Domain: icao.int
Stories and comments across the archive that link to icao.int.
Comments · 46
-
Re: We'll see what happens
-
Re:FP?
You would never say "Thirty-three comma thirty-three". You would say: "Thirty-three decimal three three" or "Three three decimal three three". Or, and I am serious here, if you are using ICAO pronunciation, you would say: "Tree tree decimal tree tree".
The word "decimal" works whether you are using a period or a comma.
-
Re:It was not misspelled
There is a table for consistent transliteration from Western and Cyrillic alphabets. It does seem like a shame that the original script isn't at least stored in the contactless chip, though.
-
Re:Thoughts
Primary return data is most likely available for the initial part of the descent (maybe down to 10,000 AGL), regardless of SSR MODE-S data. The Gulf is covered pretty well radar wise (not counting military sets) Ref: See page 2. The difficulty is collecting, combining, and analysing all the CD2 data from the primary returns. Even then, the general public may not be advised of the outcome of the analysis until well after the search.
I concur that it did not break up at altitude, otherwise the debris field would have been located relatively close to the flight path.
Other notable water crashes took many years to determine their final outcomes. I agree with the sentiment, we need to be patient and let the experts do their work.
-
Re:gps? on the ocean floor?
Oh, don't forget too, that different countries have different regulations about what FDR capabilities (in terms of data collected, length of storage before over-writing, and crash survivability) the airlines under their flags, which don't inherently affect the airplane's safety. So look forward to tying things up in the courts for decades trying to apply this extraterritorially.
That's what ICAO (International Civil Aviation Organization) is for. It's something they can mandate the minimums for. The countries participating in ICAO have to pass laws that implement it, and can easily demand that aircraft flying through their airspace must follow all ICAO rules.
Flags of convenience aren't a huge thing for aircraft as they are for boats. Most American airlines, for example, will have standard N-numbers assigned to them, as most airlines of the world would tend to have their aircraft callsigns from their base location. (ICAO hands out the country groupings, e.g., C-Fxxx and C-Gxxx are Canadian aircraft).
-
Re:Pertinent part of the article
It's true for all international operations. Local operations may be in the local language, but as of 1 January 2008 all international operations have an English language requirement, and air crews and controllers serving those operations must demonstrate proficiency in English. Please refer to the ICAO discussion of Amendment 164 to Annex I for details.
-
Re:Pertinent part of the article
> Air traffic control is ALWAYS in English. Not so. Pilots and controllers are also allowed to communicate in the language of the country in which airspace they are. You think they speak English when Air France lands in Paris?
Yes. They are required to. Annex I, section 164. International operations.
Please see the ICAO languages FAQ on the matter, and the ICAO discussion and adoption of Amendment 164. Quote:
- Therefore, pilots on international flights shall demonstrate language proficiency in either English or the language used by the station on the ground. Controllers working on stations serving designated airports and routes used by international air services shall demonstrate language proficiency in English as well as in any other language(s) used by the station on the ground.
Once on the ground, local languages may apply, but English is the language used in air-to-ATC communications, and all required phraseology for air operations is in English. This is the requirement for any airport engaging in international operations and all international flights.
A good summary is at this site, which specializes in training to the required proficiency.
-
Re:ISS
You are wrong. All of those ridiculous units you use in the states haven't been used anywhere else for years. The metric system is the only one, therefore nm is nanometers. You are a stupid person for suggesting otherwise.
I don't know why I'm replying to this as you seem a bit reluctant in others' opinions, but I'll try anyway.
The Nautical Mile is recognized internationally and used primarily in navigation, i.e. marine & air (ISS is air, right?) The International Civil Aviation Association uses nm as its symbol (Wikipedia page or the initial reference)
And should it matter - which I don't think it does - I am not a US citizen. I am working in the marine field, and the nm is the de-facto unit here.
-
Doesn't this violate...
Chapter 2, article 5 of the Convention on International Civil Aviation? I believe both the US and Canada are signatories. (actual document can be found here.)
Each contracting State agrees that all aircraft of the other contracting States, being aircraft not engaged in scheduled international air services shall have the right, subject to the observance of the terms of this Convention, to make flights into or in transit non-stop across its territory and to make stops for non-traffic purposes without the necessity of obtaining prior permission, and subject to the right of the State flown over to require landing. Each contracting State nevertheless reserves the right, for reasons of safety of flight, to require aircraft desiring to proceed over regions which are inaccessible or without adequate air navigation facilities to follow prescribed routes, or to obtain special permission for such flights.
Now, I suppose the US could legitimately demand that any flights crossing its territory make a landing, hence subjecting passengers to inspection per Article 9(b-c), but that's only supposed to be available on a temporary basis.
-
Re:Surprising
That's very... odd. Why would they require an on-line check to validate the signature? And why would there be a fee?
As I understand it, it's because it's tied in with ICAO Doc 9303P1-1, which again, as I understand it, allows each passport-issuing state to have its own root CA. Now, a UK passport/ID card validator may not (and probably won't) know about the PKI for Tajikistan, say, so there needs to be a facility to allow offline checks of their passports/ID cards, based only on information the passport/ID card brings with it. Or not at all, in the case of Adam Laurie's modified clone (as some passport-issuing states may not even be signing their passports yet, or have any plans to do so). :-)
As for the fee, that's probably related to The chancellor, Gordon Brown, [making] it clear that the ID card scheme, which is estimated to cost at least £5.8bn, has to be self-financing.
The whole point of public key-based digital signatures is that you can publish the root public keys far and wide. Then anyone can validate the signature offline -- and it scales arbitrarily.
I'm not saying you're mistaken, but there's a piece missing here.
That assumes that a consensus can be obtained regarding the operation of a unified system of root CAs. Looking at disputes related to DNS and US government administration of ICANN, I don't think that's likely any time soon.
-
Re:"other people are probably already doing it"
The security is in the passport, not the reader or the transport layer. There is an international standard for passports. The smartcard must also be certified before it can be used in a passport.
-
ICAO
Yes, here's details on the English Language Proficiency Requirements for pilots:
http://www.anglo-continental.com/en/uk/courses/Aviation/aviation-english-division.htm#Standards
http://www.icao.int/icao/en/trivia/peltrgFAQ.htm
-
Re:It can be done
Just a few years ago, the same USA demanded that ALL passports to be used while entering the USA had to be machine readable and it is the case now.
What you say is true but widely misinterpreted. "Machine readable" doesn't mean contactless smartcards - the strip of OCR characters already present in most passports is machine readable according to ICAO regulations. Likewise for "biometrics" - the ICAO regulations don't require fingerprints, iris scans or DNA, just a digital photograph (and the photograph doesn't need to be stored on the passport itself, it can be stored in a database and called up by swiping the passport's OCR strip).
Most countries' passports already meet these standards and have done so for years. The push to adopt RFID, fingerprints, iris scans, DNA and an international public key infrastructure is not driven by ICAO regulations, although that's the excuse every government has been making.
-
ICAO Document describing features
I wrote a better document on this, but then I hit the [back] button on my browser:
BAC (Basic Access Control): not required but everybody uses it. Prevents skimming and eavesdropping. If the document number/expiry date and birthday can be easily guessed the protection is pretty weak, especially for eavesdropping (offline brute force attack). No identifying data is released by well designed ePassports before BAC.
PA (Passive Authentication): required. Prevents alteration of the info in the data groups. Works on X.509 compatible PKI (CMS/X.509 certificates). Fully uncrackable, but won't work if you don't have a trust store with the country signing certificates. You can get those by the PKD (Public Key Directory) but also by bilateral means, or even just by download from the internet.
AA (Active Authentication): not required, hardly implemented. Prevents complete cloning of the chip. Uses a private key stored in protected memory in the chip. Relies on PA, otherwise you cannot trust the public key stored in the ePassport to do the verification. Basically this is a challenge/response protocol. Also fully uncrackable at this time as long as the chip security holds.
Here are the standards, all public information:
-
Re:Reality Check: They have had this data for year
Since the US and UK have mandated biometric passport data, they would be collecting biometric data anyway.
Funny, that's the same excuse they gave us in the UK! Seems like every government is trying to blame other governments for requiring biometric passports. Where does the requirement actually come from? The International Civil Aviation Organization. Why is an opaque, unelected and unaccountable committee dictating the domestic policy of major powers? Interesting question.
-
Can I just say ...
zero niner, foxtrot niner, wun wun, zero two, niner delta, seven fower, echo tree, fife bravo, delta eight, fower wun, fife six, charlie fife, six tree, fife six, eight eight, charlie zero or will I get sued by the ICAO for using their alphabet?
-
Re:Counter from a Pilot
However, I stand by the assertion that GPS is superior to VOR and that reliance on VOR is rapidly diminishing. If I had to choose between having only VOR or only GPS, it would be an easy choice in favor of GPS. I am a little confused by your reference to augmentation (VLF?).
By "augmentation" I was referring to services that give you a status indication in case anything goes wrong with the GPS signal. Neither the GPS internal monitoring nor in-receiver monitoring is up to the task ("system level integrity monitoring is not adequate for aviation", "user level integrity monitoring through RAIM is not sufficient to meet the RNP"; "[i]n particular, there is no specification placed on integrity. In fact, the GPS SPS performance standard document states that GPS SPS performance is not currently monitored in real time"). If the FMS is checking VOR and/or DME navigation too then of course that will help pick up anomalies, as will augmentation services such as WAAS (and possibly GPS block III when it comes along, although outside the USA we're a bit sensitive about "GPS III, will give new navigation warfare (NAVWAR) capabilities to shut off GPS service to a limited geographical location while providing GPS to US and allied forces" -- another Balkan crisis could leave a chunk of Italy with no GPS, for instance).
GPS exists in parallel with VOR and is more reliable, making the loss of VOR a nuisance, not catastrophic
But it's not (yet) good enough to go it alone. If you have a WAAS capable receiver it may be good enough. How common are they? And that's only good for the Americas -- head across the Atlantic and EGNOS isn't ready yet so GPS certainly can't go it alone, and the restriction on cellphone use isn't just a US issue -- the FAA and the airlines are complying with an international recommendation on the matter (the URL points to a working paper that references the existing recommendation, and also mentions the crowd control issue).
Every day thousands of phones are left powered on during flights without incident
I've dealt with that one elsewhere. Under fairly general assumptions, you'd need about 400 years data with zero incidents to base a claim that mobile phone use meets commercial aviation safety standards on the evidence of unauthorised use.
If airlines wanted to allow passengers to use their phones during flight it would take more than simply telling them it is OK. Everyone would quickly discover that there is no cellular service at 45,000 feet.
Or in oceanic airspace or over wasteland at any altitude, though you're probably going to want to be at high altitude there anyway.
I was trying, perhaps unsuccessfully, to point out that the whole VOR interference argument has very little to do with it.
I think it will come to have little to do with it; we're not there yet.
-
Re:Don't ask a pilot
Yep some of your statements are correct for civilian frequencies (see the link freq Aloc chart). The FCC packs channels as tight as they can especially in the civilian space where there isn't that much bandwidth available. In the Avionics space the frequency spacing was based on the sensitivity of the filters at creation date and that was back in (1940s) for DME VOR TACAN (the cell phones neighbour frequencies).
Example DME (distance measuring equipment) has 1 MHz spacing in between channels. That's huge when you look at how selective the modern filters are. Also the FCC puts a buffer between technologies example DME's lowest used frequency is 977 MHz but the FCC allocated 960 as the lowest frequency. The highest frequency on the low band of cell is 850 MHz. That's 127 times the needed selectivity bandwidth.
http://www.icao.int/anb/panels/acp/wg/f/wgf16/ACP-WGF16-WP30-Rev2%20-%20Proposed%25
http://www.ntia.doc.gov/osmhome/allochrt.pdf
And that would have to do with the type of modulation. FM has that nice thing called capture that will actively mute weaker signals. In airlines with ATC, you don't want this*. AM would be preferable, as it allows everybody to be heard.
Not sure what you are saying here as Analog cell phones use FM modulation and they are pretty clean also no Air Traffic Communication (ATC) frequency band is close to the cell bands of 800, 850 or 1900 MHz. The most commonly used Aircraft com device is the VHF radio at with the highest used freq of 108 MHz - 88 MHz.
-
Re:Better link
I don't have the energy to refute all of the points in Tony Blair's response, but here are a couple of quick comments.
it is clear that if we want to travel abroad, we will soon have no choice but to have a biometric passport.
This is a red herring that is repeated with annoying frequency. ICAO requirements state that the only required biometric is a digitised photo, which new UK passports already contain. There's no need for fingerprints, retinal scans, etc.
Secure identities will also help us counter the fast-growing problem of identity fraud. This already costs £1.7 billion annually.
The majority of fraud reported as "identity fraud" is credit card fraud. ID cards will be no use at stopping this, unless you require people to show their ID when buying anything. In particular, the "£1.7 billion" figure is nonsense.
I also believe that the National Identity Register will help police bring those guilty of serious crimes to justice. They will be able, for example, to compare the fingerprints found at the scene of some 900,000 unsolved crimes against the information held on the register. Another benefit from biometric technology will be to improve the flow of information between countries on the identity of offenders.
Nice to know that the Government has already gone back on its assurance in 2005 that the ID register wouldn't be used for "fishing expeditions" - also nice to know that our details will be shared with some unspecified other countries.
The additional cost of the ID cards is expected to be less than £30 or £3 a year for their 10-year lifespan.
Not according to an independent report.
-
Re:Tinfoil Passport Cover?
Who are the idiots that mod this piece of crap up? The data on the front page (the MRZ, or machine readable zone) is used to create master keys for BAC (Basic Access Control). Although these keys are not that well protected because the entropy is low, they are NEVER transmitted in plain.
CAN'T YOU IDIOTS JUST READ THE SPECIFICATIONS? THEY ARE AVAILABLE ONLINE:
http://www.icao.int/mrtd/download/documents/TR-PKI%20mrtds%20ICC%20read-only%20access%20v1_1.pdf
-
The technology used
Many people here seem to make claims on RFID security without knowledge of the technology actually used. I have done some research on the subject so I think I can give some pointers. Details about the technology can be found at ICAO's web page and short presentation on the subject Jacobs/Wichers Schreur.
The communication between the passport and the reader is encrypted using information in the Machine Readable Zone at the bottom of the passport. This is the basic way to authorize passport reading. The MRZ-information is generated from the information of the passport holder and random numbers. If a bad numbering scheme is used, breaking the encryption is quite possible. If large enough random numbers are used, breaking the encryption with brute force is currently not practical.
The authentication is done using public key cryptography. Currently only Passive Authentication is mandatory, but Active Authentication is supported and it is mandatory when fingerprint information is contained in the passport. With only Passive Authentication cloning of MRZ-compromised passport is easy, but with Active Authentication it should be unfeasibly difficult.
Reading and cloning a European RFID passport which is using all available security measures (like the e-passports in Finland) is not as trivial as many people here seem to think. As long as there are no backdoors in the cryptography (e.g. for the intelligence agencies) I think the technology is quite sound. Not using all available cryptography is just a bad choice by the government issuing the passports.
The scheme in TFA is nothing new and nothing revolutionary. If you have physical access to a passport with only Passive Authentication cloning is trivial, as pointed in TFA. This is actually how the technology was designed to work. Maybe the design is bad, but that is hardly a big surprise, since the technology is a compromise between many organizations and governments. When someone clones a passport which has Active Authentication, then that is real news.
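Added example, not part of the comment above and not ICAO's or any vendor's code: a Python implementation of the Basic Access Control key derivation from the MRZ as specified in ICAO Doc 9303, with a key-space estimate that shows why the document numbering scheme decides how strong those keys are. The specimen fields are the ones from the standard's own worked example; the candidate counts passed to `key_space_bits` are constructed assumptions.

```python
import hashlib
import math

WEIGHTS = (7, 3, 1)  # repeating weights of the MRZ check-digit algorithm


def char_value(ch: str) -> int:
    """Numeric value of one MRZ character: 0-9, A=10 .. Z=35, filler '<' = 0."""
    if ch in "0123456789":
        return int(ch)
    if ch == "<":
        return 0
    if "A" <= ch <= "Z":
        return ord(ch) - ord("A") + 10
    raise ValueError(f"character not allowed in an MRZ: {ch!r}")


def check_digit(field: str) -> int:
    """Weighted sum of the field's character values, modulo 10."""
    return sum(char_value(c) * WEIGHTS[i % 3] for i, c in enumerate(field)) % 10


def mrz_information(document_number: str, birth_date: str, expiry_date: str) -> str:
    """Document number, date of birth and date of expiry (YYMMDD), each followed
    by its check digit. This 24-character string is the only secret behind BAC."""
    if len(document_number) > 9 or len(birth_date) != 6 or len(expiry_date) != 6:
        raise ValueError("unexpected field length")
    fields = (document_number.ljust(9, "<"), birth_date, expiry_date)
    return "".join(f + str(check_digit(f)) for f in fields)


def _odd_parity(key: bytes) -> bytes:
    """Set the low bit of every byte so each byte has odd parity (DES key format)."""
    return bytes(b if bin(b).count("1") % 2 else b ^ 1 for b in key)


def derive_key(k_seed: bytes, counter: int) -> bytes:
    """Two-key 3DES key: SHA-1(Kseed || 32-bit counter), first 16 bytes."""
    digest = hashlib.sha1(k_seed + counter.to_bytes(4, "big")).digest()
    return _odd_parity(digest[:16])


def bac_keys(mrz_info: str):
    """Return (Kseed, Kenc, Kmac). Counter 1 gives the encryption key,
    counter 2 the MAC key."""
    k_seed = hashlib.sha1(mrz_info.encode("ascii")).digest()[:16]
    return k_seed, derive_key(k_seed, 1), derive_key(k_seed, 2)


def key_space_bits(document_numbers: int, birth_days: int, expiry_days: int) -> float:
    """Upper bound on key entropy: log2 of the number of MRZ combinations that
    remain plausible. The keys are never stronger than this, whatever their
    length, because everything else in the derivation is public."""
    return math.log2(document_numbers * birth_days * expiry_days)


if __name__ == "__main__":
    # Specimen values from the worked example in ICAO Doc 9303.
    info = mrz_information("L898902C", "690806", "940623")
    k_seed, k_enc, k_mac = bac_keys(info)
    print("MRZ information:", info)
    print("Kseed:", k_seed.hex().upper())
    print("Kenc :", k_enc.hex().upper())
    print("Kmac :", k_mac.hex().upper())

    # Constructed scenarios for an issuer reviewing its numbering scheme.
    # Sequential numbers correlated with the issue date: about 10,000 plausible
    # numbers, holder's age known to within 10 years, 5-year validity.
    print("sequential numbering: %.1f bits" % key_space_bits(10_000, 3652, 1826))
    # Random 9-character alphanumeric numbers, nothing known about the holder,
    # 10-year validity.
    print("random numbering    : %.1f bits" % key_space_bits(36 ** 9, 36525, 3652))
```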
-
Re:Could someone address the points raised?
Posted as AC, because the headless "fsck informing myself before I have an opinion, what about our PRIVACY!!!" crowd is too annoying:
1: The data contained is: the data printed on the passport (name, date of birth, city of birth, expiry date, serial number) + high resolution JPEG2000 of your face + optionally some biometric. The biometric is not in common use at the moment, but can (and typically would) be encrypted and accessible to states your issuing state considers to have a need to know. So no, it is not that interesting as an identity theft item as that information is more easily gained another way.
2: Active reading (i.e. powering the ePassport) is limited to 30-40 cm in the theoretical case, in practice 10-15cm is quite a feat. The limiting factor is getting the power into the chip.
Passive reading (eavesdropping the authentic reading by the border inspection machines) is possible over much larger distances (4-5 meter demonstrated, more potentially possible).
However, in both cases there is a mechanism called Basic Access Control (BAC) that interferes with such an attack. It requires a contactless reader to authenticate by showing that it can optically read the passport (i.e. it is open).
The Active reading needs to effectively bruteforce VERIFY (i.e. try PINs) in a 2^30 range, the Passive reading needs to brute force DES keys for that range. Doable with significant effort, but hardly worthwhile IMHO (as that information is more easily gotten from the car rental services for example).
3: Definitely not possible to change the data, copying it is easy (that is exactly what a border inspection station does!) See, all the stored data is signed with an RSA key, that does not reside on the epassport itself. Changing data invalidates the signature. Copying it wholesome is of course possible. There is an optional challenge response mechanism called "Active Authentication" that addresses that. And yes, there is a check of the data against the optical data AND the person offering the passport.
3a: Additionally of course. This immediately raises the question why they claim the processing speed will go down of course :-)
3b: The epassport is a relatively standard ISO14443 smartcard with an ISO7816 filesystem + some authentication commands. Making your own is technically not difficult (although requires some engineering skills). However the data (as above) cannot really be changed.
For more information the specs are available at http://www.icao.int/mrtd/. Pretty standard stuff for contactless smartcards, but potentially hard to read if you are not familiar with the technology.
-
Help me out here...
The ICAO spec http://www.icao.int/mrtd/download/documents/Biometrics%20deployment%20of%20Machine%20Readable%20Travel%20Documents%202004.pdf is pretty vague, but the one thing that confuses me is the capacity for storing datafiles on an RFID chip. ICAO recommends at least 15-20KB (notice the big B as in Bytes) for recognizable images and 30KB for fingerprint bio templates...I would guess that iris bio templates are probably about the same. When I search for RFID tags, the highest capacity ones I can find are 64Kb (notice the small b as in bits.) Does this compute? Next, I am assuming that the passport number, birthdate, and expiry date make up the public key and that the software on the other side of the transaction (the RFID reader) would contain the private key (or at least have the ability to pass the encrypted data off to the issuing state for decryption) and so, is the article's premise even valid?
-
Re:Still ....
I mean it doesn't have personal information, even if decoded, so what use is it to anyone, except that it identifies you with a big random number like a cookie does.
Huh? You mean all of this personal info (PDF, see page 16) ??? You'll note that encryption is optional, but data integrity via a 1-way hash is mandatory.
-
Re:And this helps... how?
http://www.icao.int/mrtd/download/documents/TR-PKI%20mrtds%20ICC%20read-only%20access%20v1_1.pdf
Rather than rely on the uninformed writer of the article, or your own spurious conclusions about what "must be" as a consequence, allow me to suggest that you read the standard for yourself. It is available at the link above.
-
argument 3 (cryptographic key) is moot for the US
ICAO has cryptographic key support through AA (Active Authentication); but the US and some other countries are not creating their passports with such key support. This has been turned off. Probably Germany is one of these countries not enforcing this AA because else it wouldn't be -that- easy to copy in the first place.
Probably because the PKI would be too difficult to deploy for an entire nation/risks of compromise?
This means; US passports and any passport without AA can (and probably will) be copied.
Why introduce new passports with a rfid chip which isn't even safe while the current system works as good?
-
Active Authentication
The German passports do not employ the optional active authentication standard as specified by ICAO. Active authentication means that there is a private key within the passport. This private key can be used in a challenge-response authentication of the passport chip. The public key itself is stored in a data group on the passport, which is protected against alteration in the same way the biometric data is protected against alteration (a digital signature from the state).
Nobody seems bothered to even *look* at the ICAO specifications, including 100% of the previous responses on e-Passports on slashdot. Why the hell should politicians even bother with citizens if not even the technological top 1% takes an interest?
http://www.icao.int/mrtd/download/documents/TR-PKI%20mrtds%20ICC%20read-only%20access%20v1_1.pdf
Check out chapter 2.3.2, 3.2.2, Annex D, Annex G.1.2
-
Specs here
You can find a copy of the specs on the ICAO website.
It doesn't give away a lot, it doesn't have to. A passport must be inspectable by anyone so the spec on how to read it must be pretty much public. There is an (optional) electronic signature mechanism, but this predicates an international public key infrastructure. The bank where I work has enough problems getting one of those together, let alone an international organisation. PKI is very hard. Google for references on this.
Key compromise means that all issued documents are then compromised. Can you imagine a country recalling all its passports?
-
Re:yeah
This is actually a very good question. The answer is twofold:
1) Most contact chips don't last past 5 years, and they wanted a longer validity (10 years in the US case)
2) The chip specification was for the 28 (?) Visa-waiver countries and each of them can have a different passport form factor, so it would be very difficult/expensive to implement a single contact based reader or set of readers for them all. Contactless solves this issue and allows each country to keep whatever form factor they want.
The specifications for this were actually developed by the International Civil Aviation Organization. Anti-Skimming is not a part of any of those specifications, however data encryption schemes are.
OK OK here you go, but you will have to buy them:
http://www.icao.int/
-
Re:birds
And yet 747s are the most efficient known method for moving people from place to place. Funny how that works.
If you're speaking strictly of fuel efficiency, then bullshit. A 747 cruises at 650 mph. The highest number of seats currently in use on a 747 is 587 (most 747s have fewer seats due to first and business classes). This gives a maximum of 381,550 passenger miles per hour (source: Wikipedia).
A 747 burns, on average, 3,743 gallons of fuel per hour (source: International Civil Aviation Organization). This translates to 101 passenger miles per gallon.
My Corolla, on the other hand, gets between 37 and 40 miles per gallon on the highway. Since we packed 'em in like sardines on the jet, we might as well do the same for the car and stick five people in there. At the low end of the mileage range, that's 185 passenger miles per gallon. Pretty amazing feat Toyota has pulled off, eh? Almost doubling the efficiency of the most efficient mode of transportation ever conceived!
Even taking account the fact that a road route is longer than a great circle route, the car is still more efficient (15 gallons per passenger for the car, 24 for the 747 from JFK to LAX).
And if I recall correctly, trains are quite a bit more efficient than cars.
Now if you want to take time into account, or the infrastructure required to build a road/railroad across the country, then it's a slightly different story. But since the GP wasn't talking about those, it's a bit irrelevant.
-
.int
Nah, .int is just full of scammers. Just look at them:
The United Nations
The European Union
NATO
Interpol
World Health Organization
International Civil Aviation Organization
The International Telecommunications Union
The Red Cross
I don't know what to say about this one though:
International Network for Bamboo and Rattan (INBAR)
And more: Google it
Not to mention the sloppy rules for registration:
To register in the .int domain, the applicant must be an intergovernmental organization that meets the requirements found in RFC 1591. In brief, the .int domain is used for registering organizations established by international treaties between or among national governments. Only one registration is allowed for each organization. There is no fee for registering an .int domain name.
Just look at that! Sheesh. No fee? No wonder all the spam comes from .int.
-
Re:Great Idea - Already in use in certain areas
"I can't wait though for them to implement something such as an RFID tag inside of these"
In the New Zealand passports, they already have. At the same time, they doubled the cost and halved the duration of the passport to five years. There was no period for public comment, it was presented as a fait accompli, as they were concerned that there would be a rush on the non-rfid, cheaper, long duration passports. Well, duh.
The NZ passport data is not encrypted in any way, although they claim the passports have some "physical shielding" to minimise eavesdropping. Except that, of course, the passport will be opened to be read; so the shielding is useless to prevent eavesdropping.
They claim that the RFID part is to be compliant with the ICAO guidelines, but the guidelines only require biometric data, not contactless chips.
Yeah, this stuff is just great. I'm sure that nobody would ever misuse legitimate access to this data, or gain illegitimate access to it either. Yeah, real sure.
Information on the actual ICAO guidelines is available here - http://www.icao.int/mrtd/download/technical.cfm
-
Questions...
1) How much does the US e-Passport draw from the framework drawn up for machine readable travel documents from the ICAO?
The ICAO machine readable documents use a PKI-based challenge/response mechanism to coax the data out. It would not be impossible to get all the pieces required, but it would be quite a good trick.
2) Can anyone who really understands radio propagation explain the factors involved in activating a passive RFID chip from a distance? I understand the distance-squared rule. What I do not understand is what the ramifications are for field strength at the transmitter. You would seem to have to have a lot of power at the transmitter, and you'd have to keep it somewhat portable. Good luck with that.
-
Re:German passport
Under US pressure and the general terrorism FUD the German government decided to introduce new passport
Though the US is certainly playing a role in pushing this effort forward, it's actually not a US initiative, and Germany is a full participant in the standardization effort. The countries which are members of the ICAO Machine-Readable Travel Document Technical Advisory Group (TAG/MRTD) are:
- Australia
- Canada
- Czech Republic
- France
- Germany
- India
- Japan
- New Zealand
- Netherlands
- Russian Federation
- Sweden
- United Kingdom
- United States
If it weren't for the US push, this process would probably be moving more slowly, but it would still happen.
-
Re:my understanding...
I understand that the system here is a bit different than regular RFID. One is that this system actually does have information in it, not just an ID.
Exactly, except that rather than saying "this is different from a regular RFID", the correct thing to say is "this is a contactless smart card, not an RFID".
And they do carry data, quite a bit of it. The ICAO standard body which defined the passport standard being implemented created a test data set which is used for evaluating the correctness of card and reader implementations. The "silver" set, which I've used in evaluating passport implementations, contains over 20KB of data, and it's likely that future real-world implementations may hold even more information.
Barcodes, even 2D barcodes, can't hold anywhere near that much data without being impractically large or so dense that they're very vulnerable to damage. Barcodes are also write-once, whereas these chips (can be) read/write.
-
Real information, not "educated" guesses
Ok, this is /. but I only now notice how damn uninformed the discussions are.
This is rumor control with the facts:
The ICAO ePassport specification simply describes a card based on ISO 14443-B. The ePassport data is stored in specific DF/EFs, which is the smartcard equivalent of directories and files. The passport data stored in these files is roughly the same data as printed in the passport, only the image is at a higher resolution (JPEG). All this data is digitally signed so that changing of the data can be detected. The signing keys for this are outside of the ePassport, say in some secure government facility. The verification keys are exchanged just like the knowledge about detecting fraudulent paper passports is exchanged.
Now, in its minimal configuration, access to the data via ISO 14443-B is not protected in any way. This is the configuration that the US government chose earlier, I do not know whether due to the public pressure this changed. Effectively this means that anyone that gets physically (0.5m approx) near a passport can actively read it out with a standard reader and good experts can eavesdrop on the communication from 10+ meters (contrary to popular belief, this is not limited to 0.5m).
Most of Europe, Japan and other countries that consider this to be an unacceptable privacy risk, have chosen to implement the ICAO option called "Basic Access Control". It requires a reader to authenticate to the card before it is allowed to read the data. This authentication requires the reader to hash parts of the data physically printed on the passport and use that as the authentication key. With this authentication key, a session key is agreed on and this protects the further communication over the air.
Because the data leading to the key potentially has to be entered manually (when OCR fails) and it contains many low entropy parts (name, date of birth etc), the key actually has a limited keyspace, that depending on specific implementations of the passport numbering (one of the input parameters of the hash) is brute-forceable for non-governments or not. That said, BAC is a reasonable protection mechanism that certainly makes attacking these cards much, much more expensive than just using an off the shelf card reader and a PDA.
More information on the protocols is available at ICAO:
http://www.icao.int/mrtd/Home/Index.cfm
-
Re:Don't like it.
Machine-readable passports are an ICAO standard, not a US government demand. Also, you can enter the US if your passport lacks an MRZ, but you need a visa in advance. Having a passport with an MRZ and being a national of an eligible country makes you eligible for the United States' visa waiver program.
-
Re:"dazzler" laser
http://www.icao.int/icao/en/leb/Genev.htm
Iraq signed, Afghanistan didn't. Moreover, the jihadists from various countries pouring in to fight the 'infidels' sure as hell don't fight for any recognized army or country, and aren't covered by any treaty whatsoever. Such types comprise most of the people with extended involuntary stays in Cuba. They're just there to kill people. However, please post the links you have of stories of Iraq Army soldiers being 'tortured'.
Then you should also note that it is merely a response to same.
So you admit then that an uncivilized response can be warranted to an uncivilized opponent. That's a start. Barbarians can only be taught by necessity, not by reason, logic, or emotional appeal.
Your (continued) vitriolic response is consistent with that notion.
Also, the tales of 'torture' I hear out of Gitmo sound like the lamest torture ever invented. Made to sit uncomfortably. Blindfolded and forced to listen to static. Scared by dogs. Moved between hot and cold rooms. Cry me a river, I've put myself through far worse than any of that intentionally.
What impact does that have on keeping people incommunicado in chains for years on no evidence I am not quite sure
If they are proper prisoners of war as you suggest, then they should be held until the end of hostilities. No trial, evidence, or communication needed. They're simply being kept off the battlefield.
As for the Reuters journalist, there's been more than once when the press has been tipped off about an impending terrorist photo-op and dutifully showed up to film people getting murdered, instead of warning anyone. Reuters folks have participated in such activities.
Reuters can whine and stamp all it wants about demanding release, but I'm more inclined to believe our military has a good reason to hold onto them, than terrorist-sympathizing Reuters' claim that he's completely innocent. The press are not full of mystical impartial beings who are always innocent. They're just as capable of being filled with assholes with agendas as any other organization.
-
Re:Here's a link to the standard
Here are some very interesting additional Annexes. Page "16 of 16" of "Logical Data Structure (LDS) version 1.7" gives a good one-page overview of the data on the RFID chip.
-
Here's a link to the standard
Document 9303 at the ICAO. Note that it's the International Civil Aviation Organization that defined the standard and is pushing it. Note that they intentionally do not encrypt the data so that it's simpler and easier for third world governments to read.
-
Re:Why put ANY data on passports?
The reason is quicker transfer of more data (high resolution pictures of your face, biometric information like fingerprints) than can be achieved with the paper version.
It should be noted that it is only the US that does not deploy "basic access control", which effectively locks out RFID readers unless they can optically read the passport (e.g. it is on the scanner).
Europe and Japan are implementing this privacy protection. The irony is that especially for US citizens the threat of identity theft is (still?) much higher than for European and Japanese citizens...
Technically: the access to the data requires successful authentication against a hash of the four lines of data on your passport ("MRZ") and setup of an encrypted tunnel ("secure messaging" in smartcard terminology) before allowing access to the data. Effective strength is about 30-40 bits.
See http://www.icao.int/mrtd/ for more technical information (assumes working knowledge of smartcard protocols and tolerance of government talk).
-
ICAO specifications for the biometric passports
Including (optional) anti-skimming measures and PKI.
Here
Now go and read into it.