Saturday, March 27, 2010
Then we have the big cybercrime bill put forth by.. Senators Rockefeller and Snowe (updated, since there are two separate cybersecurity bills, and its the Rockefeller/Snowe one that has people scared), that tries to deal with the "serious threat of cybercrime." But, of course, it already has tech companies worried about the unintended consequences, especially when it requires complying with gov't-issued security practices that likely won't keep up with what's actually needed:
"Despite all [the] best efforts, we do have concerns regarding whether government can rapidly recognize best practices without defaulting to a one-size-fits all approach," they wrote.
"The NIST-based requirements framework in the bill, coupled with government procurement requirements, if not clarified, could have the unintended effect of hindering the development and use of cutting-edge technologies, products, and services, even for those that would protect our critical information infrastructure."
They added the bill might impose a bureaucratic employee-certification program on companies or give the president the authority to mandate security practices.
This is one of those bills that sounds good for the headlines (cybercrime is bad, we need to stop it), but has the opposite effect in reality: setting up needless "standards" that actually prevent good security practices. It's bills like both of these that remind us that technologically illiterate politicians making technology policy will do funky things, assuming that technology works with some sort of magic.
And for those who would rather not have their food broadcast radio waves after getting it home, fear not. Tour says the signals can be blocked by wrapping groceries in aluminum foil. [BTC-Or just don't buy from grocers who endorse corporate surveillance technology.]
Researchers from Sunchon National University in Suncheon, South Korea, and Rice University in Houston have built a radio frequency identification tag that can be printed directly onto cereal boxes and potato chip bags. The tag uses ink laced with carbon nanotubes to print electronics on paper or plastic that could instantly transmit information about a cart full of groceries.
“You could run your cart by a detector and it tells you instantly what’s in the cart,” says James M. Tour of Rice University, whose research group invented the ink. “No more lines, you just walk out with your stuff.”
RFID tags are already used widely in passports, library books and gadgets that let cars fly through tollbooths without cash. But those tags are made from silicon, which is more expensive than paper and has to be stuck onto the product as a second step.
“It’s potentially much cheaper, printing it as part of the package,” Tour says.
The new tag, reported in the March issue of IEEE Transactions on Electron Devices, costs about three cents to print, compared to about 50 cents for each silicon-based tag. The team hopes to eventually bring that cost below one cent per tag to make the devices commercially competitive. It can store one bit of information — essentially a 1 or a 0 — in an area about the size of a business card.
That’s not much compared to computer chips, but Tour says this tag is just a “proof of concept.” Study coauthor Gyoujin Cho of Sunchon National University, along with a team from the Printed Electronics Research Center of the Paru Corporation in Suncheon, Korea, are working to pack more transistors into a smaller area to ultimately squeeze 96 bits onto a 3-square-centimeter tag. That would be enough to give a unique identification code to each item in a supermarket, along with information like how long the item has been on the shelf, Tour says.
The tags were made possible by the creation of semiconducting ink, which contains carbon nanotubes that will hold an electrical charge. A transistor needs to be completely semiconducting to hold information, Tour says. If there are any bits of conducting metal — which moves electric charges around easily — mixed in, the information-holding charge will leak out quickly.
The mixture of nanotubes created in Tour’s lab includes both semiconducting nanotubes and conducting nanotubes. Separating out the conducting nanotubes is “a horrid experience,” Tour says. “They’re very painful to separate.” So instead, the team devised a way to coat the conducting nanotubes in a polymer to protect the electric charge and allow the ink to be purely semiconducting.
Once they had the ink, Cho and his colleagues built roll printers to transfer ink to the final material. The tags are printed in three layers, and one of the remaining hurdles to making the tags store more memory in less space is to improve the alignment of those layers, Cho says.
“The work is impressive,” comments Thomas N. Jackson of Penn State University in University Park, who is also developing flexible electronics. He thinks it will be difficult to compete with silicon, which is well established in the realm of consumer products packaging. But similar technology could be used to do things silicon can’t do, he says, such as make smart bandages that can sense infections or freshness-sensing food packaging.
And for those who would rather not have their food broadcast radio waves after getting it home, fear not. Tour says the signals can be blocked by wrapping groceries in aluminum foil.
Read More http://www.wired.com/wiredscience/2010/03/rfid/#ixzz0jOwqhrL8
Thursday, March 25, 2010
"This was by far, the most obvious outside attempt to maliciously pre-empt us in the program's history. Based on where our program was rerouted it appears politically motivated by those entertained by neo-conservative talk." - WakingUpOrwell
Wednesday, March 24, 2010
In the years that followed the attacks on New York and Washington, the European Union, as with many international powers, was eager to embrace the technology. In 2004, the European Commission proposed technical specifications for a harmonised e-passport system, first requiring digital facial image as as a mandatory biometric identifier for passports and later requiring fingerprint data.
Airport: EU passport security has been placed under the microscope (Photo: dacba10)
But in the wake of the Dubai targetted killing of a Hamas commander, in which a team of some 27 assassins used fake EU and Australian passports in the course of their cloak and dagger escapade, the security of the passport has been placed under the microscope.
Beyond the Dubai murder, Europol has warned that despite the biometric changes to passports, counterfeiting still remains a major problem for criminals or others "who are determined to do so," with the provision of documents for irregular immigrants being the main driver of the activity.
In 2008, the latest year for which data is available, some 16.7 million passports were on an Interpol database of stolen or disappeared passports.
Magnus Svenningson, the CEO of Speed Identity, the company that provides the biometric data capture platform to the Swedish, Luxembourg and Lithuanian governments, in an interview with EUobserver reveals how passports can be forged.
"The EU passport is a very, very secure document. EU countries have invested a lot in the document. It's extremely expensive and difficult to forge, although not impossible," he said.
What makes it so hard is one would have to clone the certified chip of the issuing government: "This requires machine-supported verification of the documents."
Famously, in August 2008, after 3,000 blank UK passports were stolen and British authorities said that without the chip, the documents would have been useless, the Times newspaper hired a computer researcher to successfully clone the chips on two British passports. Passport reader software used by the UN authority that establishes biometric passport standards believed the chips to be genuine.
This is designed to be countered by checking the chip at a border crossing against an international database of key codes, the Public Key Infrastructure, but only a minority of countries have signed up. So a would be counterfeiter should choose a state that does not share these codes.
The level of counterfeiting difficulty varies from country to country, said Mr Svenningson: "In some countries, it's very easy, others not so easy, but every country has their own loopholes."
First of all, the inclusion of the biometric identifiers is binding only for those countries in the Schengen area, of which the UK and Ireland have opted out and which Cyprus, Bulgaria and Romania have yet to join. These specifications are also binding on European Economic Area countries Norway, Iceland, Liechtenstein and Switzerland.
According to the EU regulation, countries were to have included both facial imagery and fingerprints in their systems by July last year. The British e-passport meanwhile only uses a digital image and not fingerprinting, although this is currently under consideration by authorities.
UK foreign minister David Miliband said that the Dubai passports taken from British citizens were in any case not biometric, which makes the forgery process that much easier. But Mr Svenningson said that one of the easiest methods is to acquire a duplicate passport - "a real fake passport" - rather than to forge one.
"The problem is enrollment and lies with the breeder documents. These are the documents that make you a for example a British or German citizen," such as a birth certificate or naturalisation papers. "These documents plus the biographic data and the biometric data are then unified and stored in a passport tied together, forming a proof of identity."
According to Mr Svenningson, you should choose a victim that roughly matches your appearance, and then photoshop an image of yourself so that it appears closer to what the original person looks like, something in between you and the other person.
This process is aided by "the transfer of a paper photo to a digital one, which involves a huge loss of quality, resulting in a photo that makes it very easy for others to use."
"When all this is done, you apply for renewal of your victim's passport and file a new application with your tailored picture. Then you wait at his or her mailbox of until the new passport arrives by mail and snatch that particular letter." He added that a postbox that is separate from the apartment or house is best.
This method is the most common, he said. The advent of biometric passports has had an effect: "There has been a big shift in the last five years from counterfeiting to applying for a real one," because of the additional hurdles set up by biometry.
Fingerprints can be fooled
But those countries that require fingerprints included on the chip can still be fooled.
"Fingerprints are possible to fake for a low cost. The easiest way is to obtain a print from something someone has touched, a glass or a mobile phone."
From this you can extract a picture of the ridges that you see on your fingertip. This picture can be moulded onto a piece of plastic, which can then be subtly placed on the fingertip during enrollment or verification of the data to make you appear like someone else.
Even retina scans are not impossible to fake.
"This is difficult. The process involves taking a picture of the retina with infrared light at very close distance. But it is still not impossible. You could hold some kind of eye-like object with a picture of the retina in front of the camera. Of course if the process is supervised, it then becomes quite difficult."
But he says that this supervision, making sure that the photo, fingerprints and other biometric data are captured at the same moment that you apply for a passport: "So that all the data is tied together and impossible for the applicant to alter."
"It's very important to have the whole enrollment process take place in one sequence via an officially supervised process. Any time you break up this sequence, you introduce a window for individuals to undermine the security of the passport."
Of course, Mr Svenningson's business model is precisely that - all-in-one biometric data capture - so he has an interest in suggesting its importance. He jokes that photography shops, who do not sell as many rolls of film any more and for whom the €8 set of four passport photos is an increasingly substantial part of their business, do not particularly like the idea.
But it will still take many years before even the current generation of e-passports is widely adopted.
Five to 10 year window
"When it comes to non-biometric passports, there is an even weaker tie between the document and its holder, and while biometric passports are common now, the large bulk of EU passports in circulation are non-biometric because they aren't out of date yet, and won't be for a number of years. It will take at least another five to 10 years for all EU passports to be biometric."
Still, nothing will be able to stop those who have the time and money to invest in counterfeiting, he said: "The intelligence services have the expenses and the capacity to do this."
Last week, the Australian Broadcasting Corporation interviewed Victor Ostrovsky, a case officer at the Mossad in the 1980s, who said that the Israeli spy agency had its own "passport factory," a company established within the Mossad headquarters.
"They create various types of papers, every kind of ink. It's a very, very expensive research department," he said.
© 2010 EUobserver.com. All rights reserved. Printed on 25.03.2010.
Tuesday, March 23, 2010
The initial forecast was that biometric passports could be issued as from Monday to Mozambican citizens - but the quality of the first passports produced by Semlex was so poor that the government has demanded improvements.
The deputy national director of immigration, Leonardo Boby, told "Noticias" that the passports produced by Semlex contained serious defects which had to be corrected before they could go into mass production.
There were spelling mistakes, Boby said, and the model used by Semlex did not provide enough space to write the names of Mozambican passport holders. Semlex had not bothered to familiarize itself with Mozambican names, and seemed not to realize that many citizens have names containing four or more words.
To take just the most well-known example, the full name of the leader of the Mozambican opposition is "Afonso Marcacho Marceta Dhlakama" - which is too long to fit in the space allocated by Semlex. According to Boby just three words will fit in the space.
In some cases, the names would run onto the space provided for the passport photograph, which is not acceptable.
On a passport, no name should be abbreviated, and so Semlex has been told to redesign the passport so that even citizens who use six or seven words in their names can fit them all in.
Boby added that the Semlex passports contained insufficient security features, and the company had bungled the images of Mozambican wildlife used.
"We would require all U.S. citzens and legal immigrants who want jobs to obtain a high-tech, fraud proof Social Security card. Each card's unique biometric identifier would be stored only on the card; no government database would house everyone's information." - Senators Lindsey Graham and Chuck Schumer
BTC- I hope someone will tell these Senators there was already a billion dollar effort to create a national to international FBI database to house the most comprehensive biometric catalogue in the United States. It is 2 football fields long and the public is not allowed to know where it is. How's that for "transparency"? It's been around since 2007.
Unfortunately, the term "transparency" is being twisted around against the American people not to mean "government accountability" but somehow to mean a super institutionalized state. In this type of state the only rights of the nation are the institutional rights and permissions granted by that state. Everyone is exactly equal: prisoners, immigrants, workers and government workers. This is the piece where the biometric worker ID card fits.
[Was this your idea of freedom, America?]
It's part of the Always On Surveillance Society and it might make you wonder if the 2010 Census is just a dog and pony show. It's globalized policy; which makes it more important than ever that you guard your private information and do everything you can to jamm up any assumptive networks using your 4th Amendment.Unfortunately, fascism is commonly defined as Statist power as corporations rule the government, which legislates only for them and seeks only their interests.
Monday, March 22, 2010
"How quickly will this database go from being strictly to prove employment eligibility to being used by police departments to gather fingerprints while circumventing the warrant process and Fourth Amendment rights of search and seizure?" - Michelle Ngo, EPIC
Where to begin? First, the senators say, “Each card’s unique biometric identifier would be stored only on the card; no government database would house everyone’s information.” But that seems unlikely. What if someone hacked a real card and added their biometric data (fingerprints, eye scans, whatever is chosen by the government) to the card? Their fingerprints would match the fingerprints on the card, so they would be “identified” as the name on the card. There would likely need to be a database to check for accurate credentials.
Altering a biometric digitally by breaking into the system is just one security problem with biometric identification. Individuals could use false identification at enrollment or a biometric could be altered physically.
The senators state that they need “a tamper-proof ID system” to fix the immigration problem. But there is no tamper-proof ID system. You can strengthen ID systems, but they’ll still be forged by people with means and motive. Former Homeland Security Secretary Michael Chertoff said that the fact that REAL ID and other strengthened identification cards can be forged is a security problem:
I certainly have seen intelligence that tells me that sophisticated criminals and sophisticated terrorists spend a great deal of time learning to fabricate and forge even these improved cards. The net effect of this may be that it’s going to be harder for people on campus here to get a drink when they’re under 21, but unfortunately it’s not going to be that much harder for the most sophisticated dangerous people to counterfeit an identity card.
What the senators would be creating is a trusted card that could and would be forged by sophisticated criminals. Even if you allow the senators’ contentions: the tamper-proof card would have the biometric credential only on the card so there would be no national database, we must then look at the cost of this system. There would need to be computer systems set up for the new high-tech cards, strong encryption, special paper, special readers to 7.4 million employers in the United States, training for employers and employees, and other costs, as well. This would cost billions, perhaps trillions.
And how quickly would this employment verification card be expanded to many more uses beyond employment verification? It is to be “a high-tech, fraud-proof Social Security card,” and Social Security data is used for numerous uses today. Your Social Security number is used to open a bank account, credit account or even cellphone account. How soon before these entities say, “I need you to prove your identity by scanning your high-tech biometric Social Security card”?
How quickly will this database go from being strictly to prove employment eligibility to being used by police departments to gather fingerprints while circumventing the warrant process and Fourth Amendment rights of search and seizure? Who else could have access to your fingerprint and iris scans? The United States already has discussed sharing fingerprint and other biometric data of suspects with European countries. It’s a small step to opening up a national employee biometrics database to other countries.
Besides the security problem, there is also a substantial problem for U.S. citizens and others who may legally work in the United States. During the REAL ID national identification card debate, critics of the REAL ID program noted there is the false positive problem. U.S. workers were having problems with an employment eligibility verification system using Social Security and Homeland Security error-filled databases.Several federal (pdf) government evaluations (pdf) noted problems with database checks that lead to initial rejections for individuals who are legally eligible to work in the US, causing significant problems for eligible workers and their employers, who have done nothing wrong.
I must reiterate: This biometric identification system, where you must prove to the government that you are eligible to work, is proposed for all U.S. employees, not just immigrants. It is a terrible proposal that will not solve the immigration problem, but instead create substantial employment problems for U.S. citizens at a time when many need help to find employment, not more barriers against it.
TELL CONGRESS WHAT YOU THINK