Peeing on the digital fence

Will Rogers once said:

There are three kinds of men. The ones that learn by reading. The few who learn by observation. The rest of them have to pee on the electric fence for themselves.

Interesting to note that he suggests learning only comes from input. I suspect output also can teach. We certainly learn from doing…

His last category fits Ranum’s notion about security and user education, although Ranum might have sounded more like “users have to pee on the digital fence…”, which of course would be electrified.

Preparing for another presentation on Nigerian Scams

As I prepare for my upcoming presentation “False Harmony: Racial, Ethnic, and Religious Stereotypes on the Internet”, together with Dr. Harriet Ottenheimer, I am looking forward to discussing some remarkable new methods used by the Nigerian Scam artists since we started this project over four years ago.

We have noticed important changes since we began recording and dissecting the language of scam/fraud email messages. Actually, it is hard to believe so many years of research have already gone by and that we have already presented two papers on this topic (at ethno and anthropology conferences). I guess, time flies when you’re fighting fraud. Well, more detail will be given at this upcoming presentation. In particular, I hope to highlight change and discuss how offensive/defensive measures are able to feed off one another — adaptive tactics, if you will.

In related news, someone posted a BBC video report of a Nigerian EFCC (Economic and Financial Crime Commission) and armed police takedown of a 419 club. Good to see others working on documenting and providing analysis of the issue. By the way, I couldn’t help but note minute 1:24 when one of the EFCC appears to violently hit a suspect in the back.

As I think about it I am tempted to categorize this post as “history” since the Nigerian fee fraud scam is now probably so well known that people and the media are becoming quite attuned to these particular risks. Nonetheless, the problem persists.

Come see us present our latest findings at the international ethnic studies conference in Turkey this November, if you’re interested.

Elementary school switches to biometrics

All in good fun, of course, under the noble cause of saving time at the lunch line, according to the Associated Press.

Two things are going on here, it seems to me. First, either the school administration is overly concerned with the efficiency of lunch lines or they are obscuring more significant justifications such as trying to cut down on lunch “fraud”. Second, kids are apparently consenting to exchange some form of biometric data without being informed of the true trade-off and future consequences and without parental consent:

Rome City Schools is switching to a scanning system that lets students use their fingerprints to access their accounts. In the past, students had to punch in their pin numbers.

“The finger’s better because all you’ve got to do is put your finger in, and you don’t have to do the number and get mixed up,” said Adrianna Harris, a second grader at Anna K. Davie Elementary School.

The system “lets” them use their fingers. Hard not to jump to conclusions about an administration trying to entice kids with a particular view of privacy and “good-for-you” security at a vulnerable age. “Do you want to eat? Just give me your finger…” At least one parent is notably concerned:

“It may be perfectly secure, but my daughter is a minor and I understand that supposedly the kids have the option to not have their prints scanned, but that’s not being articulated to my daughter,” said Hal Storey, whose daughter is a 10th grader at Rome High.

Minors are allowed to decide so very few things for themselves when it comes to privacy and identity, and yet this system relies on them to decide whether they want to give away some form of their biometric information. Even if you make the argument that driver’s licenses capture the same information later in life, you have to admit that it differs in at least two ways: 1) adult consent, and 2) exchange for transportation/mobility.

When you are seven years old less time in the lunch line might seem worth it. But what will you think when you become a teenager (adulthood in some cultures) or later on, long after your teenage years? Will you look back and say “I sure am glad my fingerprint was stored by the school” or will you say “I wish I had known more about information security before I agreed to give my fingerprint data to the school and they were breached”. To be fair, the company paid to install the system points out that it does not intend to store a full fingerprint but instead record a digest made from a few spots expected to be unique:

The computer converts the fingerprint into an algorithm and scans six to eight unique points of the print, said Shawn Tucker, the technical support manager of Comalex, which is the company supplying Rome’s new system.

The data stored in the system is not an image of the child’s fingerprint like something you would find in an FBI database, he said. It is a list of points that together distinguish the child’s finger from that of other students.

No, not something you would find in an FBI database…yet. Of course, if the system is truly recording a unique identity for all the students it really doesn’t matter how it goes about it since the FBI (or anyone else for that matter) would just need a copy of the database and then they have access to unique biometric data as good as fingerprints, right? This is one of those “it’s highly accurate when used for good but it’s not really accurate when used for bad” arguments you have to watch out for from biometric companies.

I’m not saying I am opposed to the plan, but based on this story it does not sound like the privacy rights of the children or their parents are being well valued or properly discussed by those who will be most impacted. Perhaps the idea was conceived by a fan of the TSA plan for speedier/preferential treatment of certain passengers. While that system is flawed for a number of other reasons, in comparison to this plan the idea of loss of privacy in exchange for mobility is a far cry from loss of privacy in exchange for a little more time at lunch, no? I’d like to see the school publish the trade-offs they considered, especially since they said this system was to benefit the students…

Another parent said, in the Rome News-Tribune, his biggest issue was the lack of transparency and communication prior to the decision to take his child’s biometric data:

If he had been notified and informed about the technology before it was put in place, Storey said, he might have been fine with the new system.

“At this moment my plan is to instruct them because they don’t have parental permission, to remove my daughter’s scan and have alternative means,” he said.

This gives “there’s no free lunch” a whole new meaning.