[LINK] Schneier: Renew Your Passport Now!
Deus Ex Machina
vicc at cia.com.au
Mon Oct 16 23:36:04 AEST 2006
Welcome to turbo-charged government growing at the rate of GDP. An
endless stream of innovations designed to keep themselves in jobs...
Roger Clarke [Roger.Clarke at xamax.com.au] wrote:
> I scrapped my current passport last year, before the RFID-chip came
> in, and got a new one. Why? Because I don't know what's in the
> chip, and I don't know how the scheme works - and I have the
> professional competence to understand this technology, and I was a
> participant in the farce that the Passports Office pretended was a
> consultation process.
>
> I write a bit, and people read it (not up to some people's scores,
> but 3.5 million hits this year presumably means something). So I
> should have explained to people what I did, and why. I didn't.
> Bruce Schneier has.
>
> (I'm doubly-embarrassed, because I conscientiously object to the new,
> grossly-invasive Census, and arranged not to be anywhere on Census
> night. But I haven't got around to writing that up either).
>
>
> http://www.schneier.com/crypto-gram-0610.html
>
> >** *** ***** ******* *********** *************
> >
> > Renew Your Passport Now!
> >
> >If you have a passport, now is the time to renew it -- even if it's not
> >set to expire anytime soon. If you don't have a passport and think you
> >might need one, now is the time to get it. In many countries, including
> >the United States, passports will soon be equipped with RFID chips. And
> >you don't want one of these chips in your passport.
> >
> >RFID stands for "radio-frequency identification." Passports with RFID
> >chips store an electronic copy of the passport information: your name, a
> >digitized picture, etc. And in the future, the chip might store
> >fingerprints or digital visas from various countries.
> >
> >By itself, this is no problem. But RFID chips don't have to be plugged
> >in to a reader to operate. Like the chips used for automatic toll
> >collection on roads or automatic fare collection on subways, these chips
> >operate via proximity. The risk to you is the possibility of
> >surreptitious access: Your passport information might be read without
> >your knowledge or consent by a government trying to track your
> >movements, a criminal trying to steal your identity or someone just
> >curious about your citizenship.
> >
> >At first the State Department belittled those risks, but in response to
> >criticism from experts it has implemented some security features.
> >Passports will come with a shielded cover, making it much harder to read
> >the chip when the passport is closed. And there are now access-control
> >and encryption mechanisms, making it much harder for an unauthorized
> >reader to collect, understand and alter the data.
> >
> >Although those measures help, they don't go far enough. The shielding
> >does no good when the passport is open. Travel abroad and you'll notice
> >how often you have to show your passport: at hotels, banks, Internet
> >cafes. Anyone intent on harvesting passport data could set up a reader
> >at one of those places. And although the State Department insists that
> >the chip can be read only by a reader that is inches away, the chips
> >have been read from many feet away.
> >
> >The other security mechanisms are also vulnerable, and several security
> >researchers have already discovered flaws. One found that he could
> >identify individual chips via unique characteristics of the radio
> >transmissions. Another successfully cloned a chip. The State Department
> >called this a "meaningless stunt," pointing out that the researcher
> >could not read or change the data. But the researcher spent only two
> >weeks trying; the security of your passport has to be strong enough to
> >last 10 years.
> >
> >This is perhaps the greatest risk. The security mechanisms on your
> >passport chip have to last the lifetime of your passport. It is as
> >ridiculous to think that passport security will remain secure for that
> >long as it would be to think that you won't see another security update
> >for Microsoft Windows in that time. Improvements in antenna technology
> >will certainly increase the distance at which they can be read and might
> >even allow unauthorized readers to penetrate the shielding.
> >
> >Whatever happens, if you have a passport with an RFID chip, you're
> >stuck. Although popping your passport in the microwave will disable the
> >chip, the shielding will cause all kinds of sparking. And although the
> >United States has said that a nonworking chip will not invalidate a
> >passport, it is unclear if one with a deliberately damaged chip will be
> >honored.
> >
> >The Colorado passport office is already issuing RFID passports, and the
> >State Department expects all U.S. passport offices to be doing so by the
> >end of the year. Many other countries are in the process of changing
> >over. So get a passport before it's too late. With your new passport you
> >can wait another 10 years for an RFID passport, when the technology will
> >be more mature, when we will have a better understanding of the security
> >risks and when there will be other technologies we can use to cut the
> >risks. You don't want to be a guinea pig on this one.
> >
> >This op-ed originally appeared in the Washington Post.
> >http://www.washingtonpost.com/wp-dyn/content/article/2006/09/15/AR2006091500923.html
> >
> >Rebuttal:
> >http://www.mercurynews.com/mld/mercurynews/news/opinion/15637460.htm
> >
> >My previous writings on RFID passports:
> >http://www.schneier.com/blog/archives/2006/08/hackers_clone_r.html
> >http://www.schneier.com/blog/archives/2004/10/rfid_passports.html
> >http://www.schneier.com/blog/archives/2005/04/rfid_passport_s.html
> >http://www.schneier.com/essay-060.html
> >http://www.schneier.com/blog/archives/2005/08/rfid_passport_s_1.html
> >
> >
> >** *** ***** ******* *********** *************
> ...
> >** *** ***** ******* *********** *************
> >
> >CRYPTO-GRAM is a free monthly newsletter providing summaries, analyses,
> >insights, and commentaries on security: computer and otherwise. You can
> >subscribe, unsubscribe, or change your address on the Web at
> ><http://www.schneier.com/crypto-gram.html>. Back issues are also
> >available at that URL.
> >
> >Comments on CRYPTO-GRAM should be sent to schneier at counterpane.com.
> >Permission to print comments is assumed unless otherwise stated.
> >Comments may be edited for length and clarity.
> >
> >Please feel free to forward CRYPTO-GRAM, in whole or in part, to
> >colleagues and friends who will find it valuable. Permission is also
> >granted to reprint CRYPTO-GRAM, as long as it is reprinted in its entirety.
> >
> >CRYPTO-GRAM is written by Bruce Schneier. Schneier is the author of the
> >best sellers "Beyond Fear," "Secrets and Lies," and "Applied
> >Cryptography," and an inventor of the Blowfish and Twofish algorithms.
> >He is founder and CTO of Counterpane Internet Security Inc., and is a
> >member of the Advisory Board of the Electronic Privacy Information
> >Center (EPIC). He is a frequent writer and lecturer on security topics.
> > See <http://www.schneier.com>.
> >
> >Counterpane is the world's leading protector of networked information -
> >the inventor of outsourced security monitoring and the foremost
> >authority on effective mitigation of emerging IT threats. Counterpane
> >protects networks for Fortune 1000 companies and governments world-wide.
> > See <http://www.counterpane.com>.
> >
> >Crypto-Gram is a personal newsletter. Opinions expressed are not
> >necessarily those of Counterpane Internet Security, Inc.
> >
> >Copyright (c) 2006 by Bruce Schneier.
>
> --
> Roger Clarke http://www.anu.edu.au/people/Roger.Clarke/
>
> Xamax Consultancy Pty Ltd 78 Sidaway St, Chapman ACT 2611 AUSTRALIA
> Tel: +61 2 6288 1472, and 6288 6916
> mailto:Roger.Clarke at xamax.com.au http://www.xamax.com.au/
>
> Visiting Professor in Info Science & Eng Australian National University
> Visiting Professor in the eCommerce Program University of Hong Kong
> Visiting Professor in the Cyberspace Law & Policy Centre Uni of NSW
> _______________________________________________
> Link mailing list
> Link at mailman.anu.edu.au
> http://mailman.anu.edu.au/mailman/listinfo/link