Schneier on National ID Cards, Key Escrow Locks, E-voting
Schneier's Cryptogram newsletter this month touches on a lot of subjects near and dear to our hearts: national ID cards, TSA-approved luggage locks, a cost-benefit analysis of stealing an election via hacking evoting machines, a nifty credit with audible security, etc.
We already have multipurpose-use government-issued ID cards in our wallets in the form of drivers licenses or non-driver photo ID cards issued by our states.
The biggest problem with all of these is that there are 51 different issuing bodies, one in every state plus one for Washington, D.C. Within each state, there are at least two formats to make non-drivers distinct from drivers; most states also have special "funny formats" for those under 21 so that they're more easily rejected when they try to purchase alcohol.
But, with more than a hundred formats for the best ID system we have, it's impossible for anybody to be an expert on what security measures to look for and be able to notice when they're absent.
No, this isn't an issue that'd protect us from suicide bombers or airplane hijackers... but being able to properly identify people is essential to financial transactions, and telling illegal immigrants that they don't belong here. It's not exactly a constitutional right to be able to present a false ID as your own. The various issuers of drivers licenses should at least be able to agree on a common standard so those cards all look alike from jurisdiction to jurisdiction.
It just goes to show that there are a lot of nice sounding reasons for us to give up some freedom and have it nickeled and dimed to death, but there is one main reason to keep freedom and that is freedom. Unlike these other things, liberty is an end in itself - it derives from the fact that people are creatures of choice and not like the animals. There is no such thing as too much liberty ... it would be like saying that science is too rational.
So here's a shocker. The federal government sets or negotiates a common anti-counterfeit system to use on driver's licenses. Like a 2-D barcode with cryptographically signed info and a special hologram.
Ever notice how we're getting closer and closer to East Germany? I mean hell, the local cops already sit at the town border running license plates (yay in-car cruiser terminals!) and checking for DWB.
Please help metamoderate.
I just wish that these ID systems were more secure. Instead of using easily stolen and duplicated plaintext identifiers (like an SSN and mother's maiden name), I'd like to see a secure encoded number that is unique to each application. This unique number (different each time it is asked for) would be resolvable to a single identity inside secure back-office applications or through access to a central secure server.
A smart ID card would hand-out unique numbers and log who got which ID. That way any theft of identity is traceable to the source. The card owner could then use the card to trace who was using their data.
I'm sure there are a million potential vulnerabilities with the idea, but the current approach seems much more insecure than this proposal.
Two wrongs don't make a right, but three lefts do.
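The per-request identifier scheme proposed in the comment above, sketched as an added example that is not part of the original post. The class names, the HMAC construction, the single-use rule and the binding of each token to the requester's name are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

class Card:
    """Hypothetical smart ID card holding a secret shared with the back office."""
    def __init__(self, key):
        self._key = key
        self.log = {}  # token -> requester it was handed to (the owner's audit trail)

    def issue(self, requester):
        nonce = secrets.token_bytes(16)  # fresh per request, so no two tokens match
        tag = hmac.new(self._key, nonce + requester.encode(), hashlib.sha256).digest()
        token = (nonce + tag).hex()
        self.log[token] = requester
        return token

class BackOffice:
    """Hypothetical central server that can map a token back to one identity."""
    def __init__(self):
        self._cards = {}    # card key -> identity
        self._spent = set() # tokens already resolved once

    def enroll(self, identity):
        key = secrets.token_bytes(32)
        self._cards[key] = identity
        return Card(key)

    def resolve(self, token, requester):
        """Return the identity, or None if the token is malformed, forged,
        replayed, or presented by someone other than the party it was issued to."""
        try:
            raw = bytes.fromhex(token)
        except ValueError:
            return None
        nonce, tag = raw[:16], raw[16:]
        if token in self._spent:
            return None
        for key, identity in self._cards.items():  # linear scan, acceptable for a sketch
            want = hmac.new(key, nonce + requester.encode(), hashlib.sha256).digest()
            if hmac.compare_digest(want, tag):
                self._spent.add(token)
                return identity
        return None
```

A token that leaks is useless to anyone but the named requester, and `card.log` tells the owner which requester it was issued to.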
Well the police already have the right to bust down my door if they have a warrant, but I won't be giving them a key any time soon. They already have *legal* channels to go about getting into the luggage. This is just stupid. Breaking the lock on every suitcase they come across? What's the advantage? Between xrays and chemical detectors and geiger counters, why do they even need to be able to go through the luggage? And why is this being done after it's checked if it's so important? Why not when it's checked in, so at least the owner can open the lock with the key instead of having it destroyed, or at least know that their lock is being broken.
do not read this line twice.
Not necessarily... We only see zero-day hacks that are detectable. Going through the trouble of getting the Windows source code suggests you're after something else than just the average virus worm... Remember those are in it for the short haul. Do a lot of damage before the virus scanners catch up with you. The black-hats gaining access to the source would likely not be in it for the short haul, but looking for longer-term profit. An exploit would be worth a lot more if it wasn't discovered criminals were using it, and could be used on choice, hand-picked targets only. True, compromising a few hundred or thousand computers isn't anywhere near as spectacular as Code Red. But the criminals aren't in it for spectacle, they're in it for money or power.
Option 4: lock your bag with both the TSA lock and an ordinary lock. Then you can detect all forms of intrusion (assuming that your bag is suitably well-built).
DROS - Open-Source Robot Software
Why must everything be on a national scale?
People in different parts of the country have different ideas about the balance between security, freedom, and privacy.
I don't see why there couldn't be "zones" where local people decide just what that balance should be. Maybe it would work best at the city or town level.
The people of LA, SF, and New Orleans, for instance would probably be willing to take more risk than the people of Nashville or Lakeland, FL. Why can't they have different standards?
Now I realize it might be impractical for things like air-travel. A plane can fly coast to coast, so everyone under its path has an interest in the standards used to admit passengers, but there are plenty of other things that can still be a local decision.
If the people of LA don't want ID cards, then let them take the risks associated with not having those cards. If the people of Nashville want cards to feel safer, then let them.
So long as people are allowed to choose what set of rules they want to live under, I don't see a problem.
The pictures showed both a keyed version with a serial number, and a 4 digit roller lock (didn't see a serial, but I imagine there is one)
The locks are as easy to pick, I imagine, as previous luggage locks.
The four digit combination only has 10k combinations. It would take awhile, but it's possible to get all the serial numbers matched up to 4 digit codes. Although they, hopefully, used a longer serial and like a hash function there will be many serial numbers that go to 4 digit codes so you'd have to create a much larger table, or discover the hash/encryption method and key.
-Adam
I think that estimate neglects just how few votes really decided the last election. It'd only take adding 538 additional votes for Gore in any combination of Florida districts to overturn the entire result.
If you're going to bias the election in favor of either of the two major parties, you have no need to attack the states in which your candidate is already going to win. You only need to bias enough close states to top the electoral vote balance, the popular vote doesn't matter.
As much as we say this is a nation of one-person-one-vote, that's never been the way a presidential election is really scored.
Whenever I think of ID cards, the solution that pops to my mind is to have something with flash-like memory with three blocks of data:
1) A section with my pertinent identification data (picture, description, date of birth, name), in plaintext but cryptographically signed by the government. Anyone that wants to verify my identity can read this area, check the signature, and match the data there against the person standing before them.
2) A for-gov't-eyes-only section, signed and encrypted by the government. This could contain information that should only be revealed to other parts of the government, potentially with different sections and keys for different levels of access, for things like your SIN, passport information, etc. Maybe you're a secret agent and want a way to prove you are, but only to other branches of the government...
The 'spooky' part here would be that if random people can't read the data, then the person holding the card can't read it either so he doesn't even know what's in it other than what the government has told him. I don't think it's really that big a deal though since it's not like they couldn't put anything they want to hide from you in their own hidden databases anyway.
3) And finally, a user block, where a person with an appropriate I/O device can put whatever data they feel is important to keep on them. Medical conditions, organ donation status, favourite type of flowers for the funeral, pictures of your cat, whatever!
Heck, standardize the interface, commoditize it, and let people make their own ID cards and read and write the card themselves. If you don't like that creepy gov't-only block, don't write it to the card. As long as that first, signed block is there, it'll serve its primary purpose.
http://alternatives.rzero.com/
"Sir, just for ID verification purposes, I need your Social Security number."
"Sure, it's ###-##-####."
Even a skript-kidd1e ought to be able to see what the problem is here. I think that someone who knows your Social Security number shouldn't have any more on you than someone who knows, say, your phone number.
Wh47 d1d j00 541, 31337 15n't t3h r0xor5 ne m0r3???
You're telling me they don't have security checks at airports in Europe? Even when you're just traveling to a different city in the same country? I call bullshit.
Here is another story at findlaw. Another more in-depth look, citing previous cases and courts' findings. This writer's take is that it IS a "broad sense" case, and he cites his reasons for that opinion. Me, I think a better test case could have been found, but, in modern soviet USA, "best test cases" find YOU!
They probably do submit anything notable that they find back to Microsoft, though.
They probably do no such thing. Every patched bug is a bug the NSA can no longer use against other countries. It is not in their best interest to better secure the Chinese, the North Koreans, the Cubans, or any other nation on earth. That makes intelligence gathering and intentional espionage tougher.
.sig: Now legally binding!
I agree with the rest of your post, but driving really is a privilege, not a right. Not having a drivers' license does not impair the freedom of movement, it only takes one method of movement away. If you don't have a license, you can still take a plane, call a cab, take a bus, ride a bicycle, or worst case, walk.
I'm in favor of difficult drivers' tests with the intent of taking away drivers' licenses from those who clearly cannot safely operate a car. If you can't drive a car without presenting a risk to yourself or others, you don't deserve to operate a motor vehicle, period.
-- Joe
While it is true that a lot of money is raised in elections, not all of that could be invested in a project to steal an election
Yeah, that's one reason why he picked $100M instead of the total of $500M that was raised between the two parties last time around. He never said ALL raised money would be spent on the attack.
Furthermore, the $500M was the amount of money actually reported to the election commission. If a serious attack was planned, the money spent would be off the books to begin with and so not limited by even the $500M figure -- a cadre of the upper class, a billionaire boy's club, might easily toss a cool $1B at such a project if they felt the ROI would justify it.
Look at how immensely profitable George Bush has been for the military-industrial complex. That group of companies could easily afford $1B to put Bush into office -- if they did, they have certainly made back their investment tenfold.
When information is power, privacy is freedom.
Boy, you'd make a great little apparatchik, wouldn't you? Listen to yourself: "Why does the state have to let you"?
There already are other measures for collecting parking tickets, such as requiring them to be paid off before you can renew your tags, or towing a car that's illegally parked.
Tell me, what do you think of using drivers' licenses to control public dissent?
-jcr
The only title of honor that a tyrant can grant is "Enemy of the State."
It has been demonstrated that ID cards are completely ineffective.
ID cards didn't make a blind bit of difference to the terrorists who took out that train last month. They don't make any difference to Al-Qaeda or to ETA for that matter.
ID cards are just a kneejerk reaction by politicians who have to be *seen* to be doing something. ID cards must make us more secure... Right?
Government of the people, by corporate executives, for corporate profits.
Spain also has a national ID card.
You get fingerprinted when they give it to you. Hasn't made any difference at all. To security obviously, with ETA and the recent train bombing, but also to the level of illegal immigration from Morocco.
Government of the people, by corporate executives, for corporate profits.
The reason governments can control who gets to drive and who cannot
This is not the reason why governments can control who drives or not. They can control who drives or not because America is a democracy where the people allow the government to administer the public space for the general good.
The rest of what you said is the reasoning behind the driving licence requirement, which I completely agree with in principle. Driving is a right, which can be removed if you drive in one of a manner of a strictly described set of ways, e.g. repeatedly recklessly.
ATH0 Bitcoin: 1DnwFLXczVZV8kLJbMYoheUrpqHesjxrSi