baldysblog.co.uk

Do I object to Identity Cards in Basic Principle ?

The answer is no, my objections rest purely on the grounds of practicality and costs. The main problems would arise from the technical efficiency of any such system and my approach is from the perspective of an experienced IT Project Manager who has always split his time 80/20 on any project, 80% on the ‘business’ and the people involved in it and 20% on the technology.The reason for this ratio is simply that you can do anything you like technically but for a successful outcome, the technology should be empathetic to the “business model” and the people involved in that because people are an integral part of any IT system.

It Is About Structures

Whilst this may come as a surprise to people not familiar with IT projects, it is quite logical because despite all the “marketing hype”, whilst hardware and software does improve and has over the years, the basic principles behind it all, were pretty well established long ago, we all stand on the shoulders of the people who have gone before us. To put this in another way, in purely technical terms, the Gloucester Meteor jet fighter that entered service with the RAF in 1944/45 is a world apart from the Typhoon Euro Fighter of today but in basic function, a jet fighter, no difference even if it flies faster, better and so on.

If we look at the ID Card about which all the fuss is made with its biometric data, what we are looking at is the “sizzle” not the steak, it is what people see, hold and use, it is the thing which the Government has bought. Let us say that the biometric data comprises of an Iris print, finger print, DNA and anything else you like, the point being whilst all these things in combination would be unique to any individual and therefore making each ID Card unique, does it provide any security ? On the surface, the answer would be a Yes, but in reality the answer is a rather big NO and the reason is one any lay person but not a politician can probably understand.

Hole In The Wall Machines

Think about going to a Bank Hole in the Wall machine: Put your card in and enter your PIN number and the system “recognizes you” but how ? In simple terms, it reads the card itself and the first check is that it is not on the lost or stolen list, if that clears okay, the account details and your PIN must match and then you can make transactions on that particular account. In fact with both credit and debit cards, the systems are rather more sophisticated but clearly what lies behind all of this is a database where these details are recorded however, these systems are only protecting one account at a time, your bank account, and/or your credit card account.

ATM ‘scams’ centre around the thieves inserting some unobtrusive kit on a cash point so that when someone uses it, they can pick up the electronic data embedded in your card whilst also picking up your PIN number as you enter it. Armed with this information, they can clone a blank card and it will work in any cash point for some days or at least, until the real card holder spots that he is losing £250 a day through cash withdrawals at ATMs at which point, the system will outlaw that card/pin combination right across the banking system. The essential key to the defence this system offers is a combination of the actual card, the PIN, a real and active “account”, a restriction on the cash withdrawals each day and that the “victim”, the card holder who, will act as a trip wire in the event of a security breach.

Debit & Credit Cards are Active…

Debit and credit cards are ‘active’ identities in that, but to be honest I really don’t know the actual figures but people who have them, probably use them at least once a week or at least, several times in a month whereas by its very nature, an ID Card is ‘passive’ in the sense that it doesn’t do anything as specific such as drawing cash out of your bank account so in the majority of cases may only be used once a year or for some people, hardly ever in the whole their lives. So with a passive system, just how do you break or manipulate it ? The answer is actually childishly simple, you attack the database and either implant or supplant data with the most likely and safest tactic to “implant” if you were say a spy or a terrorist because you want to blend in and not be found but if you are a criminal, “supplant” would be better because you are after identity theft so that you can make serious money in a short time.

Therefore the real “problem” as this week’s events have demonstrated is the question; “Just how secure is our data in the hands of any Government Agency ?” The answer is that it is not in anyway and it is this particular issue that the Government should address before all others and most certainly, before even trying to bring an Identity Card system.

The Weakest Link Is…

If a junior 22 year old clerk can access a main (for it’s specific purpose, could be the DLVC, TV Licenses, NS – Premium Bonds…), database of any kind in its entirety and without any further check, duplicate the details of 15 million UK citizens to a CD or DVD this particular system is clearly, as insecure as it gets. It doesn’t matter whether this chap sent the disks unrecorded via TNT and they didn’t arrive at their destination so, a second set was sent and so on, all of this is the “human error” side of the equation but now, we should be truly worried if not terrified !

The Following is a Projection which in no way, suggests that currently this is the case but is “offered” so that people can understand the scope of the potential problem.

The current “data loss” has come to light because the various people involved have decided that the loss or potential loss, is a significant enough to threaten their Civil Service pensions so everybody has “put their hands up” over it all so, well done them it sort of shows that “cock-up” still rules in the UK rather than “conspiracy”. The point being that if our “22 year old” had been “at it” as they say, the very last thing that he would want is any attention drawn to a “problem”, silence, smooth and no problems is what he would want, please do mull over this a bit.

You need a Security Model for People Too…

Now imagine our 22 year old sitting inside an ID system to which he has “administrator rights” so that without any ‘over-sight’ he can both create and modify ‘records’ which I referred to earlier as “implant or supplant”. But suppose that he has been “recruited” by people who give him a car, girls and a nice place to live, for a lifestyle he has now become a mole. He wouldn’t want any suggestion that there is a security breech, he wants it to be publicly all smooth and plain sailing so that he can continue creating and modifying records at the will, whim and wish of his criminal pay masters who unbeknown to him, happen to be Muslim Terrorists who in reality are Hell bent on destroying the UK…

The hard facts are that a “system” of any kind is not just the IT, it includes people who operate it, how they behave and what they do. Before that happens comes a “system design” based upon desirable outcomes, before that come politicians and their hunger to remain in office. No rational human being would authorize any further work and public money on a system that is guaranteed from outset to fail unless, his name is Gordon Brown.