Scott Alan Miller

Wednesday, August 31, 2005

CMP Publishing and Cold Calling

A few weeks back, I received a phone call from some proporting to be calling on behalf of CRM Magazine. Now, I have subscribed to CRN for several years as it is a pretty popular publication amongst the VAR/System Integration crowds covering the going-ons in the VAR relations industry. CRN is a free magazine. One of those publications that makes all of its money through advertising - a model which I totally appreciate as it allows industry professionals like me to receive a large amount of published works without having to spend a significant fortune to subscribe to them. I probably get a dozen or maybe fifteen trade magazines in this fashion.

Recently, I have started to reconsider the number of publications that I receive in this manner. I find that I often do not have the time to dedicate to read them and I often, at best, skim them for one useful article and hope to throw them out while I am at the office or a client site so that I don't have to pay to have them all disposed of at my home (currently there are two giant stacks of them waiting to be recycled as it is.) Even moreso, I have recently noticed that a staggering number of the articles are not technical or business related at all but are actually unprofessional writers filling space with political rantings. It was brought to my attention by a developer friend of mine that over half of all of the articles in Software Developer had absolutely nothing to do with software development but were sexist, left-wing political soap boxing complaining about hiring practices in the software development industry. Not only was it political, but almost every article pointed the finger at developers, not hiring managers, educators or anyone else who is creating the "so called" problem. But they blamed the professionals who are doing the work for being better than other more deserving but unqualified people who need money. They even went to far in one article to point out that the people not getting jobs were not at all qualified and, more importantly, didn't want the jobs. But that didn't matter. So, we agreed that SD was a worthless rag and let it go. But the story continues.

In a recent issue of CRN, I had been offended by an article written by someone clearly uninformed about the industry and desperatly attempting to fill some space or to meet a deadline. The article itself wasn't necessarily disagreeable but I was not happy to find an article in a magazine such as CRN making such statements. I get industry trade magazines for a reason. In addition to this, I have often compained that CRN is published in an annoyingly large scale, much larger in physical form than a regular magazine. This makes it unwieldy, difficult to pack and, in all honesty, a little embarrassing to read in public. It is like the Rolling Stone of the IT industry - well known, too showey and full of pictures of rich, trashy people complaining about being rich and having nothing useful to tell the rest of us. So I had decided to stop receiving CRN when my subscription ran out - I would simply not fill in the subscription form again and all would be well. Or so I thought.

But then this phone call came. The woman said that she was calling to talk to me "about my subscription to CRN" as if she knew that I had one. I said "Ok" and she began to ask me questions about myself and my business (not exactly talking about my subscription to start with.) I politely informed her that I was not interested in receiving the magazine anymore. She informed me that I did not receive this magazine. Now, this may be true. The CRN that I receive might actually be in another employee's name and I might just steal it from them. I do that with some magazine and I just can't remember which one it is. But more importantly, if I did NOT receive this magazine according to CMP Media, its publisher, then why were they "calling to talk about my subscription" instead of calling to offer me one? I continued to explain that I did actually receive it but that I was not interested in receiving it anymore because... and the caller hung up on me. She actually hung up on me. I was about to tell her the useful information that I found the paper on which the magazine was printed to be large and cumbersome but apparently CRN isn't interested in knowing why its readership decides to leave it. No big loss, I didn't want to receive CRN anymore anyway. But it got me thinking.

So, I dug out my magazine archives. Yes, I keep magazine archives. And I started going through them looking to see which magazines I liked and which IMHO were just full of fluff, were poorly written or, in a rare few cases, actually crossed the line into offensive and inappropriate to maintain in a business environment. Now, up until now, I have received a large number of subscriptions many of which are extremely similar in look, feel, style and content and I have found it very difficult to distinguish between them. But now I really sat down and took the time to determine which ones were good and which ones were not. Lo and behold, I discovered almost instantly that none of the magazines that I felt had high value were coming from CMP, even though I subscribed to EIGHT of their publications including CRN, Information Week, Network World, Network Magazine, Software Developer, Dr. Dobbs Journal and a few others. Of all of these, only Dr. Dobbs had any quality to it at all but even that I found to be highly irrelevant and not a useful way to spend my time.

So what was the final outcome of this rude phone call? Well, I immediately stopped subscribing to all CMP Media publications. Even those that fell on the fence I felt compelled to no longer support. I have better ways to spend my time. And, more importantly, now you too know about CMP Media. There are plenty of good, high quality, free or low cost publications available so there is no reason to waste time on pulp like CMP.

Tuesday, August 09, 2005

The Inherent Danger of Radio IDing Children

In recent months, the US government looked into the possibility of putting active RFID tags into all US passports. Fortunately, this program appears to be a no go. But now, apparel maker Lauren Scott California is beginning to put active RFID tags into children's sleepwear that should be headed for retail outlets around Christmas of this year, according to Information Week magazine.

Now, a little background on RFID. There are two types of RFID tags in general, active and passive. Passive tags are simple and cheap. They are roughly analagous to barcodes. You must get incredibly close to them and blast them with a burst of energy in order to get them to "reflect" a signal that identifies one tag from another. Active RFID tags are quite different and contain their own power source and broadcast their identification sometimes over very short distances but potentially over extremely long distances. The real distance is a factor of the design of the tag as well as the reading device.

Lauren Scott California is going to be putting active RFID tags into chilren's sleepwear using a solution from SmartWear Technologies Inc. The idea, as claimed by the clothing manufacturer, is to give parent's the ability to know that their children are safe in their homes by purchasing a $500 monitoring package that will tell them that their children are still in their bedrooms. This, however, is not what a technology like this does at all. What will actually be told to the parents by this monitoring system is that their children's clothing is still in the room and will give parents a false sense of security.

The harsh reality of putting an active RFID tag into children's clothing is that anyone can get an RFID reader, or even make one themselves. And with active tags that, in this case, broadcast location and identification information 30 feet in every direction, a potential kidnapper can sit outside of the house (or place an RFID reader there so that they only need appear in person to actually commit the crime) and know exactly where the child is without ever having to peer into a window and make his or her presence known. And then, knowing that the parents believe the child to be safe can take off with the child leaving the RFID sleepwear behind in the bed giving the kidnapper an eight hour head-start on authorities as most parents won't check in until morning.

To make matter worse, SmartWear is working to come up with newer technology that will allow the garments to broadcast for closer to 600 feet! This is a far enough distance that kidnappers could monitor multiple homes at once or even monitor a child's movements from another building. SmartWear hopes to increase the use of these RFID tags for use in military and law enforcement uniforms. Imagine the glee of high tech criminals once they are able to detect the approach and identification of police coming to nap them! Always being able to stay one step ahead of the police because you know exactly where they are at all times. The implications of IDing humans is enormous.

And, if that wasn't enough, SmartWear is planning to implement a child database that will carry detailed information about each child (through a voluntary system with parents sending in the information, of course) that will be made available to law enforcement agencies, Amber Alert or potentially other companies. The real concern here is, if this company is already willing to make your child a top target for kidnapping, how much effort are they really going to put into securing this database? Sure, they might do a wonderful job and it might never be hacked. And they might never share that information with anyone inappropriate. And all of those people that they share the list with might likewise protect it with the utmost of security. Or, it might be hacked in the first week and all of the information about children including their tag ID's, addresses, names, ages, sex, etc. will be available for potential child slavery rings in a a nice convenient format with hooks into the ID tags so that kidnappers can look up the child that they are about to kidnap on their laptop and make sure that they fit a high profit profile. Few ideas have more potential for horrific failures like this one does.

This follows on the heels of a high school that decided to require students to carry active RFID ID badges in order to enter their high school. Fortunately, the danger of the situation was realized before any students were actually hurt because of the program. What was happening was this: since students had to have active RFID tags in order to enter the school, that meant that they must also carry the tags with them as they travelled to and from the school. Because the tags were active, they were broadcasting the indentification and location of each of the students. Because all students had to have them, the system could even be used to identify students as being in a group or travelling individually. Since the tags were active, they could also be used to find student's homes, in theory, although this would be extremely difficult but very much in the realm of possibility.

The greatest fear to arise from this program was that of the many students who would travel, on foot, past wooded areas of town where there was very low visibility. Using an RFID reader, a potential abductor could, over a period of days, identify students that he was interested in abducting. Then, while hiding in the cover of the woods, could utilize RFID to determine when the student that he was after had been left alone by other students. The ease of abducting student during their travels to and from school was at an all time high. Imagine when parents realized that their students safety was at high risk and that the system had no security advantages over far cheaper and simpler solutions like barcoding or mag-striping. Someone in the district likely thought that RFID was "hot" and that a system like this would be a ticket to a promotion. As adults we need to be aware of the dangers of broadcasting the identity and location of our children. Any technology that uses radio frequency can be seen by anyone using extremely low cost equipment.

Another example, fortunately not involving children, that did end in disaster was that of a government agency in Mexico City. This certain Mexican government agency decided that in order to be absolutely sure that only autorized personnel were able to gain access to their office building that they would have active RFID tags inserted under the skin of their employees. At first, this sounded like a great idea, at least to those who did not have to have the surgery performed on themselves. However, it took very little time before the problems of a system such as this began coming to light.

Criminals seeking to gain entrance to the department found that they were able to frequent the local bars, restaurants and coffee shops and were able to identify department personnel from their RFID broadcasts. Using this system they would also have been able to learn their break patterns, clothing, hair styles and other information necessary to impersonate someone. Then, they were able to make their own matching RFID tags that they could simply slip into their pockets. Using their RFID readers they would then determine when a person had definitely left the government building and had entered a restaurant or bar and then would enter the building themselves. There were security guards in place who would look at the badges and, one would hope, would recognize the people that they saw every day. But, because of the false sense of security providing by an RFID system, the guards stopped checking people as carefully and criminals were able to easily come and go in the buildings with the sense of security of knowing that at least THEY were aware of the movements of the people that they were attempting to impersonate and could be sure that they had not tried to re-enter the building yet.

The bottom line in RFID is that the use of active tags is great for items like palettes of canned goods, dorm refridgerators, car parts, etc. They are great for tracking all kinds of objects. But when it comes to tracking people, active RFID is extremely dangerous. There is a reason why, in the past, only seriously dangerous criminals were ever tagged with a system such as this. Only criminals dangerous enough that the public deemed their safety of little concern. We should hardly treat our children in the same way. These were systems not designed to protect criminals from the public but to protect the public from the criminals. Tagging children or children's clothing is hardly going to protect any adults on a cold night in a dark alley from being jumped by four year olds looking for a wallet and car keys.