Showing posts with label Security. Show all posts

Monday, October 16, 2006

Radio tags spark privacy worries

I recently wrote a parody post where I took some text from a livestock tracking supply company and changed it to talk about people instead of cattle. It was written in response to a BBC article on RFID tagging at airports.

Unveiling the study, EU commissioner Viviane Reding said citizens needed re-assuring that radio tags would not lead to large-scale surveillance.

My concern here is really not so much large scale surveillance, although to some extent I worry about it. My true concern is from the identity/privacy standpoint, and the possibility of remote undetected reading of the data on the tag.

Posts of note, who in general have expressed thoughts I agree with/find interesting/thought provoking:

BBC NEWS | Technology | Radio tags spark privacy worries

Thursday, October 12, 2006

Air passengers 'could be tagged'

Not quite security theater, maybe not at all, but I can't say that the idea of tagging everyone in an airport with RFID chips appeals to me at all. (Or really that the idea of tagging everyone with RFID chips anywhere appeals to me.)
Dr Paul Brennan, an electrical engineer, is leading the tagging project, known as Optag.
He said: "The basic idea is that airports could be fitted with a network of combined panoramic cameras and RFID (radio frequency ID) tag readers, which would monitor the movements of people around the various terminal buildings."

A noted issue that has to be addressed is "ensuring the tags cannot be switched between passengers or removed without notification"; we may have the answer to that problem already in hand. Someone should purchase stock in ear piercing parlors.


Application of an Ear Tag

Age and Source Verification Necessary For Public Safety, Consumer Confidence

The future of the security is headed toward global identification and source verification of origin of all types of Personnel and usage of electronic identification systems to help with disease tracking and to improve public safety. Our rfid ear tags are International Standards Organization(ISO) compliant and we offer Full Duplex(FDX) and Half Duplex(HDX) transponders as well as high temperature RFID tags. The Company is in the process of becoming an authorized tag reseller to help  surveillance organizations integrate electronic identification with the National Security Identification System and Management System. The NSIS will oversee the implementation of a National EID system for many types of animals including Personnel, beef and dairy cattle, swine, sheep, goats, elk, alpacas and llamas.


BBC NEWS | Technology | Air passengers 'could be tagged'
Electronically tagging passengers at airports could help the fight against terrorism, scientists have said.

RFIDtagstcc.com has no connection to the parody content of this page and does not endorse it in any way. However, if you have need of livestock tagging equipment and such, I am sure they would be glad to help you.

New Secure Communications over Fiber? Probably not for FTTH

This looks interesting, but only for a point to point connection. Which means that with my fiber to the home, I cannot send new extra sneaky messages to my neighbors. Especially since I am on switched ethernet over fiber and I probably can't afford the hardware.

I took a quick look through the document, and I am sure I missed most of it, but off hand I don't see how you get past any network device or repeater (assuming that the repeater is not repeating noise).



A method for secure communications over a public fiber-optical network

Abstract
We develop a spread-spectrum based approach to secure communications over existing fiber-optical networks. Secure transmission for a dedicated user is achieved by overlaying a covert channel onto a host channel in the existing active fiber link. The covert channel is optically encoded and temporally spread, and has average power below the noise floor in the fiber, making it hidden for a direct detection thus allowing for cryptographic and steganographic security capabilities. The presence for the host channel in the network provides an ad hoc security expansion and increases the difficulty for an eavesdropper to intercept and decode the secure signal.

Friday, October 6, 2006

CEC: RBAC Demystified

Brian Bianquart and Darren Moffat


Role Based Access Control


What is a Role: An account on the system



Cannot directly login


Could be root (or any user)

What is a Privilege: An attribute of a process



Checked by Kernel

Authorization: given to users directly or through profile


...Cutting back on following/outlining until I see something that I am less sure is readily available online and in docs...

One exec_attr table can be used across Solaris 8 and 9, Trusted Solaris (8) and Solaris 10

Here we have a graphic I have never seen before...took a picture but it will probably be lame.

I think maybe hand drawings scanned and added to the slides.

[Photo: A picture of an RBAC slide, http://www.flickr.com/photos/shawnferry/261252689/]

Q: Can we make it such that user and role profiles can be modified while the user is logged in or the role is in use?

A: Yes, that is a bug fixed in update 3...changes may not take effect until next login, but you will be able to make the change.


Standard RBAC example:

Execute with elevated privileges...Start Apache as a regular user on port 80

(As opposed to start as root and drop privs)

I think I was hoping for more in depth technical details, still time yet we will see

/usr/bin/pfexec is the closest thing to sudo only without authentication (yet)

pfexec will use the first profile found....that is the ALL role should be last, otherwise don't bother to define other profiles.

SMF demo: Allow a user to change the running state of a service but not the boot state

e.g.

ALLOWED: svcadm enable/disable -t

DISALLOWED: svcadm enable/disable (no -t)

DO NOT MODIFY SYSTEM SUPPLIED PROFILES


File a bug if you think it should be changed


OR


Create your own profiles


Privileges



Kernel no longer only checks for UID==0

48+ privileges checked instead

Now privilege sets, next how the privileges flow not really going to note that down...I know it is well documented I have read it.

Note: Dark Red on black...hard to see, shouldn't do colors that evaluate to black

Use ppriv -D to debug privilege access. (Yes this is commonly known)

ACLs

Solaris 10 NFSv4/ZFS ACLs now match those as implemented in Windows NT/XP

More info

There is a RBAC and SUDO comparison slide

Strengths and weaknesses on both sides the most common requested deltas are being addressed.

Authentication and Netgroups are on/near the top of the list.

security-discuss@opensolaris.org and Sun blueprints


Sunday, September 10, 2006

Encrypted FS on Solaris 10, Ugly Hack


This is an off the cuff solution to encrypted file systems on Solaris 10 in response to OpenSolaris Adventures which mentions concerns about file security given physical access to a device.





Until ZFS has crypto support or encrypted lofi is available, you could set a BIOS password. Or create your own loopback file based fs. Of course if the file is decrypted and the attacker steals your laptop you are out of luck. So only having the decrypted data in /tmp would offer some protection.





The poor man's version would be something like:

1) Make a source file (Preferably in /tmp)

2) Create a Loopback

3) Layout a filesystem

4) Add content

5) Encrypt (To not /tmp)

6) Delete source file




Ongoing Usage scripted as:

1) decrypt /var/tmp/encrypted.current to /tmp/decrypted

2) create lofi and mount

3) encrypt to /var/tmp/encrypted.new

4) delete decrypted file

5) Move encrypted.current to .bak and new to .current
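
The ongoing-usage steps above written out as a POSIX shell script. This is an added example, not the author's own script: the file names follow the list and the commands are the ones used in the session below, while the function names, the open/close split and the failure checks are assumptions.

```shell
#!/bin/sh
# Added example: the "ongoing usage" list as a script (not from the original post).
# ENC_DIR, PLAIN, MNT and the function names are assumptions of this sketch.
ENC_DIR=${ENC_DIR:-/var/tmp}      # ciphertext is the only copy kept on disk
PLAIN=${PLAIN:-/tmp/decrypted}    # plaintext image exists only under /tmp
MNT=${MNT:-/tmp/foo_mnt}
umask 077                         # new image files readable by the owner only

open_fs() {
    # Step 1: decrypt the current image into /tmp (prompts for the key).
    decrypt -a 3des -i "$ENC_DIR/encrypted.current" -o "$PLAIN" || return 1
    # Step 2: attach the image to a lofi device and mount it.
    dev=$(lofiadm -a "$PLAIN") || { rm -f "$PLAIN"; return 1; }
    mkdir -p "$MNT"
    # If the mount fails, do not leave an attached plaintext image behind.
    mount "$dev" "$MNT" || { lofiadm -d "$PLAIN"; rm -f "$PLAIN"; return 1; }
}

rotate() {
    # Step 5: keep the previous image as .bak and promote .new to .current.
    # Refuse to rotate when the new ciphertext is missing or empty.
    [ -s "$1/encrypted.new" ] || return 1
    if [ -f "$1/encrypted.current" ]; then
        mv -f "$1/encrypted.current" "$1/encrypted.bak" || return 1
    fi
    mv -f "$1/encrypted.new" "$1/encrypted.current"
}

close_fs() {
    # Unmount and detach first so the image is consistent before encrypting.
    umount "$MNT" || return 1
    lofiadm -d "$PLAIN" || return 1
    # Step 3: encrypt to a new file; the old ciphertext stays untouched.
    encrypt -a 3des -i "$PLAIN" -o "$ENC_DIR/encrypted.new" || return 1
    # Step 4: delete the plaintext only after encryption succeeded.
    rm -f "$PLAIN"
    rotate "$ENC_DIR"
}

case "${1:-}" in
    open)  open_fs ;;
    close) close_fs ;;
esac
```

Run it with `open` before working in the mounted directory and `close` afterwards; a failed encrypt leaves both the plaintext image and the previous ciphertext in place, so nothing is lost.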



Steps 1 - 4:


t2000-10# mkfile 10m /tmp/foo

t2000-10# lofiadm -a /tmp/foo

/dev/lofi/1



t2000-10# newfs /dev/lofi/1

newfs: construct a new file system /dev/rlofi/1: (y/n)? y

/dev/rlofi/1: 20468 sectors in 34 cylinders of 1 tracks, 602 sectors

10.0MB in 3 cyl groups (16 c/g, 4.70MB/g, 2240 i/g)



t2000-10# mkdir /tmp/foo_mnt

t2000-10# mount /dev/lofi/1 /tmp/foo_mnt

t2000-10# cat /usr/man/man1/* | nroff -man > /tmp/foo_mnt/important.txt


Content is visible to the casual viewer:




t2000-10# cat /tmp/foo | strings | head -100

...

Moi2

a subcommand and no arguments is

an error. This guideline is provided to allow the

common forms command --

p, command -?

?, command

--

n, and command -V

V to be accepted in the

command-subcommand construct.

Several of these guidelines are only of interest to the

authors of utilities. They are provided here for the use of




t2000-10# umount /tmp/foo_mnt

t2000-10# lofiadm -d /dev/lofi/1


Step 5:


t2000-10# time encrypt -a 3des -v -i /tmp/foo -o /var/tmp/3des_encrypted

Enter key:

[..................|...................|...................|...................]

Done.

encrypt -a 3des -v -i /tmp/foo -o /var/tmp/3des_encrypted 4.44s user 0.63s system 60% cpu 8.434 total



t2000-10# rm /tmp/foo



Simple check to see if data is still accessible:


t2000-10# lofiadm -a /var/tmp/3des_encrypted

lofiadm: size of /var/tmp/3des_encrypted is not a multiple of 512



t2000-10# file /var/tmp/3des_encrypted

/var/tmp/3des_encrypted: data



t2000-10# cat /var/tmp/3des_encrypted| strings

...


Accessing Encrypted Data:


t2000-10# decrypt -v -a 3des -i /var/tmp/3des_encrypted -o /tmp/decrypted_fs

Enter key:

[..................|...................|...................|..................]

Done.



t2000-10# cat /tmp/decrypted_fs| strings | head -100

...

VkQP

a subcommand and no arguments is

an error. This guideline is provided to allow the

common forms command --

p, command -?

?, command

--

n, and command -V

V to be accepted in the

command-subcommand construct.

Several of these guidelines are only of interest to the

authors of utilities. They are provided here for the use of



t2000-10# lofiadm -a /tmp/decrypted_fs

/dev/lofi/1



t2000-10# mount /dev/lofi/1 /tmp/foo_mnt





Checking Contents:


t2000-10# cd /tmp/foo_mnt

t2000-10# head important.txt



User Commands Intro(1)



NAME

Intro, intro - introduction to commands and application pro-

grams