Cut Prices

The pricing will get only worse, judging from a survey I recently received from Adobe Systems, which has entered into an agreement to acquire Macromedia. Based on the choices offered in the survey, a "useful" suite of tools would approach $2,000--not something I'd be willing to pay. I hope the pricing folks are listening!

Don M. Culbertson
Business Owner/Software Developer
Company name and e-mail address withheld by request

Rob Preston should know better than to say "it's virtually impossible for an RFID wearer's identity to be stolen or for the individual to be tracked illegally" ("RFID Makes Waves", July 7). His words remind me of Oracle's "unbreakable" claim.

Don't get me wrong: RFID is an enabling technology. But let's start with the simpler deployments first. RFID has yet to be deployed widely in the retail arena, where it really makes sense. So isn't it premature to talk about tagging kids?As recent events have taught us, nothing is really secure. If it can't be broken, it can be circumvented, or vice versa. ChoicePoint wasn't broken into; its measures were circumvented--and so we know the rest. All that's needed is motivation and half a clue. Maybe you yourself can't think of ways kidnappers could make use of a youngster's RFID information, but chances are they can.

Truth is, it isn't hard to imagine what might be going through a stalker's head. For example, why take time observing a schoolchild over the course of a few weeks? Just get the data stored in some principal's office. Good grades in art class? Entice the kid with some related activity. Hey, look! This kid's last name is like that VIP's who happens to live in the same area ... and over here is the child's schedule ... and here's when the child usually gets to school.

Assuming RFID technology is unbreakable, how's this for a scenario? News flash: A laptop belonging to a school administrator was either lost or stolen. It contained a database of RFID data on students' schedules ...

I'm sorry, but a harebrained, half-baked deployment scheme like tagging kids is one sure way of killing this technology even before it has time to mature.

Ed Chavez
Director
Company name and e-mail address withheld by request

Rob Preston replies: Ed, you raise valid points, but let me clarify some of the arguments I made in my column.

RFID networks can be reliably secured using encryption and mutual authentication. The problem today isn't that attackers are breaking RFID security; it's that advanced RFID network security isn't always specified. I argued that government and private-sector implementers must deploy such security techniques if they're to gain the public trust.

The ChoicePoint breach, as you point out, wasn't a technical breach but a "social engineering" one: Crooks posing as legitimate businesses duped company employees into handing over private customer information. In the school case, the potential kidnapper using social engineering techniques could get access to only the child's name and school grade--not letter grades, as you suggest.

As for learning the child's schedule/pattern, a potential kidnapper could far more easily just watch from his car. He doesn't need to dupe school officials or hack into the school RFID network to figure out when the child comes and goes. Regardless, I argued that parents had every right to vote down the tagging program.

Tell Us How You Really Feel

Send e-mail to [email protected], fax to (516) 562-7293 or mail letters to Network Computing, 600 Community Drive, Manhasset, NY 11030. Include your name, title, company name, e-mail address and phone number. All correspondence becomes the property of Network Computing.