** some security compromise suggestions

Topics: foreign policy
28 Sep 2001

From: Ervan Darnell

It was obvious from the moment of the terrorist attack of Sep 11 that we would be losing not only security, but civil liberties and substantial wealth as well. In the case of civil liberties, I have some suggestions, mostly technological approaches, for how to minimize the loss while achieving most of the security goal that full compromise would achieve.

1) A law, or possibly amendment, that says "no information gained via anti-terrorist laws or procedures can be used for any domestic law enforcement purpose, neither as evidence at trial nor as cause for obtaining a warrant." Search intrusively if you must, but don't let the random drug find be used. Of course, enforcing such a rule is probably difficult. As Dan L. pointed out, this was already de facto the case with the spooks operating outside the law but only interested in national security issues. Perhaps the best that could be made of this is to expand CIA jurisdiction (ugh), without expanding that of local law enforcement.

2) Why the heck can transponders in commercial planes be disabled? They should be in the nose cone or somewhere that no one can access them during flight. Any transponder that ceases to function or reports a deviance from the planned flight route results in a military jet being scrambled.

3) The black box data, instrumentation and voice, should be broadcast continually. Why worry about recovering the black box? All too often we fail to find it. Of course, that transmission would need to be encrypted. Also, the pilots deserve some sense of privacy, even while on the job in the cockpit. That could be addressed by having such transmissions all recorded at a central place (e.g. FAA in D.C.) and only they have the keys to decrypt the transmission. We could set whatever standard seems most appropriate (e.g. crashes or hijack code is sent or plane deviates from flight plan) to then tap those conversations.

I suppose there used to be a technological question of allocating enough radio frequencies for all commercial traffic. That should no longer be an issue. A direct application of TDMA cell phone technology could carry all black box conversations on only a couple of frequencies.

4) Biometrics for the pilots: build yokes that monitor fingerprints. Before every flight, the airline must program the yoke to accept only those people designated to fly this plane (and it can only be done in such a way that no one on board can change it). Any other hands on the yoke would cause the plane to revert to level-flying auto pilot. I suppose there is some small risk that both the pilot and co-pilot die, terrorists are not in control, and some passenger could fly the plane. There is also some risk that the identification system could fail to operate. In those cases, ground control should be able to remotely release the biometric yoke, after scrambling a jet. One might worry about a dual failure, where the identification system fails and ground control cannot send the disable signal because the radio receiver on the plane is broken. To address that, the default could be reversed. The ground must continuously send a signal saying "do/do not respect the biometrics". If that signal is absent, normal control would be returned. No terrorist could rely on that sort of double failure happening on any given flight.

5) Guns: yes, have pilots carry guns, with the same restriction: biometric grips so that terrorists cannot arm themselves once on the plane. For that matter, have one in the tail too so that some particular flight attendant can access it. That makes the lone hijacker almost impossible.

6) Mandatory avoidance: This was Cormac's idea as filtered by me. Put a database of all tall buildings, etc. into the plane and coordinate it with the GPS. Have the plane refuse to fly near any of those places. The GPS could fail. Generally, GPS units know they are failing. Use two. The probability that both fail, both report they are not failing, and that both report the same wrong coordinates is incredibly low. If any of those conditions are not met, the avoidance system is disabled. And, as in the previous suggestion, the mandatory avoidance system could be arranged to be enabled only so long as a positive signal is received from ground control. At air traffic control's discretion, it could be disabled and a jet scrambled.

There is another risk: the avoidance computer could fail positively and grab the controls (no matter what the database or GPS says), steering the plane wildly. In part, this issue has already been settled as the modern Airbuses are "fly by wire" (meaning it's all electronically controlled servos and not hydraulic/mechanical linkages to the flight control surfaces). That seems to be reliable. Obviously the cut-off signal should be on the safe side of the avoidance computer, but there would remain some small risk of another control layer failing.

I think there is one pilot on the mailing list, perhaps he will comment on these suggestions.

7) Zero information national ID cards. It appears that most of the suicide bombers were in this country illegally. That has prompted calls for national ID cards. We could make cards that have a picture, a thumbprint, current status (e.g. citizen, H-1, tourist visa), a valid date, and nothing else, no birthday, no name, no SSN. The card then contains a cryptographically secure hash code of the information. The police, airport security, etc. are provided with "verifiers" that scan your thumb, the code on the card, and verify you are that person, but they know nothing else about you. The verifiers could be made by a single (or limited) national source, and given to civil liberties groups to reverse engineer and guarantee their properties. The hash code would be a trap-door cipher. Seizing and reverse-engineering a verifier would not allow one to produce a fake ID. The actual production of IDs could be distributed, but a central service would have to dispense the actual hash code (e.g. the local DMV scans the info, sends it securely to the FBI, which then replies with the hash code to stamp into the license). Even a security breach at the DMV would not compromise the system.

Ultimately, the master encryption password would leak out, so the cards would have to be updated periodically with new keys and hash codes.

Of course, the police could quietly track that hash code D503DEADBEEF was here, then there, then went to the airport where he showed a driver's license and now we know who he is. They would have to reverse engineer the verifier or build their own scanner to make this happen, and presumably that would be illegal. Keeping it that way would be the trick. With a more expensive card with a built-in computer (and not just static information), it could use a challenge protocol where the actual ID exchanged is different every time, but verifiable, and yet the full sequence of such challenges is not predictable (short of breaking the crypto). Then, there would be no way to track a person by serial #. For the tech people on this list, I'm thinking of "zero knowledge proofs", though perhaps that's overkill. It might be adequate simply to hash the date as part of the protocol (but then clock skew requires some careful thought).
===============================================================
Ervan Darnell |"Term limits are not enough.
ervan@kelvinist.com | We need jail."
http://www.kelvinist.com/ | -- P.J. O' Rourke
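The signed-card scheme from item 7, as an added example that is not part of the original post: the central service signs the card's record (status, valid date, thumbprint hash, nothing else) with a private key; verifiers hold only the public key, so a seized verifier cannot mint a card; altering any field or signing with another key fails verification; and, as the tracking paragraph warns, a static signature is still a serial number that links every presentation of the same card. The code uses Go's standard crypto/ed25519 in place of the post's unspecified "trap-door cipher"; the record layout, the fingerprint-as-hash matching, and all sample values are assumptions constructed for this example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"time"
)

// CardRecord is the "zero information" payload from item 7: a status, a
// valid date and a hash of the holder's thumbprint template. No name,
// birthday or SSN. The field layout is an assumption made for this example.
type CardRecord struct {
	Status     string // "citizen", "H-1", "tourist visa", ...
	ValidUntil time.Time
	ThumbHash  [32]byte // SHA-256 of the enrolled fingerprint template
}

// encode serialises the record deterministically so the issuer and every
// verifier sign and verify exactly the same bytes.
func (r CardRecord) encode() []byte {
	var buf bytes.Buffer
	binary.Write(&buf, binary.BigEndian, uint16(len(r.Status)))
	buf.WriteString(r.Status)
	binary.Write(&buf, binary.BigEndian, r.ValidUntil.Unix())
	buf.Write(r.ThumbHash[:])
	return buf.Bytes()
}

// Card is what gets stamped on the plastic: the record plus the central
// authority's signature over it (standing in for the post's trap-door hash code).
type Card struct {
	Record CardRecord
	Sig    []byte
}

// Issuer is the central service holding the private key. Local DMVs send it
// records and receive signatures back; they never hold the key themselves.
type Issuer struct{ priv ed25519.PrivateKey }

// NewIssuer generates the signing key and returns the public half for verifiers.
func NewIssuer() (Issuer, ed25519.PublicKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return Issuer{priv: priv}, pub
}

// Issue signs a record; this is the only place a valid card can come from.
func (i Issuer) Issue(rec CardRecord) Card {
	return Card{Record: rec, Sig: ed25519.Sign(i.priv, rec.encode())}
}

// Verifier holds only the public key, so seizing and reverse engineering one
// yields nothing that can produce a card the other verifiers would accept.
type Verifier struct{ pub ed25519.PublicKey }

// ThumbHash stands in for a fingerprint matcher: the scanner's template is
// hashed and compared with the enrolled hash on the card.
func ThumbHash(template []byte) [32]byte { return sha256.Sum256(template) }

// Check reports whether the card is genuine, unexpired at now, and belongs to
// the thumb presented. The returned string is all the verifier learns.
func (v Verifier) Check(c Card, presentedThumb []byte, now time.Time) (bool, string) {
	if !ed25519.Verify(v.pub, c.Record.encode(), c.Sig) {
		return false, "signature invalid: forged or altered card"
	}
	if now.After(c.Record.ValidUntil) {
		return false, "card expired"
	}
	if ThumbHash(presentedThumb) != c.Record.ThumbHash {
		return false, "thumbprint does not match card"
	}
	return true, c.Record.Status
}

// TrackingTag is what a rogue scanner could log at each checkpoint. With a
// static signature on the card the tag is identical every time, which is the
// serial-number tracking problem the post raises.
func TrackingTag(c Card) [32]byte { return sha256.Sum256(c.Sig) }

func main() {
	issuer, pub := NewIssuer()
	verifier := Verifier{pub: pub}
	now := time.Date(2001, 9, 28, 12, 0, 0, 0, time.UTC)

	// Constructed sample: the fingerprint template is just bytes here.
	thumb := []byte("constructed-fingerprint-template-of-holder")
	card := issuer.Issue(CardRecord{Status: "H-1", ValidUntil: now.AddDate(1, 0, 0), ThumbHash: ThumbHash(thumb)})

	fmt.Println(verifier.Check(card, thumb, now))                  // genuine card, matching thumb
	fmt.Println(verifier.Check(card, []byte("someone else"), now)) // wrong thumb
	fmt.Println(verifier.Check(card, thumb, now.AddDate(2, 0, 0))) // past the valid date

	// Upgrading the status on a genuine card breaks the signature.
	forged := card
	forged.Record.Status = "citizen"
	fmt.Println(verifier.Check(forged, thumb, now))

	// A seized verifier only yields pub; a forger must sign with some other key.
	rogue, _ := NewIssuer()
	fmt.Println(verifier.Check(rogue.Issue(card.Record), thumb, now))

	// Two presentations of the same card leave the same tag for a tracker.
	fmt.Println(TrackingTag(card) == TrackingTag(card))
}
```

The design choice worth noting is that nothing on the card need be secret: the privacy property comes from omitting fields, and the forgery resistance comes from the asymmetry between the issuer's private key and the public key inside the verifiers. What the scheme does not give is unlinkability: the signature bytes are the serial number, which is why the post moves on to a per-presentation challenge protocol for the smart-card variant.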



