The Department of State has taken extensive measures to prevent a third-party from reading or accessing the information on the chip without the passport holder’s knowledge. This includes safeguards against such nefarious acts as “skimming” data from the chip, “eavesdropping” on communications between the chip and reader, “tracking” passport holders, and “cloning” the passport chip in order to facilitate identity theft crimes. These safeguards are described in detail on the Department of State website.

Apparently those safeguards aren’t very strong.  

I invite you to read the State Department’s FAQ on e-Passports.  Notice the incredibly defensive tone in the opening of the answer to the question, “Will someone be able to read or access the information on the chip without my knowledge (also known as skimming or eavesdropping)?”  Also notice the tacit acknowledgment that passport RFID chips can be cloned.

Mr. Paget intends on driving around DC this weekend to see what he can clone, and with a macbre sense of humor, I look forward to reading his results.

Until then, I’ll keep my paper passport.

The government has not implemented the same model in the case of identification systems: passports and REAL ID driver’s licenses.

Consider this article from the Washington Times.  The raw materials to make a new RFID passport, namely, the blank covers with RFID chips in them, originate in Thailand.  They are then shipped here for printing and binding.  The control over access to this supply-line seems to be very weak.

The new RFID passports are part of a chain of trust.  Border Control allows me to re-enter the country if the passport is trustworthy and valid.  Cloning passports has been demonstrated to be a trivial process.  So one trustworthy passport can become an infinite number of trustworthy passports.  The chain of trust extends from me and the INS at the airport, back to the passport issuance office, to the State Department, to Thailand, and back to Europe where the RFID chips are made.  If any link along the chain cannot be trusted, then the entire chain of trust breaks.  And this seems to be the case.

This is similar to REAL ID.  In this case, municipal Departments of Motor Vehicles are responsible for protecting access to blank REAL ID stock.  That, in and of itself, isn’t any different than what happens today.  By transforming the driver’s license from a piece of plastic that says I am allowed to drive, into a proof of citizenship, REAL ID extends the chain of trust in new ways.  DMVs have been and are relatively weak targets.  This breaks this newly extended chain of trust.

The government, if it wants to establish and extend chains of trust, it must control the flow of raw materials into the process and must ensure that each step is trustworthy.

And if you think I am picking on the government, here’s a third example that doesn’t involve the US government.  It appears that credit card readers we altered during their construction.  These altered readers were indistinguishable from their unaltered peers.  These altered readers sent account data to unknown people in Pakistan.  Swipe a card to pay for groceries and off your data goes.  In this case, the last stop in the payment card chain of trust was effected.  If I cannot trust the card reader not to send my account information to someone I do not know, do not have a relationship with, and inherently do not trust,  then I will stop swiping my cards and just order things online or pay cash.

A system designed to broker trust must consider the extent of its chain of trust.  Each link in the chains must be fully vetted and strengthened.  Until I see evidence of that, I am still going to keep hold of my non-RFID passport.

Now if someone can produce a mashup of people mocking security theater and  John Hodgman’s SPAMasterpiece Theater over on boing boing TV, that would be awesome!

Among others, Matt Pollicove wrote about this and the need for trust.  Matt asserts that trust is a must and I completely agree. That being said, the last two points in his post are mistaken.

First he says:

This means, making sure there’s no orphan or rogue accounts in the systems.

While this is a generally accepted good practice, it would not have necessarily helped San Francisco keep from losing their network. Privileged account management would have been far more useful.  Discipline and control around how sysadmins gain access to and use root-like accounts, the bread and butter of privileged account management, would have helped avert some of San Francisco’s problems.

Second Matt says:

GRC tools will be a must in this verification.

This first thing that springs to my mind is a question: what aspect of governance, risk management, and compliance would have helped the city of San Francisco in this case? A good governance and risk identification and management process would have helped a great deal.  But we have to keep in mind there is no such thing as a GRC tool; there is no such animal.  In fact, GRC is starting to sound like the wonderful magical bacon animal that Homer Simpson dreams of. If pork chops, ham and bacon all come from the magical animal in the Simpsons, then privileged account management, orphan account management and provisioning all come from the magical GRC animal. Where does it end?  The reality is that the industry has confused the benefits of good governance processes and risk management capabilities with automation tools that aid, but never replaces, those processes and capabilities.

Privileged account management is not and should not be considered part of the marketing fog of GRC. Does the controlled management of root-like accounts constitute good operating procedure and help reduce risk?  Absolutely. But that doesn’t make privileged account management a GRC technology.  Is orphan account removal a critical process from a security and risk mitigation perspective?  Of course. However, that doesn’t mean the technologies to do that are GRC technologies.

Specificity of language is crucial. Telling the city of San Francisco that the solution to their problems lay within “GRC” would have done little except lengthen the time to finding what their real problems were.  Our industry cannot take the easy route and lump every possible technology and procedure under the sun onto the GRC heap or else we’ll find ourselves chasing Homer’s magical bacon animal.

• How long will the District retain footage from these cameras?
• Who will maintain this footage: law enforcement or emergency management?
• Can I as a citizen request to see footage as part of a FOIA request?
• Will INS/FBI/ATF/other Federal law enforcement agencies have access to these cameras on an ongoing basis?