Slashdot Mirror


Fighting Terrorists Through Software, Anonymously?

Silwenae writes "MSNBC has a story online from this week's Newsweek about Jeff Jonas, founder of System Research and Development. SRD's software attempts to verify a person is who he says he is, and then tries to determine who that person may be connected with. Originally used in casinos, the CIA has invested in SRD for use in the war against terrorism. Apparently, Jonas has developed a system that can anonymize the data being analyzed through hashing, so the government can share this information with the private sector to look for hits, without the private sector seeing the specific data."

8 of 257 comments (clear)

  1. NO WAY! by paramecio · · Score: 5, Interesting
    Apparently, Jonas has developed a system that can anonymize the data being analyzed through hashing, so the government can share this information with the private sector to look for hits, without the private sector seeing the specific data.
    I think we are reaching a point where it would become safer for us all to have the private sector playing freely with our data and sharing the anonymized hashes with the government!
  2. Uh-huh.. by Ketnar · · Score: 5, Interesting

    Still don't like it.

    Just because they are searching for hash matches instead of plaintext doesn't mean profiling en-mass is right. It just means nosey companys who are being 'asked' won't know WHAT they are being 'asked' about.

    Gee, bob the builder knowns mahek alzis. Mahek is a suspected link betwene so and so, and then he works for this manager, and then these people. Hmm, we better start asking alot of questions..see who else matches our '(personal network) search criteria'

    What, you think i'm kidding? :)

    (And yes, some of you are going to explode that this sort of search-and-peck is not profiling, when it really is. Look it up. Searching through personal *profiles* and *information* to find any people who match enough of the criteria = profiling.)

    This sort of thing is bull, It really is. Instead of doing real investigative work, they can just whip up a list of 'possible hits',snatch them all up, and then queston and otherwise probably scare the shit out of all of them - hoping their deeper searches find a hit in the crowd.

    Welcome to the nightmare, please don't choke on the red pill while the door is hitting you in the ass. :)

    [/tinfoil-hat]

    --
    My new top secret key -> C>N|KB
  3. Does not work by Anonymous Coward · · Score: 5, Interesting

    There is really nothing new to this technology. It does not do what it claims. Hashing has been around for while, and so have techniques to defeat the attempted security of this type of system. Interestingly, I have seen around five stories from various forums reporting on SRD in the past week or so. It seems like some marketing department is working pretty hard.

  4. Hashing & Privacy by PingKing · · Score: 5, Interesting

    I thought the whole point of hash encryption was that it's not able to ever be unencrypted, even by the legitimate users?

    In order to check if there is a matching telephone number, you would first have to run the encryption algorithm on the number and then match this against every encrypted number you have in your data store. So if the two encrypted strings are equal, you have a match. But there is no way to know what the encrypted number is unless you have something to test for in the first place.

    But I'm not sure how much use that is. Wouldn't you then need to be able to see who's number that is, i.e. decrypt the person's personal data?

    Also, it would be interesting to see what the reaction to this software would be in the EU what with its Data Protection directive. Storing personal details about someone is prohibited except for certain circumstances... long term storage of someone's personal data for distribution to companies is not one of them. Whether the encryption of the data would make this acceptable or not would make for an interesting argument.

    --

    Patriotism - the last resort of scoundrels.
  5. Brute-forcing hashes and Spelling by billstewart · · Score: 5, Interesting
    It's possible to do things with salt or cryptography that at least mean that each recipient of the list of hashes gets a different list, and that hashes take a little while to calculate, though Moore's Law makes that a short-term advantage only (like Unix password hashes.) But sure, you can run the names of a Million Usual Suspects through any standard hashing program pretty fast, and one name through extremely fast. If it takes a second per hash, then running those million names through it is two weeks of background load, and if the hash isn't artificially slowed down, it's more like 20 minutes for your Million Usual Suspects and under a week for All Living Americans.

    And then there's the problem of extra data hidden in the hashes - some of the signature algorithms, for instance, can carry a bunch of hidden "subliminal" bits, like the one that says you're a Jew or black or Dues-Paying Republican or a Federal Agent or a Known Troublemaker.

    Spelling is a real problem. I have enough trouble because my ancestors or their relatives were either illiterate or at least using names like "Stewart" "Stuart" "Steward" and "Steuart" before English spelling became relatively standardized. But Americans munging the names of people who use other alphabets, like Arabs, or who don't use alphabets at all, like Chinese, can't just use simple hashes, because any misspelling can either let somebody whose name is the same as a Real Suspect not get flagged, or let some non-suspect whose name is close to a Real Suspect get flagged, and any terrorist smarter than the Shoe-Bomber knows to use an alternative spelling of his name or get some fake ID. You probably know Chinese people who use different names in English and Chinese, either as immigrants or kids of immigrants; I knew a Hakka Chinese family from Vietnam who also had Vietnamese names, and in at least one of their languages, they had an alternate set of names for use within the family (approximately "Number One Son" etc.) And then there's the problem of exactly which name parts to use if you've got more than three, and nicknames, etc.

    And then there's the problem of people whose names are the same as Real Suspects' names, and people who ever had their wallet stolen. Just spend a day in traffic court listening to DMV-screwed-up-and-I-got-arrested-by-mistake cases some time if you weren't already worried, or read any news article about identity theft.

    --

    Bill Stewart
    New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
  6. We have zero problems by irikar · · Score: 5, Interesting
    ...a scheme that races through oodles of data to figure out if people are connected with unsavory characters. And it does all this in mere seconds. The casinos were delighted. "The record speaks for itself," says Mirage spokesman Alan Feldman. "We have zero problems.

    Zero problems, but how many innocent people wrongly flagged as being unsavory?

    How does this SRD system measure the accuracy of its conclusions?

  7. Re:Stealth Snooping by R.Caley · · Score: 5, Interesting
    Also, see the Schnier's discussion in Beyond Fear of the effects of the massive number of false positives such systems must throw up (because actual terrorists are so very rare in the population).

    BTW, definitely a book everyone should read, worth it just for the anecdote of the guy who has been flying around the US using a photo ID which says he is the martian ambassador, and only had a problem when they started checking for an expiration date. Wouldn't want the Ex-martian ambassador on your plane!

    --
    _O_
    .|<
    The named which can be named is not the true named
  8. Re:Stealth Snooping by jtwJGuevara · · Score: 5, Interesting
    So we've recreated the 2nd Red Scare, and this system, or one like it, is the one that is going to find and convict our next Sacco and Vinzetti(sp?).

    Basically, we have another instance of the current government administration taking advantage of the fact that our "freedoms are threatened" by terrorism to implement some sort of control and monitoring device on the entire population. I'm almost immune to the talk of it by now though, as we've had countless instances of things like this being proposed.