The author doesn't say the sky is falling, he is commenting on potential privacy-eroding technology (which the US does not legislate against) and some of the links even offer solutions.

RFID tags have been standardized and that is what he is talking about with range-v-size so your reference to large devices is off-topic. One artice (linked I believe) states that a 9 meter ranged prototype for standard RFID tags has been constructed.

If I buy jeans in a store, the store's database will have that meaning next time I walk in (through the electronic security gates most stores have) they can track that I walked in. They can link what I buy and build a profile; if they share the data a la DoubleClick, then quite a profile can be collected. Anytime ID is taken and someone has a purse or handbag with an RFID tag, there is the potential for linking this data.

This is the privacy concern but it is not a sky-is-falling prophecy. Even if the ID-person match is not available, tracking where a pair of jeans goes can reveal advertiser-interesting data. The whole concern is after-checkout tracking (which will be valuable).

Why couldn't tires be checked at border crossings and then at toll booth stops (or traffic lights or what have you). If I was the INS, I would think about this for tracking the cars of visitors to ensure that they did not stay too long -- or track criminals -- or simply as an alternative way to pay tolls -- or to pay for gas -- or to track rental cars.

If you open your mind just a bit, you will realize that RFID technology is really neat and it has a lot of potentials. Security practitioners (CISOs, security administrators, security analysts, firewall specialists, etc. etc. save privacy compliance officers) will not need to pay professional attention to the risks of RFID given that they have limited resources and there are many wiser places to use them (ie. get rid of the low hanging fruit before worrying about the next big problem).

However, policy makers and citizens should be concerned about such things as well as the manufacturers and users (so they can have more secure alternatives ready to sell in those situations where such alternatives make sense).

About my byline: You engaged in your comment in an opening hard criticism of the author and by including your company in your signature, implicated these rude and ill-considered views to those of your employer. There is no reason to ignore security against liability and bad press and taking a dump on the author is quite uncalled for. There is nothing wrong with summarizing other work and linking to it.

I have also found that CISSPs tend to have the required knowledge, maybe some business skills or ambition but not necessarily strong analytical skills, background, and the ability to view the big picture. I had one CISSP come to me who thought DES was an inherently insecure cryptographic algorithm and challenged me when I said it was a good algorithm save that the bitlength is too small -- hence triple-DES (and then I went on to explain in my presentation about why three-key triple-DES is not the same strength as an algorithm with triple the bit length) in a presentation on the business uses of cryptography.

You definately prove the point in your last sentence.

- A former applied cryptographyer/security analyst at a large bank

[ reply ]

Link to this comment: http://www.securityfocus.com/comments/columns/169/20693#20693