Handicap of a head start?

The Netherlands seems to be having some serious problems lately with ‘new’ technology. The troubles started in 2006 when the ‘We do not trust voting computers’ foundation showed that the voting machines used in polling stations in the Netherlands were not transparent, did not provide the possibility of a recount and were very insecure – making it relatively easy to hack into them (either to play chess against them or to change the election results). Even worse, the ‘Regulation for approval of voting machines 1997’ said nothing at all about the security of the systems and only regulated that you should be able to drop the machine from a certain height, or that you could spill water over it, and other such mishaps. The campaign against the voting machines (used by 99% of the population) resulted in all the voting systems being decertified, and a withdrawal of the 1997 Regulations. The Dutch population will be voting by pencil and paper ballots again for a while to come. Isn’t it a reassuring thought that your vote gets cast the way you want it and a recount is possible?

Having dealt with the nasty e-voting issue, the government is now faced with more technology disasters. A lot of money has been invested in creating plastic tickets with embedded RFID chips for use by frequent travellers in the Netherlands. This new system was to be introduced on all trains, buses, trams and subways by 1 January 2009. The idea is that people can upload money on these tickets and an RFID reader will determine the cost of the journey and deduct the necessary amount. This public transport card uses the Mifare Classic Chip with cryptography produced by Trans Link Systems. During the Chaos Computer Club conference in Berlin last December two German hackers discussed how they reverse-engineered the cryptographic components of the chip, showing that it would only take minutes to find the secret keys to the cards. This makes counterfeiting of the cards possible, allowing Dutch citizens to free-ride the public transport system. In January students of the Radboud University showed that they could also hack the single-use cards (which don’t use cryptography). Maybe the existing system of paper tickets wasn’t so bad after all? Wouldn’t it be a relief to have no centralized record of all your movements?

The hack of the Mifare Chip caused a ripple effect throughout the country leading to the discovery in March by researchers from the Radboud University in Nijmegen that they were able to hack into the passes used to enter government buildings and other important locations. Millions of these contactless ‘swipe-cards’ are used to get into ministries, universities, laboratories and large companies. It seems that access control will have to be done by old-fashioned porters again. 

And as if this wasn’t enough bad news, the final blow came at a Mastercard Europe Conference last week where it was announced that the Dutch PIN cards are probably the most insecure ones in the world. Most of these bank cards use magnetic strips and these can be easily skimmed (illegally copied by criminals). All banks will now have to incorporate chips on their cards, but how vulnerable will these turn out to be?

In each of these cases we see the same pattern when it is discovered that the technology is flawed. The vendors deny that there is a problem and become very defensive instead of taking the often well-meant advice and warnings to heart. Usually the revelations by hackers and researchers are followed by questions in parliament. It takes a couple of months or weeks for the truth to sink in: this technology is worthless now that the code is out and anybody could hack into it. ‘Security by Obscurity’ is no longer a valid security mechanism.

So what is going on? The Netherlands has always been an early adopter of new technologies. The voting computers I described have been in use since the 1980s and Dutch consumers have been able to pay for their purchases with PIN cards since 1987. There are 20 million PIN cards in use in the Netherlands, which means that with a population of about 16 million people, most adults have one or more PIN cards which they can use in nearly 225,000 shops and ATMs. Alas, being a forerunner of technology means that you are also likely to become the first one to see the drawbacks of these innovations. I think a useful way of explaining the current problems is Jan Romein’s ‘Handicap of a head start’, which he described in his essay ‘The Dialectic of Progress’ (1935). In this publication the Dutch historian explains that it can be a real drawback to be advanced. Romein means that a head start may lead to stagnation, while an initial lag in development may lead to a leap forward. Trotsky said it as follows: “The privilege of historic backwardness – and such a privilege exists – permits, or rather compels, the adoption of whatever is ready in advance of any specified date, skipping a whole series of intermediate stages” (1932). Obviously these ideas were based on different units of analysis (development of societies) but apply to new technologies as well. When you are the first one to embrace new systems, they can become so fixed that they hinder the development of different and possibly better systems. Another problem is that governments often implement new technology out of some sort of progress ideology. But maybe it is time to realise that in some situations going back to the starting point (paper and pencil for voting, porters for access control and paper tickets for travelling) is real progress – at least for the time being.
Countries that have not yet adopted electronic voting or public transport systems with RFID had better keep a close eye on the early adopters and take the lessons learned into account.

Playing chess against a Dutch voting computer
