Slashdot Mirror
Mandatory Banknote Detection Code?
metamatic writes "The European Union is planning to introduce legislation to make it mandatory for software developers to add black-box banknote detection code to their graphics software.How will this apply to open source software? Is it time to get writing to your Euro-MP?"
It's interesting that now the EU wants to push problems with more
and more counterfeiting money appearing on the market to graphics
software makers...
How do they think, that this will improve the situation? Look at
what TODAY's Gimp, Photoshop, and others can do... All I would need
to do is stick with a current version and not upgrade, if I really
wanted to counterfeit money on my own. And if you would integrate
this into the printers, then I'll just print the banknote in two or
three passes (always just print another part of the banknote so
that the printer will never get to see the whole thing in one go).
Why not integrate this into the FUTURE banknotes (they already have RFIDs in there, don't they? All it would need to take would be to issue unique codes to EACH banknote so that they could verify the identity of the banknote there)
next time on CSI: man rendered invisible to the magic zoom-in photo software by wearing suit made of dollar bills
-You're wasting your time. Alfador only likes me.
Link here
got sig?
I'm not an OSS developer, but I would think they would ignore this. What's next? McDonald's pays software companies enough money to include their trademark detection? So you can't scan/recreate/modify/distribute their likiness?
I know they're probably attempting to stop (appearently) rampant counterfitting... but where will it end? I once scanned a dollar and sent it to someone on IRC as a joke (they said, someone DCC me some money). There has to be a better way. Like I said, isn't this really just admitting defeat?
FLR
...will software developers be required to keep up with new note faces? If old software blocks all note faces as of 2004, will developers face penalties for not updating their software in 2008 when the currency is redesigned?
I don't like the idea of being legally required to update old software. Will this happen?
Does anyone know of a source for T-shirts with this yellow five circle pattern? Any photo with you in it would be impossible to digitally edit with the new software.
-
- - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
Yes - it's been in the media over here in Europe. In Germany apparently a good number of forgeries were even re-distributed through ATMs of some banks, who - for the sake of saving a couple of Euros - reloaded the ATM cartridges themselves, instead of carting of the money to the German National Bank who would check the banknotes and fill the ATM cartridges with absolutely authentic banknotes. The issue behind this is that normal merchant banks and people on the street do not know EVERY security detail of the Euro banknotes. Seven details have been published, the others are being kept secret by the national banks so that forgers will not get to hear about them.
In an Open Source app, it can stop someone who don't know C from doing something, but if you know C you can simply remove the added code...
From the article:
The copies are often good enough to fool vending machines. By using a fake 20 note to purchase a 2 rail fare, the criminal can take away 18 in genuine change.
Follow this logic: While we can't make vending machines clever enough to tell the difference between real dollars and fake ones, we can make your computer smart enough to not let you do anything with money.
This'll work.....
How's that? Just because its Free doesn't mean OSS projects will be able to incorporate it. I didn't read anything about it being GPL.
The last thing we need is the government forcing OSS project to include some closed source code into every project that deals with graphics. If this goes through in the EU and not in the US then the EU is just going to having to do without OSS graphics software.
If you wanna get rich, you know that payback is a bitch
This is useless. Banknotes do, and should, have security markers on them that cannot be produced by normal software tools anyway (I am thinking of markers that have tactile feel, holograms, etc). Thus, you need advanced techniques to forge these: and anyone capable of such advanced techniques is going to be able to work around any of these standard software embedded countermeasures.
All these countermeasures are doing is addressing joe average who uses a scanner, photoshop and a printer to make poor forgeries: exactly the type of forgeries that are picked up easily.
Further: I'd like to hear more detailed assessment of forgery rates, nature of how forgeries are constructed and so on, to determine whether the cost of all of this is really justified.
The term for faking currency is "forgery" with fake currency being "counterfeit". "Piracy" has nothing to do with it.
Why not?
Wrong question.
Whenever restrictions are proposed, it is those who are for it who must answer the question, "Why?" It is not necessary for those who oppose a restriction to answer the question "Why not?"
Mod down posts with a "Free Mac Mini/iPod" sig, they're spam!
Dear European Union,
I am an open source software developer. Could you please send me samples of all EU notes, so that I can include image protection in my software. 10-20 copies of each should be enough to complete the work needed.
http://www.kubuntu.org/
The FA mentions the fact early deduced, that these work by detecting a pattern of 5 small circles. So exactly how this is implemented isn't important or necessary to keep secret. More important from the bank's point of view is that OSS can simply be compiled from source with this code omitted (similar example is the code blocking printing of PDFs in Ghostscript, easily commented out).
*laughs*
OK. The last time this came up, it consumed about twelve straight hours of hackery. You can go ahead and play with some of the black boxed code using the demo version of Paint Shop Pro (or the latest Photoshops). Let me tell you: This has nothing to do with the circles. I was actually quite saddened by this fact, as I was planning to print up a "secure t-shirt" that would be unphotographable and unprintable by modern image manipulators. (It'd be a great excuse to talk at Black Hat wearing a T-Shirt *laughs*).
Alas, such adventures were not to be had. Experimenting with copy/paste between an unprotected app and the demo PSP, it quickly became clear that while some old copiers might indeed trigger on the inter-circle distances, counterfeiters now had a vastly more difficult system to fight. What there seems to be is some sort of size and position invariant image fingerprint function, probably wavelet based, that receives the full image after every large scale image transform, executes a fingerprint matching vs. a confidence value, and returns true or false depending on what the confidence threshold is set to. It's not perfect -- Stirmark does seem to cause the algorithm to occasionally stumble, though not consistently (see this gallery for details) -- but it's very good work nonetheless.
Certainly, it does not appear possible to manipulate the watermarking system to create new and unique images that appear, computationally, to still be money. That's a very good thing. And while it's somewhat problematic to have code refusing to obey its controller, the integrity of the financial system really is an important thing. Remember the privacy case for cash -- if paper money becomes something we all distrust, what exactly are we left with? The fault with the RFID approach is that it forces us to carry a reader to validate funds. If we cannot self-validate, we cannot trust (notably, the biggest weakness with the metal strip approach is that we cannot quickly notice that the metal strip has been removed -- the wealth is actually thus represented not by the bill but by an invisible strip of iron and plastic!).
I do not think that image manipulation software is the right place to put this code, specifically because it's too easy to write an image editor from scratch (what are you going to do, ban compilers?). Scanners and printers are however sufficiently single sourced that they're far superior places to trust that anti-counterfeiting logic will be in place. But then, that's just IMHO.
--Dan
There are a number of problems with adding such code to printers:
* It is difficult to update. All counterfeiters have to do is find *one* image that can get past the blocking code. Futhermore, there is a *huge* set of printers out there that have no such blocking.
* Printers have limited memory and CPU capabilities. I really think that HP will not be thrilled with blowing a bunch of each on doing "currency detection" on every chunk of every page for each country that latches onto this.
* Printers have only the ability to "block". "Blocking" penalties for a detection of counterfeiting is the *easiest* variety of protection, since people just poke at their images until they print. Photoshop or other can "phone home". Some folks might think ahead enough to have a fully-disconnected computer, but as network connectivity grows...and it only takes one "phone home" with a detected serial number of a page of bills that are showing up with bogus numbers to nail someone.
* Printers were never designed to be highly secure embedded devices (for example, a number have easily-replaced firmware slots). It's a good bet that printer manufacturers don't go to a lot of trouble to hide diagnostic data. Sure, no random counterfeiter might be able to crack such a system -- but (a) there's lots of money involved to hire such a geek, and (b) there are major "geek points" involved in figuring out how to break such a system, and legitimate reasons for doing so. Remember the Xbox -- yes, it was cracked so that people could put Linux on it, but it opens things up to piracy. What if people want to improve image quality, add their own rendering engines (because it's not like they can easily build modern printers in their basement)? When someone distributes detailed instructions for how to disable such protection, it won't take a brilliant counterfeiter to beat the thing.
I really think that this is more a case of "we need to do something new with our currency". Currency was designed in a day and age when it was hard to accurately reproduce detailed images on a piece of paper. It was a very good design for that environment. I think that if we had to come up with a new system, we'd have something wildly different today.
You know what *could* make a major improvement?
Smart cards replacing "stupid magnetic strip" credit cards.
Currently, the reason that you can't use credit cards everywhere is because the credit card companies rake in money on each card, and it imposes overhead that not every retailer wants to pay (in vendor fees and per-charge costs).
Smart cards (with *associated readers*) make credit card fraud much more difficult, and thus reduce credit card company costs, and ultimately reduce prices to retailers.
This will help produce smart cards be more commonly used.
Of course, the downside is the big credit card issue -- more easy tracking of money flow, which is a bit Orwellian. Technically, it's possible to build a system that doesn't track fund flows (and still has the hard-to-counterfeit benefits), even if your credit card vendor is malicious, but there is probably little public interest in such a property. Plus, given the commercial value of people's credit card records (and pressure from law enforcement to monitor them) I don't think that it will happen.
May we never see th
In fact, as far as I'm concerned, Chip and PIN is a potential nightmare.
Instead of mugging victims finding themselves relieved of their wallets and purses I can forsee muggers demanding PINs too, so that they can use the cards that they've stolen.
Right now, if a card is fraudulently used and the signature doesn't match that of the cardholder then the bill is footed by the credit card company, even if the card hasn't been reported stolen. Sure, the costs are passed onto the consumer (well, to those consumers that don't clear their card balances at least) but there's no chance of you suddenly being presented with a four- or five-figure debt for the spending that a card fraudster has run up on you card.
But, if you find yourself in a situation where you give an assailant your PIN, even if it's to avoid physical harm, then you're responsible for all spending they clock up before your card is eventually cancelled.
Frankly, as a credit card holder, this scenario frightens me, even though the chance of it actually happening to me is next to nothing.
Of course, the card issuers are being very quiet about all this, which is no great surprise.
"Accept that some days you are the pigeon, and some days you are the statue." - David Brent, Wernham Hogg