Category: security

New Research: Social Security Numbers (SSN) are Entirely Predictable

CybercrimeNew research published in yesterday’s Proceedings of the National Acadamy of Sciences has dramatic implications for Americans and identity theft.  Alessandro Acquisti is an Associate Professor of Information Technology and Public Policy at Heinz College of Carnegie Mellon.  He has spent the better part of two years with his colleague Ralph Gross, looking at social security numbers as both identifier and authenticator, something we have all known was a bad combination.  Professor Acquisti demonstrates just how bad of an idea it has been in the last twenty years.  In that time there have been two significant policy changes that have made numbers extremely predictable based on two pieces of information:

  • birth city
  • date of birth

The policy changes involve release of something known as the Death Master File (DMF), which was intended to prevent someone from expropriating a dead person’s identity, and the Enumeration at Birth (EAB) initiative, which has had the effect of allocating SSNs shortly after birth.  These combined with the facts that SSNs have structure based on location, and that the less significant components are serialized in allocation, and it makes for a predictable SSN.

This gets worse.  While it may be possible to fix this problem for future generations that use SSNs, either by randomizing all or lesser components, or by not filing applications upon birth, the millions of people who have assignments in this time period are in an extremely difficult spot, because the workaround is a change of number.  This argues for a new form of identity that separates authentication and identity, but the effort to do so requires that the finance, education, and medical sectors (not to mention government)  change their means of identifying individuals.  This will be no easy task.

This research is a remarkable piece of work by Professor Acquisti and his colleagues.

The TSA is Still At It.

courtA recent article in the Wall Street Journal brings to light continuing abuses by the Transport Security Agency of people’s freedoms.  In the article several cases are depicted in which the TSA expanded their role from protecting against terrorism on planes to general law enforcement.  Here’s the issue: the only reasons the Fourth Amendment of the Constitution allows anyone to screen at all in advance are that the screening is not viewed as a law enforcement activity, and that it is impossible to undo a successful attack.  The principle, then, should be that TSA should be required to invade our privacy to the minimum extent possible to protect against such attacks, so that we can continue to enjoy what little we have left of our rights to be free from unreasonable search and seizure.  The courts have held as such repeatedly, and it is the same logic used to uphold drunk driving checks.

Technology actually hurts and helps.  For instance, new scanners make it possible to see through clothing and detect all manner of substances.  On the other hand, because they can do so, there should be less need to open containers if those scanners have said that they are safe.  Similarly, technology can improve the way we identify individuals.  By doing so, quizzing people about their identity should become less necessary.  Just to be clear, I do not view anything having to do with RFID in such a vein.  We’ll discuss this more soon.

Secure SmartPhone? No Such thing

iPhoneToday’s CNN reports that President Barack Obama will supposedly get a secure smartphone that would be similar to his Blackberry.  The Sectera Edge, made by General Dynamics, has already received a seal of approval from the National Security Agency.  There is only one problem: either it’s not that smart or it’s not that secure.  You can have either one, but you can’t have both.  Smartphones are those phones that can provide some form of general purpose computing function.  It is that function that is subject to abuse.  While it is possible to develop and provide a general purpose computing function that is perhaps even provably secure, it will also be provably useless.

Another problem with the Sectera Edge is that it lacks the ecosystem that Mr. Obama may be used to with the Blackberry, or others might be used to with the iPhone.  I imagine that very few applications have actually been written outside of GD.  Looking at the iPhone, only a fraction of the apps for the iPhone are developed by Apple.

The Next Terrorist Threat: Canada Geese

Evil GeeseBut for some fancy flying by Captain Chester “Sully” Sullenberger and his co-pilot Jeffrey Skiles, a menacing flock of geese would have managed to pull of the same feat that Osama Bin Laden’s gang of thugs took pains to plan and execute.  La Guardia Airport is as close to Manhattan as an airport can get.  It wouldn’t have taken much for that plane to kill many people.  The geese almost got their way.

Now it has been shown that geese can wreak havoc on our infrastructure, especially those Canada geese that crap all over the east coast.  Probably the Canadians planned it that way.  Blame Canada, too.  Next we should probably invest in goose protection technologies.  I’m sure DARPA is already on it.  Harboring geese?  Better beware.  I’m sure you’re being watched already.  How do you think Bin Laden managed to get them positioned?  Did he pay them off?  Did he seed their trail right through Queens?  Let us flock to investigate and excoriate the guilty.

In the meantime, as we evict the 43rd president from the White House, a man who defined his administration by the war on terror, who led from a place of fear, and who capitalized on the fears of others, let us shut the door on this sorry chapter of our history by endeavoring to Goose Poopremember the miseries we have to go through at airports, the violations of our privacy that were made in our names, the destruction of our international reputation through the reckless disregard for human rights and international law, and now goose poop, which perhaps is best cleaned up with the editorial pages of the Wall Street Journal, as they have no better use.

And so now I’m on Facebook

FacebookHaving staved it off for years I’ve finally joined Facebook.  Here are a few initial thoughts:

I was disappointed that the only authentication method offered was old fashioned passwords.  We are still as an industry struggling with making the leap to a better means.  And it’s not like there are none out there.  OpenID and Infocards can no longer be considered new.  A question for a future blog entry might be why these technologies are not succeeding.  Indeed just this week SlashDot.Org ran a story about how OpenID is losing ground.

There is a whole different set of social rules on Facebook, and I don’t know what they are.  For instance:

  • One of my friends wanted to add detail about my previous employment experience, which is something I wasn’t prepared to do myself.  And so I refused.  Have I offended him?  I don’t know.
  • My initial “note” indicated that I don’t do much with FaceBook, and that people should see my blog.  This elicited a long discussion, not involving me.  If I don’t reply, have I offended?

Why is Facebook even necessary?  Isn’t this what we want the Internet to be in general?  Why should this form of communication be limited to one site?  For one, people are tired of spam on the Internet and so they are looking for an email replacement.  Beyond that, having one’s own web server is a royal pain in the ass.  But moreover, the comment I got more than once was that a blog is isolating.  Why is that?  What makes this blog isolating as compared to Facebook?