Thursday, June 30, 2011

It is the Age of Combining Business and Pleasure

We are in a new world. Just this week I was standing behind a guy who was using his new iPad 2 as you or I might use a camera: photos of his girlfriend with Trafalgar Square in the background. I don't know why, it just seemed so strange, and of course although it was a cloudy day you could barely see the screen, well, from where I was anyway.

What has this got to do with smart cards, identity and security I expect you're wondering? Well it's because things like smart phones and tablet computers have become a part of our life. A few weeks ago we were doing the tourist bit in Paris, at the Moulin Rouge the doorman was busy searching for cameras, why waste your time, just about everybody there had a smart phone and have you ever seen a smart phone without a camera?

The thing is that these smart phones and tablets have confused the boundary between business and domestic life. Everybody wants to use their phone (or tablet) as a tool to do both. Please can I have my corporate email on my iPad so that I can check my email while playing Tap Zoo? You haven't got it yet? Oh boy it's addictive, the email that is!

Now to the more serious side, so here we have it, industry leaders combining business and pleasure on their mobile phones and tablets. Should they (we) be worried? You bet they should, because malware can exist just as well in this portable world as on the old fashioned PC or even the desktop if you still have one. I keep on asking the question, if these mobile devices are so insecure why don't we hear a lot more about malware?

The truth is that it is just starting to happen. Google over the last few months has had to withdraw about 50 infected Android applications, but not before they had been downloaded tens of thousands of times. There is a fundamental law here: if you allow an open system it will get malware. The IT departments of course know this and they are hanging on to executive control of the phone for dear life, while the user meanwhile wants to do his thing, whatever that might be.

So where is all this going to end up? It is clear, unless you have spent the last couple of years on some desert island, that the user is going to win this game. Do you remember at his inauguration that Barack Obama was told to give up his Blackberry by the security service specialists? He kept his phone, so it can be done; it's all about behaviour. They all say it: don't keep sensitive data on your phone, don't do things with it that might expose your work (or your private life, come to that). Actually all these things are quite easy to achieve and you can do wonders with a cryptographic MicroSD card: secure email, secure data storage, the list is endless. Ah yes, I was forgetting that the iPhone doesn't have a MicroSD card, but there are other ways.

The thing is that the most vulnerable part of most information systems is the users; it's no good having 12 digit passwords if people have to write them down. You have to create a security culture: people have to want to get it right and apply just the basic techniques well. If sensitive data is encrypted for storage and communications with a sensibly chosen password then really you don't have to worry.

Then you just have to ask why it is that so many people lose their laptop or memory stick with some unbelievable database stored in plain text: medical records, HR records, prison records, you name it, because it's all happened in the last couple of years.

So part 2 of the plan has to challenge where the aggregated data is stored, surely not on the iPad, roll on Cloud Computing. I know it's a buzz word but you know what I mean! And then dear readers we get around to it, how do you adequately authenticate a user with an iPad? A MicroSD card will do nicely thank you, oh but we haven't got a slot!

Tuesday, May 31, 2011

Should Human Beings be Chipped to Avoid Identity Crisis? What's Your Say

What is identity? Everybody seems to be talking about it as if it was some process where we can just verify some artefacts and bingo we know who you are.

I think the definition is rather easy. It is the measurable properties of an object that are adequately unique to distinguish a given object from the total population of objects.

So if I were to put 5 £20 notes on the table you could tell the difference between them and easily recognise a particular note if I presented it again in a different set of £20 notes. We would of course do this just from the number printed on the note which we know to be unique.

Taking the matter further, if I printed a number on everybody's forehead with non-removable ink at birth then I could always identify the person. At the same time of course in my database I would probably record some more information about the person such as their name, parents, date of birth, etc. In fact, not too different from what we do in a birth certificate.

You can see where we're going: in today's world you turn up at the bank or whatever clutching your birth certificate and you say that's me, as described on this bit of paper. The trouble is there is absolutely nothing to connect you with the bit of paper. The bank representative cannot possibly tell if it's you on that bit of paper or not. Even then you don't really know if the document is authentic; if somebody gave you a birth certificate document how would you know it's genuine?

Well, we're not going to stop there, please bring two utility bills with you, does this really offer any value? With today's technology, I would have said it's the easiest thing in the world to produce a couple of fake utility bills.

Then of course you can get somebody to vouch for you, as for a passport application some trusted professional who has known you for at least 2 years will sign your application form. Excuse me, what value does that have? A reference point of 2 years is meaningless on any normal scale assuming a life span of 80 years, just a couple of percent!

Several people have suggested that you should take somebody's DNA at birth and use that as the reference point. It sounds a little impractical right now, but in the future who knows? At least you are starting to measure the properties of the subject you are trying to identify or more usually verify.

Biometrics must have a place here somewhere. This at least measures some properties of the subject, but to make any sense it has to start from birth. Can anybody think of any biometric you can apply to a baby that will follow their complete life cycle reliably? The truth is we can't really do it successfully for much shorter parts of our human life cycle at least not in a way that can cover the complete population.

Dog owners will see where this is going, we have no problem in chipping our dog at birth and it stays with them for their complete life cycle. Could we apply this to humans? I don't see a problem there but how about those people who want to change their identity, you can imagine re-chipping stations popping up all over the place. However, the fraudsters would still need to get hold of an authentic chip and what that should mean is that they would have to rely on removing chips from those no longer with a need (trying not to be too gruesome here).

Probably, we just need to close the loop. When you get chipped at birth your DNA is also taken and entered on the chip suitably protected with cryptography of course.

So there you have it, a working identity system reliable for the life of the subject that can be used anywhere from setting up bank accounts to claiming social services.

Do we really think that is going to happen any time real soon? No, but you could apply it to a subset of the population that need it the most, so to speak!

Patsy & David

Saturday, April 30, 2011

Age of Tablets

The media this month is full of stories on smart phones and tablets all seemingly competing with Apple. Just at the end of the month, however, we have heard of the problems that Sony has had with intruders on their network revealing the personal details of 77 million users, as described in our lead article. And not to be overlooked, Nokia is now facing those difficult decisions necessary for re-engineering the organisation; today they have announced 7000 people will be leaving the company.

The tablet revolution is interesting. I always felt that a small light touch screen device was the ideal portable computer. The other half of the household is even more gadget mad and has been experimenting for the last 10 years or more, the NEC Versa comes to mind as one of the early candidates for Microsoft's tablet software. We have gone through many incarnations including a more recent HP touch device with Windows 7 but none of them really captured the imagination. Then came the iPad, I can honestly express a totally unbiased view, perhaps even a little cynicism but hey this device is great. It is what you always wanted as a really useful PDA (I'll bet you've forgotten – Personal Digital Assistant, do you remember the Palm Pilot?). Anyway it seems like I'm to get the iPad one when he upgrades to the iPad 2. Apparently you have to have a camera – why?

Not only does it do email, calendar and web browsing but you can even read books under the Amazon Kindle banner. There really isn't a problem carrying 20 books around with you and, unlike the Kindle, they can be in colour. OK, hands up, I admit that in the full midday sun that screen is a bit hard to read, but in the shade with a gin and tonic it's sheer bliss. Just waiting for my own machine, sharing is a pain!

Now watching the others trying to catch up is interesting, Google's Android OS is of course gaining momentum but there is no obvious challenger to give Apple a problem just yet. With the iPad 2 people complain, the camera is not good enough, there is no Flash and much more, but let's not kid ourselves this device works with a vengeance. Everything is more than fit for purpose and I've long since been educated this is the way to think in business.

The Flash argument seems to cause the most excitement but it's really not a problem, if you want to watch Flash videos there are browsers like Skyfire and iSwifter that can handle that plus applications from many content providers that handle their content directly such as the BBC for example. What I hadn't fully appreciated was the problems that you can have with Flash animation on a touch screen where you have to decide what to do between hovering and touching, apparently this is going to be a problem with all touch screens when trying to work with Flash animation.

Back at the ranch we have been having lots of security discussions about these new smart phones and tablets, they are of course going to have problems, I think we all agree that but actually we think the biggest understated problem is lost (and stolen) phones and laptops/tablets. Both Apple and RIM have their enterprise solutions for security and without arguing the finer points we really wonder why Nokia has missed this angle. Clearly they miscalculated the explosion of smart phones and should have reacted much quicker but where is the enterprise offering, presumably it's going to be Windows? I suspect a lot more people are going to jump ship than the 7000, and somehow or other Nokia's strategy just seems like too little too late.

Wednesday, March 30, 2011

Mobile Phones To Do Anything!

David Birch is starting a war on cash and this was the theme behind this year's Digital Money Forum held in London on March 2nd/3rd and arranged by Consult Hyperion. A report of the event is given elsewhere in the Newsletter.

At times it was hard to hear a good word about cash, vitriolic reverberations would tell you that cash is bad and is the invention of governments to control the economy and to surreptitiously devalue the assets of its citizens as and when required. It must be a crusade because it wasn't obvious exactly how mobile payments are going to solve this and yet it seemed with few exceptions to be the general view of the room that mobile payments will be the saviour of mankind.

I must confess that the Digital Money Forum has brought about its fair share of excitement over the years but this year it was quieter, the odd spat but actually none of the battles that perhaps the organisers might have hoped for. There was to me a strange acceptance that cash is going to be replaced, not totally you understand, and that the mobile phone is everything. Look no further the future is clear.

I want to argue that both assumptions may be wrong, and there is no evidence that I can think of that would prove that physical cash will continue to exist. Do we really believe that cash as it currently exists will still be around in 50 years time? The protagonists here assume that the products from Visa and MasterCard will move into the cash space and will mop most of it up leaving just the very bottom end behind which is totally uneconomic to process. This of course assumes that nobody puts forward a real cash alternative.

The second argument is to think about how the mobile phone might develop over the next 50 years, will it be a fundamental part of our life? Of course it will be an integral part of our day, just as much as the computer is today but with an even wider capture of the population. The thing is that you need to just stop and think what's going on here. The mobile phone or at least the smart incarnations now dominating the mobile phone sales are capable of providing a voice channel as and when required and here's the new bit (well relatively new) it can also store, process and communicate data.

Now here is my argument: the mobile phone could do anything. Take my electronic toothbrush, it's pretty sophisticated, it has Bluetooth, with data and processing ability to ensure I get the right amount of brushing, but I wouldn't actually want my mobile phone to act as my toothbrush. When necessary I'm quite happy to carry a separate object in my bag. The main argument of the mobile futurists is that we the citizens only want to carry one object, the mobile phone, because it can do everything. In addition they can show through market research that we never forget our phone whilst other objects like our wallet might well get left behind.

Of course, I deliberately picked an obscure situation with the toothbrush but I think the assumption that you must have your wallet and by inference all your payment items in the mobile phone is equally flawed. At the very least surely we want to distribute risk?

Security is one of those subjects that many find easy to ignore, as long as it hasn’t happened to me then it will be alright. I remember once a good friend explained to me that selling security was like trying to sell a bad smell, you certainly don’t get long queues. In the news today there are stories of Google removing malicious applets from the Android market and the Zeus Trojan infiltrating the Blackberry phone and effectively taking control, there have been earlier reports of it attacking both Symbian and Windows Mobile phones as well.

My next proposition is that Mobile phones will become the prime target for malware (actually they probably already are the target) and it will not be easy to stop. Any device that allows the user to download executable code is going to have a problem that is not going away any time real soon. You might imagine that it would be possible to security audit software before allowing the modules to be downloaded, that’s a problem that people have been looking at on PCs for at least the last 20 years with no silver bullet in sight. Of course you could restrict the software to do very little but then nobody would want it.

But it’s a fun world ahead of us,
David (on behalf of Patsy)

Monday, February 28, 2011

Mobile World Congress - Joint Stand On NFC

Well the weather in Barcelona for the annual Mobile World Congress (MWC) may have been a little disappointing but the mobile phone weather barometer inside was anything but, and yes I do have an app on my phone that does this. Our lead story this month surrounds the happenings at Nokia and the announcement of their tie up with Microsoft. A problem for Nokia perhaps but an incredibly positive picture from the industry as a whole.

Smart phones and mobile apps were the order of the day along with tablet objects to compete with Apple's iPad. Apple was nowhere in sight but I guess they argue they don't need a stand and whoever has heard of Barcelona in sunny Cupertino California, site of the Apple headquarters. However they still won the best mobile device award for the Apple iPhone 4. I'll bet you're desperate to ask so I'll let you in, the best mobile app award overall on all platforms went to Angry Birds (and yes I've got that on my phone as well).

There were queues everywhere, my activity barometer is based on the length of the queues for the toilets and oh they were long. So although the organizers provide the facts and figures on their web site I can tell you it was a busy year.

The last few trips to Cartes in Paris have been disappointing, I think the atmosphere has been dull. People are not really interested in smart cards as such it's much more the application business and people struggle to fill in the bits. I almost hesitate to say it but I think people may have forgotten what the smart cards are for, perhaps I'll ask that question in Paris later this year.

But the MWC conference was really quite different, the stands were manned by people who were anything but bored, it's an exciting world and the smart phone opens up avenues for all parts of the industry.

There were lots of things going on but I know you would want me to keep you informed on NFC. Well I think we have passed some tipping point, NFC in the phone was pretty well a given. Everybody agrees that lots of smart phones will have NFC over the next few years but that mass applications have still got some way to go. The huge signs all over the place for the Samsung Galaxy S II just kept reminding you that NFC was now in the forefront. But here was the interesting point, even though perhaps 50 million or more NFC phones will appear on the market this year (yes I believe it, the chips are being made) nobody for one minute tried to suggest that we will all be paying with our phone at the end of the year.

In fact I actually obtained an unbelievable consensus from those most closely involved in the industry. Location and social network services, that's where it is all going to happen. The location bit is referring to the idea of having RFID tags dotted around all over the place so that you can tap your phone on them to get more information on a particular historical site, some advertised event or just plain goods for sale on some advertising hoarding.

The social networking angle is even more interesting, the location bit is old hat really and I'm sure it will happen but bumping into somebody or I guess more politely bumping our phones together to exchange contact information (or anything else I guess) now that sounds interesting. Do you remember the early days of mobile phones, there was the advert of the boy meets girl, she was in one train he in the other and their eyes met. Well you can guess what happens, they both get out their phones and point them at each other to line up their infra-red link. Of course the train moved at the wrong moment so the link was lost before the vital information was passed from phone to phone. Actually I'm not sure if NFC would solve this problem but I'm sure there are many more.

Anyway the consensus from the conference was this year will produce between 50 and 100 million NFC phones. It is also pointed out that the only standard agreed is for the Single Wire Protocol (SWP) which is the connection from the NFC chip to the SIM which then acts as the secure element. But it was also agreed that we are still years away from having any general agreements between network operators and the sharing of the SIM with application providers such as financial institutions.

So all this was really quite consistent: the move to NFC is now really under way but it will be several years yet before we see any mass applications. Samsung is hedging its bets as to whether you need a separate secure element in the phone (in addition to the SIM card). The Nexus S has the NXP PN65K NFC chip, which includes the SmartMX as an embedded secure element, while the latest Galaxy S II has the PN544 SWP chip without the secure element, relying on the SIM over SWP instead.

If I were a betting girl my money would be on the separate secure element not the SIM card, this will give more power to the phone manufacturers, but this will also take time because it is currently devoid of standards.

Patsy (from a very wet Barcelona)

Monday, January 31, 2011

Update A Person’s Biometric Every Hour!

Well it’s nearly time for the GSM conference in Barcelona now renamed as the Mobile World Congress. For those of you thinking to attend it’s from the 14th to the 17th of February.

I would have to say it has been a particularly interesting month with conversations wandering into the realm of science fiction. It all started with the mobile phone, now an essential part of everyday life but which might have been looked on by many as 'sci-fi' back in the 70s or even 80s. In fact I even know a few people who didn't expect it to take off even in the 90s. So we started off imagining what phones would look like in 50 years' time: same sort of thing really but with a more modern fashion statement, perhaps some snazzy wrist band and of course speech recognition and all that, with no need to press buttons or even play around with touch screens.

Now here comes the first run up against biometrics, do we believe that in 50 years time that our electronic gizmos are going to have near perfect speech recognition? I think we do and in my snapshot of family, friends and colleagues this was not seriously in doubt. I would just mention that people have been actively working on this for the last 30 years and in various ways for at least the 20 years before that. So in the last 50 years we haven’t got there, so what’s going to make it happen in the next 50 years?

It is the advances in technology, we are moving much faster than we have ever moved before and at the end of the day there is no fundamental breach in the law of physics. Starting at home we often have this conversation, if it can happen it will happen and if people realise they need it then it just comes a bit faster. So from the novice side of the counter, will speech recognition be perfect (i.e. without errors) in 50 years time. Well again I think we all agree that it won’t be perfect but near it and maybe just 1% error or less. But as my friendly bank manager used to remind me, if you take instructions from 100,000 people in a day that means on average 1000 people are going to have a problem! This was when we wanted to use finger prints for authentication at an ATM.

Now the thing is that this may not matter; in practice the English language has enormous redundancy. There are many examples, but here is one:

Aoccdrnig to rscheearch at an Elingsh uinervtisy, it deosn't mttaer in waht oredr the ltteers in a wrod are, olny taht the frist and lsat ltteres are at the rghit pcleas. The rset can be a toatl mses and you can sitll raed it wouthit a porbelm. Tihs is bcuseae we do not raed ervey lteter by ilstef, but the wrod as a wlohe.

And so to our speech recognition, if we can start handling this form of redundancy in spoken context then why not 100% for comprehension and that’s all that really matters.

So then we move to identity, a fundamental necessity for payments.

In 50 years time we are not going to have smart cards and the like. It’s all going to be in the phone and then we just need identity on the assumption that our money is in some form of a bank account. Now do we believe that will be true in 50 years time? Anyway assuming in the sci-fi world we need to prove our identity in order to get our ration of kwala powder, how do we do it?

Back to biometrics, not speech recognition this time but voice or speaker recognition. This is a totally different problem to the speech recognition that we referred to earlier. I remember once at a seminar hearing the words of wisdom from one of the leading luminaries. I won’t name him because he might be embarrassed but anyway he said that biometrics can only ever be a compromise because the human body is dynamic, it is constantly changing and therefore our biometrics are also changing. Unless you can update a person’s biometric every hour or so then you are likely to have additional errors to the intrinsic measurement error that you will get whether you like it or not.

In the world of sci-fi you can put your hand or finger on the plate and bingo in you go. I guess it’s going to happen in 50 years time, I’m just not sure how?

See you in Barcelona,

Patsy.