *will* have a database of fingerprints - not hard to put on line. The main thing it accomplishes is that it somewhat reduces theft of ID cards, and forces people who lose their Internal Passport to keep getting new ones with their own fingerprints or use better fake documentation when they reapply.
The "ID card" fairy tale still loses.
On Thursday, November 8, 2001, at 04:10 PM, Nomen Nescio wrote:
There are so many misconceptions floating around here it's hard to know where to begin. But let's start with two points of agreement.
First, airport screening is far from perfect. There is no way to detect all possible threats coming on the airplane. And given the technology and time available, it will always be possible to smuggle aboard knives, explosives and other dangerous devices more than sufficient to risk the lives of everyone on that airplane.
Second, no ID based system is perfect, either. People can falsify their ID with varying degrees of expense and difficulty. Moving to biometrics can help but these can be spoofed as well.
But to conclude from these points that we should just let everyone walk onto a plane with no more than the cursory inspection that has been used in the past is pure bullshit.
No, it isn't. Since the rise of terrorism as a common practice among the world's political underclass, what percentage of passengers died or were injured in such incidents? I'd bet (I don't have the relevant numbers at hand) that it approaches (but of course does not reach) 0.0 percent. And even further, I'd bet that if *no* checks were done, the number would drop even further, and airline costs would drop (no need for expensive x-ray machines and expensive security guard payrolls (yes, I know they aren't paid that well, but to maintain the numbers of security personnel, support personnel for the security personnel etc. is expensive)). The vast majority of people are not terrorists, are not willing to die for a cause, and are generally too afraid of the Law to commit dangerous levels of violence on an aircraft.
Absence of perfection is no argument against a system. Someone once said that "all cryptography is economics." Well, all security is economics as well. Any argument which is based on the fact that loopholes and failures will exist is irrelevant. The point of security is to raise the cost of breaching it. That's all. Understanding and accepting this would raise the level of the dialog considerably.
While the above is relatively true, there are not, and would not be "Airline Hackers" as you have "Computer Hackers" today. The marginal cost of compromising a computer system is fairly small for the gains received, you don't have to leave home, you rarely get caught, you can get scripts which allow you to try thousands of systems an hour etc. None of this applies to the Airline sphere. The costs are massively greater, as are the risks. You cannot "anonymously" hijack a plane (although planting a bomb could still be done) (side note, how hard would it be to bomb a US Postal service plane using several small packages all mailed to the same town, all set with a pressure sensitive switch what would cause the explosion at a certain air pressure?) you have to be there in person to wave the weapon around, and you expose yourself directly to a bunch of people who really don't want you to succeed. If even one of them is armed, you are going to fail miserably.
Given this fact, it makes no sense to intentionally blind screeners to relevant data when performing their security analysis. Those guards should have every scrap of information possible available to them. People who have a history of violence, who make threats, who are associates with known terrorists, all represent correspondingly greater risks.
How many people who have a "history of violence" (i.e. beat the shit out of a drunk pawing their date) fly routinely and never cause a problem?
An efficient screening system will use this information to determine how carefully each passenger is examined.
An efficient police system would have 92% of the population behind bars.
Resources are finite, and it is highly inefficient to apply exactly the same procedure to each individual.
Resources are sufficient to give each passenger a .41 derringer loaded with 2 .410 shot shells. No more planes will be hijacked. Guaranteed.
You'll have far more security for the same cost by allocating greater security resources to those individuals who pose the greatest risk based on the data available. They are the ones who need their bags hand-searched. They need the metal detector wand run over their entire bodies. They can empty their pockets and have their shoes removed and inspected. It is not practical to apply this level of scrutiny to every passenger. But by making use of public information, high risk individuals can be subjected to high levels of inspection.
They are also the most likely to have the resources and connections to spoof the system.
Some have claimed to object only because the government is involved in the search. That's a red herring in this case. Yes, the government is setting security policies, but they are only responding to public demand.
They are generating the public demand.
Any fully private security system would see the same kinds of checks in order to get the flying public back into the air. No one wants to fly with someone who has a history of calling for the violent overthrow of the U.S. government at a time when planes are being turned into guided missiles.
I don't want to fly on an airline who treats any passenger as a fucking criminal, who insists on a background check before boarding. And I'm putting my money where my mouth is. In December I plan on riding to the Midwest to see my daughter, 2000-2500 miles each way in winter on a rather small bike *just* so I don't have to deal with the airlines and give them even more of my money.
What about Chaum credentials? Well, how would they help? Are you going to show a not-a-terrorist credential? No one is in a position to issue such a thing. And even if you had one, how would you prove
If no one is in a position to issue such a thing, then no one is in a position to institute the kind of data-gathering you would need for your scheme.
When confronted with an unpleasant reality, cypherpunks retreat into their imaginary world of abstractions. That doesn't help when planes are falling from the skies. Try to stick with reality for a few minutes
Really? How many have "fallen" in the last 30 years? And how many of those were mechanical failures as opposed to terrorist acts? "Planes are falling from the skies" is rhetorical feces. Our government, and our country, got the military equivalent of a black eye. Yes, it hurts, yes it's embarrassing as all hell, but it's being used as an excuse for all the police state bullshit that the fascists under Reagan, Bush, Clinton, and Bush wanted. And you're at the trough lapping it up.
--
"Remember, half-measures can be very effective if all you deal with are half-wits."--Chris Klein
participants (6)
- Bill Stewart
- Eric Murray
- Greg Broiles
- Joseph Ashwood
- Nomen Nescio
- Petro