Archive for May, 2007

PAC Access Control PIN Security Flaw?!

Monday, May 28th, 2007

I have been working on the implementation of a small security system based on the PAC Access Control System (www.pac.co.uk) and came across a major security vulnerability which, if found on credit cards, would see banks answering very tough questions. Before anyone criticises the choice of PAC, this was due to legacy reasons not related to this issue.

PAC is an access control system which operates on (among other technologies) proximity cards/tokens as identifiers for access. Almost everyone will be aware of these as they are used in most offices nowadays and are similar in use to the Oyster card. Most PAC readers are simple black boxes you present your tag to, and after checking with their controller, they grant or deny access and unlock the door as appropriate.

The company also supplies a “PAC + PIN Reader”, a special type of device which also requests that you type in a four-digit PIN code after presenting your token to the reader. This is another level on the security ladder, the tag being “something you have” and the PIN being “something you know”. There are however two major problems with this system:

  1. Each PAC token (a card or key fob in this case) has a token code which identifies it to the reader (e.g. 20184201AD). There is then a formula which uses this code (dropping the first ‘20’ bits) to generate a PIN (a hash of the token code). This means that anyone who knows your token code can work out your PIN code just by using the PAC EasiNet software: that is, anyone who has run your token past a reader (and the standard read distance of a few centimetres can, I’m sure, be extended with enough thought), or anyone who has access to a system on which you are registered, if you happen to use multiple systems. The PIN code is therefore no longer ‘something you know’; in comparative terms it is just a code written on the PAC token in “ink only visible under ultraviolet light”. Anyone who knows this just brings a UV light (i.e. the PAC EasiNet software) and they have your PIN.
  2. The communication between the PAC PIN reader and the controller appears to only send information when the PAC has been presented and the PIN has been typed correctly. If you type the PIN incorrectly, it is the keypad itself which blacklists you after three attempts but only from that keypad. This means there is no security logging of failed PIN attempts (not that this should happen in any organised attempt to subvert the system due to the first problem). I have not studied the communication in detail so it is possible this is just not visible in the software I was using, but it does seem to be handled by the reader itself.

I think PAC may be offering user-set PIN codes in newer systems. PAC do have a fingerprint reader (“something you are” on the security ladder, also known as biometrics) and a non-biometric Mifare-based smart card system which is a more secure form of RFID proximity access. Nonetheless, ever releasing a system which is based on such flawed security basics is worrying.
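The two problems above, seen from the design side, as an added example that is not part of the original post and is not PAC code: `derived_pin` is a hypothetical stand-in (not PAC's formula) showing that a token-derived PIN is a function of the token code alone, while the hypothetical `Controller` stores a user-chosen PIN independently of the token and counts and logs failures centrally, across all readers.

```python
import hashlib
import hmac
import os
from collections import defaultdict

def derived_pin(token_code: str) -> str:
    """Hypothetical stand-in for a token-derived PIN; NOT PAC's real formula."""
    digest = hashlib.sha256(token_code[2:].encode()).digest()  # drop leading '20'
    return f"{int.from_bytes(digest[:4], 'big') % 10000:04d}"

class Controller:
    """Holds user-chosen PINs and counts failures per token, not per keypad."""
    MAX_FAILS = 3

    def __init__(self):
        self.pins = {}                  # token code -> (salt, PIN hash)
        self.fails = defaultdict(int)   # token code -> consecutive failures
        self.events = []                # audit trail: (token, reader, outcome)

    @staticmethod
    def _hash(pin: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

    def enrol(self, token: str, pin: str) -> None:
        salt = os.urandom(16)
        self.pins[token] = (salt, self._hash(pin, salt))

    def verify(self, token: str, pin: str, reader: str) -> str:
        salt, stored = self.pins.get(token, (b"", b""))
        if self.fails[token] >= self.MAX_FAILS:
            outcome = "locked"          # applies at every reader
        elif stored and hmac.compare_digest(self._hash(pin, salt), stored):
            self.fails[token] = 0
            outcome = "granted"
        else:
            self.fails[token] += 1
            outcome = "denied"
        self.events.append((token, reader, outcome))  # failures are logged too
        return outcome

def demo():
    token = "20184201AD"                # example token code from the post
    ctl = Controller()
    ctl.enrol(token, "7391")            # constructed user-chosen PIN
    tries = [("0000", "door-A"), ("1111", "door-B"),
             ("2222", "door-A"), ("7391", "door-B")]
    return [ctl.verify(token, p, r) for p, r in tries], ctl.events
```

With only 10,000 possible values, the stored hash does little against offline guessing; the protection here comes from the PIN being independent of the token code and from the central lockout and audit trail.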

The illusion of compromise

Sunday, May 27th, 2007

Whether you are in a contract negotiation or you are trying to come to a consensus within a group as to a way forward, strategy & tactics often come into play, the so called ‘politics’ of human interaction which waste time but serve to make all the parties feel content (whether to themselves or their stakeholders) in having contributed to an outcome which is more favourable to them than it would otherwise have been.

From early on in life, the ability to compromise is very important in any aspect of life, whether it is the ability to share a toy with a friend, agreeing how to share a car between siblings, or haggling for a price in the market. There is however a side effect which I have over the years found frustrating that encourages strategically extreme views in order to achieve an outcome that is more advantageous to your position.

As a simple example, many traders will mark up the retail prices in the expectation that customers will haggle, and feel they are getting a bargain when they negotiate a discount. When you buy something at 50% off you feel like you’ve achieved something.

In negotiations between multiple parties it is strategically advantageous for each party to make their initial positions more extreme to ensure that the final ground for ‘compromise’ is not lost. Participants often adopt such positions naturally to defend their territory rather than thinking about the game theory behind it.

Let’s assume we have two people, A and B, who have a range of views on a particular issue which can be placed on a scale from 1 to 10 along a line:

|--------------------A-------x-------B--------------------|

In the above example, the ‘middle ground’ (where presumably A and B will end up if both compromise to the same extent) is marked ‘x’. Now the incentive is for each one to start with a position which is more extreme than their actual desirable outcome. If B does this (marked ‘B2’ below), the middle ground (after compromise) is marked ‘y’ below:

|--------------------A-------x----y----------B2-----------|

As you can see, the outcome ‘y’ is far closer to B’s original position as a result of B shifting its initial position to B2. Obviously if A moves their position to A2 (by adopting a more extreme position), we’re back to the central point of agreement being in the middle:

|-----------A2-------A-------x-------B-------B2-----------|

This is precisely the same model as haggling on a price if you imagine the scale from zero to infinity. Obviously knowing where true positions lie is part of the art of negotiation (or science as some will argue). Problems can also arise where A and B act differently. In some cultures, negotiation is expected whereas in others it is more of a taboo. If one party takes a more extreme position in preparation for compromising, they may feel the other who is holding out is not playing fair whilst they picked a starting position more tuned to their target outcome rather than strategically positioned to result in the outcome.

Things can be further complicated by bringing in a third party C (and D, E, F, G, etc.) who can influence the position. If A or B have a greater degree of influence over these additional parties, it can fine-tune the resulting compromise into one more aligned with the wishes of the said party.

This is one of the reasons why I don’t like sales people. It’s nothing personal. :)

Understanding the value of a domain name

Friday, May 18th, 2007

I have been frustrated quite often about the inability of many individuals to understand the value of domain names. I’ve just had a discussion that went something along the lines of:

“I’ve just registered my domains with Company X because they allow me to use PayPal so I don’t have to give my credit card details to an unknown U.S. company”

I have intentionally left out the name of the company as this issue is not about the company (who I know nothing about) but about the perceptions of users as to the value of their domain. This particular user (who is very typical) feels uncomfortable giving their credit card details to an unknown company, yet they would trust the said company to manage their domain name. A well developed website is likely to be worth far more than the credit limit on many cards, and in any case credit card fraud costs are not directly borne by the victims.

Don’t assume that the domain cost (be it £1.99 or £99) is actually the same as the value of the domain, and treat it based on its value, not its initial cost.