Gubmint Tests Passport RFID...

Steve Thompson steve49152 at yahoo.ca
Tue Aug 9 15:02:24 PDT 2005 

--- "Roy M. Silvernail" <roy at rant-central.com> wrote:

> Quoting Tyler Durden <camera_lumina at hotmail.com>:
> 
> > And since one's passport essentially boils down to a chip, why not
> implant
> > it under the skin?
> 
> You say that as though it hasn't been considered.

Good point.  As many of us know, there are groups of well-educated people
who spend all their time on the analysis of technology: think tanks.  Who
can possibly say what sorts of universal, 'machine-readable'
identification systems are considered, and which modes of use they
imagine?  Many of the studies that are conducted under the umbrella of
think tank resarch is, of course, proprietary and restricted in
distribution.  Knowledgable individuals can do only so much (in their
spare time, for instance) towards doing their own analysis of leading-edge
technology use and misuse, and most people know this.  So, why is it that
there seem to be no open source groups who, like people in the free
software movement might write software, produce non-trivial papers on the
results of their brainstorming sessions?

If we can agree that the research of closed NSA think-tank groups might be
of immense interest to people with a vested interest in the use or misuse
of emerging technologies, then it follows that open source intelligence
analysis of technology is a field that is both very much wide-open for
exploration, and also quite critical.  People like Bruce Schneier do a
good job more or less on their own in their respective fields, but it
seems that there is likely a significant quality gap in what can be done
by individual experts, and what might be accomplished by groups of savvy
intellectuals.  

However, the playing field is such in the public realm most discussion and
analysis of these kinds of issue are relegated to science fiction,
academic journals, mailing lists, and of course blogs.  There seems to be
a reluctance on the part of a great many people to bring a more rigorous
and wide ranging type of analysis to such fields, and I am not quite sure
why.

Nevertheless, for those who are at all aware of the kind of product
produced by conventional think-tank groups, it is evident that there are
large gaps in the areas of consideration and fields of study covered by
the open-source analysis field.  This obviously affects the quality of
debate in the public sphere.

> > As for the encryption issue, can someone explain to me why it even
> matters?
> 
> It doesn't, actually.  There is no clear and compelling reason to make a
> passport remotely readable, considering that a Customs agent still has
> to
> visually review the document.  And if the agent has to look at it, s/he
> can
> certainly run it through a contact-based reader in much the same way the
> current design's submerged magnetic strip is read.
 
> > It would seem to me that any "on-demand" access to one's chip-stored
> info is
> > only as secure as the encryption codes, which would have to be stored
> and
> > which will eventually become "public", no matter how much the
> government
> > says, "Trust us...the access codes are secure."

>
http://wired-vig.wired.com/news/privacy/0,1848,67333,00.html?tw=wn_story_related
> 
> This story says the data will be encrypted, but the key will be printed
> on the
> passport itself in a machine-readable format.  Once again, this requires
> manual
> handling of the passport, so there's *still* no advantage to RFID in the
> official use case.


 
> > (ie, they want to be able to read your RFID wihtout you having to
> perform
> > any additional actions to release the information.)
> 
> Yup. Bruce Schneier nailed the real motivation almost a year ago:
> 
> http://www.schneier.com/blog/archives/2004/10/rfid_passports.html

"Normally I am very careful before I ascribe such sinister motives to a
government agency. Incompetence is the norm, and malevolence is much
rarer. But this seems like a clear case of the Bush administration putting
its own interests above the security and privacy of its citizens, and then
lying about it."

I have a different threat model.  I suggest that incompetence is _often_
deliberate and, at least to those who orchestrate such things, is designed
to leave or provide cracks in arbitrary systesm that will be expoited. 
This may be defensible in cases where someone wants to encourage child
molesters to expose their operations to sophisticated intelligence and
surveillance activities, but is harder to defend when such policies affect
the integrity of the money supply, or the transportation infrastructure,
or ....
 
> Interestingly, even the on-document keying scheme doesn't address the
> fundamental problem. Nowhere is it said that the whole of the remotely
> readable
> data will be encrypted. If a GUID is left in the clear, the passport is
> readily
> usable as a taggant by anyone privy to the GUID->meatspace map.  Without
> access
> to the map, the tag still identifies its carrier as a U.S passport
> holder. 
> Integrating this aspect into munitions is left as an exercise for the
> reader.
> 
> > The only way I see it making a difference is perhaps in the physical
> > layer...encryption + shielding is probably a lot more secure than
> encryption
> > without shielding, given an ID "phisher" wandering around an airport
> with a
> > special purpose briefcase.
> 
> This isn't about phishing. That's just a bonus.

Yep.


Regards,

Steve


__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com

More information about the cypherpunks-legacy mailing list