Slashdot Mirror

← Back to Stories (view on slashdot.org)

Aussie Speed Cameras in Doubt Because of MD5

Posted by timothy on from the son-do-I-know-how-fast-you-were-going? dept.

An anonymous reader writes "A speeding case has been thrown out in Australia after the Roads and Traffic Authority admitted that it could not prove the integrity of speed-camera photos. 'The case revolved around the integrity of a mathematical MD5 algorithm published on each picture and used as a security measure to prove pictures have not been doctored after they have been taken.'" I wonder if Australian police are as (radar gun) trigger happy as they are in certain parts of the U.S.

8 of 1,004 comments (clear)

  1. Depends on the state by log2.0 · · Score: 3, Informative

    I live in South Australia (thats the name of the state, they werent that original when the pohms came here :)

    Anyway, we now have speed cameras on traffic light intersections and any random car parked on the side of the road *could* be a speed camera.

    In Victoria (where Melbourne is), they are even more tough. As soon as I cross the border to Vic, I don't speed at all.

    So the answer is "yes", they are very very trigger happy and in a lot of cases, there was no trigger, just an automated photo.

    --
    Can your karma go above being Excellent?
  2. Mmm... by iamdrscience · · Score: 3, Informative

    Just to make it clear, this guy didn't prove something was flawed in their system, so much as the courts didn't bother to find an expert witness.

  3. Re:This won't pass muster. by Dwedit · · Score: 3, Informative

    The MD5 of course needs salt, otherwise anyone could self-sign their own stuff.

  4. Fun times for all. by Anonymous Coward · · Score: 5, Informative

    I live in Victoria, Australia (the state Melbourne is in) -- these refer to cameras in New South Wales (the state Sydney is in). There's been a rather strong backlash against speed cameras here; the margin has been lowered to 3kph. If you do exceed the speed limit by more than 25 kph, you lose your license for a month; more than 35 kph is six months; more than 45 kph is twelve months. The fines are harsh: $131 (Australian) for less than 10kph; $210 for less than 25 kph; $278 for less than 35kph; $377 for less than 45 kph; and $451 for more than 45 kph.

    There have been cases of cars being clocked at speeds greater than they are physically capable of doing, and a great brou-ha-ha about how travelling "five kph above the speed limit" doubles your risk of crashing (with some people extrapolating that to an exponential curve). (For the record: the research is five kph above the prevailing speed of the traffic, and it's not exponential.)

    If speed camera evidence is deemed untrustworthy, you can see a large chunk of government revenue fly out the window; they'll be onto it as fast as they can get their snouts out of the pork barrel.

  5. As usual... by TheOriginalRevdoc · · Score: 5, Informative
    ...the facts are less interesting than the headline.

    http://www.smh.com.au/news/national/motorist-wins- case-after-maths-whizzes-break-speed-camera-code/2 005/08/10/1123353388395.html

    A Sydney magistrate, Laurence Lawson, threw out the case because the Roads and Traffic Authority failed to find an expert to testify that its speed camera images were secure.


    I.e., it wasn't thrown out because MD5 is suspect; it was thrown out because the government couldn't find an expert witness to be cross-examined, for some reason we don't know. In fact, I'd read that statement as meaning that the magistrate wanted to examine the entirety of speed camera security, not just MD5.

    The motorist's defence lawyer, Denis Mirabilis, argued successfully that an algorithm known as MD5, which is used to store the time, date, place, numberplate and speed of cars caught on camera, was a discredited piece of technology.


    That part of the story is just a lawyer's opinion, not a fact. "Successfully", in the context of the previous quote, just means that his argument was unopposed in court.

    My understanding is that it is easy to generate multiple messages that have the same MD5 hash, but only if you get to choose both messages. It's still very hard (i.e., an infeasibly large number of CPU cycles for most of us) to generate data that yields the same MD5 hash as some other, arbitrary document.

    It all sounds to me more like a case of blinding a magistrate with science, than some kind of victory for common sense. (Well, lawyers are involved, so commonsense isn't relevant, anyway.)
  6. Details by Effugas · · Score: 5, Informative

    OK, I'm partially responsible for people seeing applied attack against MD5, so I'll comment for a second.

    Basically, in 2004 Xiaoyun Wang released two different files with the same MD5 hash. This has been predicted since around 1996, when Hans Dobbertin showed the hash was broken -- but it took a while for the actual attack to show up.

    Alot of people said there were _no_ applied uses. Not true. For instance, the following two pages have the same hash:

    Lockheed Martin
    Boeing

    What's important to realize about the above content is that both web pages are included in both links; the difference between the source files (which MD5 is blind to) is just used to determine which page is displayed. What that means is that, for forensic purposes, it's trivial to rule out the best known attack against MD5 -- just look at the content being hashed.

    Thats not to say we should keep using MD5. It's broken, we need to move on. But attempts to claim that MD5 is broken, so we have no idea of any link between hashed content and real material -- that's just ridiculous. We have plenty of idea, especially with human-guided forensic operations.

    That being said -- if you can doctor a photo, you can doctor a hash. This is one of the things that makes files hosted on a single server w/ MD5 hashes "verifying" them a little silly...if you can alter the file, you can alter the .md5 file as well. (Files on multiple servers are a little different, because you can go elsewhere to see the deviating MD5 hash.)

  7. Kind of related... by Goth+Biker+Babe · · Score: 4, Informative

    In the UK the deployment of speed cameras is at the discretion of the chief constable (the boss) of the local constabulary (usually with the jurisdiction of the county they are situated in). Interesting one or two counties in the UK don't have speed cameras. Even more interesting is that in the last set of figures, those counties without them actually saw a drop in injuries and fatalities whereas those with saw a rise.

    The thing about speed limits and cameras is that they are set an arbitrary value which, on average, appears to suit the road. But it's like seat belts, there are times when wearing one is worse than not wearing one but on average its better to wear one. My particular bug-bear is speeds on motorways. A nice sunny Sunday morning when the road is empty 100mph is not dangerous. 50mph in the fog in rush hour is. Speed cameras don't generally account for that. Speed doesn't kill. Inappropriate speed kills.

    There is one section of one motorway in the UK that has it right. A section of the M25 has adjusting speed limits and cameras to suit. I would like to see them on all motorways, moving from 30mph at the lower end to 100mph at the upper end. (Why 100 because that's the top speed of some small cars and having cars with differing speeds is also dangerous).

  8. Re:loophole? by Wakko+Warner · · Score: 3, Informative

    It's funny how the pro-welfare Democrats can balance the budget, but the anti-(personal) welfare Republicans can't.

    The people in office right now are Republicans in name only. Don't let their idiocy confuse you.

    - A.P.

    --
    "Remember when the U.S. had a drug problem, and then we declared a War On Drugs, and now you can't buy drugs anymore?"