The more they regulate and litigate the worse things get here.
Then why have violent crime rates dropped drastically since the 60s? I suggest you do actual research before making open-ended statements. A quick look at crime statistics shows this.
It seems to me, that we've only gotten freer and safer over time. Care to prove otherwise?
In an emergency people would let eachother out anyway, so it's kind of a silly point to make. It's not like someone would be an asshole and not leave the door open. And as you said, there are override systems. I'm pretty sure that they're legally required to have fire escape plans anyway.
Oh and it is an issue of egress rights. You design the door layouts so that if you can get into a given room, there's always and exit route that doesn't require any keys (the other side of the doors). So even if someone lets you in through say, doors A, B, and C, you can always exit the building through C, B, and A (opposite order).
If I was going out (buy groceries, meet with friends) I would probably avoid taking any un-needed keys or items.
That's pretty optimistic given that the whole purpose of an implant is to prevent employee screwups like that. Oh and screw ups happen, A LOT.
Not that it matters much, since they'll be spending a long time outside carrying it around because it's not like they make constant trips home. With the generation 1 RFID devices, which VeriChip is, all you have to do is walk by them while they have it on their keychain. Snap! You've gotten it.
A very unlikely scenario, why would someone who finds it want to break into your data center and pretend to be an employee whose identify they do not know.
Why would someone who happens to run across a guy with an implant want to break into your data center? BECAUSE THEY'RE FOLLOWING YOU. The same applies to both implants and non-implants. Exercise some critical thought here.
You think the idea of employees sharing keys is some great idea you didn't think of? Ok, why would they share keys? The only reason is if they forgot to bring it. Then, duh, that means sometimes they wear it around where they aren't supposed.
You seem to also forget that there is more than the main entrance to protect. There are different protected areas within a company. Employee A, with acess to a highly protected area, leaves his key lying around by accident. Employee B snags it, uses it and returns it. This is ignoring the added possibility of cloning.
All this before the company is alerted to the loss and disabled the key in question.
Before they're alerted that someone stood near a key for 3 seconds? How long before someone would use a key if they stole it anyway?
A more likely scenario, but still unlikely, scenario is some sort of planned theft of the key.
Theft is not needed for cloning, genius. If theft of the key was an issue, it would be one that would be thwarted by an implant. Remember, the only way to steal an implanted key is to CLONE it. If we are dealing with people who can clone, then none of what you say matters for non-implants.
It seems trivial to build one into the keychain, something that you can't do with an implant.
Trivial and yet not used. As you already conceded, people don't do well when handling keys, they forget to bring them. They also forget to cover them up. Honestly, how many regular people do you think abide by best practices? They have to remember to do it all the time, even if they choose to do it. It effectively reduces it to a keycard, in any case. Plus someone could always monitor the signals when it's used.
I already mentioned that it relatively trivial to block the tag when not needed.
It's also trivial to screw up and not use one.
Heck, you may even be able to get the thing to auto-disable itself when you leave the premises and require a manual re-enabling (turn a ring or something) once you enter them again.
Heck, you could even use a keycard!
I do have to admit your reply was funny, you go on about all of this and yet don't even get the most trivial hole in what I said (someone else did).
Oh I forgot, the unlikely scenario of employees willingly swapping keys, which doesn't actually present a security risk unless you take into account my asessment.
Of course, that would require thinking about why they use this stuff (I didn't think too much about this given it's Slashdot and all) and you seem to be unable to perform such abstract thought.
Does "abstract" mean "retarded" in this case? Aside from assuming that employees abide by best secrity practices, you also neglected that there isn't necessarily one level of access for the entire building.
Remember, it only takes one to get into the building. And you're, by default, assuming that they have RFID cloning technology. This is also ignoring that you've effectively reduced it to a keycard.
So before I needed to get close to an object (whatever had the rfid tag) which under normal circumstances an employee would not be carried around (say they were going home or something)
Who doesn't carry their keychain around all of the time that they're out of the house? The only time people take off their keychains is usually if they're AT home. An attacker stealing RFID is unlikely to want to or even gain an advantage by following them into their home. Besides, if you can get into their home, they're screwed in a variety of ways.
With an RFID keychain, you have the disadvantage of mistakenly taking it off somewhere and leaving it unattended. That's a weakness that an implant addresses.
could have it in a reader blocking case.
How many people actually put a block around their keychain?
Now, I simply need to get close to an employ anywhere at any time to copy their data.
That's an advantage, not a disadvantage. If an employee takes their keychain off and leave it unattended, that's a vulnerability.
Fucking brilliant, now I can steal their tag without anyone ever knowing, whereas before they'd know it was gone in a reasonable amount of time (I'd have to steal the physical object most likely).
HHAHAHAHA. Way to contradict yourself. With the non-implant version, they have to physically steal it, but with the implant version, they don't? That doesn't make any sense; it's the same technology. If you can steal it by coming near them and recording the transaction (and this can be done easily with all but the public key crypto forms which require you being near the 'official' reader), then it applies in both cases. Same technology....you didn't think this through, did you?
For less than they paid for the RFID system, they could have hired someone to log people in and out of the data center.
So, you know the costs of RFID systems and have done a cost-analysis? Show it to me. RFID means a couple of thousand dollars for the intial equipment and a few bucks per implant. Sounds pretty damn cheap to me.
Additionally, I question the validity of a system that restricts access to only those with an implant during disaster situations (fire, flood, and worse) where access rights and needs are rather different than in normal situations.
Ever heard of the concept of a lock working only one way? I have doors in my house that do that. You can open from one side without a lock, but not the other. Surely such an electronic equivalent would require Space Age technology worth BILLIONS!
Good security costs a lot of money, and you cannot replace the human element in the security chain.
And here you are, suggesting that we go the discounted method. Not the they're removing the human element from the entire security chain.
The RFID schemes won't prevent anyone following an authorized person into the data center, unless there is physical restrictions that would make working in the data center dangerous during emergencies.
Uh, how about the person noticing that some other random person is following them in? Or are these people blind and deaf? Sorry, didn't want to make assumptions about disabilities. And what the hell does following someone in have to do with emergencies?
In this case, the $10/hour guard is more flexible and cheaper than the high-tech answer, and more respectful of humans in general... or at least I think so
What happened to good security costs money? That's what they pay a higher level mcdonalds worker. Do you really want such an incompetent moron guarding everything? One who could be easily tricked, mind you.
VeriChip has been cracked. That's only because it didn't use cryptography. JHU researchers have cracked the Exxon Mobil Speedpass [research link] cryptographic RFID devices using brute force. It took 15 mintes per key, but this required 16 $200 FPGAs ($3200) working in parallel.
Ignoring the time taken to reverse engineer the protocol, it also requires extra equipment to do the analysis for the actual reverse engineering. To my knowledge, no code has been published publically.
At this point in time, it seems that cryptographic RFID devices, despite being cryptographically weak, are pretty secure from a practical standpoint due to a level of sophistication require to execute attacks currently.
Plus I must wonder a) how close you have to be to read/activate VeriChip devices and b) if the readers are inside of a faraday cage when they enter the facility. At the very least, this will remove the possiblity of using lost keys or ones that were left lying around unattended.
In other words, a more casual thief who knows little to nothing about RFID. He has to know how to clone it and your average thieve doesn't know how to do that. I love it when so-called "security experts" overlook the obvious because they think that security risk asessment means assuming that they must assume all of their attackers are very sophisticated.
Of course, being ignorant of RFID, you also didn't know that there are cryptographic forms of RFID. These don't transmit the same number every time they're pinged. So, of course, you have no idea what you're talking about. Using non-off-the-shelf and/or expensive technology which takes a great degree of sophistication to develop, you can crack after many hours of computation.
But hey, you're the security expert, this is probably all trivial with the latest RFID cracking and cloning devices you can buy at Wal-Mart.
Now the real question is, does VeriChip use cryptography? I know the answer, but it's clear you didn't even bother to check before making your generalizations.
Remember, they have to send this using your personal internet connection. They obviously can't be sending the gigabytes of data required for a regular GDS search nor required to reconstruct that much. Then again, it's probably enough just to get some import documents.
I say to reverse engineer the protocol and use it as essentially an inifnite internet storage space. Encrypt your data, of course.
Oh yeah, couldn't google encrypt the information client side to prevent abuse?
If it doesn't, then we can document when their user-agent is obeying it and ban that user agent completely. If they fake that user-agent, it can be detected because suddenly you'll see an alleged MSIE client downloading tons of pages from your website. If they try faking a real search engine, then we can just compare those ips against those known to actually be owned by the search engine company.
We can even keep a complete database of all IP addresses of indexing government computers.
Wikipedia says the controversy raises questions about whether it is ethical for those with a vested interest in the subject to edit entries about it.
The irony of this statement! Just a while ago the Wikipedia community was defending Jimmy Wales as he made controversial and factually incorrect edits to his article. Talk about double standards.
That won't happen. About a week ago LJ change its cookie scheme. This scheme places a cookie on www.livejournal.com which is what is required to post anything and to change account settings. All journals are under some other hostname, so it is impossible to use XSS to get that www.livejournal.com (ljmastersession) cookie unless a bug in a browser breaks its own security model (that's beyond the scope of anything a a website can do though). The also use HTTPOnly cookies for MSIE, which means that none of the cookies can be stolen for IE either (it's funny that Firefox refuses to implement this great idea just out of petty Microsoft hatred).
These new filters they're testing right now will include whitelisting of CSS. Whitelisting, of course, is a very powerful mechanism to mitigate XSS as well. This is in addition to potentially hosting all CSS on their servers.
Not just that, but they have implemented other features recently. One allows you to view recent logins. Another ties cookies to your subnet (in addition to the optional login option which lets you bind it to a specific ip). You can no longer change your e-mail address on your account without your password.
So LJ has now put quite a few mechanisms in place make things more secure. So please, before ignorantly suggesting that they go back and "design it correctly," maybe you should actually READ about all the new security features implemented, including the new ones that they're testing now. But hey, I don't expect a Slashdotter to actually read and research so they know what the fuck they're talking about. After all, if LJ has a contest, it's NOT AT ALL POSSIBLE that they're testing new features that you can easily read about.
People "aren't being made to disappear." I see no example of someone being detained under a secret law.
As for regulations, you DO know about the parts that affect you. You know that you need to show ID, go through metal detectors and so forth. You can't honestly claim that you didn't know that you needed to show IDs at an airport, it's been a de facto standard practice for decades. So what part of the regulations that affect you DON'T you know about?
P.S. That supposed quote from Bush about the constitution is a myth. It was rumored to have been said in a private meeting and leaked by some staffer. However, ABSOLUTELY NOTHING was able to confirm it as an authentic quote nor that it was even leaked by a staffer.
The fact that he wasn't "punished" this time doesn't mean that people won't be thrown into prison or just made to disappear when they refuse to bow down to secret "regulations" in the future.
Wild, unfounded and paranoid speculation.
Yes! Absolutly an "regulation" that effects me I have a right to know about!
Glad to see that you want to give away all of our classified information to our enemies. You *definitely* need information on how to infiltrate the NSA headquarters. Yeah. That's totally a constitutional right. And giving that information out will be so helpful.
The scenario that I outlined would have been laughable prior to the Bush Administration but now it's a real and dangerous possibility!
Yes, that's pretty much how it works, unless the constitution specifies that the government isn't allowed to pass certain laws. Please find me the part of the constitution which prohibits making laws requiring someone to show an ID at an airport. Until you can do that, you have no point.
By the way, please go campaign to dissolve every single regulatory government agency in existence, including the FAA, FCC, FDA, TSA and others. Because according to you, the existence of those is unconstitutional despite nothing in the constitution forbiding them.
Oh yes and that means dissolving 100% of policies ever issued by any governmetn agency, policies are illegal! I didn't know the framers of the constitution meant to illegalize policies! You know that policy the local court house has to require people to fill out certain forms to file certain charges? ILLEGAL! It's not explicitly written in the constitution that they can require you to fill out those forms, so THEY ARE ILLEGAL!
NEWSFLASH: All security is security through obscurity. That password you keep? It only helps because you keep it secret. The only time security through obscurity can be bad is when a) it's non-physical and b) you don't have the resources to review it.
You're suggesting needlessly exposing themselves for absolutely no gain. They have their own experts readily able to analyze defeciencies, they don't need wide public scrutiny which would ultimately just make it easier for people to break it. This is ESPECIALLY true when you're talking about changes which can be very time consuming and cost effective to implement.
While we're at it, let's published detailed blueprints and design information for the security layouts of the whitehouse, CIA headquarters and military installations. Lets also give away the blueprints for designs for all currently classified technology, because we can only improve it our stealth bombers and secret spy tools! Let's reveal all the secret spy methods our CIA agents use, that will help us greatly! Declassify EVERYTHING! Give all secrets to the enemies! Make everything easier!
Since a bunch of people who haven't researched the matter are relying on testimony from the man himself, I have made this automated reply debunking the completely and utter FUD.
There is no secret law. There is the law 49 U.S.C. 114(s)(1)(C) which authorizes the TSA to issue regulations that are kept secret.
Are you going to argue that you are allowed to know the security regulations of, for example, the NSA headquarters? Why should they make it any easier for you to break their security? It is obvious that they have a policy for ID checking, otherwise the the ***airline employees*** (who are the ones that did the actual checks in this case--RTFD) wouldn't be checking IDs. The details of the security procesudres are secret as "sensitive security information," however the actual information that they check IDs in the first place is NOT secret.
He was not punished or arrested. He was simply denied the ability to fly ***unless he underwent a "Selectee" process where he'd undergo more thorough checks in place of an ID***. THat's right, they gave him the chance to fly without ID if they did other checks. He refused. He did not commit a crime. No one is asserting that. He was pressed with no charges.
Quote from an official court document: "Pursuant to 49 U.S.C. 114(s)(1)(C) (2005), the Under Secretary of the TSA "shall prescribe regulations prohibiting the disclosure of information obtained or developed in carrying out security . . . if the Under Secretary decides that disclosing the information would . . . be detrimental to the security of transportation." This information is called "sensitive security information." 49 C.F.R. 1520.5(a) (2005). The Under Secretary classified as SSI "[a]ny security program or security contingency plan issued, established, required, received, or approved by DOT [Department of Transportation] or DHS [Department of Homeland Security], including . . . [a]ny aircraft operator, airport operator, or fixed base operator security program, or security contingency plan under this chapter" and "[a]ny Security Directive or order . . . [i]ssued by TSA." 49 C.F.R. 1520.5(b)(1)(i), (b)(2)(i) (2005)."
Since a bunch of people who haven't researched the matter are relying on testimony from the man himself, I have made this automated reply debunking the completely and utter FUD.
There is no secret law. There is the law 49 U.S.C. 114(s)(1)(C) which authorizes the TSA to issue regulations that are kept secret.
Are you going to argue that you are allowed to know the security regulations of, for example, the NSA headquarters? Why should they make it any easier for you to break their security? It is obvious that they have a policy for ID checking, otherwise the the ***airline employees*** (who are the ones that did the actual checks in this case--RTFD) wouldn't be checking IDs. The details of the security procesudres are secret as "sensitive security information," however the actual information that they check IDs in the first place is NOT secret.
He was not punished or arrested. He was simply denied the ability to fly ***unless he underwent a "Selectee" process where he'd undergo more thorough checks in place of an ID***. THat's right, they gave him the chance to fly without ID if they did other checks. He refused. He did not commit a crime. No one is asserting that. He was pressed with no charges.
Quote from an official court document: "Pursuant to 49 U.S.C. 114(s)(1)(C) (2005), the Under Secretary of the TSA "shall prescribe regulations prohibiting the disclosure of information obtained or developed in carrying out security . . . if the Under Secretary decides that disclosing the information would . . . be detrimental to the security of transportation." This information is called "sensitive security information." 49 C.F.R. 1520.5(a) (2005). The Under Secretary classified as SSI "[a]ny security program or security contingency plan issued, established, required, received, or approved by DOT [Department of Transportation] or DHS [Department of Homeland Security], including . . . [a]ny aircraft operator, airport operator, or fixed base operator security program, or security contingency plan under this chapter" and "[a]ny Security Directive or order . . . [i]ssued by TSA." 49 C.F.R. 1520.5(b)(1)(i), (b)(2)(i) (2005)."
Since a bunch of people who haven't researched the matter are relying on testimony from the man himself, I have made this automated reply debunking the completely and utter FUD.
There is no secret law. There is the law 49 U.S.C. 114(s)(1)(C) which authorizes the TSA to issue regulations that are kept secret.
Are you going to argue that you are allowed to know the security regulations of, for example, the NSA headquarters? Why should they make it any easier for you to break their security? It is obvious that they have a policy for ID checking, otherwise the the ***airline employees*** (who are the ones that did the actual checks in this case--RTFD) wouldn't be checking IDs. The details of the security procesudres are secret as "sensitive security information," however the actual information that they check IDs in the first place is NOT secret.
He was not punished or arrested. He was simply denied the ability to fly ***unless he underwent a "Selectee" process where he'd undergo more thorough checks in place of an ID***. THat's right, they gave him the chance to fly without ID if they did other checks. He refused. He did not commit a crime. No one is asserting that. He was pressed with no charges.
Quote from an official court document: "Pursuant to 49 U.S.C. 114(s)(1)(C) (2005), the Under Secretary of the TSA "shall prescribe regulations prohibiting the disclosure of information obtained or developed in carrying out security . . . if the Under Secretary decides that disclosing the information would . . . be detrimental to the security of transportation." This information is called "sensitive security information." 49 C.F.R. 1520.5(a) (2005). The Under Secretary classified as SSI "[a]ny security program or security contingency plan issued, established, required, received, or approved by DOT [Department of Transportation] or DHS [Department of Homeland Security], including . . . [a]ny aircraft operator, airport operator, or fixed base operator security program, or security contingency plan under this chapter" and "[a]ny Security Directive or order . . . [i]ssued by TSA." 49 C.F.R. 1520.5(b)(1)(i), (b)(2)(i) (2005)."
Since a bunch of people who haven't researched the matter are relying on testimony from the man himself, I have made this automated reply debunking the completely and utter FUD.
There is no secret law. There is the law 49 U.S.C. 114(s)(1)(C) which authorizes the TSA to issue regulations that are kept secret.
Are you going to argue that you are allowed to know the security regulations of, for example, the NSA headquarters? Why should they make it any easier for you to break their security? It is obvious that they have a policy for ID checking, otherwise the the ***airline employees*** (who are the ones that did the actual checks in this case--RTFD) wouldn't be checking IDs. The details of the security procesudres are secret as "sensitive security information," however the actual information that they check IDs in the first place is NOT secret.
He was not punished or arrested. He was simply denied the ability to fly ***unless he underwent a "Selectee" process where he'd undergo more thorough checks in place of an ID***. THat's right, they gave him the chance to fly without ID if they did other checks. He refused. He did not commit a crime. No one is asserting that. He was pressed with no charges.
Quote from an official court document: "Pursuant to 49 U.S.C. 114(s)(1)(C) (2005), the Under Secretary of the TSA "shall prescribe regulations prohibiting the disclosure of information obtained or developed in carrying out security . . . if the Under Secretary decides that disclosing the information would . . . be detrimental to the security of transportation." This information is called "sensitive security information." 49 C.F.R. 1520.5(a) (2005). The Under Secretary classified as SSI "[a]ny security program or security contingency plan issued, established, required, received, or approved by DOT [Department of Transportation] or DHS [Department of Homeland Security], including . . . [a]ny aircraft operator, airport operator, or fixed base operator security program, or security contingency plan under this chapter" and "[a]ny Security Directive or order . . . [i]ssued by TSA." 49 C.F.R. 1520.5(b)(1)(i), (b)(2)(i) (2005)."
It's not a secret law. As I outlined in my other comment, it's a law that allows the TSA to issue secret "security directives." This basically just means they have some procedural policies whose details are kept secret. It would be completely DISHONEST to suggest that these policies don't actually include requiring ID checks, as ID checks are the de facto standard for airports for a long time, before the TSA existed.
So it's obvious that they require ID in the directives, since all employees are required to do it, it's just the details of the procedures they follow in checking IDs/looking at x-ray scans/whatever are secret. That seems reasonable to me, in the same way that you keep other security information classified. Do you think the government should be forced to release information on the details of security for military installations, the CIA/NSA headquarters and so forth?
I don' think so. It unreasonably compromises security and for no good reason. The fact that the system isn't perfect doesn't mean it's worthless. Yes, some people got through with real IDs, but you don't know how many others were deterred from either stealing someone's ticket or from comitting a terrorist act. IDs are meant to be a casual deterrant and it's clear that these terrorists were extremely determined.
In any case, what benefit do you get from knowign the procedures? You knwo that they know your identification information. You know they run a check to make sure you're not on a No Fly l ist. Beyond that, what do you need to know about airport policies?
The ninth amendment ONLY applies when there isn't a law authorizing the government entity to restrict something, but in this case there clearly and obviously is. Pursuant to 49 U.S.C. 114(s)(1)(C), the Transport Security Administration has the authority to issue secret regulations regarding security procedures at airports.
If you read the sources provided, it becomes abundantly clear that not only does the TSA have authority to issue regulations, but that (DUH) they have regulations requiring ID unless you're willing to go through other more thorough searches (which Gilmore was offered as a "Selectee").
Did you honestly think that there weren't laws in place authorizing the TSA to issue such policies? You'd have to be a moron, especially if you're a paranoid conspiracy nut, to not realize that such policies would exist.
These were all enforced by Southwest and United Airlines employees. They required ID even before these regulations anyway and constitutional rights don't apply to private organizations so it would be a moot point anyway.
Applicable here are the TSA identification policy, CAPPS and CAPPS II, and No-Fly and Selectee lists.
Here is some information obtained from an official court document (linked below): *"The airline security personnel could not, according to the Government, disclose to Gilmore the Security Directive that imposed the identification policy because the Directive was classified as "sensitive security information" ("SSI")."
*3. Pursuant to 49 U.S.C. 114(s)(1)(C) (2005), the Under Secretary of the TSA "shall prescribe regulations prohibiting the disclosure of information obtained or developed in carrying out security . . . if the Under Secretary decides that disclosing the information would . . . be detrimental to the security of transportation." This information is called "sensitive security information." 49 C.F.R. 1520.5(a) (2005). The Under Secretary classified as SSI "[a]ny security program or security contingency plan issued, established, required, received, or approved by DOT [Department of Transportation] or DHS [Department of Homeland Security], including . . . [a]ny aircraft operator, airport operator, or fixed base operator security program, or security contingency plan under this chapter" and "[a]ny Security Directive or order . . . [i]ssued by TSA." 49 C.F.R. 1520.5(b)(1)(i), (b)(2)(i) (2005).
4. The No-Fly and Selectee lists are Security Directives. They were issued by TSA pursuant to 49 U.S.C. 114(l)(2)(A) (2005), which authorizes the TSA Under Secretary to issue Security Directives without providing notice or an opportunity for comment in order to protect transportation security.
"I have no leverage to end slavery, but I'll still hold slaves because if I expose them to Western culture and Christianity I've done them a service."
No, because they're abusing people in that case. Google is simply providing a limited version of a service that otherwise wouldn't be there. They have no authority to censor anyone but themselves. "Western cultre and Christianity" doesn't even come into it as an analogy, because Google offers information on a wide variety of topics.
For that analogy to work, the slaveholders would have to somehow enslave themselves (if that were possible) and they decided to do business with people who owned slaves, while simultaneously providing a helpful service for those slaves.
THat's been said time and time again and I've always pointed out that Wikipedia has trouble handling the load even without a Slashdotting. Haven't you witnessed its constant slowness and frequent bouts of database errors? On-peak hours it takes a beating and they're always playing this cat-and-mouse game where they keep adding more servers to prevent those things from happening.
Slashdot Mirror
The more they regulate and litigate the worse things get here.
Then why have violent crime rates dropped drastically since the 60s? I suggest you do actual research before making open-ended statements. A quick look at crime statistics shows this.
It seems to me, that we've only gotten freer and safer over time. Care to prove otherwise?
The difference is that this is a piece of software which runs on an individual person's computer.
"How is this any better than somesite.com, a normal anonymizing proxy?" This is nothing new.
What the govt can't do, is find out every IP address on the internet
running this software and block it.
They've done it with Tor, making it very difficult to find open nodes.
In an emergency people would let eachother out anyway, so it's kind of a silly point to make. It's not like someone would be an asshole and not leave the door open. And as you said, there are override systems. I'm pretty sure that they're legally required to have fire escape plans anyway.
Oh and it is an issue of egress rights. You design the door layouts so that if you can get into a given room, there's always and exit route that doesn't require any keys (the other side of the doors). So even if someone lets you in through say, doors A, B, and C, you can always exit the building through C, B, and A (opposite order).
If I was going out (buy groceries, meet with friends) I would probably avoid taking any un-needed keys or items.
That's pretty optimistic given that the whole purpose of an implant is to prevent employee screwups like that. Oh and screw ups happen, A LOT.
Not that it matters much, since they'll be spending a long time outside carrying it around because it's not like they make constant trips home. With the generation 1 RFID devices, which VeriChip is, all you have to do is walk by them while they have it on their keychain. Snap! You've gotten it.
A very unlikely scenario, why would someone who finds it want to break into your data center and pretend to be an employee whose identify they do not know.
Why would someone who happens to run across a guy with an implant want to break into your data center? BECAUSE THEY'RE FOLLOWING YOU. The same applies to both implants and non-implants. Exercise some critical thought here.
You think the idea of employees sharing keys is some great idea you didn't think of? Ok, why would they share keys? The only reason is if they forgot to bring it. Then, duh, that means sometimes they wear it around where they aren't supposed.
You seem to also forget that there is more than the main entrance to protect. There are different protected areas within a company. Employee A, with acess to a highly protected area, leaves his key lying around by accident. Employee B snags it, uses it and returns it. This is ignoring the added possibility of cloning.
All this before the company is alerted to the loss and disabled the key in question.
Before they're alerted that someone stood near a key for 3 seconds? How long before someone would use a key if they stole it anyway?
A more likely scenario, but still unlikely, scenario is some sort of planned theft of the key.
Theft is not needed for cloning, genius. If theft of the key was an issue, it would be one that would be thwarted by an implant. Remember, the only way to steal an implanted key is to CLONE it. If we are dealing with people who can clone, then none of what you say matters for non-implants.
It seems trivial to build one into the keychain, something that you can't do with an implant.
Trivial and yet not used. As you already conceded, people don't do well when handling keys, they forget to bring them. They also forget to cover them up. Honestly, how many regular people do you think abide by best practices? They have to remember to do it all the time, even if they choose to do it. It effectively reduces it to a keycard, in any case. Plus someone could always monitor the signals when it's used.
I already mentioned that it relatively trivial to block the tag when not needed.
It's also trivial to screw up and not use one.
Heck, you may even be able to get the thing to auto-disable itself when you leave the premises and require a manual re-enabling (turn a ring or something) once you enter them again.
Heck, you could even use a keycard!
I do have to admit your reply was funny, you go on about all of this and yet don't even get the most trivial hole in what I said (someone else did).
Oh I forgot, the unlikely scenario of employees willingly swapping keys, which doesn't actually present a security risk unless you take into account my asessment.
Of course, that would require thinking about why they use this stuff (I didn't think too much about this given it's Slashdot and all) and you seem to be unable to perform such abstract thought.
Does "abstract" mean "retarded" in this case? Aside from assuming that employees abide by best secrity practices, you also neglected that there isn't necessarily one level of access for the entire building.
Remember, it only takes one to get into the building. And you're, by default, assuming that they have RFID cloning technology. This is also ignoring that you've effectively reduced it to a keycard.
So before I needed to get close to an object (whatever had the rfid tag) which under normal circumstances an employee would not be carried around (say they were going home or something)
...you didn't think this through, did you?
Who doesn't carry their keychain around all of the time that they're out of the house? The only time people take off their keychains is usually if they're AT home. An attacker stealing RFID is unlikely to want to or even gain an advantage by following them into their home. Besides, if you can get into their home, they're screwed in a variety of ways.
With an RFID keychain, you have the disadvantage of mistakenly taking it off somewhere and leaving it unattended. That's a weakness that an implant addresses.
could have it in a reader blocking case.
How many people actually put a block around their keychain?
Now, I simply need to get close to an employ anywhere at any time to copy their data.
That's an advantage, not a disadvantage. If an employee takes their keychain off and leave it unattended, that's a vulnerability.
Fucking brilliant, now I can steal their tag without anyone ever knowing, whereas before they'd know it was gone in a reasonable amount of time (I'd have to steal the physical object most likely).
HHAHAHAHA. Way to contradict yourself. With the non-implant version, they have to physically steal it, but with the implant version, they don't? That doesn't make any sense; it's the same technology. If you can steal it by coming near them and recording the transaction (and this can be done easily with all but the public key crypto forms which require you being near the 'official' reader), then it applies in both cases. Same technology.
For less than they paid for the RFID system, they could have hired someone to log people in and out of the data center.
So, you know the costs of RFID systems and have done a cost-analysis? Show it to me. RFID means a couple of thousand dollars for the intial equipment and a few bucks per implant. Sounds pretty damn cheap to me.
Additionally, I question the validity of a system that restricts access to only those with an implant during disaster situations (fire, flood, and worse) where access rights and needs are rather different than in normal situations.
Ever heard of the concept of a lock working only one way? I have doors in my house that do that. You can open from one side without a lock, but not the other. Surely such an electronic equivalent would require Space Age technology worth BILLIONS!
Good security costs a lot of money, and you cannot replace the human element in the security chain.
And here you are, suggesting that we go the discounted method. Not the they're removing the human element from the entire security chain.
The RFID schemes won't prevent anyone following an authorized person into the data center, unless there is physical restrictions that would make working in the data center dangerous during emergencies.
Uh, how about the person noticing that some other random person is following them in? Or are these people blind and deaf? Sorry, didn't want to make assumptions about disabilities. And what the hell does following someone in have to do with emergencies?
In this case, the $10/hour guard is more flexible and cheaper than the high-tech answer, and more respectful of humans in general... or at least I think so
What happened to good security costs money? That's what they pay a higher level mcdonalds worker. Do you really want such an incompetent moron guarding everything? One who could be easily tricked, mind you.
VeriChip has been cracked. That's only because it didn't use cryptography. JHU researchers have cracked the Exxon Mobil Speedpass [research link] cryptographic RFID devices using brute force. It took 15 mintes per key, but this required 16 $200 FPGAs ($3200) working in parallel.
Ignoring the time taken to reverse engineer the protocol, it also requires extra equipment to do the analysis for the actual reverse engineering. To my knowledge, no code has been published publically.
At this point in time, it seems that cryptographic RFID devices, despite being cryptographically weak, are pretty secure from a practical standpoint due to a level of sophistication require to execute attacks currently.
Plus I must wonder a) how close you have to be to read/activate VeriChip devices and b) if the readers are inside of a faraday cage when they enter the facility. At the very least, this will remove the possiblity of using lost keys or ones that were left lying around unattended.
In other words, a more casual thief who knows little to nothing about RFID. He has to know how to clone it and your average thieve doesn't know how to do that. I love it when so-called "security experts" overlook the obvious because they think that security risk asessment means assuming that they must assume all of their attackers are very sophisticated.
Of course, being ignorant of RFID, you also didn't know that there are cryptographic forms of RFID. These don't transmit the same number every time they're pinged. So, of course, you have no idea what you're talking about. Using non-off-the-shelf and/or expensive technology which takes a great degree of sophistication to develop, you can crack after many hours of computation.
But hey, you're the security expert, this is probably all trivial with the latest RFID cracking and cloning devices you can buy at Wal-Mart.
Now the real question is, does VeriChip use cryptography? I know the answer, but it's clear you didn't even bother to check before making your generalizations.
Remember, they have to send this using your personal internet connection. They obviously can't be sending the gigabytes of data required for a regular GDS search nor required to reconstruct that much. Then again, it's probably enough just to get some import documents.
I say to reverse engineer the protocol and use it as essentially an inifnite internet storage space. Encrypt your data, of course.
Oh yeah, couldn't google encrypt the information client side to prevent abuse?
If it doesn't, then we can document when their user-agent is obeying it and ban that user agent completely. If they fake that user-agent, it can be detected because suddenly you'll see an alleged MSIE client downloading tons of pages from your website. If they try faking a real search engine, then we can just compare those ips against those known to actually be owned by the search engine company.
We can even keep a complete database of all IP addresses of indexing government computers.
Wikipedia says the controversy raises questions about whether it is ethical for those with a vested interest in the subject to edit entries about it.
The irony of this statement! Just a while ago the Wikipedia community was defending Jimmy Wales as he made controversial and factually incorrect edits to his article. Talk about double standards.
That won't happen. About a week ago LJ change its cookie scheme. This scheme places a cookie on www.livejournal.com which is what is required to post anything and to change account settings. All journals are under some other hostname, so it is impossible to use XSS to get that www.livejournal.com (ljmastersession) cookie unless a bug in a browser breaks its own security model (that's beyond the scope of anything a a website can do though). The also use HTTPOnly cookies for MSIE, which means that none of the cookies can be stolen for IE either (it's funny that Firefox refuses to implement this great idea just out of petty Microsoft hatred).
These new filters they're testing right now will include whitelisting of CSS. Whitelisting, of course, is a very powerful mechanism to mitigate XSS as well. This is in addition to potentially hosting all CSS on their servers.
Not just that, but they have implemented other features recently. One allows you to view recent logins. Another ties cookies to your subnet (in addition to the optional login option which lets you bind it to a specific ip). You can no longer change your e-mail address on your account without your password.
So LJ has now put quite a few mechanisms in place make things more secure. So please, before ignorantly suggesting that they go back and "design it correctly," maybe you should actually READ about all the new security features implemented, including the new ones that they're testing now. But hey, I don't expect a Slashdotter to actually read and research so they know what the fuck they're talking about. After all, if LJ has a contest, it's NOT AT ALL POSSIBLE that they're testing new features that you can easily read about.
Did you not honestly know in advance that you needed an ID? Everyone knows that. Now you're either lying our just plain stupid.
People "aren't being made to disappear." I see no example of someone being detained under a secret law.
As for regulations, you DO know about the parts that affect you. You know that you need to show ID, go through metal detectors and so forth. You can't honestly claim that you didn't know that you needed to show IDs at an airport, it's been a de facto standard practice for decades. So what part of the regulations that affect you DON'T you know about?
P.S. That supposed quote from Bush about the constitution is a myth. It was rumored to have been said in a private meeting and leaked by some staffer. However, ABSOLUTELY NOTHING was able to confirm it as an authentic quote nor that it was even leaked by a staffer.
The fact that he wasn't "punished" this time doesn't mean that people won't be thrown into prison or just made to disappear when they refuse to bow down to secret "regulations" in the future.
Wild, unfounded and paranoid speculation.
Yes! Absolutly an "regulation" that effects me I have a right to know about!
Glad to see that you want to give away all of our classified information to our enemies. You *definitely* need information on how to infiltrate the NSA headquarters. Yeah. That's totally a constitutional right. And giving that information out will be so helpful.
The scenario that I outlined would have been laughable prior to the Bush Administration but now it's a real and dangerous possibility!
It's still laughable, as it's never happened.
Yes, that's pretty much how it works, unless the constitution specifies that the government isn't allowed to pass certain laws. Please find me the part of the constitution which prohibits making laws requiring someone to show an ID at an airport. Until you can do that, you have no point.
By the way, please go campaign to dissolve every single regulatory government agency in existence, including the FAA, FCC, FDA, TSA and others. Because according to you, the existence of those is unconstitutional despite nothing in the constitution forbiding them.
Oh yes and that means dissolving 100% of policies ever issued by any governmetn agency, policies are illegal! I didn't know the framers of the constitution meant to illegalize policies! You know that policy the local court house has to require people to fill out certain forms to file certain charges? ILLEGAL! It's not explicitly written in the constitution that they can require you to fill out those forms, so THEY ARE ILLEGAL!
NEWSFLASH: All security is security through obscurity. That password you keep? It only helps because you keep it secret. The only time security through obscurity can be bad is when a) it's non-physical and b) you don't have the resources to review it.
You're suggesting needlessly exposing themselves for absolutely no gain. They have their own experts readily able to analyze defeciencies, they don't need wide public scrutiny which would ultimately just make it easier for people to break it. This is ESPECIALLY true when you're talking about changes which can be very time consuming and cost effective to implement.
While we're at it, let's published detailed blueprints and design information for the security layouts of the whitehouse, CIA headquarters and military installations. Lets also give away the blueprints for designs for all currently classified technology, because we can only improve it our stealth bombers and secret spy tools! Let's reveal all the secret spy methods our CIA agents use, that will help us greatly! Declassify EVERYTHING! Give all secrets to the enemies! Make everything easier!
Since a bunch of people who haven't researched the matter are relying on testimony from the man himself, I have made this automated reply debunking the completely and utter FUD.
There is no secret law. There is the law 49 U.S.C. 114(s)(1)(C) which authorizes the TSA to issue regulations that are kept secret.
Are you going to argue that you are allowed to know the security regulations of, for example, the NSA headquarters? Why should they make it any easier for you to break their security? It is obvious that they have a policy for ID checking, otherwise the the ***airline employees*** (who are the ones that did the actual checks in this case--RTFD) wouldn't be checking IDs. The details of the security procesudres are secret as "sensitive security information," however the actual information that they check IDs in the first place is NOT secret.
He was not punished or arrested. He was simply denied the ability to fly ***unless he underwent a "Selectee" process where he'd undergo more thorough checks in place of an ID***. THat's right, they gave him the chance to fly without ID if they did other checks. He refused. He did not commit a crime. No one is asserting that. He was pressed with no charges.
Quote from an official court document: "Pursuant to 49 U.S.C. 114(s)(1)(C) (2005), the Under Secretary of the TSA "shall prescribe regulations prohibiting the disclosure of information obtained or developed in carrying out security . . . if the Under Secretary decides that disclosing the information would . . . be detrimental to the security of transportation." This information is called "sensitive security information." 49 C.F.R. 1520.5(a) (2005). The Under Secretary classified as SSI "[a]ny security program or security contingency plan issued, established, required, received, or approved by DOT [Department of Transportation] or DHS [Department of Homeland Security], including . . . [a]ny aircraft operator, airport operator, or fixed base operator security program, or security contingency plan under this chapter" and "[a]ny Security Directive or order . . . [i]ssued by TSA." 49 C.F.R. 1520.5(b)(1)(i), (b)(2)(i) (2005)."
Read this comment for more information.
Since a bunch of people who haven't researched the matter are relying on testimony from the man himself, I have made this automated reply debunking the completely and utter FUD.
There is no secret law. There is the law 49 U.S.C. 114(s)(1)(C) which authorizes the TSA to issue regulations that are kept secret.
Are you going to argue that you are allowed to know the security regulations of, for example, the NSA headquarters? Why should they make it any easier for you to break their security? It is obvious that they have a policy for ID checking, otherwise the the ***airline employees*** (who are the ones that did the actual checks in this case--RTFD) wouldn't be checking IDs. The details of the security procesudres are secret as "sensitive security information," however the actual information that they check IDs in the first place is NOT secret.
He was not punished or arrested. He was simply denied the ability to fly ***unless he underwent a "Selectee" process where he'd undergo more thorough checks in place of an ID***. THat's right, they gave him the chance to fly without ID if they did other checks. He refused. He did not commit a crime. No one is asserting that. He was pressed with no charges.
Quote from an official court document: "Pursuant to 49 U.S.C. 114(s)(1)(C) (2005), the Under Secretary of the TSA "shall prescribe regulations prohibiting the disclosure of information obtained or developed in carrying out security . . . if the Under Secretary decides that disclosing the information would . . . be detrimental to the security of transportation." This information is called "sensitive security information." 49 C.F.R. 1520.5(a) (2005). The Under Secretary classified as SSI "[a]ny security program or security contingency plan issued, established, required, received, or approved by DOT [Department of Transportation] or DHS [Department of Homeland Security], including . . . [a]ny aircraft operator, airport operator, or fixed base operator security program, or security contingency plan under this chapter" and "[a]ny Security Directive or order . . . [i]ssued by TSA." 49 C.F.R. 1520.5(b)(1)(i), (b)(2)(i) (2005)."
Read this comment for more information.
Since a bunch of people who haven't researched the matter are relying on testimony from the man himself, I have made this automated reply debunking the completely and utter FUD.
There is no secret law. There is the law 49 U.S.C. 114(s)(1)(C) which authorizes the TSA to issue regulations that are kept secret.
Are you going to argue that you are allowed to know the security regulations of, for example, the NSA headquarters? Why should they make it any easier for you to break their security? It is obvious that they have a policy for ID checking, otherwise the the ***airline employees*** (who are the ones that did the actual checks in this case--RTFD) wouldn't be checking IDs. The details of the security procesudres are secret as "sensitive security information," however the actual information that they check IDs in the first place is NOT secret.
He was not punished or arrested. He was simply denied the ability to fly ***unless he underwent a "Selectee" process where he'd undergo more thorough checks in place of an ID***. THat's right, they gave him the chance to fly without ID if they did other checks. He refused. He did not commit a crime. No one is asserting that. He was pressed with no charges.
Quote from an official court document: "Pursuant to 49 U.S.C. 114(s)(1)(C) (2005), the Under Secretary of the TSA "shall prescribe regulations prohibiting the disclosure of information obtained or developed in carrying out security . . . if the Under Secretary decides that disclosing the information would . . . be detrimental to the security of transportation." This information is called "sensitive security information." 49 C.F.R. 1520.5(a) (2005). The Under Secretary classified as SSI "[a]ny security program or security contingency plan issued, established, required, received, or approved by DOT [Department of Transportation] or DHS [Department of Homeland Security], including . . . [a]ny aircraft operator, airport operator, or fixed base operator security program, or security contingency plan under this chapter" and "[a]ny Security Directive or order . . . [i]ssued by TSA." 49 C.F.R. 1520.5(b)(1)(i), (b)(2)(i) (2005)."
Read this comment for more information.
Since a bunch of people who haven't researched the matter are relying on testimony from the man himself, I have made this automated reply debunking the completely and utter FUD.
There is no secret law. There is the law 49 U.S.C. 114(s)(1)(C) which authorizes the TSA to issue regulations that are kept secret.
Are you going to argue that you are allowed to know the security regulations of, for example, the NSA headquarters? Why should they make it any easier for you to break their security? It is obvious that they have a policy for ID checking, otherwise the the ***airline employees*** (who are the ones that did the actual checks in this case--RTFD) wouldn't be checking IDs. The details of the security procesudres are secret as "sensitive security information," however the actual information that they check IDs in the first place is NOT secret.
He was not punished or arrested. He was simply denied the ability to fly ***unless he underwent a "Selectee" process where he'd undergo more thorough checks in place of an ID***. THat's right, they gave him the chance to fly without ID if they did other checks. He refused. He did not commit a crime. No one is asserting that. He was pressed with no charges.
Quote from an official court document: "Pursuant to 49 U.S.C. 114(s)(1)(C) (2005), the Under Secretary of the TSA "shall prescribe regulations prohibiting the disclosure of information obtained or developed in carrying out security . . . if the Under Secretary decides that disclosing the information would . . . be detrimental to the security of transportation." This information is called "sensitive security information." 49 C.F.R. 1520.5(a) (2005). The Under Secretary classified as SSI "[a]ny security program or security contingency plan issued, established, required, received, or approved by DOT [Department of Transportation] or DHS [Department of Homeland Security], including . . . [a]ny aircraft operator, airport operator, or fixed base operator security program, or security contingency plan under this chapter" and "[a]ny Security Directive or order . . . [i]ssued by TSA." 49 C.F.R. 1520.5(b)(1)(i), (b)(2)(i) (2005)."
Read this comment for more information.
It's not a secret law. As I outlined in my other comment, it's a law that allows the TSA to issue secret "security directives." This basically just means they have some procedural policies whose details are kept secret. It would be completely DISHONEST to suggest that these policies don't actually include requiring ID checks, as ID checks are the de facto standard for airports for a long time, before the TSA existed.
So it's obvious that they require ID in the directives, since all employees are required to do it, it's just the details of the procedures they follow in checking IDs/looking at x-ray scans/whatever are secret. That seems reasonable to me, in the same way that you keep other security information classified. Do you think the government should be forced to release information on the details of security for military installations, the CIA/NSA headquarters and so forth?
I don' think so. It unreasonably compromises security and for no good reason. The fact that the system isn't perfect doesn't mean it's worthless. Yes, some people got through with real IDs, but you don't know how many others were deterred from either stealing someone's ticket or from comitting a terrorist act. IDs are meant to be a casual deterrant and it's clear that these terrorists were extremely determined.
In any case, what benefit do you get from knowign the procedures? You knwo that they know your identification information. You know they run a check to make sure you're not on a No Fly l ist. Beyond that, what do you need to know about airport policies?
The ninth amendment ONLY applies when there isn't a law authorizing the government entity to restrict something, but in this case there clearly and obviously is. Pursuant to 49 U.S.C. 114(s)(1)(C), the Transport Security Administration has the authority to issue secret regulations regarding security procedures at airports.
If you read the sources provided, it becomes abundantly clear that not only does the TSA have authority to issue regulations, but that (DUH) they have regulations requiring ID unless you're willing to go through other more thorough searches (which Gilmore was offered as a "Selectee").
Did you honestly think that there weren't laws in place authorizing the TSA to issue such policies? You'd have to be a moron, especially if you're a paranoid conspiracy nut, to not realize that such policies would exist.
These were all enforced by Southwest and United Airlines employees. They required ID even before these regulations anyway and constitutional rights don't apply to private organizations so it would be a moot point anyway.
Applicable here are the TSA identification policy, CAPPS and CAPPS II, and No-Fly
and Selectee lists.
Here is some information obtained from an official court document (linked below):
*"The airline security personnel could not, according to the Government, disclose to Gilmore the Security Directive that imposed the identification policy because the Directive was classified as "sensitive security information" ("SSI")."
*3. Pursuant to 49 U.S.C. 114(s)(1)(C) (2005), the Under Secretary of the TSA "shall prescribe regulations prohibiting the disclosure of information obtained or developed in carrying out security . . . if the Under Secretary decides that disclosing the information would . . . be detrimental to the security of transportation." This information is called "sensitive security information." 49 C.F.R. 1520.5(a) (2005). The Under Secretary classified as SSI "[a]ny security program or security contingency plan issued, established, required, received, or approved by DOT [Department of Transportation] or DHS [Department of Homeland Security], including . . . [a]ny aircraft operator, airport operator, or fixed base operator security program, or security contingency plan under this chapter" and "[a]ny Security Directive or order . . . [i]ssued by TSA." 49 C.F.R. 1520.5(b)(1)(i), (b)(2)(i) (2005).
4. The No-Fly and Selectee lists are Security Directives. They were issued by TSA pursuant to 49 U.S.C. 114(l)(2)(A) (2005), which authorizes the TSA Under Secretary to issue Security Directives without providing notice or an opportunity for comment in order to protect transportation security.
Sources:
-Gilmore v. Gonzales CV-02-03444-SI Opinion [pdf]
-TSA: How the Process Works
-TSA: Passenger Security Checkpoints
-The Status Of The Computer-Assisted Passenger Prescreening System (CAPPS II)
"I have no leverage to end slavery, but I'll still hold slaves because if I expose them to Western culture and Christianity I've done them a service."
No, because they're abusing people in that case. Google is simply providing a limited version of a service that otherwise wouldn't be there. They have no authority to censor anyone but themselves. "Western cultre and Christianity" doesn't even come into it as an analogy, because Google offers information on a wide variety of topics.
For that analogy to work, the slaveholders would have to somehow enslave themselves (if that were possible) and they decided to do business with people who owned slaves, while simultaneously providing a helpful service for those slaves.
THat's been said time and time again and I've always pointed out that Wikipedia has trouble handling the load even without a Slashdotting. Haven't you witnessed its constant slowness and frequent bouts of database errors? On-peak hours it takes a beating and they're always playing this cat-and-mouse game where they keep adding more servers to prevent those things from happening.