Be on the wave or under it™


The News – 07/18/02

Recommended Reading

I realize this is the only newsletter you’ll ever need, but if you want more in-depth detail, check out:

Stan Hustad’s
The Coaching Connection

Taylor Harkins Group’s
Insights to Action™

Management Signature's
The Express Read

They That Can Give Up Essential Liberty

“They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety.”

Ben Franklin said it, and security guru Bruce Schneier makes it relevant to our times in his recent Crypto-Gram newsletter.

Schneier proposes seven changes our government and our intelligence agencies could make to improve our defenses against terrorism without compromising our freedom. Beyond pointing out that the FBI’s mission (investigating past crimes) is a poor fit for preventing future ones, he proposes some fundamental changes in how the United States copes with international terrorism, and he is blunt about the tradeoffs:

Much as the Bush Administration would like to ignore the constitutional issues surrounding some of their proposals, those issues are real. Much of what the Israeli government does to combat terrorism in its country, even some of what the British government does, is unconstitutional in the United States. Security is never absolute; it always involves tradeoffs. If we're going to institute domestic passports, arrest people in secret and deny them any rights, place people with Arab last names under continuous harassment, or methodically track everyone's financial dealings, we're going to have to rewrite the Constitution. At the very least, we need to have a frank and candid debate about what we're getting for what we're giving up. People might want to live in a police state, but let them at least decide willingly to live in a police state. My opinion has been that it is largely unnecessary to trade civil liberties for security, and that the best security measures – reinforcing the airplane cockpit door, putting barricades and guards around important buildings, improving authentication for telephone and Internet banking – have no effect on civil liberties. Broad surveillance is a mark of bad security.

I wish all our law enforcement and government officials would live by that last aphorism: Broad surveillance is a mark of bad security. Establishing national biometric databases (fingerprints, retinas, faces) and using them to scan millions of law-abiding citizens will do little to prevent crime and a whole lot to enable a less-than-benevolent government (or businesses) to control the masses. See Minority Report for Steven Spielberg’s take on the dangers of a society that has surrendered its rights for security.

As long as I’m quoting Schneier, let’s see what he said back in 1998 about biometrics:

Biometrics is great because biometric measurements are really hard to forge. It's hard to put a false fingerprint on your finger or make your retina look like someone else's. [Ed. Note: Possibly not so hard. See below.] Some people can mimic others' voices, and Hollywood can make people's faces look like someone else, but these are specialized or expensive skills. When you see someone sign his name, you generally know it is him and not someone else.

But biometrics is also lousy because biometric measurements are so easy to forge. It's easy to steal a biometric after the measurement is taken. In all of the applications discussed above, the verifier needs to verify not only that the biometric is accurate but that it has been input correctly. Imagine a remote system that uses face recognition as a biometric. "In order to gain authorization, take a Polaroid picture of yourself and mail it in. We'll compare the picture with the one we have in file." What are some potential attacks here?

Easy. To masquerade as Alice, take a Polaroid picture of her when she's not looking. Then, at some later date, use it to fool the system. This attack works because while it is hard to make your face look like Alice's, it's easy to get a picture of Alice's face. And since the system does not verify that Alice was aware that the picture of her face was taken, only that it matches the picture of Alice's face on file, we can fool it.

The key here is that, with any authentication system other than person-to-person, the authentication device transforms the biometric measurement into a digital stream of data. That data stream can be intercepted, recorded and replayed later, or replaced outright with forged data. As Schneier says, you not only need to verify that the biometric measurement is accurate and that it has been input correctly, but also that the digital “chain of evidence” from the sensor to the matcher is unbroken and untampered-with. In practice that means the verifier has to know three things about every scan it receives: that it came from a sensor it trusts, that it was taken just now in response to the verifier’s own request, and that nobody altered it on the way.

Even if you accomplish this, there are more opportunities for tampering further up the digital stream. An attacker doesn’t need to defeat the sensor at all if he can convince whichever computer controls the desired access that a good scan has occurred, or simply flip the matcher’s yes/no decision. Given the security of most computer systems these days – roughly comparable to the systems R2D2 easily hacks in the Star Wars movies – an attack at the server level is very likely a miscreant’s easiest path to intrusion.
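To make the replay problem concrete, here is an added example, written for this edit and not taken from the original newsletter or from Schneier, of a toy biometric check in Python. The 32-byte template format, the Hamming-distance match threshold, the shared device key and the HMAC scheme are all assumptions for illustration. The naive verifier accepts any template bytes that match the enrolled one, so a template captured once off the wire works forever, exactly like the stolen Polaroid. The hardened verifier issues a one-time nonce, and a trusted sensor returns the scan bound to that nonce with a keyed MAC; a replayed message fails because its nonce has been consumed, and a stolen template fails because the attacker cannot produce the tag without the device key.

```python
import hashlib
import hmac
import os

# Constructed toy biometric: a template is a 32-byte "feature vector" and two
# scans of the same finger differ in a few bits, so matching must be fuzzy.
MATCH_THRESHOLD_BITS = 40   # assumption: max Hamming distance still counted as a match


def hamming(a: bytes, b: bytes) -> int:
    """Number of differing bits between two equal-length byte strings."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def templates_match(enrolled: bytes, presented: bytes) -> bool:
    return len(enrolled) == len(presented) and hamming(enrolled, presented) <= MATCH_THRESHOLD_BITS


# --- Naive design: the matcher trusts whatever bytes arrive on the wire ---------
def naive_verify(enrolled: bytes, presented: bytes) -> bool:
    return templates_match(enrolled, presented)


# --- Hardened design: nonce-bound capture, authenticated by the sensor ----------
class Sensor:
    """Trusted capture device. Holds a device key provisioned at manufacture
    (assumption; a real device would use a per-device asymmetric key)."""

    def __init__(self, device_key: bytes, live_finger: bytes):
        self._key = device_key
        self._live_finger = live_finger   # stand-in for the physical finger

    def capture(self, nonce: bytes):
        # Simulate sensor noise: a fresh scan differs from enrollment by one bit.
        template = bytearray(self._live_finger)
        template[0] ^= 0x01
        template = bytes(template)
        # Bind this exact scan to the verifier's challenge.
        tag = hmac.new(self._key, nonce + template, hashlib.sha256).digest()
        return template, nonce, tag


class Verifier:
    def __init__(self, enrolled: bytes, device_key: bytes):
        self._enrolled = enrolled
        self._key = device_key
        self._outstanding = set()         # nonces issued but not yet used

    def challenge(self) -> bytes:
        nonce = os.urandom(16)
        self._outstanding.add(nonce)
        return nonce

    def verify(self, template: bytes, nonce: bytes, tag: bytes) -> bool:
        # Freshness: the nonce must be one we issued, and it is consumed on
        # first use whether or not the rest of the check succeeds.
        if nonce not in self._outstanding:
            return False
        self._outstanding.discard(nonce)
        # Origin and integrity: only a holder of the device key can produce
        # a valid tag over this nonce and this template.
        expected = hmac.new(self._key, nonce + template, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return False
        # Only now is the biometric comparison itself worth doing.
        return templates_match(self._enrolled, template)


def demo() -> dict:
    """Run the attacks against both designs; returns which ones were accepted."""
    device_key = os.urandom(32)
    alice_finger = os.urandom(32)          # constructed: Alice's "real" finger
    sensor = Sensor(device_key, alice_finger)
    verifier = Verifier(enrolled=alice_finger, device_key=device_key)

    # 1. The Polaroid attack: a template sniffed once is accepted forever by the
    #    naive matcher.
    stolen_template, _, _ = sensor.capture(b"sniffed-session")
    naive_replay = naive_verify(alice_finger, stolen_template)

    # 2. Honest challenge-response with the real finger on the real sensor.
    legit = verifier.verify(*sensor.capture(verifier.challenge()))

    # 3. Replay of a complete, genuinely signed message: the second use fails
    #    because its nonce has already been consumed.
    message = sensor.capture(verifier.challenge())
    first_use = verifier.verify(*message)
    replayed = verifier.verify(*message)

    # 4. Attacker has Alice's template and a fresh nonce but not the device key,
    #    so the best he can do is an unkeyed hash where a MAC is expected.
    nonce = verifier.challenge()
    bogus_tag = hashlib.sha256(nonce + stolen_template).digest()
    forged = verifier.verify(stolen_template, nonce, bogus_tag)

    return {
        "naive_replay": naive_replay,   # True: the naive design is fooled
        "legit": legit,                 # True
        "first_use": first_use,         # True
        "replayed": replayed,           # False
        "forged": forged,               # False
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name:13s} accepted={accepted}")
```

Note what this does and does not buy you. It authenticates the path from sensor to matcher, which is the problem Schneier’s Polaroid attack illustrates. It does nothing about a gelatine finger pressed onto a genuine sensor, since the sensor will happily sign whatever it scanned, and nothing about an attacker who already owns the server and simply overrides the matcher’s decision.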

And let’s not even get started on the idea that your biometric credential could be stolen! Leaving aside the gruesome possibility of a stolen body part, there is also the potential for someone to steal your digital thumbprint. Now what do you do? You only have two thumbs. A compromised password can be changed; a biometric is an identifier you carry for life, and once the template leaks it can be neither revoked nor reissued.

What’s even worse is the incredible ease with which current biometric authentication devices can be fooled. As reported in a previous SNS, US Department of Defense testing concluded that the best false detection rate (FDR) for facial recognition systems was 33 percent, with a false acceptance rate (FAR) of ten percent. Recently, Japanese security researcher Tsutomu Matsumoto created a fake finger using gelatine and a plastic mold. The bogus digit, imprinted with a fingerprint lifted from a glass, fooled 11 commercially available fingerprint readers about four times out of five.

So when John Ashcroft comes to the American people and asks us all to sign up for a national biometric database we need to remember Ben Franklin’s quote. Our civil rights are way more important than the small improvement in security such an effort would provide.

Briefly Noted

  • Shameless Self-Promotion Dept.: Finally I’ve put up the Nanotechnology Resources directory I promised last November.

    Also, check out the article I wrote for the Taylor Harkins newsletter entitled, Do you hate your customers? It continues the theme from my earlier article, analyzing the media industry’s response to file sharing.
  • Global Wireless Network Stats: Wireless communications consultant and industry analyst Frederick "Fritz" Jordan, Jr. maintains a database of global GSM-based mobile networks, top 20 global network operators, major public wireless companies, major VC-backed wireless companies, and major wireless VC providers. His most recent update produced the following statistics:

Region                   GSM Mobile Networks*   GPRS Mobile Networks*   WCDMA Mobile Networks*
Global                   543                    210                     109
Africa                   101  (18.6%)             6   (2.9%)              0   (0.0%)
Asia                     148  (27.3%)            58  (27.6%)             12  (11.0%)
Central & S. America      24   (4.4%)             6   (2.9%)              0   (0.0%)
E. Europe                 91  (16.8%)            28  (13.3%)              5   (4.6%)
W. Europe                 96  (17.7%)            80  (38.1%)             76  (69.7%)
Middle East               25   (4.6%)             6   (2.9%)              1   (0.9%)
N. America                24   (4.4%)             7   (3.3%)              0   (0.0%)
Oceania                   34   (6.3%)            19   (9.0%)             15  (13.8%)

*includes operational, licensed/planned networks and MVNOs.

For access to the entire database, email Fritz
fritzjordan@earthlink.net

The Wayback Machine – A Year Ago in SNS

The lead article in the July 19, 2001 edition of SNS was P2P Use May Be Even More Illegal Than You Thought, a consideration of the sad case of David McOwen, a former employee of DeKalb Tech, part of the Georgia state university system. McOwen was threatened with years in prison and more than $400,000 in fines and restitution because he loaded a peer-to-peer (P2P) distributed processing application on the school’s computers. As the result of a January, 2002 settlement, McOwen will receive one year of probation for each criminal count, to run concurrently, make restitution of $2,100, and perform 80 hours of community service unrelated to computers or technology.

Also in that edition was the article, Nokia and Motorola in Turkish bath, about the two wireless giants’ problems with Turkey’s Uzan family, which controls Telsim, the country's second largest mobile operator. Telsim had defaulted on some vendor financing and the companies were suing to recover what they were owed. In February, Judge Jed Rakoff of the US District Court in New York changed his preliminary ruling that required the Uzan family to deposit shares accounting for a 73.5 percent stake in Telsim with the court. Motorola and Nokia had sued several members of the Uzan family in January, charging them with borrowing $3 billion (EUR3.45 billion) with no intention of paying it back. In May, the judge again ordered that the shares be seized.  He also prohibited Uzan Holdings from transferring the telco's assets elsewhere or from carrying out transactions that could decrease the value of its shares. When the family failed to comply with the share deposit order, Nokia and Motorola initiated contempt proceedings. That’s globalization, buddy.

Just the Right Stuff™

If you subscribed to CTOMentor’s Just the Right Stuff™ newsletter, over the past few months, you’d have received news nuggets like the following, along with expanded analysis. Your personalized Information Needs Profile would determine which of these items you’d receive. For more information, check out CTOMentor.

  • Palm shows off Bluetooth
    Palm's drive to make Bluetooth wireless technology ubiquitous shifted into high gear with the announcement of a marketing partnership with Sony Ericsson and the release of a Bluetooth add-on card for users of its handheld devices.
    ZDNet


  • Gartner: New Mobile Technologies Set to Arrive in 2002
    In 2002, more than 30 million Bluetooth chipsets will be shipped, more than 10 million new wireless LAN PC connections will be installed and prices in the US of color Pocket PCs will have dropped by year end to about $200.
    GartnerGroup


  • Wireless Gaming Market to Grow to $2.8 Billion Worldwide by 2006
    In-Stat/MDR says wireless gaming will permit network providers to create additional revenue through increasing subscribers’ usage levels, reducing churn, and enhancing the overall user experience.
    In-Stat/MDR

Get this Stuff as it happens, not months later. Subscribe to CTOMentor today. Charter subscription discounts still available.



 



Can’t Get Enough of ME?

In the unlikely event that you want more of my opinions, I’ve started a Weblog. It’s the fashionable thing for pundits to do, and I’m doing it too. A Weblog is a datestamped collection of somewhat random thoughts and ideas assembled on a Web page. If you’d like to subject the world to your thoughts, as I do, you can create your own Weblog. You need to have a Web site that allows you FTP access, and the free software from www.blogger.com. This allows you to right click on a Web page and append your pithy thoughts to your Weblog.

I’ve dubbed my Weblog entries “Stratlets”, and they are available at www.stratvantage.com/stratlets/. Let me know what you think.

Also check out the TrendSpot for ranking of the latest emerging trends.


In Memoriam

Gerald M. Ellsworth

March 14, 1928 - July 5, 2003

In Memoriam

Jane C. Ellsworth

July 20, 1928 - July 20, 2003

Copyright © 2000 - 2007, StratVantage Consulting, LLC. All rights reserved.

Please send all comments to support@stratvantage.com.


What is It?

The StratVantage News Summary is a periodic consideration of recent news and events of note. We try to find the significant, the unusual, the outrageous, and the trend-defining news and summarize it for you. You can read the SNS in your email, or you can link to each issue on the StratVantage Web site. The main page is at:

http://www.stratvantage.com/news/mikestake.htm

This issue can be found at:

http://www.stratvantage.com/news/071902.htm

Let us know what you think of this service, and what topics you’d like to see covered. And feel free to pass the SNS along to friends and colleagues who may also want to subscribe.