Slashdot Mirror


Schneier on National ID Cards, Key Escrow Locks, E-voting

Schneier's Cryptogram newsletter this month touches on a lot of subjects near and dear to our hearts: national ID cards, TSA-approved luggage locks, a cost-benefit analysis of stealing an election via hacking evoting machines, a nifty credit with audible security, etc.

17 of 400 comments (clear)

  1. Hard to verify out-of-state ID cards... by LostCluster · · Score: 5, Insightful

    We already have multipurpose-use government-issued ID cards in our wallets in the form of drivers licenses or non-driver photo ID cards issued by our states.

    The biggest problem with all of these is that there are 51 different issing bodies, one in every state plus one for Washington, D.C. Within each state, there are at least two formats to make non-drivers distinct from drivers, most states also have special "funny formats" for those under 21 so that they're more easily rejected when they try to purchase alcohol.

    But, with more than a hundred formats for the best ID system we have, it's impossible for anybody to be an expert on what security measures to look for and be able to notice when they're absent.

    No, this isn't an issue that'd protect us from suicide bombers or airplane hijackers... but being able to properly identify people is essential to financial transactions, and telling illegal immigrants that they don't belong here. It's not exactly a constitutional right to be able present a false ID as your own. The various issuers of drivers licenses should at least be able to agree on a common standard so those cards all look alike from jurisdiction to jurisdiction.

    1. Re:Hard to verify out-of-state ID cards... by crackshoe · · Score: 5, Insightful

      The problem with that is that you'd be infringing on what is traditionally state territory, which rarely ends well. On the other hand, the federal government got unwilling states to roll over on drinking age, so it could be possible. It is possible to get a federal ID -- its called a passport, and they're a bit more stringent on who they give them out to (although i'd in no way gurantee that there aren't hundreds or even more fake US passports about). We are still working on figuring out if you can refuse to show a cop your ID, though.

      --
      Don't worry - its just stigmata. Pass me a napkin and don't you dare tell my mother.
    2. Re:Hard to verify out-of-state ID cards... by cuiousyellow · · Score: 5, Informative
      Schneier said it better than I could so I'll just quote the article you failed to read...
      The first problem is the card itself. No matter how unforgeable we make it, it will be forged. And even worse, people will get legitimate cards in fraudulent names.

      Two of the 9/11 terrorists had valid Virginia driver's licenses in fake names. And even if we could guarantee that everyone who issued national ID cards couldn't be bribed, initial cardholder identity would be determined by other identity documents... all of which would be easier to forge.
    3. Re:Hard to verify out-of-state ID cards... by DonGar · · Score: 5, Interesting

      I was recently told that it's illegal for an adult to walk round in public without some form of government id such as a driver's license. I was in California at the time.

      I have no idea if this is true, or (if true) which level of government is imposing this rule.

      I'm not sure which is more disturbing to me. That I can't tell if it's true (and don't know how to find out), or that the US citizens I was speaking with considered it acceptable for citizens to be required to carry their 'papers' at all times.

      --
      plus-good, double-plus-good
    4. Re:Hard to verify out-of-state ID cards... by pantycrickets · · Score: 5, Insightful

      Don't most driver's license cards have barcodes on the back that liquor stores, etc. can scan?

      Yes, and like everything else, there are tools on the net to generate fake ones. :)

    5. Re:Hard to verify out-of-state ID cards... by kfg · · Score: 5, Interesting

      Yes, and /. covered the story. It is legal, by California law, for a policeman to demand ID. This is not the same thing as requiring you to have one on your person.

      If you do not have one on your person the police officer, again by California law, is legally empowered to take you into custody to determine your ID.

      So carrying ID may save you a night in the pokey, but it isn't required.

      The idea that you can even be required to produce ID, or be taken into custody for refusing to present it, is the issue currently on the docket of the Federal Supreme Court. The very fact alone that have decided to hear the case is evidence that the consider the issue has real Constitutional merit, at least to the extent that it requires federal review (the Supreme Court is only required to hear those strictly federal cases delineated in the Constitution itself. They can, and do, simply refuse cases that they don't consider worth their time).

      As a general rule (there are, of course, certain exceptions, but they are exceptions) one does not have to provide a police officer with anything other than nonresistence to arrest.

      When a bartender asks for ID he is doing so because the law requires him to certify legal age. He is not required to check your ID, he is only required to check your ID if you order a drink, and you are free not to order one. (It is a myth that those who are under the legal drinking age cannot legally go into a bar. Think about all the restaraunts and diners that serve alchohol. No problemo. Some bars refuse entry to those underage because it makes life simpler for them, and because many local law enforcement agencies don't understand this point themselves. Some bars I know only card on the weekend and the rest of week only card when a drink is actually ordered. There's no accounting for the behavior of people).

      In the past anything that could serve as a legal document showing age was accpetable. On my eighteenth birthday I bought a bottle of wine with my birth certificate ( I poured the wine down the drain. I wanted the bottle to put a ship in. It was crappy Mogan David anyway. Just the right bottle though). I have also used my passport.

      The sticky wicket is the lack of a photo on the birth certificate (not that it would do any good if one were included), thus the ease with which one person's ID can be used by another.

      We're getting really frickin' paranoid about all this ID shit, and according to my bank my federally issued passport no longer, in their interpretation of the law, qualifies for photo ID according to the PATRIOT Act.

      And, in theory at least, your passport is certified and issued to you by the frickin' Secertary of State.

      In future I suppose I'll also need, along with my driver's license (technically this cannot be required for any purpose other than operation of a motor vehicle. Well, that idea seems to have gone by the boards. In my state you cannot get a nondriver's ID is you already have a driver's license. You may keep an expired driver's license (with a hole punched in) as a "nondriver's ID" if you wish. Yeah. Right.), a federal ID card, a note from my mayor, the President himself; and my mommy.

      KFG

    6. Re:Hard to verify out-of-state ID cards... by kfg · · Score: 5, Interesting

      Well, in the California case in question the law does actually require that the police officer have some just cause for suspecting you of a crime, and in this case he had an actual complaint and witness and made the request in investigation of that complaint. Mind you that's a pretty big hole you can drive through, and anybody can make any complaint against anybody else. That's one of the reasons we have judges, juries, and a presumption of innocence until found (not actually proven mind you, found. This is a bit of tricky legal philosophy.IANAL. I am accused of being a philosopher. By lawyers.) guilty.

      Again in the case in question the person was formally arrested and convicted of commiting a crime (that's why it can be appealed to the Federal Supreme Court), not the one at issue in the complaint, but rather the crime of obstructing justice for not showing his ID, a rather blatent misapplication of law in order to be able to charge him with something if I've ever seen one, and I rather suspect the Supremes will jump on this issue to overturn the conviction, rather than deal directly with the Constitutional issue of requiring ID (they like to do that sort of thing. They will, as a rule, always look for the lowest level they can overturn a ruling with, even in those cases where they know it is overturnable on Constitutional grounds).

      Note also that in some states it is legal to detain people for up to 48 hours just because (or at least it was the last time I looked. Things change session by session. Even lawyers have to recheck every law for every case, just in case), perhaps "for your own protection." ( Take heart though in knowing that in such cases you will be treated just as fairly as any other person taken into custody, in other words, just like a bank robber. "Alright, bend over and spread your butt cheeks.").

      The cynical might have a hard time differentiating this practice from governmental endorsed kidnapping. I've been accused of being a cynic.

      There is a fine point of legal philosophy here as to just what being taken into custody means, and what it does not necessarily mean is that you have been accused of some crime.

      It's also perfectly legal to throw you in the slammer for merely violating some code or other, which is not technically a crime at all. Say, a parking ticket you picked up while visiting Podunk.

      And, of course, being accused of a crime has no direct bearing on whether you have actually commited one, or might be found guilty of same (as per above these are not necessarily the same thing. See also the O.J. case, which rather reverses the issue. Just because you have been found not guilty doesn't mean you didn't do it, and provision that you should be treated as innocent until found guilty only applies to the law, and not private opinion. "Guilty" is a legal state, not one of fact).

      KFG

    7. Re:Hard to verify out-of-state ID cards... by Alter+Relationship · · Score: 5, Insightful
      Actually, this is not funny - it's the truth. It spells out "bad guys will always use fakes and avoid the system, while simple Joe's will be screwed up and abused - identity theft, data mining, you name it".
      If you outlaw privacy, only the non-law-abiding people will have it. </obvious>
  2. Is it really necessary? by icypyr0 · · Score: 5, Interesting

    I don't thing that it is really necessary to have standardized national ID cards.. the money required to implement such a massive project would be substantial.. and the gain is not clear. Why would having national ID cards help TSA identify people any better than state ID cards such as drivers licenses, and government issued IDs such as military identification cards?

  3. Yes, and the devices collect the data by SuperBanana · · Score: 5, Interesting
    Don't most driver's license cards have barcodes on the back that liquor stores, etc. can scan?

    Yup, and there are a number of companies that are happy to provide them to bartenders for nearly free. Look closely and you'll find most have a modem port and a label with instructions on how to let it "phone home".

    That kind of use needs to be made illegal reaaaal fast. I'm required by law to present my ID, but it'll get scanned and some company gets a number of pieces of personal information.

  4. Re:Windows Source not really closed? by theM_xl · · Score: 5, Insightful

    Not necessarily... We only see zero-day hacks that are detectable. Going through the trouble of getting the Windows source code suggests you're after something else than just the average virus worm... Remember those are in it for the short haul. Do a lot of damage before the virus scanners catch up with you. The black-hats gaining access to the source would likely not be in it for the short haul, but looking for longer-term profit. An exploit would be worth a lot more if it wasn't discovered criminals were using it, and could be used on choice, hand-picked targets only. True, compromising a few hundred or thousand computers isn't anywhere near as spectacular as Code Red. But the criminals aren't in it for spectacle, they're in it for money or power.

  5. It is necessarry... by ddavis539 · · Score: 5, Interesting

    Because several states now allow illegal immigrants to obtain drivers licenses using two very insecure forms of Identification: A consular identification card issued by foreign consulate offices, or the ITIN Number supplied by the IRS to people who can't qualify for a social security number.

    The consular card is recognized by the FBI as an insecure document. The only reason they are needed is because the recipient entered the U.S. illegaly and does not possess a valid visa, passport or other identification provided through legal channels. There have been cases where people have been arrested carrying multiple copies of this ID, with the same picture and differing names.

    The ITIN number can be obtained by calling a 1-800 number and providing a name and address. The IRS does nothing to verify the information given and has stated multiple times that this tax number should ONLY be used for paying taxes. This is not meant to be an Identification number, especially for obtaining a drivers licenses. They sent out a letter this past December to all governors and heads of the driver license division in each state to ask them to stop this practice. Despite this request, states like Utah refused to modify their laws to fix this security problem. This combined with the "motor voter" laws can lead to other problems such as voter fraud.

    Because the drivers license is used for many other purposes other than proof that an individual knows the basic driving rules, we either need to go back to only issuing it for people with verified documentation, or creating a national ID that is only given out to citizens. The national ID would be used instead of a drivers license for employment, boarding planes, voting, etc....

  6. Redundant, possibly unconstitutional, and insecure by Fortran+IV · · Score: 5, Interesting

    It seems to me that a national ID would be an additional form, not a replacement for a state ID. Don't qualifications for a driver's license differ between states (in such things as vision testing, vehicle classifications, and so on)? In fact, it seems likely that a state ID would be one of the accepted identifiers when you apply for your NID.

    Schneier's article hints that he expects such an ID system to be mandatory if implemented. That brings to mind the interesting case of Dudley Hiibel, currently before the U.S. Supreme Court. Is one obligated to identify oneself at all, if one chooses not to?

    The database for such a system would necessarily provide online access to state and local law enforcement, rendering it a prime target for hackers and other criminals. And can we really be certain that the Sheriff's Office or the Department of Finance of Bugtussel County can't be bribed for direct access?

    A side note: The little item about license plate shields questions whether these would be legal. The last I knew, even most of the little plastic frames that carry a car dealer's name are illegal in my state, although there are millions of them - they obscure a small part of the lettering on the plate.

    --
    I figure by 2030 or so my 6-digit UID will be something to brag about.
  7. Hong Kong = "National" ID Card by Dr.Hair · · Score: 5, Informative
    Hong Kong actually has a "national" ID card. Since so few people here drive, you can't use a driver's license as a form of identification. The new smart ID cards have a chip in them that stores the digitised thumbprint and signature among other information. They also function as a national library card and you can apply for a free e-cert (PKI) administered by Hong Kong Post

    Yes, the police are allowed to randomly ask you for your ID card. Most of the checks seem to be for immigration violations by mainlanders. On the other hand the HK government is putting in place fast immigration checkpoints, where you run your ID card through a scanner and provide your thumbprint and you're on your way without ever being questioned by immigration officials.

  8. So why not give everyone a green card? by TygerFish · · Score: 5, Interesting

    This has been one of the more interesting threads I've seen in a while. I mean, this is something I actually know about: I do security in a bar.

    I've seen cards from pretty much every state in the Union as well as quite a number of ones from many European nations. Recognizing what is and what is not a valid I.D. card is a hard task that I've found a lot of people who do what I do simply don't know enough to deal with.

    The great number of state I.D.s, their variations in the quality of their anti-counterfeiting features. The scanner, the color copier, the laminating machine and the simple willingness of people to lie to your face make it hard to be sure that what you're looking at is real.

    The current series of California Driver's license/I.D. card is, IMHO the most secure driver's license in the U.S. in terms of anti-counterfeiting features; the series immediately preceding it is a piece of crap.

    The new current series of New Jersey Licenses that I've seen, maybe, five of in the last two months is *very* secure if the person looking at it has an ultraviolet light on him and is actually aware that there is a new series to look at while the preceding series is the most easily and most convincingly counterfeited I.D. I've ever seen, and I see it over, and over and over.

    A national I.D. card would certainly eliminate the problem of having to have real expertise to spot fakes and anyone who says otherwise is engaging in wishful thinking.

    The most current version of the the United State's green card has anticounterfeiting features that I don't even know the names of, but I know their absence would be easy to spot.

    Couple this with mag-strip technology to store information and you could standardize one or more pieces of equipment that any bar or other place that had to determine age or identity would have present that would instantly and permanently remove the guesswork. Put biometric data on the card and give me a thumbprint scanner and underage drinking is pretty much over until counterfeiting technology gets better.

    That's how good the current green card, or some variant of it would be as a national I.D card. It would make my job ridiculously easy.

    Now here's why I hate it.

    First off, the article makes one really interesting point: for a really determined person, someone who wanted to hijack planes or steal a million or what have you, no card will be completely secure everywhere up the line to the point where you get one.

    Someone with enough cash, or enough juice with the right people, or willing to put in enough work will be able to get either a valid I.D. in a false name, a borrowed/stolen card or a relatively convincing forgery if it is important enough to them.

    Viewed this way, a national I.D. card can be said not to provide greater national security but greater control for people with access to the information that a national I.D. card would provide. In terms of anything important, really important--a real, immediate threat like the 9/11 attack--a national I.D. card would be useless.

    In terms of centralized information processing, a national I.D. card would be an enormous Christmas present to big brother, providing governments with a key to interweaving databases, giving anyone in authority all the power they need to pressure anyone who isn't into being a more perfect citizen.

    Under the current system, a kid with a really, really good fake I.D. can get past me and that's fine. It's a game. I win most rounds. I'm sure the kids win a few and that's the way things should be.

    Getting stopped by the cops for taking a desperation leak on a wall at five A.M. and having them know everything about you from whether or not you did your last round of jury-duty to your cholesterol is not something I'm looking forward to.

    --
    To mail me, remove the 'mailno' from my email addy.
    "Yeah. It smells, too..."
  9. conditioning by zogger · · Score: 5, Interesting

    You got it, it's called conditioning or brainwashing. they do it to the cops and military until they are conditioned them selves, then they pass it on to "civvies".

    The special forces are all getting chipped soon, then the nations police forces, so when it comes your turn, they will say "WE got chipped, it's legal and you must do it!!" Might take a few years, but it's coming.

    Right up above, in another post the oft repeated by thoroughly wrong "driving is a privelege and not a right". That's BS, but the entire nation got conditioned into it, now it's accepted that you DON'T have a freedom to travel without their permit or "permission". Ridiculous? Nope, just the one step at a time deal. Would you apply for your "speech" permit? Ridiculous? Most states you need a "permit" for your second amendment "right". Well, if you need the state's permission, it sure ceased to be a "right", yet it's "the law" almost everywhere in some form or another, only one state, vermont, has followed the "born-with right" concept there. What's the difference? The numbering in the constitution? 1-2-3-4, the order in which they strip them doesn't matter as much as they HAVE been doing it and once gone, it stays gone. The goons will just take the easier ones first, that's all. That's what they have been doing. A "permit" to travel, to drive your property on a public road, a road you partially own by being the "public" and pay for via fuel taxes anyway, yet you need a "permit" for your "born-with right to travel" and everyone eats it up, because that right got stripped gradually and turned into needing "their permission".

    One at a time freedoms get stripped, people excuse it, they get wishy washy on it, society wimps out, eventually like in all other despotic regimes down through history, you wake up one day and you have no more rights, you are their chattel, and you wonder why it happened, how it snuck up on you. "You" being a generic of course. It's because people just REFUSE to follow through with a normal extrapolation of causalities, events, and provocations. They will not put 2+2 together, they fall into the now cliched "cognizant dissonance" state. It's not that they can't see it, they don't WANT to see it, they pull a turbo ostrich head in the sand, if it's pointed out to them they will vehemently deny the obvious, all the way into absurdity.

    Just since I've been a kid we've have lost a TON of rights, now we even put up with "random checkpoints" stuff I was taught in school was only done in places like soviet union or east germany. It was something to revile against,. to thank ourselves and congratulate ourselves we didn't live under such a regime and culture of brutality and exploitation. but now we put up with it, every excuse in the book, but the fact remains, it's now "the LAW" and the US public meekly submits. We wimp out.. Now it's "normal" and the dudes in blue (or black) willingly just "follow ze orders" and "swear an oath to the constitution", yet hardly any of them know it, understand it, or see how they are being used to force the people into obedience to the state.

    And this "the people"? More concerned with entertainments mostly, and way too scared to do much about it, they will even put up with obvious vote hijacking and fraud, and with having a controlled parroting media mostly. They put up with hijacked money, stolen labor, rigged elections, wars created by a single tin pot dictator, "executive orders" and never ending and overlapping "national state of emergency" decrees, confiscation of property on a whim, the denial of even a right to property in a lot of cases, obvious and overt bribery being how the nations political business is done, and on and on and on.

    It all happened one step at a time, though, not all at once, never enough to get the people alarmed and disgusted enough to "just say no" back at them.

    It's sorta sad, but really, you can sort of understand it when you see they will make an example of anyone who dares actually say "no" to illegalities being

  10. Social engineering and ID cards by menscher · · Score: 5, Interesting
    One concern I've had with the current state of ID cards is that nobody seems to know what's acceptable. For example, is my school ID acceptable? No? It's a state school... does that make it count?

    As an experiment, whenever I fly I try to use a non-standard ID card. It was issued by the federal government (not a state government), so technically it should be legal. It is accepted about 80% of the time. The disturbing part, though, is that I can guarantee that they're accepting it in order to cover their own shame at not recognizing it. In fact, usually the conversation is something like:

    ID, please? [I show my ID] No, we need a government-issued ID card.
    That *is* a government-issued ID card.
    Really?
    Yes.
    Oh, okay. Go ahead.