Who can you believe?

I was disturbed to read about Adam Laurie’s claim that he successfully cloned and changed the data on a UK Identity Card. I was also concerned to read the Home Office response that “This story is rubbish”.

It’s sad that neither side can articulate a respectable account of the claimed weakness and why this might or might not present a problem. Publishing a sensational account in a national newspaper is certainly not a professional way of managing a potential security weakness. But neither is a simple four-word denial from the Home Office.

All technologies, standards and implementations have weaknesses. The trick in the science of security management is to apply defence-in-depth controls to mitigate the associated risks. Without an insight into these controls, it’s impossible to tell if a system is adequately secure. Personally, I would be astounded if the system was as wide open as Adam Laurie suggests, given the considerable expertise available to the Home Office.

One trend this story does reflect is the inevitable growth in FUD, spin and disinformation that is an intrinsic feature of an information society. It’s just unfortunate to see this happening within the information security profession.