Interesting People mailing list archives
IP: Re: Ellison's Identity Cards
From: David Farber <dave () farber net>
Date: Tue, 25 Sep 2001 11:10:59 -0400
From: "Jonathan S. Shapiro" <shap () eros-os org>
To: <farber () cis upenn edu>
Cc: "Allen Wagner" <a_wagner () uclink4 berkeley edu>
Subject: Re: IP: Ellison's Identity Cards
Date: Tue, 25 Sep 2001 10:41:15 -0400
X-Mailer: Microsoft Outlook Express 5.50.4807.1700

Dave:

Allen Wagner copied me on the note he sent to you for IP. I think he has raised a valid question, and one that has been posed to me privately by several others following the original note. I would like to answer it if you feel it will benefit the discussion.

>I'm struck by the comparison: Ellison offers
>a vision that challenges our technical ability;
>Shapiro's rejection by raising some obvious
>questions is twice endorsed. So where is the
>academy? No alternative solution or other
>positive perspective [to ID cards] is offered.
>Do the academics believe there is no feasible
>technical solution?

I believe that there is no feasible technical solution, because this isn't a technical problem.

Few things in the security technology arena are absolute, but let's imagine, for a moment, that the technology existed to produce identity cards that were perfect. We don't know how to do that in the real world, but we can agree, I think, that if they existed we would use them. The question to ask is: "Would that help?"

The answer is no. The problem lies in the process by which the card is issued. Ellison proposes issuing a card to everybody. This means that there will be thousands of people out there with the authority to create such cards. As with any other sensitive activity involving large numbers of people, a few will regrettably turn out to be people who can be bribed or threatened. We know now, for example, that one of the people involved in the earlier WTC bombing took over an identity by killing a young student and his entire immediate family, and removing every photographic and written trace of the victim.

Place yourself for a moment in the position of the card issuer.
Do you imagine that a committed terrorist would hesitate to put a gun to your child's head, demand that you issue the card, and then kill both of you to keep you quiet? If you resist, do you suppose that the next card issuer will also resist? How long do you suppose it will take for your body to be discovered? Certainly hours, perhaps days. The terrorist only needs one or two hours.

So now we have the following situation: the people at the airline security gate (or whoever) aren't information security experts, and they don't really understand any of this. They *think* they are relying on the cards when in fact they are relying on the integrity of the human process by which the cards are issued. Unfortunately, there is a natural human tendency to look at a card that says "secure ID" and believe that it is secure without considering the implications. If you are a security guard, and you check several hundred of these cards a day, how many times will you stop and ask someone "Did you threaten a card issuer to get this card?" When the response is: "Don't be silly, do I look like a smiling terrorist wannabe?", how will you know?

The card, in short, provides no confidence at all **even if it is technically perfect.** It can only mislead the security guard into confidence in false security.

And consider something else: We have seen a tendency toward rising gun use in petty crimes. Criminals know that dead victims don't testify, and they have a pretty clear notion that it's very unlikely they will be caught. If you make the price of identity theft be murder or bribery, you may find that many criminals are willing to pay that price. Viewed from the criminal's eyes, it has the potential to be a perfect crime. There is absolutely nothing to link the card issuer to any particular criminal. If you are a law enforcement officer, all you really know is that you have a dead card issuer on your hands, and you don't find this out until it's too late to matter.

> >Those who solve
> >problems deserve recognition and if that is their motivation let's bless
> >them with what they seek and not disparage their motive in our time of
> >need.

Be assured that if Ellison or anyone else actually comes up with a workable social system, I (and, I think, others) will be eager to acknowledge and reward it. Such a system has serious potential social dangers, but it also has very real potential value.

This does not mean that we should look uncritically at proposals. When we see a skunk in the road, shall we call it a skunk, or pretend that it is a cute wriggling puppy? A skunk by any other name, I suspect, still smells like a skunk. This is never more true than when we were hoping desperately for the puppy.

The thing is: Larry is a very smart guy. He knows everything I've just explained to you. So you have to ask: why does Larry want to give out free identity cards?

He gives them all free samples,
Because he knows full well.
That today's young smiling faces...
Will be tomorrow's clientele.
- The Old Dope Peddler, Tom Lehrer

Jonathan S. Shapiro
Assistant Professor, Department of Computer Science
Johns Hopkins University Information Security Institute

For archives see: http://www.interesting-people.org/