April-May 2005  

Special Report on Eurosec 2005 in Paris
Interview: John O'Leary
Director of Educational Programs, CSI
(Computer Security Institute)

As Director of Educational Programs of the Computer Security Institute, John O’Leary is a longterm security practitioneer and a security person since the 1970’s. Evry year he comes to Paris to give lectures at the Eurosec Forum on new topics interesting the security of the computer supported modern world. This year John talked on RFID, which is one of the biggest opportunities in Computer Business for the coming years, but also a risk in term of privacy as he strongly pointed out that issue

Founded in 1973, the CSI, the Computer Security Institute is the first ever membership organisation dedicated specificly to Information Technology. It has about 5000 members worldwide. According to John O’Leary, its Director for Educational Programs, this Association is « open to individuals working for companies, some very technical, some managerial and some in administration business. All members are interested in fostering the cause of IT Security. Any government agency are there, not just in the US. However it is  more corporate than agencies, with also scientists as well as business management persons».

John, it is a great pleasure to have you in Paris. Before starting our questions game, we would appreciate to get a few words on the reason why you joined Eurosec again.

John O’Leary : I try to come evry year and try to get and bring a worldwide perspective. As we serve international firms, I want to know what realities are in the different parts of the world, for me and my classes.

Last year at the AMCF meeting in New York, Lanny Cohen from Capgemini unveiled that RFID would certainly be the next breakthrough in supply chain and retail, and at least a growth relay for IT after the end of blockbusters like Y2K, Euro or ERP deployment... You gave this year a lecture and participated to a round table on RFID, so as most of us dont know what that technology is all about, may we have an introductory word ? Any relation with the Barcode ?

John O’Leary : Basicaly it is a tag fitted to an items you check out. So yes, it is related to bar code. But a Barecode is printed and a reader read it. If it is covered nothing can be read. With RFID (Radio Frequency Indentification Device) you can be read with no interference. A transponder will activate your RFID when in the vicinity and the tag will then act almost like a mobile phone and give informations about your item, nature, code related to price, etc ...

So,  it seems to be cheap Science Fiction over the counter. But you  and peers
seemed more cautious yesterday

John O’Leary : Well you must understand that the RFID tag activates only but cannot be asked for special purpose. And there lies the real danger as long as you dont know when and what it transmits. You can carry something without knowing the system enter a read zone.

So you mean there is a real privacy problem ?

John O’Leary : Exemples. You go to California into a grocery store and ask for headache pills, you check-out and suppose you still have the tag not deactivated... If somebody is collecting he knows you went to the chemist store and get the pills on one day... and then you receive emails for pills ads or have a call from a health organization, and worth your insurer start questioning you on your health. The possibility of advert effects is there. And this is why people worry about RFID

So what can we do and what a specialist would recommand ?

John O’Leary : We can make sure that the act of scaning deactivates the tag or have a portal for deactivating. Another possibility is time deactivation but it is expensive and make trouble with the inventory activity. We can also reactivate but it is not safe, your security profile being lowered. If we reactivate and it does not work it is not a problem of privacy but of safety.

What extent this priacy/safety problem can reach ?

John O’Leary : We can imagine that you can have the lecture of your access card if someone can read the information. The problem of security is linked to the wireless transmission ans  so far data are not encrypted.

May we change the content of such RFID tags, or have the content changed by someone without knowing it?

John O’Leary : No, but it is moving in that direction

What difference with a credit card or any card of that sort ?

John O’Leary : A device some three feet away can activate the reading

So the safety question keeps open. What about the expected market for those devices ?

John O’Leary : It is going to be very large. But we dont know it at the moment. It is potentialy huge if you consider that any item comes with a tag ! WallMart for instance  or Target or JC Penney are forcing their suppliers to use RFID tagging on skids they send. Nearly 100 of the largest suppliers have been asked this year on January. All suppliers to be on those big accounts will have to comply.

John, we slightly shifted from the customer to the supplier. That’s intersesting. Is RFID intrinsically more devoted  to supply chain than retail ; in other words to B2B than B2C, with maybe less privacy problems?

John O’Leary : Oh, B2B might work fine. But tags will continue to work after delivery... It is going to be common in B2B and lead to troubles in B2C.

Procurement, Supply and Retail are rapidly changing in a world of growing services. We have recently seen Accenture buy a Marketplace it contributed to develop, namely CPGMarket. How RFID is going to impact the way we order on the internet, be it B2B or B2C ?

John O’Leary : Well, marketplaces, portals, it is all a matter of correct time and cost saving. Eliminating the need for warehouses which is costly. RFID is going to cover this entire supply chain as a part of the IT system.

Does it mean it is going to be the next tiket to the Holly Grail for consultancies,

John O’Leary : It will be a product for consultancies and a driver of hiring for the next 5 years in a definitly growth area : distribution, supply -chain and purchasing.

John, your institution is  located in Plano Texas, a State made famous for spaceactivity as well as IT through the Texas  Instrument Company. We heard that TI might lead the RFID supply market.

John O’Leary : Toyota and Ford will use tags, start-up keys and anti theft  that come from TI.

Editors of supply-chain softwares seems to be out of the RFID business. Your viewpoint?

John O’Leary : Right now it is not a large market. As they will see the market grow they will step in! The reason it is taking off in the US is that WallMart as well as DoD (the Department of Defence) are asking for the device for all purchasing. This in turn trigger the market and makes safety mandatory. In military applications you need the capability of turning off the tags in unsecure areas. The concept is simple but implementation is complex, which explains the slow start.

During the round table VerySign as been quoted a few times. Could you explain the relation between the PKI companies and the RFID issue ?

John O’Leary : At the origin you had two companies in PKI business (private and public keys, certification, repudiation) : Entrust and Verysign. They picked-up PKI to make money on the internet. If we use PKI in tagging we can look at encrypted data which is safer. This is when they comes in. Verysign wants to improve the protection of the data and take a piece of the cake.

Which somehow remind us that behind the shopfloor might rage a standards war

John O’Leary : Right. WallMart is setting the standard by default. Also some others as the DoD. 

As a conclusion of Eurosec 2005, what would be your main advice on RFID tagging ?

John O’Leary : Get ready because it’s coming ! It will come at your organization whoever you are, and privacy is the fear.

Words collected by Bertrand Villeret
Editor in chief, Consultingnewsline
Partner to Eurosec 2005

To know more:
Computer Security Institute, Covington Lane, Plano Texas USA

Whoswoo: John O'Leary

Copyright Quantorg  2005
pour ConsultingNewsLine
All rights reserved
Reproduction interdite

John O'Leary

XP Conseil