Friday, August 15, 2008

NEXUS Please

Returning to Canada through a busy airport I found myself in a customs hall packed with travellers. The wickets at the end of the room differentiated between residents and visitors, but although there were two snaking lines, there was no compliance with the tiny sign indicating that one was for residents and one for visitors. I really wished I wore a company uniform, because the line for diplomats and uniformed aircrew was wide open. The other line that was open was the NEXUS line, for people who have paid extra to be scrutinized by Canadian and American authorities and earned a speedy bypass of border lines. It works at land crossings too. I wrote down on my to-do-when-I-get-home list "NEXUS pass." An hour and fifteen minutes later, when I reached the wicket, the customs agent suggested herself that I apply for NEXUS. And now I am.

The application process requires navigating a government form, and an American government for at that, because you apply to the US, then they share the data with Canada and they both have to say yes for you to get the pass. And in order to apply to the US you have to create an account on GOES the umbrella for all the US fast lane customs systems, for Canada, Mexico and International (i.e. other than Canada or Mexico) And to create an account on GOES you need to create a password that conforms with the following rules.

# Minimum Length : 8
# Maximum Length : 12
# Maximum Repeated Characters : 2
# Minimum Alphabetic Characters Required : 1
# Minimum Numeric Characters Required : 1
# Starts with a Numeric Character
# No User Name
# No past passwords
# At least one character must be ~!@#$%^&*()-_+={}[]|;:/?.,<>"'`

That made me laugh as well as roll my eyes, because it reminds me of a very old joke.

And then, because no one is ever going to remember the password they generated in compliance with those rules, and because most people will lose where they wrote it down, they present a list of security questions, clearly chosen by the most stable and boring bureaucrat in the word. You must choose five of the following and provide answers that will remain inviolate in your mind.

What was your childhood home address?
What is/was the name of your first pet?
What is/was your father's profession?
What is your favorite vacation spot?
What is your favorite movie?
What is your favorite restaurant?
What was your favorite subject in school?
What is your place of birth (i.e. city, state)?

If you were raised by a single mother who moved a lot and couldn't afford to feed a pet, and your tastes vary with time, there is only ONE question to which you could provide a permanent answer. You have to pick five. If you were raised in a stable household with one address during your childhood, and your father had a steady career in one profession that has one name (i.e. you won't put "doctor" now and get it wrong later with "physician,") and you have owned a pet, and your first pet acquisition was of a single pet, (not say, two kittens or six fish), then you still can't necessarily select five questions that you will always answer the same way. Unless you had a clear favourite subject in school (I didn't), you are not permitted to change your tastes from now until the application process is complete.

The next challenge was to provide a five-year employment history. The only fun part of looking up the addresses of everyone who has failed to continue to employ me over the past five years is giggling at the fact that they all have addresses on Airport Road. All different Airport Roads in different cities and mostly different provinces. Some employers no longer exist, but phone numbers were mandatory so I gave them the last known phone numbers. The person who designed the form lived in a stable universe where every employer exists forever.

And then the last stumping question asked me to provide details of my conveyances. I'm not being flowery here. Thе word was conveyances. There is a Type drop down at the top, but the only choice in the dropdown is "Vehicles." So what's a conveyance? I enter my seldom-used car then wonder if they want my bicycle, too? The airplanes I fly for work? My friend's skateboard? If they mean automobiles, why didn't they put that? In the end I just enter the car, because they demand a VIN for each conveyance, and I can't find the serial number on my bicycle.

In six to eight weeks I'll know if I'm an undesirable.


Sarah said...

Ah passwords. The only system that works for me is a phrase, of which I use initial letters + special character salt.

Borders... What, no finger-print or blood draw? Retina scan? Sheese. Just wait until the TSA gets started on your "background check". Border patrol(s) requirements actually sound reasonable.

TSA/GA proposal

amulbunny said...

God I hate those passwords. Being a federal employee you have to change it every 90 days. I have more old postit's lying around with passwords and dates on them.
TSA seems to think now that GA is a target along with RC airplanes and helicopters. And they are still obsessed with water.
Good luck and I hope you can get your NEXUS/CLEAR or what ever they've called it this week or wear your uniform and jump the crew line.

ward said...

The advice from security expert Bruce Schneier is to pick good passwords, write them down, and treat them like credit cards - be careful not to lose them and take action immediately if you do. I keep an encrypted file w/ a copy of all my pws with me (e.g. use PGP or any number of other programs), so for the GOES passwords and questions (or is GOES the Canadian site? I can't keep them straight) I just typed them into the text file.

We (me, wife, daughter) got Nexus passes a couple months ago... the process of finally getting the cards was interesting, we had to go to a Canadian office (at YVR) where they checked all the documents against what we'd submitted, then we went to the US office and they did it again, asked some questions about criminal records (they smiled about it, but they did make us answer for our 4-yr-old), took a lousy picture w/ a web cam which they then printed on the RFID card.

Lord Hutton said...

Our current password advice at work is that you can't use any of the past 27 you may have used. IMHO that just encourages you to write down the latest effort. Bloody teenage fascist jobsworths in Toronto/Washington/London etc, Badly thought ought nonsense making the fools in government look like they are doing something, like tanks at airports are effective too. Just for the right wing press. I am going to live in a tent and sod them all.
What are we coming to?

Matt said...

For my Air Traffic Control security check I had to comply with a 7 year work history, 7 year education history, and 7 years of living history... Guaranteed I'll still get stuck at customs every time!

Soaring Student said...

Hint for passwords... you can't use words, because then your account is susceptible got guessing (kid's names are a favourite).

But do pick a really easy word, and then do substitution. Use @ for a, 3 for e, ! for L, or 1 for l. "Aviatrix" is not a valid password, according to their rules, but "4vi@tr!x" is OK.

And I agree with the other posts... requiring frequent changes of end-user passwords, and requiring overly-complex passwords, simply results in people writing them on post-it notes and putting them under the keyboard. And defeating the entire purpose.

Soaring Student said...

Comment #2 (re those security questions):

There are companies that spend a lot of time devising appropriate questions.

The simple requirements are that the answers be known to the individual, not readily known to others, not readily researchable by others, and that they don't change.

As an example, "What's the name of your youngest child" doesn't work, not only because some people don't have children, but because the name of your youngest child changes when you have another.

Sarah: NEXUS requires a retina scan. Or, it did when I looked at it... but I haven't been travelling much this year so I never got around to doing the paperwork.

steve said...

Pah! Just go with "A" uniform!

It worked for Frank Abagnale, there's no reason to believe they now employ a higher standard of jobsworth to check your credentials,-so go for it!

A fetching shade of puce should go well with the green hair and blue skin...and it'll show off your 5 gold rings nicely (well, if you're doing it,you may as well go OTT )

CYOW + CYVR said...

Another relevant part of Bruce Schneier's commentary is his concept of 'security theatre.'

Complex passwords are only useful to protect against attacks that rely on cryptographic brute force or dictionary attacks. Neither brute force or dictionary attacks are possible against online authentication schemes (such as Nexus) because the authentication system will lock out an attacker after a handful of bad password attempts. This is why ATM PINs are secure despite being a mere 4-6 digits: brute forcing 500 PINs for one bank card will result in the bank card being disabled long before an attacker will find the right PIN.

The sheer inconvenience of mandatory complex passwords makes end users and managers feel more secure because these people are ignorant enough to fixate on the possibility of passwords being guessed or 'cracked.' Complex passwords will never be guessed. In actual fact, however, guessing passwords isn't a viable attack vector for online services in the first place and forcing users to choose complex passwords adds inconvenience but no security.

Anonymous said...

1. The conveyance is if you want to use your car to cross the border. However an agent later said that this info doesn't matter anymore, and it was applicable to the old system.

2. Yes, they take retinal scans for the airport point of entries. It's somewhat difficult to take a proper scan at first. At the land port of entries you scan your card.

3. Your NEXUS card will get deactivated shortly before your passport expires.

4. Finding NEXUS booths at unfamiliar airports (especially at transit points) is somewhat annoying.

Good luck!

Ward said...

On saturday, the lineup at the Peace Arch crossing was 90min, at the truck crossing about an hour, but the Nexus lane was empty. It only takes a couple of those to make the Nexus cards worth the cost.

re: expired passports, what they told us was that if any of the information they have on file changes - pp #, credit card, address, etc. - you have to go to a Nexus office and get it updated. We did this a week ago after renewing our daughter's passport and it took about 10 min. No appointment needed, just go to the office at YVR and show the new pp to the Canadian then the US side.