
Doing it wrong

Three tenuously-related pieces of news have caught my eye recently.

Firstly: NDNAD, the UK's National DNA Database, run by the Forensic Science Service under contract to the Home Office, contains DNA "fingerprints" for lots of folk — 5.2% of the population as of 2005, or 3.1 million people. Some of them are criminals; some of them are clearly innocent, but were either charged with a crime and subsequently found not guilty, or had the misfortune to be detained but not subsequently charged (that is: they're not even suspects). The Home Office takes a rather draconian view of the database's utility, and objects strenuously to attempts to remove the records of innocent people from it — it took threats of legal action before they agreed to remove the parliamentary Conservative Party's Immigration spokesman from the database (which he'd been added to in the course of a fruitless investigation into leaked documents that had embarrassed the government) — so if senior opposition politicians have problems with it, consider the prospects for the rest of us.

In use ...

Whenever a new profile is submitted, the NDNAD's records are automatically searched for matches (hits) between individuals and unsolved crime-stain records and unsolved crime-stain to unsolved crime-stain records - linking both individuals to crimes and crimes to crimes. Matches between individuals only are reported separately for investigation as to whether one is an alias of the other. Any NDNAD hits obtained are reported directly to the police force which submitted the sample for analysis.

Now, this in itself is merely a steaming turd in the punchbowl of the right to privacy: but its use as a policing intelligence tool is indisputable. While there are some very good reasons for condemning the way it's currently used (for example, its use in the UK has sparked accusations of racism), I can't really see any future government forgoing such a tool completely; a DNA database of some kind is too useful. So what interests me here is the potential for future catastrophic failure modes.

I'd like to note in passing that the cost and effort required to conduct DNA sequencing is dropping like a stone, following a path faster than Moore's Law — the price of sequencing has fallen off a cliff, and an exhaustive personalized genome sequence can now be had for around $50,000 and a couple of weeks' work. For comparison, back in 1998 or thereabouts the same job had taken several years and $100M. We're en route to hand-held realtime sequencers within the very near (5-10 year) future. And, aside from medicine, the consequences will be interesting ...

This week sees the publication of a paper that suggests that standard molecular biology techniques such as PCR, molecular cloning, and recently developed whole genome amplification (WGA), enable anyone with basic equipment and know-how to produce practically unlimited amounts of in vitro synthesized (artificial) DNA with any desired genetic profile. See also: faking up a crime scene. Because of the nature of DNA evidence it's actually physically easier to distribute it around a location than it would be to fake conventional forensic evidence such as fingerprints.

Meanwhile, in Australia ... oh, this one almost beggars belief:

Police computer security experts claimed responsibility for taking over the r00t-you.org cybercrime forum as part of a sting operation on ABC's Four Corners TV programme ... The Feds had reportedly configured their own systems as a honeypot designed to track and trace denizens logging into the forum. Police gained access to the forum not through infiltration but after raiding the Melbourne home of the forum's alleged administrator last Wednesday. ... Unfortunately the wheels fell off the scheme, because the officers involved failed to set a password on the database behind the honeypot site.

Yes: they tried to guddle a bunch of hackers and forgot to set the root password on the MySQL database they were using to store the evidence.

Combined with other instances of mind-boggling stupidity this is beginning to convince me that policing and IT security work are incompatible; that is, that the culture, training, and career structure of policing are generally inimical to understanding IT security. The vast majority of police work is about tracking down and apprehending lawbreakers after a crime has been committed; the vast majority of offenses are committed on the spur of the moment by not-terribly-bright folks with poor impulse control: and police are frequently expected to multi-task and deal with multiple cases in parallel. But in the INFOSEC sector the paradigm is turned on its head — it's necessary to carefully consider and plan to defend against attacks that haven't happened yet and to work on the assumption that the attacker is intelligent, tenacious, and has invested a vast amount of effort in advance planning. Even if they haven't, even if the attacker is merely a script kiddie playing with a tool someone else invented, you're up against the inventor's brain rather than the idiot attacking you — the rifle designer rather than the trigger man.

What are the risks of a national DNA database maintained for policing intelligence purposes, once DNA evidence faking becomes possible?

Well, one possibility is that, if sequence information for a named individual can be obtained from the database, your upper class of criminal might well use it to frame rivals — spreading it around the site of a bank robbery or wholesale drug distribution hub, for example.

Another possibility is that if the database is inadequately secured — and with cops waving handheld scanners with live broadband connections around, that's not a wild stretch — we might see some alarming injection attacks on the database, along the lines of short tandem repeat sequences tied to the name and other details of an extremely violent criminal. If you really hate someone and want to fuck them up, stick their DNA in such a database, tagged as belonging to a violent serial rapist or armed robber.

Why do I think this is a problem? Well, the NDNAD is a single, fat, juicy target for hackers: to do its job it must remain accessible to police officers all over the country, which in turn means it has to be online, and therefore difficult to secure. To a wily hacker it's a priceless target: one they can use to both mislead ongoing police investigations and assault their rivals (using the police as a proxy). And the singular nature of the database makes it a single point of failure for the forensic science service.

This leads me to a fairly important conclusion: the can of worms — the hackable, fakable, fallible DNA database — is already here, and the law of bureaucracy says it isn't going away. But it needs to be secured. To do so, it's essential that it not be used as an authentication tool for identifying individuals. Moreover, DNA evidence can no longer be seen as sufficient on its own to secure a conviction in court. Online checks will still have a place — but only if they're used to match individuals against evidence found at crime scenes, and even then, only as an indicator (not as evidence in its own right).
