[Many thanks to Gerry Gebel for giving me the nucleus for this post] In the midst of the ongoing privacy and security conversation, I pointed out last week that identity is the missing leg of the security/privacy stool. Identity is both a means of expressing privacy requirements and a necessary set of security controls, as well as a key to delighting customers and driving business engagement. A colleague pointed out that while security and privacy might be different halves of the same coin, identity is the coin itself. I’m not sure I fully agree with that but it gets to sentiment I have. The use and protection of identity data has strong footing in both the privacy and security worlds. And yet identity and identity management professionals are not a first class member of the conversation. Why is that? One reason, in my opinion, is because we didn’t expect the industry to stand alone for the duration.

Among the sessions in this year’s Computers Freedom and Privacy conference was a panel on the recently released National review of cyber-security. Ed Felten presented three related areas that he believes have to be improved in equal measure to improve overall cyber-security:

1. Product development
2. System administration
3. User behavior

But, to me, there was something missing from the list – product design. Too often I have seen products whose user interface, in fact its entire user experience, was constructed after the fact. First the special sauce gets codified, then the chrome is put on and product gets a face. It is easy to recognize products that have been built in this way as they tend to expose their internal data models to users, forcing users to adopt the metaphors of the engineers that built the product in the first place. These types of products make problems internal to the product problems for the end-user and this can lead to very bad things. See Three Mile Island as an example. Poor user experience design leads to so-called “user error,” but is it really user error if the end-user is confronted with meaningless alarms, confusing error messages, and misleading feedback? At CFP, I talked to Bruce Schneier his research that went into Beyond Fear to get a better understanding of the psychology of fear and its relation to security. As you probably know, humans (and other animals too) are fantastically bad about evaluating risk. Optimism bias and other factors cause us to either over or under-estimate risks. Combine this with the fact that how choices are presented directly influences how choices are made and you realize the crucial need to build better user experiences for security (frankly, all) products. “Is everything okay with the mother ship and should we blow up Russia?” This is the question presented Buckaroo Bonzai and I think I’ve seen a form of it as a dialogue box in Windows. Would it be considered user error if an end-user pressed the “Yes” button and nuked Moscow? Bad design is at the least confusing and at the worst dangerous. I did talk to Ed afterwards and he acknowledged the role of design in product development. As he said, if we only attempt to improve one of the three areas product devolvement or system administration or user behavior we won’t improve cyber-security; we have to improve all three. User experience design as a part of an improved product development processes can directly lead to better more informed user behavior. Okay you product managers and designers make your voices heard – better safer products through better design! (Cross-posted from Burton Group’s Identity Blog.)

Here is a short piece on how a researcher, Chris Paget, bought a $250 RFID reader on eBay and used it to clone ePassports while driving 30 miles an hour near Fisherman’s Wharf in San Francisco. I fully recognize that this demonstration doesn’t represent a method for fabricating complete paper-in-hand cloned passports. Cloning is just the first step, but it is a big step. More importantly, it is a step that the State department has is somewhere between impossible and unlikely. The following is a passage from the privacy impact assessment (PIA) of TDIS - the Travel Document Issuance System: The Department of State has taken extensive measures to prevent a third-party from reading or accessing the information on the chip without the passport holder’s knowledge. This includes safeguards against such nefarious acts as “skimming” data from the chip, “eavesdropping” on communications between the chip and reader, “tracking” passport holders, and “cloning” the passport chip in order to facilitate identity theft crimes. These safeguards are described in detail on the Department of State website. Apparently those safeguards aren’t very strong. I invite you to read the State Department’s FAQ on e-Passports. Notice the incredibly defensive tone in the opening of the answer to the question, “Will someone be able to read or access the information on the chip without my knowledge (also known as skimming or eavesdropping)?” Also notice the tacit acknowledgment that passport RFID chips can be cloned. Mr. Paget intends on driving around DC this weekend to see what he can clone, and with a macbre sense of humor, I look forward to reading his results. Until then, I’ll keep my paper passport.

If I wanted to print US Dollars at home, I’d need the printing equipment, the paper stock on which to do it, and the magical ink. To thwart me, the government controls access to the printing plates, blank paper stock, and ink. This, of course, hasn’t stopped people from trying to print money, but their produced fake money can be detected as fake because they do not have access to the real plates, stock, and ink. Because the government tightly controls access to the original materials and the flow raw materials into the printing process, our money can be trusted. (Financial crisis and the government’s predilection to just print heaps of dollars not withstanding.) The government has not implemented the same model in the case of identification systems: passports and REAL ID driver’s licenses. Consider this article from the Washington Times. The raw materials to make a new RFID passport, namely, the blank covers with RFID chips in them, originate in Thailand. They are then shipped here for printing and binding. The control over access to this supply-line seems to be very weak. The new RFID passports are part of a chain of trust. Border Control allows me to re-enter the country if the passport is trustworthy and valid. Cloning passports has been demonstrated to be a trivial process. So one trustworthy passport can become an infinite number of trustworthy passports. The chain of trust extends from me and the INS at the airport, back to the passport issuance office, to the State Department, to Thailand, and back to Europe where the RFID chips are made. If any link along the chain cannot be trusted, then the entire chain of trust breaks. And this seems to be the case. This is similar to REAL ID. In this case, municipal Departments of Motor Vehicles are responsible for protecting access to blank REAL ID stock. That, in and of itself, isn’t any different than what happens today. By transforming the driver’s license from a piece of plastic that says I am allowed to drive, into a proof of citizenship, REAL ID extends the chain of trust in new ways. DMVs have been and are relatively weak targets. This breaks this newly extended chain of trust. The government, if it wants to establish and extend chains of trust, it must control the flow of raw materials into the process and must ensure that each step is trustworthy. And if you think I am picking on the government, here’s a third example that doesn’t involve the US government. It appears that credit card readers we altered during their construction. These altered readers were indistinguishable from their unaltered peers. These altered readers sent account data to unknown people in Pakistan. Swipe a card to pay for groceries and off your data goes. In this case, the last stop in the payment card chain of trust was effected. If I cannot trust the card reader not to send my account information to someone I do not know, do not have a relationship with, and inherently do not trust, then I will stop swiping my cards and just order things online or pay cash. A system designed to broker trust must consider the extent of its chain of trust. Each link in the chains must be fully vetted and strengthened. Until I see evidence of that, I am still going to keep hold of my non-RFID passport.

Jeffery Goldberg of The Atlantic tries to get arrested at a variety of US airports… and fails. He even traveled with Bruce Schneier and you’d think by know that Bruce’s picture would have been handed to every single TSA employee with a caption like, “Known security expert. Known to claim that Kip Hawley isn’t wearing any clothes. Assume everything he tells you is a lie. Assume he knows your private key.” Now if someone can produce a mashup of people mocking security theater and John Hodgman’s SPAMasterpiece Theater over on boing boing TV, that would be awesome!

As you probably know, I live in Washington DC. I take photographs in DC as well. We’ve got a few quirky rules here about that. For example, if you are on National Park land, you cannot use any photographic equipment that touches the ground. As you can imagine using tripods becomes a bit tricky. But beyond that, I haven’t heard of many photographers getting harassed in the name of security, unlike Chicago and London. Then I read this piece in the Post today. Glad to see that Eleanor Holmes Norton getting involved. Her Open Society with Security Act bill is certainly intriguing.

I’m sure you’ve been following the Terry Childs case. Mr. Childs was a sysadmin in San Francisco who decided to change a few passwords and thus locked the city out of their new wide area network. Though it is still not clear why Mr. Childs did this, he had been recently written up for poor job performance. Among others, Matt Pollicove wrote about this and the need for trust. Matt asserts that trust is a must and I completely agree. That being said, the last two points in his post are mistaken. First he says:

Continuing my thread on CCTV cameras (here and here), Bruce Schneier wrote a solid summation of the issues of pervasive cameras.

Just a brief follow-up to my previous comments. DC has written its regulations for this camera consolidation. I have copied a version here. Nice to see that the footage will be remained only for 10 days and then destroyed. But it also seems like anyone can gain access to this footage if they ask nicely.

I am especially sensitive to this as one of these camera units is a block and half from my house. Questions that come to mind are:

• How long will the District retain footage from these cameras?
• Who will maintain this footage: law enforcement or emergency management?
• Can I as a citizen request to see footage as part of a FOIA request?
• Will INS/FBI/ATF/other Federal law enforcement agencies have access to these cameras on an ongoing basis?

As I mentioned there’s one of these cameras a block and half from my house. It sits on a very heavily trafficked corner. People stand there waiting for the bus. There is a huge amount of vehicular traffic that goes right by it. There is a 7-11 right there and there is always some flavor of law enforcement officer there. There is rare street crime in the area and when it does happen it happens blocks away on darker corners. There is no way this camera prevents crime in any way shape or form.