Language Selection

English French German Italian Portuguese Spanish

GAO study of RFID technology, policy seen flawed

Filed under
Security

A recently released Government Accountability Office study of radio frequency identity device security is flawed because it omits discussion of technologies and federal policies in the arena, according to smart-card industry executives.

GAO defended the report, saying it relied on information provided by other federal agencies and did not delve deep into individual RFID programs that the agencies are implementing.

The GAO report, titled Information Security: Radio Frequency Identification Technology in the Federal Government, discusses privacy and security aspects of RFID tags used for inventory control as well as contactless smart cards used to make personnel credentials. GAO issued the report May 27.

The report cites several privacy and security issues that RFID units can pose, such as "tracking an individual's movements, profiling an individual's habits, tastes or predilections and allowing for secondary uses of information." According to GAO, "While measures to mitigate these issues are under discussion, they remain largely prospective."

But as Patrick Hearn, business development director for Oburthur Card Systems of Chantilly, Va., stated, federal law, regulations and policies mandate many privacy and security protections for the use of smart cards in federal credentialing programs.

"The security measures-encryption and authentication-listed [by GAO as 'prospective'] all exist today and are incorporated into programs such as the State Department's e-passport program," Hearn wrote in an e-mail comment on the GAO report.

Hearn also cited the existence of the Federal Information Processing Standard 140-2, which applies to contactless smart cards issued to federal employees and contractors, as well as privacy and security rules mandated in the Federal Identity Management Handbook.

Hearn noted that the standards that apply to federal use of contactless smart cards mandate compliance with the Privacy Act of 1974, the e-Government Act of 2002, Office of Management and Budget memorandums relevant to the topic and National Institute of Standards and Technology standards for smart-card security and privacy.

Full Article.

More in Tux Machines

Lessons learned from the failure of Ubuntu Touch

With the death of yet another open source/free software/Linux-based mobile platform, Ubuntu Touch, clearly it is time for us to sit down and have a frank discussion about what we in the free software world can reasonably accomplish in a mobile platform. One of the biggest issues—if not THE biggest issue—with Ubuntu Touch was that it simply had goals that were far too aggressive to reasonably achieve. It suffered from the all-too-common malady known in software development as feature creep. Read more

City Cloud gets Ubuntu Certified

European Infrastructure as a Service (IaaS) provider City Network, has joined the Ubuntu Certified Public Cloud (CPC) programme. This is the second very big European win for Ubuntu after it signed up OVH earlier this month. As an Ubuntu CPC partner, City Cloud will no longer need to create, curate, patch and maintain Ubuntu images. This will all be done by Ubuntu who will then provide them to City Network. Read more

Open-spec networking Mini-ITX has 1, 2.5, and 10 GbE ports

SolidRun’s “Marvell MacchiatoBIN” is a $349, Mini-ITX networking SBC that runs Linux 4.4 on Marvell’s quad -A72 Armada 8040, and supports ODP, OFP, and NFV. SolidRun, which is known for its NXP i.MX6 based HummingBoard SBCs and Marvell Armada 38x based ClearFog Pro and scaled down ClearFog Base networking boards, has spun a $349 (and up) Marvell MacchiatoBIN SBC that showcases Marvell’s high-end Armada 8040 SoC. The 170 x 170mm “community” Mini-ITX board ships with schematics and layout files, and offers an open source, mainline Linux 4.4x BSP. Read more

Leftovers: OSS