Me at the EastWest Institute

Back in May, I attended the EastWest Institute's First Worldwide Cybersecurity Summit in Dallas. I only had eight minutes to speak, and tried to turn the dialog to security, privacy, and the individual.

EDITED TO ADD (9/1): Commentary.

Posted on August 27, 2010 at 12:47 PM • 19 Comments

Comments

BF Skinner • August 27, 2010 1:13 PM

The difference between oppressive tyranny and freedom is who controls the tech.

When Ma Bell ruled we behaved like my rats dropping everything even dinner when the phone rang. When we got answering machines we chose whether or not to answer.

When caller ID revealed the identity of the caller boiler room operators started to argue against thinking (rightly) people wouldn't answer their calls. They turned to robo dialers that became aware if they were being answered by a machine or a person.

When the 3 TV networks were it we planned our nights around their schedule. When video recorders became cheap we recorded endless amounts of programming that we never watched.

Come a day there won't be room for naughty men like us to slip about at all.

AppSec • August 27, 2010 2:57 PM

@BF Skinner:
That's not Ma Bell and the original three are not tyranny. It's mind manipulation. Big difference, though your underlying point is understood.

Greg • August 27, 2010 5:59 PM

This is the second time I've seen you bring up the idea we are not Google's customers, but their product.

Keep preaching the gospel Bruce, maybe one day the individuals whom this most concerns, the lay public, will hear it as well.

Jim Ockers • August 27, 2010 6:33 PM

I liked Bruce's insight about how the present privacy situation is similar to the pollution generated by the industrial revolution!

Personal data is being collected and scattered about and stored indefinitely with no regard to privacy or potential future mis-use. This could have the same far reaching negative effects on society as the pollution generated during the industrial revolution and its long term harmful effects.

Paul Renault • August 27, 2010 8:10 PM

Yes, great insight, Bruce! Well presented. I'll be sharing it with others.

Greg: Chomsky, in a similar vein, has been reminding us for years that the readership is a newspaper's (tv newscast's/whatever's) product.

If you keep this in mind while reading/watching/retching-at the news, the meta-level of modern corporate news media's incoherent offerings starts to become coherent: the news media's job is not to inform, but to deliver this product, the audience, to the advertisers.

Oh yeah, Bruce, the beard's looking good!

Marky • August 29, 2010 2:22 AM

As an individual (security professional), this was quite the rambling affair. The first four minutes seemed more like the deranged observations of a conspiracy theorist (this is a comparison, not a classification)--your audience already knows these things so you don't have to list them again. Just get to the point!

Yes, technology changes things. We know this, and even the people who don't (my aunt, the college kid's parent) are going along with it anyway. Throughout this entire clip I just wanted you to talk about the IMPLICATIONS of these issues, besides just that "things are different now!!!".

Clive Robinson • August 29, 2010 11:37 AM

Bruce,

I think you are wrong that we are Google's product; we are not, in the same way steel plate is not GM's/Ford's/any other auto manufacturer's product.

We or others supply the raw material for Google et al.'s product; they add value to it by filtering and inference drawing about us and what we do and likewise those we chose to have contact with for whatever reason.

Once upon a time GIGO was a recognised issue and people were very wary about inference data, treating it as suspect if the raw data was unavailable.

Today people hand over extraordinarily large amounts of money for anonymized results where they never see (or care about) the raw data.

Inferences are drawn according to the shade of the glasses worn by the inference rule maker. The rules are given a "gold standard" if they can be shown to hold for some almost infinitesimal subset of individuals.

Whilst this poor practice might just be acceptable to target an audience for a generalised mail shot, it is not acceptable to use it to discriminate which customers do and do not get discount vouchers.

But we have people in positions of power seeing these flaky inferences as being some magic bullet to find what they regard as "deviant behavior" in the general populace and then use them to discriminate against individuals that these flaky inference rules highlight.

The only way we can stop this problem becoming a significant divisor of the populace is to give ownership of the data back to the data subjects.

However the likes of Google and their down stream inference generating customers will fight tooth and nail to stop this happening. Not because they have any real belief in what they do (most don't) but they very much believe in it as a way to generate large sources of income from others considerably more gullible than they.

That is they know that what they are selling is not fabric of substance cut from fine whole cloth but fancifully spun words that delude their customer in the same way the faux tailors gulled the Emperor.

Nick P • August 29, 2010 11:31 PM

@ Clive Robinson

"We or others supply the raw material for Google et al.'s product; they add value to it by filtering and inference drawing about us and what we do and likewise those we chose to have contact with for whatever reason."

Actually, that part is a nice spin on Bruce's point. I don't think it's actually true for Google: targeted advertising is their main revenue-generating product and that makes us collectively product. Your point is true for other companies though. Mainly those that do "analytics" and stuff.

It's funny how people think these "free" companies are serving them when in actuality they are serving others. I've always known Google and Facebook aren't serving me: if they were, they wouldn't serve my data to untrusted third parties. Cui bono? Who benefits? They used to say follow the money. Now, we should say follow the money *and the data*.

Clive Robinson • August 30, 2010 5:53 AM

@ Nick P,

"They used to say follow the money. Now, we should say follow the money *and the data*"

Ahh the not so ephemeral data...

A few of us are coming to terms with the idea of a spy in our pocket (mobile phone) because we think we have the illusion of being in control in that we can turn it off by pressing a button. Not realising that in fact we are doing no such thing; it is not a real power button but a software defined button, the action of which the Mobile Operators can change at whim.

But how many realise that turning the phone off or even leaving it at home or in the office is itself damning data?

Simply because it is not normal behaviour for us as defined by the breadcrumb trail we have left previously of our everyday lives. Thus not normal can be viewed by some analyser of our data as abnormal or aberrant behaviour and thus an indicator of guilt by us or those around us.

But guilt of what you may well ask, and if I say of some action yet to be defined at some point in time if required by the analyser of the data or those they work for, you might think me paranoid.

And I would agree with you if it had not already happened, not just with the likes of East Germany and the old Communist Bloc, but also in the US with "Reds Under the Beds" fear giving rise to the senatorial witch trials by Joseph McCarthy.

For some strange reason every few years someone with political ambition feels the way to move forward is as a "heroic carrier of the nation's flag against a foe" and if there is not a foe handy they create one.

George Orwell made much of this in his essays and books from observing behaviour in the BBC in London during the Second World War. And sadly he found in later life he had become a collaborator to a witch hunt.

But soon it will not be just our phones it will be every part of our lives such as what we spend...

The only thing stopping it is the cost of "Data entry", which until recent times has been a limiting factor. Not just the financial cost but the political cost caused by having humans in the loop who might "betray the higher purpose" our political "betters" have decided is "for our own good"...

However, whereas data collection by the state is rightly viewed with deep suspicion, that by a business by way of a financial transaction is regarded as benign.

Few consider that a business might see profit in selling on this transactional data to a Government.

But they are wrong; this is exactly what we are now starting to see in the UK. The official line has been "Fraud identification" but the real intent is "Taxation".

The "Land Tax" paid on every dwelling to the "Local Authority" (we call it "Council Tax") has in the past been judged on the "rentable value" or "rate" of the property. But this was not bringing in enough money, so it was changed to an estimate of what the property would be worth not where it was but in an average place in the area (based on property sale value).

This was again not enough money so the previous Government were looking at making it linked to disposable income as found by "store loyalty" and "Credit" card transaction data. But their idea was leaked and a public outcry followed.

So they switched to plan B and were in the process of setting it up for Northern Ireland. Put simply an "Inspector" will visit and if they think you have a nice home with all the mod cons, a quiet street and nice views, then you will pay more. It is the modern day equivalent of the "window tax" and "soap tax" which did so much damage to our nation's health in the past and like the Poll Tax was universally hated.

But it gets worse...

Businesses want to reduce costs; in the retail sector the two big easily changed costs are manpower and stock. Bar codes on the packaging were the original front runner in this but they have disadvantages. One of which is finding and scanning them, which is a manually intensive task that represents a significant cost to a business.

The solution as we know is Radio Identification (RFID) devices which contain identifying information for a product. Most people do not consider what this means to their privacy not just in shops but public spaces and ultimately their private lives as it strips away their anonymity.

Back in the early 1980's there was an article in Wireless World about Radio Tags and privacy. What has changed since then...

Well we now call them RFID's and we are now becoming aware of just how intrusive they are becoming not due to an Orwellian desire but due to "convenience".

RFID's are actually cheaper than bar codes when built into the product during manufacture as it saves on packaging costs. At their cheapest they are a unique serial number at the expensive end they are as capable as smart cards (more so in some cases).

Most people would say "so what" or "what harm can they do?"

Well the answer is a lot. One aspect of RFIDs being used is to cut down stock loss. At the moment expensive items have "store tags" or "anti theft" tags attached; these are even more costly than bar codes as they have to be manually removed at the point of purchase.

Well if every product has a built in unique serial number that can be detected at a reasonable distance then problem solved. You know what serial numbers come in as stock and get entered on the inventory, and you know when they are sold at the till. With appropriate gates at the store entrances and exits you know when an item leaves, if it's not paid for set off the alarm...

Sounds good and the likes of WalMart are looking into it very closely as it could represent a stock saving close to 10% of sales value...

But also it allows for those "self check out" tills to become much much less painful. You just push the shopping cart through the unmanned checkout, it reads all the RFID's (including your credit cards), gives you the total and you press the accept button and it debits your account...

Sounds good for the business and gives convenience to the shopper, sounds like a "win - win"; unfortunately it's not.

The thing about unique numbers in objects like your socks and underpants is they don't get deactivated so they get read as you walk through the checkout as well. It provides an instant analysis of you as a person such as expensive suit cheap underwear, all of which tie you to your past purchases so your whole life style is revealed including associations to people you walk through a door with and send gifts to.

We know that there are already data mining products out there that can track these associations and derive information such as the one Bruce blogged about for phone records.

It will not be long until similar is available for RFIDs. And yes those businesses will happily sell the data to whoever wants to buy it.

And guess what, not one jot of it is currently considered to be Personally Identifying Information and is thus completely unregulated...

What's the betting we will never get legislation to make it so?

Then how long before we get legislation making the collecting of such data and forwarding it to the Government compulsory for "anti-terror" or some such...

As Bruce notes about crypto "the attacks get easier" well the same applies to privacy.

As you say,

"Cui bono? Who benefits?"

Like all Faustian Bargains we think we do until we realise too late we have sold our souls for a short term minor benefit.

Clive Robinson • August 30, 2010 3:22 PM

@ John N,

That's all right.

@ Nick P,

Whilst I remember you might be interested in an addition for FreeBSD 9.x called Capsicum,

http://www.cl.cam.ac.uk/research/security/capsicum/

To use the developers' words,

"Capsicum extends the POSIX API, providing several new OS primitives to support object-capability security on UNIX-like operating systems"

They talk about "sandboxes" and "angels"; me, I still prefer prison cells and warders ;)

Nick P • August 30, 2010 3:26 PM

@ Clive Robinson

As John said, truly an outstanding commentary on the state of RFID and directions it's taking. Thanks for the reply, and I'm sure someone will benefit from reading it.

Nick P • August 31, 2010 2:13 AM

@ Clive Robinson

It appears that you posted while I was writing my post about John's comments. I just now saw the post you made between John and me.

Thanks for the link! I rarely miss projects like this and somehow I didn't see this one. I love their approach: capabilities; BSD; POSIX extension; real-world app examples. It makes a nice "medium robustness" style addition to my collection. I would like some independent people good at vulnerability analysis to look at how their extensions interact with other POSIX elements to see if any interactions or design issues invalidate the security of Capsicum. If no flaws are found, then I'd recommend the next move to be porting a production version of Capsicum to Linux (RHEL, SUSE & Ubuntu), OpenBSD, NetBSD, and the POSIX/Linux layer of certain safety-critical RTOS's and microkernels.

It might also be useful in Dom0 of Xen to increase the assurance of that huge chunk of "trusted" code. Matter of fact, I think that's the best first use as Xen is widely deployed and extension code and app security policy could be reused when porting to Linux in general.

Robert • August 31, 2010 11:35 PM

@Clive,
Lots of FUD about RFID tags, but a bit short on the details of how to fix the problems the tags create.

While it is true that Walmart wants RFID in lots of products, it is not true that RFID is cheaper than barcodes. Indeed Walmart wants RFID BUT is unwilling to pay extra for the inclusion of this into any products. Walmart argued that its suppliers needed to absorb these costs and should justify the added expense by the benefits that RFID offers the maker / wholesaler.

The truth is wholesalers derive little value from RFID so they do not willingly add the chips. If this situation ever changes then RFID will be absolutely ubiquitous.

Now for possible fixes:
1) "fuseable" deactivation links are possible, would not be an actual fuse, rather a mode that for instance disables the input voltage regulator this would cause an "over-voltage" fail of the tag (typically a gate-oxide punch-through)

2) Activated coatings that result in the release of a chip surface oxidizing agent, release enabled at the time of purchase.

3) Intentionally leaky EEPROMs for the ID: instead of 10 year data retention they only offer 3 month retention.

Clive Robinson • September 1, 2010 3:07 AM

@ Robert,

"Lots of FUD about RFID tags, but a bit short on the details of how to fix the problems the tags create"

Hmm FUD is an overly easy counter to make, which is one of the reasons I gave a lengthy explanation of my view point.

Although in a restricted sense I'd agree with "Uncertainty" in Retail product RFIDs, as they are still very very thin on the ground at present, and it is not known in which direction they will go other than lowest possible cost to retailers. It is this aspect that WalMart appear to be using as "uncertainty" as a negotiating tool (after all they want the systems for zero cost to themselves).

As for "Fear" well yes and no, although predictions of ubiquitous RFID use have been made every year for just about the last quarter century they have not happened in the way pundits have predicted. So any downsides of the technology are still theoretical not actual as the systems are not in place to be exploitable.

As for "Doubt" it depends on your viewpoint of what doubt is. RFID technology is not going away; the Banks and others involved in financial transactions are making certain of that.

Interestingly mobile phone manufacturers are sufficiently confident in RFID technology that they are now adding it in a programmable form to mobile phones.

Although this is aimed more at contactless payment systems currently, the leisure industry can now get hotel systems with door locks, mini bars, checkin systems etc. that can exploit the functionality in a phone. Which enables you to book and pay for your room with your smart phone and the Hotel sends you a "txt" with a unique identifier for your visit such that your phone serves as a token to access services. It offers a variety of savings not least of which is not having droves of reception staff at all hours of the day.

What we are seeing in established retail businesses however is adoption at a price point based not on extra utility but labour saving or other cost reduction methodology. And it was from this particular view point I was extrapolating.

For instance the retail of clothing does not usually have "packaging", and the bar code labels and anti theft tags are seen as damaging to the items and image in high end outlets with 1000USD items being the norm. Here sewing an RFID in the hem or seam is easy and invisible and allows a crossing of technology such as the guest checkin systems, allowing personalised meet and greet and "personal shop assistants".

Which is great for the wealthy patrons of such establishments and the establishments owners.

However what about the run of the mill "marts" or "supermarkets" they have thin margins and theft and labour make a very significant difference to their bottom line.

We know (certainly in the UK) that in large retail outlets such as Tesco's, Asda (WalMart), etc. "self checkout" is being rolled out. This is supposedly for "customer convenience"; however it is known to be more for staff number minimisation for "quick checkout" customers such as those buying ten items or less on either end of the (public transport) commute or at lunch times.

The limiting problem is self checkout is not in its current form easily extensible to more than a hand basket load due to "anti theft" features. Thus the saving in one area can easily be lost in another area and this "gimps" the technology thrust.

ID systems that are "non emissive" such as bar codes offer no anti-theft benefit, thus these self check out systems rely on weighing systems detecting the weight of the "item placed in the bagging area". Such systems are notorious for being either unreliable or inaccurate.

However "emissive ID tags" such as RFIDs will fairly easily remove this limitation and further improve the general checkout speed as "bar code hunting" should become a thing of the past.

It might also allow "push through" checkout of whole carts where every item is scanned in the cart (although I have doubts on this with the current technology implementations).

Thus I think it is fairly certain within the next few years that RFID in retail goods such as clothing will become a certainty and will then devolve downwards through other high value items down to just about all items except unpackaged food.

Which brings me around to your point about stopping the RFID's becoming a problem before they start.

Put simply "convenience is a cost" and it has to be paid one way or another and I think it's a point we agree on.

The question is thus "how is it to be paid"...

Large retail outlets have low margins and in many cases rely on low "item price" compared to their competitors, thus the cost is not likely to be a direct addition to item cost. Thus selling the data is a very valid way such a retail outlet can pay for the "convenience cost" without increasing item cost.

This means there is a reasonable probability that the systems will be driven by the needs of the data aggregators and their analysts seeking to add value to the raw data. And to quote a line from the NSA chief scientist "we can never have too much data". Thus I expect this view point to be the primary driver.

Which is one of the primary reasons why I think that RFID "kill systems" won't happen.

Further RFIDs will inherit some of the restrictions of serial numbers and "makers labels". That is removal will invalidate any warranty on the items.

Then there is the additional cost of such technology in the RFID, as you know silicon real estate costs as does specialised packaging for it so those systems are not going to be competitive.

Thus I have the feeling that such technology will only happen if there is a significant need for it. Such a need, being against the general aim of both the manufacturing and purchase side of the RFID industry, would probably require legislation that in all honesty I cannot see coming through the Current Political climate.

George Orwell was right in many of his predictions but I think he missed out on the fact that we as consumers would for the sake of mere convenience allow his all seeing authoritarian state to come into existence and cheerfully pay for it...

I could be wrong but let's review it every five years for the next quarter of a century and see.

Robert • September 1, 2010 4:43 AM

@clive
"Hmm FUD is an overly easy counter to make"

Agreed FUD was a cheap shot, however my point stands that there are technical solutions to the "infinite" life time of RFID tags. Unfortunately what is missing is Industry and legislative interest in forcing these security features, like "Kill switches".

I can assure you that it adds zero manufacture cost to make 900 MHz RFID tags with kill capability. The problem is zero demand for the feature.

WRT retailers deriving value from tracking their customers' movements and "data mining", that is certainly desired within their own stores, however I've never heard of any retailers wanting to somehow know if you visited a competitor's store.

Tag costs. A big part of tag costs is still the chip wire bonding, all the systems to bypass chip wire bonding have not proven effective so tag costs can't fall until new bonding technology is developed.

Clive Robinson • September 1, 2010 8:08 AM

@ Robert,

'... however my point stands that there are technical solutions to the "infinite" life time of RFID tags.'

Yes there are many; some are simple and some are not. You'll hear no dispute from me on that (apart from cost and reliability of implementation down stream of product purchase).

Thankfully in many cases a user can effect their own "kill" with a few seconds in a microwave, a hammer and two blocks of wood or for those with external coils a sewing needle to either break tracks or to bridge tracks with 40AWG tinned copper wire (5 amp fuse wire ;)

However they work on the not always correct assumption that the RFID is added near the surface or the object it is embedded in is microwave safe. For instance I can't see anybody putting a pair of 500USD "hand tooled" half Cuban Heeled Italian shoes in the microwave or digging around inside the heel with a probe to break the RFID.

As you note,

'Unfortunately what is missing is Industry and legislative interest in forcing these security features, like "Kill switches".'

This is the real issue that has to be overcome before the retail outlet use of RFID's gets going.

Even classifying the data as PII after sale might have issues (think about warranty registration) unless the appropriate legislation (ie person owns their PII not the person who collects it) is in place.

And you can bet a pair of Italian shoes that I'd prefer a hard kill switch over a legislatively inspired "honour system" every time.

The problem with legislation is the vested interest of the Marketing and allied industries who let's face it have some of the strongest lobbying muscle going.

The heart of the issue as you correctly observe,

"WRT retailers deriving value from tracking their customers' movements and "data mining", that is certainly desired within their own stores, however I've never heard of any retailers wanting to somehow know if you visited a competitor's store"

That is they don't want to know where you have been but they do want to know your lifestyle and purchase habits to better "market to you".

They cannot do this from just the RFID data in products you have not purchased from them but a data aggregator can, because they get the ID to product matching info from all retail outlets.

Whilst this form of data aggregation is mainly annoying at best discriminatory at worst when sold on to other retail outlets, you have to ask what other "data products" the aggregators can come up with from the raw data...

And it's this area that really worries me; it could easily get you on the equivalent of a no fly or terrorist watch list, for no better reason than you were in the same retail outlet as somebody else on the list a couple of times in a year...

We know the human eye & brain can produce images out of clouds or the static on an analogue TV screen. This ability is spread throughout the human brain and as a result we can see patterns in data that are not really there, we tend to say "it's just coincidence" or "the luck of the draw" when we see it happen but mostly we miss it altogether.

The problem is deciding when a pattern is real or coincidental and the closer to the noise floor the harder it is to decide with sparse data sets. We have seen this happen with forensic data where results are said in court to be "positive proof" turn out to be nothing of the sort (think of metallurgical matching of bullet fragments to batches of ammunition, finger prints, etc).

With "terrorism" or any other "Oh my gawd" criminal you get a simple urge to CYA and "play safe" by the unseen hands of bureaucrats, who anyway cannot understand what the data aggregators are doing or the strengths or weaknesses of their results.

The result: at best there is a waste of resources and your life becomes affected and you don't get to travel or a new job etc, worse a quick flight and an orange jump suit, through to your relatives wondering about your premature death or disappearance.

All of which is said to have happened in recent times in the Good Old USA and other WASP nations. And similar is a matter of historical record in nations south of the border, most of Asia, Africa, Eastern Europe and some Western Nations such as France (Rainbow Warrior assassinations) and presumably elsewhere where the nations are not inept enough to get caught.