March 29, 2008

Secure ID

Identification card issues have come to my attention lately. The Department of Homeland Security (DHS) is trying to bludgeon states into committing to implementation of Real ID, a yet to be defined system to be implement sometime in the middle of the next decade, at state expense. State governments in the libertarian mountain West and in the cranky Yankee Northeast have passed legislation rejecting participation in the program. DHS has been scrambling to save face by declaring these rejections to be equivalent of apply for an extension in committing to the program. Wyoming Governor Brian Schweitzer dismisses the DHS Sturm and Drang, in particular the threat to declare driver licenses from non-compliant states invalid for getting on a commercial aircraft, as bureaucratic bluffing. I have a DK diary up about Schweitzer's stand.

At the same time, I received email from someone who wanted to know whether he should participate in a new private sector ID card, called FlyClear. The idea is that you get a secure ID, complete with embedded biometric information that is pre-cleared. At the airport, a proprietary device transmit you ID to the current TSA watchlist, confirming that you are not on it. The question from the person sending me the email reminded me that most people don’t understand, at all, how a well designed biometrically driven ID system would work.

A good ID card would be unique and universal. It would contain biometric information encoded, and encrypted, on the card and nowhere else. It should not be stored on a central, (or distributed) database. A digital fingerprint or iris scan should never be transmitted anywhere. The whole ID of a biometric identification mechanism is that it is always with you, and never anywhere else.

The way it would work is you’d swipe your card through a reader, and then put your thumb in the reader. If the thumbprint matches the digital thumbprint that is on the card, then a green light goes on (“The person holding this card is the person whose thumbprint is on the card.”) If anything further needed to be done, like a lookup of your presence on the TSA watchlist, or your card’s available balance checked, then a unique ID assigned to you is transmitted to the entity doing the lookup. The key is that the authentication should always be entirely local, between the card, the reader and physical biometric input.

Storing or transmitting the digitized biometric ID means a copy of your thumbprint exists. But the whole point of using your thumb is that it doesn’t exist anywhere else. Storing or transmitting the digital image creates the possibility that someone else may obtain the digital print, becoming you in the process. Transmission is clearly the greater risk because transmission is necessarily less secure than storage for capturing the digital rendition. Much more important, though, is that with a transmission system, you can no longer be certain that the source of the digital rendition is in fact the physical, analog object being rendered. If you permit a digital image of your thumb to be transmitted, then that transmission can be simulated without your thumb.

How well do the two ID systems I mentioned above implement these design rules? There’s no way to know for sure how the Real ID system will work, because the system isn’t designed yet. However, as Schweitzer points out in an NPR interview that’s linked in the DK diary above, the reliability of the Real ID will only be as good as the identification documents that are used to obtain it. He notes that half a dozen teenagers in a Kinkos can do a reasonable job of forging the birth certificate that is a primary source for the planned Real ID. A more important indication of the quality to expect from a Real ID program (if it is ever implemented, which I strongly doubt) is the way the program is proceeding. Good security tools, like encryption methods, are created with a great deal of public scrutiny. Bureaucratic authoritarians do not use such systems; they tend to prefer what is called security by obscurity working in secret. Security by obscurity is the design philosophy that led to a SONY CD music encryption technology that was cracked by using a magic marker on a disk.

There is a host of other reasons to believe that 50 individual state implementation of “standards” set in Washington will fail.

The FlyClear system is actually pretty good. The biometric information is indeed stored on the card. The authentication process at the airport does indeed consist of local authentication against a digital biometric signature on the card, and then sending of an identification number to a database updated with TSA information. The digital thumbprint is not transmitted, only the ID is. The only problem is that they do store the biometric information in a “secure” database. There is, of course, no such thing. It’s possible to conceive of a series of security measures that one would have to take to be sure that the information is in fact secure, involving complicated measures for protection from everything from disgruntled employees to off-site backups.

They do it this way because it makes creating the end product easier; they have to do a bunch of pre-processing with the TSA before they issue the card. It’s easier if they have the biographical and biometric data in the database, and then create the card, than to create the card first, and then modify it. This also makes it easier to recreate a lost card. (Note that a lost card is of no value to anyone else, and that making a false replacement card request doesn’t do a bad guy any good, because the card is only useful to somebody with the user’s thumbprint.)

I haven’t said a word about DNA here. DNA would indeed play a role in a well-defined identification system, but it won’t work as a biometric authentication method on an ID card, because, unlike your thumb, you leave lots of copies of your DNA everywhere you go. I’ll write something up about how you’d work DNA into a national identification system later on. In the meantime, the one sentence takeaway is “If someone offers you a biometric ID card that does not do its authentication locally, back away slowly.”

If you have any further interest in this topic, and you should, because the numbskulls running DHS have no understanding of good security practice, a good source is Bruce Schneier, who wrote a very good book Secrets and Lies and maintains an excellent web site ( where you can signup for a monthly e-newsletter.

March 22, 2008

On the Democrats' Nomination Process

There's been a lot of tooth-gnashing over the Democratic nominating process. There are complaints that there are too many caucuses, the caucuses are unrepresentative because of low turnout, delegate allocation rules are arcane, the process lasts too long, and on and on. But you have to realize that the nomination process is not about just one objective. If the objective were to pick the most popular candidate among Democrats at a single moment in time, then it would be easy. If the objective were to pick the candidate the party elders thought had the best chance of winning, it would also be easy. The trouble is that those are both objectives, and they are in conflict. The nomination process is replete with conflicting objectives like this. So if you want to talk about what reform should look like next time (and believe me, there will be changes made), you need to keep in mind that the nomination process is not just a method for picking a presidential nominee from a pool of candidates.

You need a process that, among other things:

1) Picks a candidate who reasonably represents the party rank and file

2) Provides an opportunity for low name recognition/low initial money candidates to compete

3) Picks a candidate who has a reasonable chance of winning the general election

4) Provides enough time to assess the relative strengths of candidates, to engage in on-the-job national campaign training and for dirty laundry to be aired.

5) Picks a candidate the party can embrace as a whole, including party leaders and key voting blocs

6) Has reasonably balanced regional appeal

7) Picks a clear winner

8) Grows and strengthen the party

9) Provides an unambiguous nominee

These objectives conflict. 1 and 6 are met by a national primary decided by popular vote, but directly conflicts with 2, 4 and 8, for example. If you think about other systemic change, I think you will see that no method satisfies all these objectives. That’s why the process is constantly being modified, because one or the other objective is not met in most competitive nominating cycles. This year, “picking a clear winner,” which is almost certainly the first and most important objective, is at risk, which is both divisive and upsetting. However, over-reacting to that potential failure is a risk. The last time the party over-reacted, in 1968, it gave Gary Hart’s McGovern campaign an inside track, picking a candidate who was probably not the best choice. In particular, railing about the undemocratic nature of the current process misses the point. It is not just about picking the most popular candidate among the rank and file at a particular moment in time.

For what it's worth, if I were made Democratic Flying Spaghetti Monster for the day I'd drop IA, keep NH, add a primary in a low population state west of the Mississippi shortly after NH. Let those primaries be open. Then I’d divide the rest of the country into quarters by state, randomly, and have closed primaries on the same day, 3-4 weeks apart, winner take all in each state. Delegate allocation identical to the electoral college. Non-state voters, like PR and DC, are assigned delegates proportional to population, and vote in the last superprimary. In the event of no clear winner, a closed national run-off of the top two in delegate count, straight popular vote.

Such a reform would weaken the state parties considerably, which would have to be addressed in other ways. The caucuses create interest, and provide a public and meaningful role for state conventions, especially in low population states. The national convention becomes officially meaningless in the presidential selection process defined here. Any kind of reform will have negative side effects, as thisone does, which reformers need to acknowledge, and deal with, if they are to be taken seriously.

March 21, 2008

Debbie We Hardly Knew Ye

Back in the day, early 2006, when the liberal netroots were trying to get themselves organized, there were some actions organized by different blogs. One of my favorites was the Republican Rubberstamp action, where an enterprising FireDogLaker set up an account at a rubber stamp manufacturer, commissioning a stamp that said "Rubberstamp Republicans."

This was great symbology. In fact, it's become a permanent part of the lexicon, as witness today, when House Intelligence Committee Chairman Reyes called out Crazy US Rep Michelle Bachman for lying about the House version of the FISA legislation in Minneapolis Star-Tribune:

The congresswoman suggests that Democrats should simply pass the bill the Senate approved. But the people have elected us not simply to rubber-stamp the actions of the Senate, but to exercise our judgment and pass bills that are in the best interests of the American people.

One of the netroots' favorite Members also picked up on the symbology. Debbie Wasserman-Schulz gave a great, very funny speech about the stamps, including my favorite bit:

Mr. Meeks has a much bigger rubber stamp.... I feel privileged to hold it, but I don't want to hold it too long, because it will rub off.....The people on the other side of the aisle come into this room, they're checking I don't know their brains, opinions, their convictions at the door."

And now, as a Co-Chair of the Red to Blue Program, Rep Wasserman Schulz seems to have forgotten those rubberstamp days. It seems that, after all, it did rub off.

Two years is about a decade ago in Internet years, but it's just one Congress ago in political years. How can she have forgotten, so quickly, how the members of her delegation refused to stand with her on issue after issue. Instead, they rubberstamped the dictates of the Republican leadership, putting their constituents behind party loyalty on their list of priorities. We have challengers who will represent their constituents. If there are votes, or issues, where they, and Representative Wasserman Schulz feels the need to vote the economic interests of her district, or her region, in opposition to the Democratic leadership, that is something we all can understand.

But to refuse to support Democrats for these seats is to forget those days of the brainless, arm-twisting, deeply corrupt Rubberstamp Congress.

McCain on al qaeda deconstructed

It's taken me a while to figure it out, but last night, during an interview with mcjoan for my Virtually Speaking program, I finally understood what's going on with McCain wrt to Iraq, al qaeda and Iran. What's going on is he is having trouble getting on message. The messaging on Iraq is very tricky, because what the message is supposed to convey is something false, but you're not supposed to actually lie while delivering the message.

So when Bush uttered the 16 words about yellowcake acquired by Iraq, he didn't say that Iraq had acquired yellowcake. He said that British intelligence had reported that Iraq may have acquired yellowcake. This way, the audience took away the yellowcake acquistion, but he could still say that he hadn't lied. Likewise, he didn't say that Iraq had a nuclear weapon, he said that we didn't the first proof to be a mushroom cloud.

When talking about Iraq, al qaeda and Iran, you're supposed to say something like this:

"Waving the white flag of surrender would leave Iraq in a perilous position, with an operational, aggressive enemy of America, al qaeda growing in strength. Likewise, we must remain in place to stop Iran from training extremists in their country, and then sending them across the border to kill American troops. Al qaeda is an existential threat the we must defeat, and we will defeat. This is not the time to give up."

His problem is he keeps forgetting that he's not supposed to put "Iran" and "al qaeda" in the same sentence. It's important to convey, especially to media superstars like Kyra Phillips, that al qaeda and Iran are linked. The Sunni al qaeda is much too fundamentalist to make common cause with the heretic Shi-ites. And Iran, despite its membership in the the "axis of evil" club, doesn't pose any threat to the US. The country does threaten Israel, but given Israel's nuclear capability, even that threat is hyperbolically overstated.

None of the reality of any threat enters into this political manipulation of language. The idea is simple: Say al qaeda, Iran, al qaeda in consecutive sentences. Lieberman understands it; he stepped up during the press conference in Jerusalem and audibly gave him the "extremist" talking point. (Leave aside as well the idea that any Iraqi fighting against an occupying force is an "extremist.")

McCain is either too dumb, or too unused to robotically repeating talking points, to keep straight this very simple strategy of misleading the media, and the voters into believing that Iran, too, in its support of al qaeda, was somehow involved in the 9/11 attacks.

Employees Good, Contractors Bad

There has been a concerted effort by the Bush administration to replace civil service worker with contract employees. I've been hearing about it around the extended family dinner table for years. I have a relative who works for a Federal regulatory agency who has said this has been policy from day 1.

There are good reasons for this, from a Bush perspective, especially wrt regulatory agencies:

1) Directing Federal funds to cronies, as the agency providing the contractor takes its cut. This is obviously a real potential boost to fund-raising.

2) Providing a channel to influence how people working at civil service rather than politically appointed jobs. Contractors have two bosses, the one at the agency, and the one at the office.

3) Weakening institutional memory and stability. By using short-term contractors, the administration makes it more difficult to use agency experience with past events to more wisely deal with current issues.

4) Making it easier to shrink the agency. It's hard to fire civil servants. It's easy no to renew a contract.

5) Making it easier to influence civil servants to break work rules. One of the reasons rules controlling access to, say, passport records, have teeth is that if you do break the rules, and are fired, you stop contributing to your pension, stop accumulating service time toward retirement and are booted out of a great health care plan. If your contract is terminated, all that happens is your employer sends you to some other assignment.

The Obama passport snooping incident is made more suspicious because the perps were contractors. The sanctions that applied to them are weaker than those applied to civil service staff, they could well have more loyalty to the interests of the agency that put them into the job.

Of course, the use of contractors creates the possibility of dirty tricksters penetrating the agency intentionally. It's a lot harder to turn a civil service employee than it is to introduce a mole.

March 20, 2008

Clinton Bets Her Stake

As we watch Clinton try to keep her hopes alive in the minds of the press and the superdelegates, you have both admire her persistence, and shake your head about the train wreck to come.

She had to win on March 4th, take both Texas and Ohio in the primary, and win one of them reasonably big. March 4 was do or die day. She could not afford to think strategically, at all. She had to find a way to take Obama down no matter what it took, and so she adopted the kitchen sink approach. This meant hauling out tactics that would win the OH and TX contests, without regard to what that would mean on March 21. The worst of her positions, the ones that would not stand scrutiny over time, were pulled out on the weekend before the primary.

So, just before the primaries, she pulled out the NAFTA card, with a boost from the Conservative Canadian cabinet. She doubled down on the 35 years experience business, making specific claims about foreign policy initiatives she claimed to have been involved with. Also, if you were in comments sections that weekend you saw what looked like proponents with talking points that included a claim that she was Bill's real Vice President, referring to a metaphor Gail Sheehy used in a Vanity Fair article.

Taken individually, these are all weak arguments. To attack NAFTA was to attack the Clinton administration that she claims as her virtual incumbency. The foreign policy claim was ridiculous; she was not even cleared to read secure cables coming in from embassies around. The nearly VP claim was absurd,especially given the unprecedented role Gore played in the Clinton administration.

One by one, they arguments all kinda suck But taken together, these things were even worse, because she had to claim to be inconsequential on NAFTA, while terribly consequential on Kosovo and that Gore spent his time in office on the equivalent of playing golf with Dan Quayle.

The campaign recognized these were bad arguments, and they dropped them immediately, switching to "ZOMG he's BLACK" and therefore can't win, pitching to the press and to the superdelegates that his race made Obama fundamentally flawed. This was done using surrogates, and does not in the least bit imply that Clinton, or her most prominent surrogate, Geraldine Ferraro, is racist. Clinton was prefiguring the coming race, getting a boost from the cable television constant looping of the Wright content. (Chris Bowers confirms that Clinton is pushing the Wright story.)

Obama's Unity speech ended that attack, at least for now, and answered questions superdelegates had about Obama's capability under fire. However, polling indicates that she has raised doubts among key demographic groups in PA. Obama may not be able to repeat his past performances of closing an initial polling gap to either win, or lose narrowly.

We are in danger what several commentators have called the worst case scenario, a candidate selected in a less than transparent way, or a candidate with lagging, even negative momentum. A lot depends on how Obama's big speeches this week play out in the media over the next week.


There are things you know you shouldn't do. You've done them before, and nothing good came of it. You tell yourself never to do it again. I'm not talking about mind-altering substances, or ill-thought out liaisons that don't look so good just before sunup. I'm talking about reading stuff that makes your brain hurt.

Edward Rothstein, who writes about culture is someone I really try not to read. And when I do forget, and read him, I mentally kick myself and swear never to do it again.

But today I saw the headline, and I had to read it. Mistake, but this time my brain didn't hurt as much as I got angry.

On the death of Arthur C. Clark

He starts out very nicely, actually:

“Absolutely no religious rites of any kind, relating to any religious faith, should be associated with my funeral” were the instructions left by Arthur C. Clarke, who died on Wednesday at the age of 90.

This is, of course, not easy to do. It's very difficult to keep religion out of death. Death's avoidance is at the heart of religious belief, whether it is through personal immortality or immortality through your offspring. So it's a challenge to fend it off.

So what does Rothstein do? He writes about he religious elements of Clarke's work, declaring, at the end:

For all his acclaimed forecasting ability, though, it is unclear whether Mr. Clarke knew precisely what he saw in that future. There is something cold in his vision, particularly when he imagines the evolutionary transformation of humanity. He leaves behind all the things that we recognize and know, and he doesn’t provide much guidance for how to live within the world we recognize and know. In that sense his work has little to do with religion.

But overall religion is unavoidable. Mr. Clarke famously — and accurately — said that “any sufficiently advanced technology is indistinguishable from magic.”

Perhaps any sufficiently sophisticated science fiction, at least in his case, is nearly indistinguishable from religion.

The body of the article is about some of the stories Clarke wrote that had religion in them, like the famous short story "The Nine Billion Names of God" where two computer technicians help an Eastern sect print out all God's names, thereby ending the universe.

Along the way he peddles this tripe:

Mr. Clarke’s writings were the most biblical, the most prepared to amplify reason with mystical conviction, the most religious in the largest sense of religion: speculating about beginnings and endings, and how we get from one to the other.

The fact that Clarke noticed that other people believed in this stuff, and that there was fodder for irony and pathos doesn't make him mystical or religious. Another story he might have mentioned, "The Star," is about a Jesuit astronomer who discovers that the nova that Magi followed destroyed a thriving civilization. (I happen to think this story inspired George RR Martin's "The Way of Cross and Dragon," which is about another Jesuit who has challenges to his faith).

But the fact that Clarke was a keen observer of what motivates people, had the strong sense of irony that makes for a great short story writer--the best of the Golden Age authors at that length--doesn't in anyway make him religious, any more than Larry Niven creating a compelling alien makes him a Pearson's Puppeteer.

It's an insult to Clarke's memory to put his work in this frame, and Edward Rothstein should be ashamed.

Of course, if he knew shame, he wouldn't keep writing.

March 18, 2008


I enjoy give and take in comments. I'm not real big on pronouncements from above. So my blog attempts have always been abortive. But, lately, I find I have more to say, at greater length, than fits into blog posts. So I'm gonna take another crack here.