Schneier on Security
A blog covering security and security technology.
July 20, 2007
More Forged Credentials
I've written about forged credentials before, and how hard a problem it is to solve. Here's another story illustrating the problem:
In an apparent violation of the law, a controversial aide to ex-Gov. Mitt Romney created phony law enforcement badges that he and other staffers used on the campaign trail to strong-arm reporters, avoid paying tolls and trick security guards into giving them immediate access to campaign venues, sources told the Herald.
When faced with a badge, most people assume it's legitimate. And even if they wanted to verify the badge, there's no real way for them to do so.
Posted on July 20, 2007 at 1:37 PM
• 28 Comments
Additionally, even questioning the validity of a badge can get you labeled as a troublemaker, even by those who carry legitimate badges.
And given the various restrictions of recording people, you won't even have evidence of what was said after.
We need jail time for this crime. Lots of jail time.
It may not be the same for all jurisdictions, but if you feel uncomfortable about say, being pulled over for speeding, I think you can request a second unit arrive and confirm the identity of themselves and the first officer.
In this matter, calling 911 and asking for an officer to arrive to confirm an identity is an idea, and may get the imposter spooked and stop what they're doing.
I agree with Brandioch, penalties for this should be severe.
From the Article:
"Under state law, it is illegal to use a badge without authority, an offense that carries a fine of not more than $50."
--Honestly, I'm extremely surprised that this doesn't happen more often, $50, that's it! A fake badge could potentially cost more than that!
Oops. Obviously wrong thread. Sorry. Reposted. Am suitably embarrassed.
Is this a form of identity theft (fraud)?
I think the California law on pretexting might apply. But only for CA jurisdiction, of course.
Also, if money was involved, even once, that would be fraud.
The real problem is that people with badges are given powers above that of us inferior citizens. That's not how the USA was founded or will survive!
No government employee** should have any privileges or immunity different from a normal citizen. No one should be allowed to break a law or a moral principle to enforce a law.
** Possible, RARE, and time-limited exceptions would be only for SOLDIERS during a congressionally declared war.
One of the lessons of this incident should be clear; DON'T just automatically obey someone because they have "a badge". The person with the badge may, in fact, be breaking the law themselves or giving you, the citizen, very harmful advice.
Many citizens have been harmed when actual police officers have directed them through intersections where they were then killed by unseen vehicles.
Also, there have been cases where burglars got the victim to open the door claiming to be police officers. When the victims opened up, the robbers just walked right on in.
Sometimes, however it turns around and bites these "badge wavers" on the butt.
It's not enough to "Refuse to be Terrorized", we also have to refuse to be "BADGEred".
Mike got it absolutely right: the real problem with badges is that they are ALL fake.
The fundamental principle behind the legitimacy of US government (and, hence, delegation of its powers to its employees) is that it derives its rights from the people.
But how can people give to anyone rights they do not themselves possess?
The answer is, of course, that the "rights" various badge holders possess in excess of what members of general populace do were not given by the people, they were taken by fraud or force. Not much different from someone simply pinning a fake badge and starting to boss people around.
I'm not a native speaker, and maybe I got this wrong, but as I understand it the $50 fine is for wrongfully using a (real) badge. Creating and/or using a fake badge may be a totally different thing. In Germany, that would be "Urkundenfälschung" (counterfeiting), punishable by 5 years (in severe cases 10 years) in jail.
Perhaps public key methods could come to the party. If a badge is digitally signed... Then folk that are concerned could buy some electronic verifier that OCRs the "badge" number (so the number is human readable as well).
The problem with asking for a 2nd unit is that you have to stop first. I've seen at least two cases on the news in which ladies driving alone were signaled to stop. They put on their flashers, and drove slowly to a public place. Well, one drove home, which probably wasn't a smart 'public' place. In any case, the officer in both cases didn't have any sympathy for the single-female-drivers' point of view, and got pretty aggressive about their hand-cuffing and off-to-jail-ing.
So, if you don't feel right about the stop, you might want to proceed to a public place, but be aware that the cop knows he's real, and may not care about your concerns. Nor may the judge.
Hear, hear! "Mike" and "averros". Well said!
May I humbly take it upon myself to add:
If governments at all levels were limited to those powers which we all are actually capable of delegating to them (i.e., those powers which we individually already possess) law enforcement would not need to be left to specially-empowered citizens, but to all of us. Police powers are (in the case of a properly constituted government of delegated authority) simply the powers derived from our individual rights to self-defense. "Badges", in concert with the plethora of "victimless" crimes created by governments at all levels, weaken the intent of the 4th amendment, and ultimately, weaken our individual freedom and security.
Our governments at all levels have (as have all other governments in the history of this world) usurped powers not delegated to them by we, the people. They are not accountable to us for their actions (to wit: the vast amount of government actions hidden from us by being classified as government secrets, as well as secret meetings between policy makers and private business - ever heard of the Energy Policy Summit conducted by the Vice President in the summer of 2001?) How can any servant (e.g., the government) exercise delegated authority in secret, and remain accountable to its master? The simple answer is, they can't. The beast has grown bigger than its master, and it is at our own peril that we tolerate the tyranny. Almost daily, I hear tell of how grateful some folks are that police powers have been expanded - they imply that the lack of spectacular terrorist attacks in the U.S. since 2001 is the result of this expansion.
I would ask all Americans to awake and arise to an awful sense of their situation. We must use what remaining political voice we have, and quickly, to demand that governments at all levels revert to subservience to all of us. Myself, I sent a copy of "The Law" by Frederic Bastiat to the state representative from my district. I was happily surprised when he later approached me to thank me, stating that it has influenced his thinking on certain legislative issues.
This is the way to truly achieve security, both for ourselves, and our children. And we need look no farther than our own Declaration of Independence to see the arguments laid out with clarity, by folks who had as much reason as we to know.
Real badges are not necessarily safe. Think of George Michael Gwaltney, the only (at the time) CHP officer charged with committing murder while on duty. He was tried twice, with hung juries, in Barstow, California. Then the feds tried him for violating the civil rights of Robin Bishop by killing her, and got a conviction.
Basically, we civilians are screwed. It's the luck of the draw.
"Impersonating an Officer" is not a particularly serious crime; Maryland Code section 3-502 defines it as a misdemeanor.
Seems to me it should be a lot more serious.
It's a known scam in the UK to impersonate a service man from the utility companies to gain entry into a flat, usually preying on the frail and elderly.
Some scamsters are known to have decorated their vans to show British Gas logo etc.
One of the problems in relying on a phone number that the guy gives you is that it could be his mate's number who is in on the scam.
There was quite a lot of publicity on TV from the utility companies, but I'm not sure how effective they were.
People tend to feel like they are an inconvenience when calling about the gasman and I don't think I would call 999 to check and if everyone insisted, then I'm sure it would clog the system anyway.
When you are out on the street, unprepared - it's unlikely that you would confront an aggressive man with a shield.
I guess what we need for dealing with this is some sort of national badge registry in which the details for all officially-issued badges are stored.
Someone flashes a badge at you anywhere in the US, you call a single number, type in the badge number and a number representing the issuing agency, and the automated voice on the other end reads back the name of the issuing agency and the name of the badgeholder.
This has to be easy and fast, as a badgeholder flashing his badge in your face isn't going to be wanting to spend an hour waiting for you waiting on hold before he can get you to respect his authority.
It also has to be secure enough to trust, and hard to abuse. How does one guarantee that the name of the person holding the badge is actually what the badge states? If the phone system tells you enough information to verify the badgeholder is who he says he is, how do you prevent people from mining this badge database for other purposes, like finding enough details to forge a badge?
Not an easy problem to solve. Far easier to abuse in nearly any implementation.
The thing is, it's actually not unreasonable that a Governor should have police as guards, and I'm sure he could have arranged for some. Indeed, he could probably have instituted a non-police, but official, corps.
For the civilian aide to fake law-enforcement badges... well, besides "impersonating a police officer", this could be seen as the Governor's office directly infringing on police authority.
This makes the Superbowl prank seem plausible.
I'm a UK journalist and have a Press Card issued by the National Union of Journalists. In order to prove my credentials with the police there is a number they can call (it's on the card but they also have it centrally) that will check a PIN code I give them. Not by any means foolproof, but some degree of authentication.
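The registry lookup proposed in the comments above and the press-card PIN check just described can be combined so that the service only confirms or denies a claim and never reads a name back to the caller. The sketch below is an added example, not part of the original post or any commenter's design; `BadgeRegistry`, the lockout threshold, the PBKDF2 parameters, the return strings and the sample record are all assumptions.

```python
import hashlib
import hmac
import secrets

MAX_FAILURES = 3  # assumed lockout threshold, not a figure from the page


class BadgeRegistry:
    """Hypothetical registry: confirms or denies a claim, never reads data back."""

    def __init__(self):
        self._badges = {}    # (agency, badge_no) -> (salt, pin_hash, holder)
        self._failures = {}  # (agency, badge_no) -> consecutive failed checks

    @staticmethod
    def _hash(salt, pin):
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

    def enroll(self, agency, badge_no, holder, pin):
        salt = secrets.token_bytes(16)
        self._badges[(agency, badge_no)] = (
            salt, self._hash(salt, pin), holder.casefold())

    def verify(self, agency, badge_no, claimed_holder, pin):
        key = (agency, badge_no)
        if self._failures.get(key, 0) >= MAX_FAILURES:
            return "locked"
        record = self._badges.get(key)
        # Unknown badges are hashed against a dummy record, so "no such badge"
        # and "wrong PIN" cost the same work and return the same answer.
        salt, pin_hash, holder = record or (b"\0" * 16, b"", "")
        pin_ok = hmac.compare_digest(self._hash(salt, pin), pin_hash)
        name_ok = hmac.compare_digest(
            claimed_holder.casefold().encode(), holder.encode())
        if record is not None and pin_ok and name_ok:
            self._failures.pop(key, None)
            return "confirmed"
        self._failures[key] = self._failures.get(key, 0) + 1
        return "not confirmed"


def demo():
    reg = BadgeRegistry()
    reg.enroll("AGENCY-01", "4471", "Pat Example", "831204")  # constructed record
    return [
        reg.verify("AGENCY-01", "4471", "pat example", "831204"),  # genuine
        reg.verify("AGENCY-01", "4471", "Pat Example", "000000"),  # wrong PIN
        reg.verify("AGENCY-01", "9999", "Pat Example", "831204"),  # no such badge
    ]
```

The per-badge lockout limits guessing but also lets any caller lock a genuine badge, so a deployment would need per-caller rate limits as well. A static PIN is learned by whoever checks it once, which matches the "not by any means foolproof" caveat in the comment.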
"Under state law, it is illegal to use a badge without authority"
I have a feeling there's a lot more legalese in there somewhere.
If I create my own personal badge, can I give myself authority to use it? What about employee ID badges for my company?
Questions, questions, questions.
The problem with the "central badge registry" idea is cost. It would only happen when the problem is perceived to be endemic and more damaging than something else worth spending money on.
Reminds me of the time I tried to check out a book at the university library, having just lost my student id. The librarian joked that they would accept "any official-looking piece of plastic". I never bothered to replace the student id...
I have worked in the public safety sector for a number of years as a paramedic; my father is a retired police officer. At no time have I or my father had any problem showing our identification card/paramedic license to verify that we are who we say we are.
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.