We are developing the social individualist meta-context for the future. From the very serious to the extremely frivolous... let's see what is on the mind of the Samizdata people.

Samizdata, derived from Samizdat /n. - a system of clandestine publication of banned literature in the USSR [Russ.,= self-publishing house]

The slippery meaning of “security”

NO2ID has demonstrated how it is possible to clone the Home Office’s wonderful new ePassport while it is still in the post, without taking it out of the envelope.

The Home Office is unconcerned: with classic disingenuity its spokesman told The Guardian, which carried the first part of an unfolding story:

By the time you have accessed the information on the chip, you have already seen it on the passport. What use would my biometric image be to you? And even if you had the information, you would still have to counterfeit the new passport – and it has lots of new security features. If you were a criminal, you might as well just steal a passport.

But of course the Home Office does not care. If there is a conflict between your personal security and official convenience in logging the details of passports at borders – which is what it means by ‘improving the security of passports’ (note plural) – then there was never any doubt which would win.

An Anonymous Coward on slashdot pinned it down:

The basic problem isn’t the algorithm they choose. It’s that their goal is incompatible with security.

They wish to establish a world where all people can be instantly identified, correlated with commercial profiles, and tracked wherever they travel.

How can this be done “securely”? It cannot.

Thank you, Admiral Poindexter.

8 comments to The slippery meaning of “security”

  • llamas

    One of my staff activities is document security measures.

    I’m sure it needs to be formulated into a Law, with a Name, but after 25 years in this area, I observe

    – that the secure life of a new document security measure is rapidly shrinking, and

    – that as the value of the document increases, the secure life of any added security feature reduces even-more-quickly.

    The security features added to US currency over the last 3-5 years – some of which are very technically-advanced – have already been seriously compromised by counterfeiters. Not broken and lying in the gutter, mind you, but already falsified so that they will pass 99% of the time.

    I can think of only 2 anti-counterfeiting measures applied to cheques over the last 25 years that are still largely-secure – and one of them is not going to last more than another couple of years.

    And, of course, the basic documents required for an alien to ‘pass’ in the US – I551, SSN card and driver’s license – are so compromised as to be laughable. I’ve been told that you can buy a full set of these, undetectable except by the most rigorous examination – for less than $100, ready in a couple of hours.

    The ‘through the envelope’ angle is interesting but it’s a side issue. The real joy will be to intercept the passport, open the envelope, clone all of the data – not just the electronically-encoded part, but all of it – then send it on. At this point, the electronic data, when cloned, will actually serve to make the fake document appear more realistic – the exact opposite of what you want from a security feature. Especially if the biometric component can be hacked and altered.

    The disingenuousness of the HO spokesweasel is hard to credit. You lummox – if a passport is stolen, someone’s going to notice! If a passport is cloned, it may pass undetected for years! And, if the clone is finally connected to criminal activity, it is a cast-iron certainty that the person who will suffer the consequences will be the innocent party.

    Amazing.

    llater,

    llamas

  • guy herbert

    The disingenuousness of the HO spokesweasel is hard to credit.

    All too familiar. Disingenuity is the principal mood in the Home Office dialect.

    After a couple of years of concentration, I’m now a fluent reader of Home Office, but cannot yet write it easily. It is a language in which sentences carry only the most obtuse meaning – especially in contexts where they are offered as reassurance or explanation – and in which individual words may have strange Newspeak values.

  • I heard John Reid on the Today Programme on Radio 4 on Wednesday going on about ‘security’ and how it was a part of every facet of our lives. I suppose I shouldn’t be surprised that the interviewer didn’t pick up on this. I’m sure he plans to squeeze more and more surveillance into all the 30 odd bills mentioned in the Queen’s Speech. Gives me the shivers. I’m trying to find a suitable nickname for Mr Reid (I’ve already used the Gestapo angle with Jack Straw due to his resemblance to Herr Flick from ‘Allo ‘Allo) Reidi Amin maybe… Suggestions welcome.
    They may as well put ‘The Statabase’ in the public domain from the get go as that’s where it’s going to end up anyway. Something to note is that Hackers rarely hack for malicious reasons, they do it simply to prove that it can be done.

  • Julian Taylor

    mandrill, The Gorbals Gobsh*te is one name for that unsavoury man that I have personally always favoured. The other name is the one used by the Home Office to describe him, namely using the educational suffixes he is always so eager to maintain – M.A DPhil – resulting in his being generally known as ‘Mad Phil’.

    One other angle which the HO fails to pick up on is the ever escalating level of internal theft by Royal Mail employees, regardless of whether the package is recorded delivery (which all passports are) or not. I am quite sure that it would be only a matter of time before a genuine passport can be sufficiently doctored or completely cloned – after all we do sometimes omit to remember the old adage that criminal technology tends to be 18 months ahead of the authorities’ own safeguards.

  • Their choice of key was laughable – “the equivalent of installing a solid steel front door to your house and then putting the key under the mat.”

    Disingenuous is indeed the newspeak of NewLabour.

    Maybe it is the plan – the passport is just a counterfoil…

  • ElamBend

    A comment on the note of Admiral Poindexter. Total Information Awareness, a DARPA program that was killed under public pressure (and almost certainly restarted under a different name) only sought to take advantage of already available and legal public databases. The worst part of these databases is that the majority of the information in them has been supplied by the very people they detail.

    As we head to the Surveillance Society, what modicum of privacy you have will come at a sacrifice to convenience. It’s difficult and a pain, but there are ways to give yourself a measure of public privacy. (For instance, never have your name associated with where you live [I’m not sure if this is possible outside the U.S. – I just don’t know]). If you want to know more, find the book “How to be Invisible” by J.J. Luna or go to the website of the same name.

    All this is to say that while Nanny Government has been creeping further into our lives, we’ve been inviting commercial enterprises into our lives as well. Neither entity has our best interest in mind.

    /rant

  • RFIDavey

    Personally I’m applying for the 2007 vintage low data rate small memory BAC (basic access controlled) ePass as in 2009 the fingerprints go on the ePass, using EAC (extended access controlled – with reasonable algorithms), so by the time I have to renew I’ll get my multi-megabyte high data rate long distance readable eGov ID and entitlement card in the far-off 2017. Also as more Biometrics are added there’s a push to make the docs valid for only 5 years….whilst still costing £93 or whatever!

  • Harris

    Please tell me, what is Security? This is a small and easy question I think. Kindly send it to me, I really need it.