Shostack + Friends Blog Archive


Lapel Pins?!?

There is an AP article in today's Washington Post about Cynthia McKinney, a Georgia Congresswoman who was in a scuffle with the police today after refusing to identify herself upon entering one of the House buildings in the “Capitol Complex”. The truly scary part of the article was this:

Members of Congress do not have to walk through metal detectors as they enter buildings on the Capitol complex. They wear lapel pins identifying them as members.

National security is being protected by lapel pins? What’s the deal with that? It’s comforting to know that we’re having our international phone calls tapped and that anyone with the right lapel pin can walk right into a capitol building.
(Photo cred: AP Photo/Ric Feld, File)

3 comments on "Lapel Pins?!?"

  • There are only 435 members of Congress and 100 Senators, and there is very little turnover from one year to the next. The Capitol police should be able to recognize them on sight.
    Believe me, everyone in DC can’t help but notice that only the black members of Congress get hassled.

  • It’s not so stupid, even if Alice is wrong. Map this back to security policy, and then apply some good behavioral theory.
    The pin is an identifier. The security guard authenticates it on inspection. You argue that since it is easy to forge, it must be a flawed authentication system.
    But even if guards authenticate on pin and pin alone, the identifier is a *public* signal. There are enough people in DC who have memorized the Congressional Facebook and spend enough time thinking about a large set of legislators to make sure that no one wears the pin without actually being a member. I am sure that if I were to slap on a suit and lapel pin and start wandering in the neighborhood of the capital, 1) someone would notice and 2) they would mention this to the Capitol Cops, who would probably want to have a word with me. This is *definitely* true inside the Capitol building.
    So the enforcement mechanism on authenticating the identifier is not 100% at any one point of failure, but it is distributed and enforced by a bunch of people with a strong social interest in protecting the validity of the system. I would argue that this is, in total, fairly robust.

  • JiggaDigga says:

    Great reading, keep up the great posts.
    Peace, JiggaDigga
