[ISN] Don't touch, don't enter, don't spoil

From: InfoSec News (alerts@private)
Date: Fri Dec 22 2006 - 23:29:42 PST


http://www.lamonitor.com/articles/2006/12/22/headline_news/news06.txt

By ROGER SNODGRASS 
Monitor Assistant Editor
December 23, 2006

One of the world's oldest preoccupations, right up there with the 
question of how we got here, has to do with whether anybody has been 
messing with somebody's stuff.

A Los Alamos scientist who is a leading authority on the subject of 
tamper detection imagines hunters returning to their cave after an 
expedition and checking the ground for bear tracks. Some of these 
inventive humans may have swept the ground outside their dwelling to 
make it easier to spot traces of an intruder.

Later, as civilization developed, priests and magicians may have needed 
ways to make sure their ritual materials or instruments had not been 
contaminated by unworthy handlers.

"It was less important to stop them than it was to find out if they had 
been messing around," speculated Roger Johnston, who leads a team called 
Advanced Diagnostics and Instrumentation in the lab's chemistry 
division.

Johnston is not only a practitioner of seals and other devices for 
ascertaining the security of nuclear materials, among the world's most 
dangerous stuff to tamper with, he is also a scholar of the 7,000 years 
of history behind the notion of tamper-proofing objects.

In an article in the current edition of American Scientist, Johnston has 
traced the technology back to ancient Middle Eastern property contracts 
written in cuneiform on clay tablets and enclosed in clay envelopes that 
were stamped with the personal seals of witnesses - 3700 years ago.

"Tamper detection is a very old field, but it doesn't get a lot of 
recognition or attention," he said recently. "I wanted people to 
appreciate it as an interesting area that goes way back."

It is also a technology that is so common it is almost beneath notice. 
Johnston estimated that on average more than 40 million seals are either 
set or checked each day in the United States. Counting tamper-evident 
packaging (TEP) used for drugs and other ingestible items, he wrote, the 
daily number goes up to more than 200 million.

The packaging security that is now required for all over-the-counter 
medicines sold in the U.S. was an outgrowth of an unsolved crime in 
1982, when the death of eight people was traced to a stock of 
cyanide-laced Tylenol.

Johnston said that TEP is surprisingly immature and easily spoofed or 
defeated, considering the consequences and especially given the added 
risks theoretically posed by terrorists.

A smart undergraduate student working with Johnston's team, with no 
special skills and using mostly her own ideas, was recently able to fool 
72 experts in the field who were unable to say which products had been 
tampered with.

Johnston said he wasn't surprised that she was able to do that.

"What really disturbed me is how little research has been given to the 
subject," he said, "especially considering that people in the 
pharmaceutical industry are sitting on billions of dollars in 
liabilities, if somebody tampers with them."

Johnston was honored with a LANL Fellows Prize in 2004 for his 
"ingenuity" and "path-breaking work."

His team of about 10 people includes two industrial psychologists and 
has recently added Jon Warner, a new technical staff member versed in 
electronics and microprocessor techniques. They do work for the 
International Atomic Energy Agency, the Departments of State and Defense 
and the intelligence community.

Johnston is also the editor of the on-line Journal of Personal Security. 
He prefaced an introduction to the first edition with a mind-bending 
quote from Yogi Berra that seemed to sum up the kind of thinking that is 
required in the field of tamper-thwarting.

"In theory, there is no difference between theory and practice," Yogi 
said. "In practice there is."

Johnston explained that physical security seems so simple, like taking 
out the garbage, that if it fails, it's because somebody screwed up. In 
fact, what is lacking is rigorous theory and scientific study that can 
help separate the theory from how things work.

