Dailydave mailing list archives

Re: The paradox of our security measures


From: "I)ruid" <druid () caughq org>
Date: Tue, 03 Jun 2008 22:06:11 -0500

On Fri, 2008-05-30 at 17:59 -0400, Dave Aitel wrote:
> Like Anti-Virus and IDS, RFID is another cool example of how adding a
> security measure ends up reducing your security.

Your statement is a little misleading regarding scope.  The mechanism
is meant to increase security of the Olympics by (supposedly) creating a
mechanism for provable identity, and I'll give them the benefit of the
doubt without reviewing the overall security system that the
identification mechanism is intended for that it does so, however what
it does do is effectively reduce users' personal *privacy*
(security://confidentiality) due to vulnerabilities of the
identification mechanism itself.  Adding the mechanism didn't
necessarily reduce the security of the system it was intended to be used
within, as the privacy of the users was probably not one of their design
goals (they probably just care about identifying people traversing
security checkpoints).  Rather, it just had a really nasty side-effect
which undermines a lot of protections and controls of a different system
altogether (reasonable expectation of personal privacy and the existing
protections thereof).

Anyhow... RF snarfing people's dox as they use their vulnerable ID to
traverse a security checkpoint has a special kind of irony to it, and is
funny as hell.  Bonus points to whoever turns one of the jumbotrons at
the games into an Olympic wall of sheep and broadcasts the snarfed info
directly to it. (:

BTW, is Laurie on this list?  I'd really like a tour of his bunker next
time I'm near London...

-- 
I)ruid, C²ISSP
druid () caughq org
http://druid.caughq.org


_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
