Thursday, April 17, 2008
Thursday 17 April 2008
Latest from NO2ID
The government is currently rolling out ‘invitation-only Ministerial consultation events’ to allow local businesses and civic leaders the opportunity to learn more about the proposals contained in the recently published National Identity Scheme Delivery Plan 2008 and also for the organisers to get feedback. The recent Cambridge event certainly provided plenty of negative feedback when the number of protesters to the ID scheme greatly outnumbered the invitees. The local Cambridge NO2ID group got local BBC radio to attend and pose direct questions to the ID minister, Meg Hillier. NO2ID is keen to find out when other ministerial consultations are due to take place in order to stage similar protests and confrontations.
The German government believes that adoption of the EUs directive on data retention would help improve up the crime clear-up rate. Despite the estimated cost of 332m euros to implement the scheme - which of course comes out of the German taxpayers pockets - it is only expected to increase the conviction rate by 0.006%. They can’t be serious!
Last February, the ID Minister, Meg Hillier told the Home Affairs Committee that "The National Identity Register, essentially, will be a secure database; ...hack-proof, not connected to the Internet... not be accessible online; any links with any other agency will be down encrypted links." But by the time the transcript of her presentation was published and duly posted on the web, the wording had changed to "The National Identity Register, essentially, will be a secure database; it will not be accessible online; any links with any other agency will be down encrypted links." Some key assurances missing there. You’ve got to watch them, they’re up to every trick in the book to deceive.
E-passport security is not all it is made out to be. According to John Leyden reporting in The Register. "Most newly issued passports carry an embedded RFID containing digitally signed biometric information. Access to this chip is wireless, which introduces a security risk, the possibility that an attacker might be able to access data on a person’s passport without the owner knowing.
Security precautions ought to prevent unauthorised access to data held on a next-generation e-passport. But a trio of researchers from Lausitz University of Applied Sciences, Germany and Radboud University, in The Netherlands, have shown that its trivial to at least remotely detect the presence of a passport and determine its nationality. "Although all passports implement the same international standard, experiments with passports from ten different countries show that characteristics of each implementation provide a fingerprint that is unique to passports of a particular country," the researchers explain.
To frustrate wireless reading of passport content without an owner’s consent, e-passports use a mechanism called Basic Access Control (BAC). The approach means that in order to read data from the RFID chip you need to optically read a key, printed in passports. This key is based on a passport serial number. Subsequent communication between a passport and a reader is then encrypted to prevent eavesdropping. All EU passports implement BAC.
Weaknesses in the encryption mechanism used in BAC in withstanding brute force attacks have already been reported.
The latest research uncovers a different shortcoming - the possibility that thieves could use technology to detect the presence and nationality of passports in a crowd, the sort of information that might be useful for a hi-tech pickpocket.
"This turns out to be surprisingly easy to do," the researchers report. "Although passports implement the same standard, there are differences that can be detected, especially by sending ill-formed requests, before Basic Access Control takes places."
HSBC is the latest high-profile organisation to lose data. A computer disk containing the details of 370,000 of its customers, including names, dates of birth and their levels of insurance cover has disappeared.
A German court has ruled against a law that empowers German police to scan car licence plates. The use of ANPR scanners in trying to identify stolen cars has been declared a violation of human rights.
In a more light-hearted vain but with a serious message, senior politicians’ fingerprints are being sought. In the UK NO2ID is running a series of posters offering cash to anyone who can legally obtain the fingerprints of both Gordon Brown and/or Jacqui Smith. Meanwhile in Germany, a hacker club reckons it already has the fingerprints of the country’s Interior Minister, Wolfgang Schauble, who happens to be a staunch supporter of the collection of citizens’ unique physical characteristics as a means of combating terrorism.