04 April 2005 @ 05:56 pm
Really, it does  
RFID Kills. This is another example of just how poorly our government plans / thinks about / executes security policy.
Hoc Est Qui Sumus discoflamingo on April 5th, 2005 07:07 pm (UTC)
The point to any security system is to identify and authorize people.

I've been reading Bruce Schneier a lot lately, and he makes the point that there are three major tasks we are trying to accomplish with an ID system - identification, authentication, and authorization. Some systems try to do all three when they only need to do two, and some don't do three when they only do one. A system needs to be designed, from the ground up, to do exactly what its users need it to do. This is why using Social Security cards/numbers and mother's maiden names as identifiers rarely works as authentication mechanisms, since all it gets you is a unique number that is (essentially) public information.

What we need is a fast and accurate system that can identify people WITHOUT the need for cards or chips. Palm readers or retinal scanners are probably a better step towards eliminating identity theft. Those systems aren't perfect yet, but I think the R&D in that area would be time/money well spent.

Biometrics only work in this area with access to a large database of accurate information taken from willing people (i.e. non-terrorists). This creates another problem of securing that database. Also, palm and finger prints change over time, so false negatives will be a significant problem. In a situation like this, you need multiple tokens to authenticate a person easily - taking a fingerprint scan and comparing a photo ID may be more useful than comparing the fingerprint to an existing one, since it makes the system less brittle.

I could go on about this in a more focused fashion, but I'm a little wired from caffeine lately.