Chipped Passport Cloned In Minutes
Death Metal Maniac writes "New microchip passports designed to be foolproof against identity theft failed the test when a researcher was able to manipulate one in minutes. The cloned passports were accepted as genuine by the computer software recommended for use at international airports. According to the article: 'A computer researcher cloned the chips on two British passports and implanted digital images of Osama bin Laden and a suicide bomber. The altered chips were then passed as genuine by passport reader software used by the UN agency that sets standards for e-passports.'"
Is anyone surprised? At all? Seriously...
Evolution is a state-sponsored, state-protected religion.
I'd like one, preferably with a large memory chip added, so I can combine all my fake passports into one.
Oh, and I'd like some fake passports.
that went well!
In the tests, a computer researcher cloned the chips on two British passports and implanted digital images of Osama bin Laden and a suicide bomber.
The software was supposed to scan faces? I thought it was only supposed to scan the code.
... when you can be a respectable "computer researcher"?
It shows the benefit of this kind of outside security analysis, which should have probably been executed during the development process.
Better the issues be uncovered now than when the issuance is widespread.
There's always a loophole.
Are these electronic passports related to electronic voting?
It's becoming obvious that low-tech paper is preferable in both elections and passports.
Fata viam invenient.
Captain Hammer will save us.
The researcher replaced the digital signatures on the passports with ones of his own creation when altering the photographs... if the equipment used to test had actually compared the digital signatures to those on file, it would have immediately spotted the tampering. Problem is most countries aren't sharing their signatures yet, making those checks impotent. For now, at least (and not saying there aren't other vulnerabilities).
I say we take-off and slashdot the site from orbit... it's the only way to be sure
I'm head of retail logistics, so I have to get back to stocking shelves now.
see, that's why you should take a hammer to that sucker. And when the border guard asks you what happened... say that you sat on it :)
-- All this knowledge is giving me a raging brainer.
Their outright failure to do so for at least a year for the UK and perhaps many more for other countries means that the digital information is less valid than the information imprinted on the card. Less valid because it's far easier to change, and shows no signs of alteration.
In other words, countries that don't authenticate, and rely on the digital information alone are *MORE* insecure and open to falsification than those who do authenticate.
Security: Not a tradeoff of civil liberties, but an intelligent application of a variety of techniques.
Authentication: When available USE IT, don't just put it off and trust easily-modifiable data. When in doubt look at the printed picture and the text. *THAT* is harder to change without showing signs of alteration.
Encryption: I guess if they can't get the key database working for simple authentication (or even a #$&*(#$ hash) they're not going to figure out the encryption stuff either.
Hi Bruce.
Ehud
I distinctly remember RFID passports not all that different from these (at least in principle of being "hack-proof" and "secure") getting broken maybe a year or two ago. The exact date escapes me at the moment. I'm fairly certain it was something being done in the EU. Feel free to correct me on any of this. That aside, just what did you expect? There is no white knight or magic pill to the problem of airport or travel security. That includes magical passports that somehow make it completely impossible for people to forge identity or fool the system.
Oh, believe me. The IRS will extract all that and more to fund this and other Federal boo-boos.
The best strategy is keep smiling.
Get thee glass eyes, and, like a scurvy politician, seem to see things thou dost not.--King Lear
Come up with a lame technical 'solution' to identity theft to help stop the completely over-hyped global terrorism threat, and then make the whole thing even easier by allowing easy cloning of existing passports. Be in several places at the same time! All you need is one loophole and it propagates.
Additionally, I see no improvements to the initial checking of who is eligible for a passport to try and sort out the Day of the Jackal fraud:
http://en.wikipedia.org/wiki/The_Day_of_the_Jackal
Using some form of biometric system that seems to be implicitly trusted is even more dangerous, since if you can get your bogus identity trusted then people aren't ever going to question it.
We have said since day one, if you're that determined to cause untold misery for millions, you will find a way to do it, no matter what. Silly bits of "paper" won't stop you!
Obviously, the problem is that there aren't *enough* of these spoofable chips. We should have them in our passports, cars, cellphones, and under the skin. 'Cause of terra.
My turnips listen for the soft cry of your love
This was all over the BBC News yesterday. What took so long?
Hey now! This is Slashdot. Taco and Neal and the gang were busy confirming every aspect of the story before they posted it to the front page.
This guy's the limit!
...at least not human technology.
Without exception, everything we try to lock up with a key can be unlocked by someone else. I'd like to hear it from anyone else that they recognize the fact that locks only keep honest people out and then perhaps we can move on to the bigger issue of why they are trying so hard to control honest people.
Who needs passports to get into a country anyway?
lol: You see no door there!
The article says that the problem is that the public keys to the chips aren't being used. Every country maintains their own database of public keys used to identify the passwords. The databases aren't all properly set up to synchronize, so the system must accept all chips from countries that have not synchronized, basically rendering the encryption moot if you know which countries haven't authenticated properly. So the chip itself hasn't been cracked, it's more a question of the international passport encryption network being worthless. Even if everyone was synchronizing properly, such a system sounds highly vulnerable to a cache poisoning attack of some sort.
Don't forget the painstaking grammar and spelling checking.
Plus they had to go through all the archives to make sure it wasn't a dupe.
The creator of this post (Jacob Smith) hereby releases it, and all of his other posts, into the public domain.
But does it run Linux?
This to me, confirms one thing...
If one man can do something, then there is at least one other one who can do it as well.
I offer this as a solution:
Implant the user's thumb print on the passport and have the computer software used at airports verify identity by referencing a central database. What can be better than this?
Ha Ha Ha Ha. Sorry, after the read, I am now suffering from uncontrollable laughter.
BrickerEnterprises.Com - Innovation at work
Here's how:
Simply match a document to thumb print if you are interested in having relations with my country, the USA.
Just a few years ago, the same USA demanded that ALL passports to be used while entering the USA had to be machine readable and it is the case now.
Why is it that one after another after another after another of these government-sponsored security systems keep failing? I just don't get it. We give them infinite amounts of money to spend protecting us from something FAR less dangerous than ourselves (compare # of US gun crime victims to # of US terrorist victims sometime), and they consistently do a half-assed job.
In about 1960, we decided to go to the moon. In 1969, we were there. Done and dusted -- and a government program, at that. Has America just lost its technical know-how, or what?
I piss off bigots.
I think we're overlooking a very important reason for this sort of screwup. Yes, they're incompetent. And yes, it's theater. But consider this: if security measures are ineffective, sooner or later there'll be another successful attack. And what happens then?
Hi Bruce.
Ehud
What is going on here? what hash? "Hi Bruce"?
Now I could be wrong, but I thought all the 9/11 bombers were legally allowed to be where they were, and were using valid documents?
I think what might have been the case is that they HAD used fake passports in the past. The way this phrases it though suggests that a better implementation might have helped avoid 9/11, which is news to me.
No matter what they seem to claim, the state cannot protect us. One of the main justifications of the state's existence, security, falls flat on its face every time. When it comes right down to it, bureaucrats are very poor at what they are supposed to be doing.
The UN sets the standards for e-passports? Let me guess - the software is sold by Ban Ki-moon's nephew. Does it support automatic debits from the checking accounts of western citizens yet? God knows the UN has a real boner for corruption, nepotism, decadence, and finding ways to tax the west.
I think he has a future as a management consultant or an adviser in the Bush Whitehouse for the remainder of his term.
If only someone would invent a device capable of automating those tasks.
I wrote a better document on this, but then I hit the [back] button on my browser:
BAC (Basic Access Control): not required but everybody uses it. Prevents skimming and eavesdropping. If the document number/expiry date and birthday can be easily guessed the protection is pretty weak, especially for eavesdropping (offline brute force attack). No identifying data is released by well designed ePassports before BAC.
PA (Passive Authentication): required. Prevents alteration of the info in the data groups. Works on X.509 compatible PKI (CMS/X.509 certificates). Fully uncrackable, but won't work if you don't have a trust store with the country signing certificates. You can get those by the PKD (Public Key Directory) but also by bilateral means, or even just by download from the internet.
AA (Active Authentication): not required, hardly implemented. Prevents complete cloning of the chip. Uses a private key stored in protected memory in the chip. Relies on PA, otherwise you cannot trust the public key stored in the ePassport to do the verification. Basically this is a challenge/response protocol. Also fully uncrackable at this time as long as the chip security holds.
Here are the standards, all public information:
http://www.mrtd.icao.int/images/stories/Doc/ePassports/PKI_for_Machine_Readable_Travel_Documents_offering_ICC_read-only_access_v1.1.pdf
One big problem with America today is that it's too US-centric. As an example, TFA is about the UK, but you just assumed it was about the US...
This really does make you wonder how we sent human beings to the moon without involving either fiery or airless death. I know that it is not a matter of technology as much as it is political pretense, but good lord, if we are going to use technology in our polite public fiction then wouldn't it be nice if it were well implemented and deployed?
Currently, passports are still difficult to copy and someone looks at the passport to confirm that it is real. What do you think will happen when a TSA monkey can just slide the passport under a reader? They are not going to look at anything! They will just do whatever the screen tells them to do, which, I suppose, is the way that our current overlords want it. They get to pull the strings, all the way to the ground-level.
In other words, once again, in our attempts to appear as though we have everything under control, we have added a layer of complexity and simultaneously a layer of vulnerability which can and will be exploited by those who have the appropriate incentives.
It's win-win really: Terror: 1, Fear-mongering: 1.
If you don't know what you're doing, you can't make mistakes.
So the chip itself hasn't been cracked, it's more a question of the international passport encryption network being worthless.
Technically accurate. But. The chip by itself is worthless. It's only worth something if it counters some kind of threat. This is why security isn't about products or techniques, it's about working systems. If the "chipped passports" don't have a working PKI, then there's really no point to the chips. They go together.
ObQuote: "Security is a process, not a product." -- Bruce Schneier
dragonhawk@iname.microsoft.com
I do not like Microsoft. Remove them from my email address.
"In other words, countries that don't authenticate, and rely on the digital information alone are *MORE* insecure and open to falsification than those who do authenticate. "
Maybe, but are you going to gamble on the country not to have the certificates set up? Because if your signature fails, it is *certain* that your digital data has been altered. And in that case you can expect security personnel to take some real interest in you.
The simple fact that the government so strongly desires to completely and accurately establish your identity should be cause enough to make you hesitant to allow it.
Information from the researcher who investigated the passport can be found at
http://www.os3.nl/
I'm not a complete idiot.
Yes, you are.
Plus they had to go through all the archives to make sure it wasn't a dupe.
I think it took them so long because they were busy looking for the dupe and only gave up after 24 hrs.
Sorry, we're just well conditioned into the response. "Oh, government fucked up? Must be ours..."
For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
So now we can look forward to seeing thousands of people all sporting Osama Bin Laden pictures on their passports. It'll be as fashionable as Che Guevara t-shirts.
The TSA will love it because they can announce that they've caught Bin Laden every day for the next 20 years, thus justifying their continued existence.
I'm not tense. I'm just terribly, terribly, alert.
The first week that chipped passports are deployed, most of the staffers will check both the paper contents and the chip contents. After a month, staffers will still check most of the paper passports, but if the line is long, they will just check the chip contents, because "it's faster." (Hey, that's why they're doing this, right? Faster and more "secure"?) After a year, staffers will probably ignore the paper copy for about half of the checks, and after two or three, they'll use "spot checks" and only check one paper passport in 100 or so. And then it won't really matter what the paper copy looks like, as long as it roughly approximates the size and shape of a passport.
If memory serves, can't the US confiscate anything that contains digital data at their border? Therefore couldn't they now just take your passport and never give it back? That could prove to be an issue. Imagine you're going from Canada to the US, you present your passport to the US customs, they take it and then tell you "Nope, not allowed in, you don't have your passport." You try to go back into Canada and then they say "We would let you in but since you don't have your passport you're stuck, eh?"
-Ours is the wisdom of Solomon, the magic of Merlyn, the fall of Icaris.
I have to say the more we rely on "foolproof" technology, the more we rely on fools to operate the machinery.
I have to admit the Germans had it nearly right. Almost nothing beat the steely-eyed glare of a Hauptsturmführer asking for your passport -- unless of course you have a John Williams musical score swelling in the background, and even then it would be a life changing, tension filled 2 minutes of your life going by you.
Also they seem to have implemented cryptographic certificates really really badly if they have to share their entire databases with each other. I mean even a browser can spot a fake web site cert without polling the network. I'm sure you could build something similar where each machine has a copy of the public key of each nations passports, with the biometric info signed by a key that was (directly or indirectly) signed by the nations key.
09F91102 no, 455FE104 nope, F190A1E8 uh-uh, 7A5F8A09 that's not it, C87294CE no. Ah! 452F6E403CDF10714E41DFAA257D313F.
Correction: the state cannot protect us from everything.
That doesn't mean it's not protecting us from plenty of other stuff, just by the mere existence. Just to name one example, I'm pretty sure my neighbor would have offed me by this point if it wasn't for the fact that the state would punish him.
History tells us that cryptography usually falls down in implementation, not theory. As soon as you start building networks, selling chip readers, issuing passports then your theory starts to slowly crumble.
Even if the whole chain of trust is perfect it only takes one act of stupidity/corruption by a human to bring the whole thing crashing down.
Passports are also one of the worst possible places for security to fail. Passports, passport readers, etc. can't be updated via a patch, they need to be thrown away and replaced.
The technology for this is in its infancy and rushing out hundreds of millions of passports at an international level is doomed to failure.
I'm sure it won't stop philistine politicians from trying though - after all, it's not their money they're flushing.
No sig today...
well done, labour government, for spending so much money on this watertight security system that i had to spend over £70 to renew my passport. it should be nothing more than a book ffs!
So what happens if someone steals/sells/revokes the signing key for a passport authority? I can see it in Slashdot sigs now . . .
I don't think that this proves the technology is useless, just that it's possible to compromise it. I mean, I lock my doors when I leave, but a "security expert" could pick the lock and be in inside 30 seconds. That doesn't make locks ineffective. It's not perfect, but it's not useless just because it can be compromised. Slashdotters don't seem to understand security at all. You want to make it hard to do terrorism. You cannot make it impossible.
Currently hooked on AMP
Actually, all country trust roots (not _signatures_) end up in an international database, and terminals SHOULD check that passports are signed by one of those. The "hack" does not work for this reason (and relevant countries' terminals do check, even if the standard-testing software does not).
FYI, country certs are also published on human-readable pages, such as these:
http://www.bsi.bund.de/english/topics/csca/index.htm
http://www.bmi.gv.at/csca/startseite.asp
So hypothetically, you could collect these (they won't be changed more than once every few years) and perform your own verification.
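The Passive Authentication check described in the comments above (data-group hashes, a signed security object, and a trust store of country signing certificates), as an added example that is not part of any poster's comment or of real reader software. Textbook RSA over small fixed primes stands in for the CMS/X.509 signatures real ePassports carry; every name, key and chip content is constructed.

```python
# Added illustration: simplified model of ePassport Passive Authentication.
# Textbook RSA over small fixed primes stands in for real CMS/X.509 signatures;
# it is NOT secure, and all names, keys and chip contents are constructed.
import hashlib
from dataclasses import dataclass

E = 65537

def make_key(p, q):
    """Return (public, private) toy RSA keys built from two known primes."""
    n = p * q
    return (n, E), (n, pow(E, -1, (p - 1) * (q - 1)))

def _digest(msg, n):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n

def sign(priv, msg):
    n, d = priv
    return pow(_digest(msg, n), d, n)

def verify(pub, msg, sig):
    n, e = pub
    return pow(sig, e, n) == _digest(msg, n)

@dataclass
class Cert:
    subject: str
    pub: tuple
    issuer: str
    sig: int = 0

    def tbs(self):
        """Bytes covered by the issuer's signature."""
        return f"{self.subject}|{self.pub}|{self.issuer}".encode()

def issue_cert(subject, pub, issuer, issuer_priv):
    cert = Cert(subject, pub, issuer)
    cert.sig = sign(issuer_priv, cert.tbs())
    return cert

@dataclass
class Chip:
    data_groups: dict  # DG number -> raw bytes (DG1 = MRZ data, DG2 = face image)
    dg_hashes: dict    # hashes listed in the signed security object
    sod_sig: int       # document signer's signature over dg_hashes
    ds_cert: Cert      # document signer certificate carried on the chip

def _sod_bytes(dg_hashes):
    return repr(sorted(dg_hashes.items())).encode()

def personalise(data_groups, ds_priv, ds_cert):
    hashes = {num: hashlib.sha256(d).hexdigest() for num, d in data_groups.items()}
    return Chip(dict(data_groups), hashes, sign(ds_priv, _sod_bytes(hashes)), ds_cert)

def consistency_only(chip):
    """What a reader can establish WITHOUT any country signing certificates."""
    for num, data in chip.data_groups.items():
        if chip.dg_hashes.get(num) != hashlib.sha256(data).hexdigest():
            return "DG_HASH_MISMATCH"
    if not verify(chip.ds_cert.pub, _sod_bytes(chip.dg_hashes), chip.sod_sig):
        return "SOD_SIGNATURE_INVALID"
    return "CONSISTENT"

def passive_auth(chip, trust_store):
    """Full check: the signer certificate must chain to a trusted country key."""
    result = consistency_only(chip)
    if result != "CONSISTENT":
        return result
    csca_pub = trust_store.get(chip.ds_cert.issuer)
    if csca_pub is None or not verify(csca_pub, chip.ds_cert.tbs(), chip.ds_cert.sig):
        return "UNTRUSTED_SIGNER"
    return "OK"

# Constructed keys built from Mersenne primes.
CSCA_PUB, CSCA_PRIV = make_key(2**61 - 1, 2**89 - 1)      # country root
DS_PUB, DS_PRIV = make_key(2**107 - 1, 2**127 - 1)        # document signer
OTHER_PUB, OTHER_PRIV = make_key(2**521 - 1, 2**607 - 1)  # never certified by the country
TRUST_STORE = {"CSCA Utopia": CSCA_PUB}
DS_CERT = issue_cert("DS Utopia 01", DS_PUB, "CSCA Utopia", CSCA_PRIV)

def sample_chips():
    genuine = personalise({1: b"constructed MRZ", 2: b"photo-A"}, DS_PRIV, DS_CERT)
    # Photo swapped, security object untouched.
    edited = Chip({**genuine.data_groups, 2: b"photo-B"},
                  genuine.dg_hashes, genuine.sod_sig, genuine.ds_cert)
    # Photo swapped and security object re-signed under the uncertified key,
    # with a certificate that merely claims the country root as issuer.
    own_cert = issue_cert("DS Utopia 01", OTHER_PUB, "CSCA Utopia", OTHER_PRIV)
    resigned = personalise(edited.data_groups, OTHER_PRIV, own_cert)
    return genuine, edited, resigned

if __name__ == "__main__":
    for name, chip in zip(("genuine", "edited", "resigned"), sample_chips()):
        print(f"{name:9} consistency={consistency_only(chip):17} "
              f"passive_auth={passive_auth(chip, TRUST_STORE)}")
```

The re-signed chip is internally consistent, so only the trust-store step separates it from the genuine one; a reader holding no country signing certificates cannot return "OK" for any chip, genuine or not.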
Does anyone know of any statistics to the detection rate/difficulty to forge existing physical passports?
I would suspect the time needed to learn to create forged physical passports that would not be detected by an experienced customs official would be on par with that of brute forcing the private key used to sign these electronic passports using the computing resources of a reasonable sized organization.
I would guess that consequences of the State isn't the reason most people don't kill their neighbors.
The problem is that the people we are trying to defend against have no fear of punishment. It is a fairly well-known axiom that you can't stop an assassin that is willing to die to accomplish their mission. What we have is a group of people that are absolutely willing to die to accomplish their missions. Tough job to defend against that.
We could take the attitude that their victims are just a cost of doing business. Folks in the US are incredibly willing to take casualties that are due to accidents, misfortune and so-called "acts of God." However, for the most part people in the US are incredibly vengeful when faced with casualties due to incompetence and deliberate acts.
This can be seen by the response to 40,000 highway fatalities each year vs. the five or so people that died because of the Tylenol tampering. Could the highway deaths be prevented or reduced? Maybe, but the general feeling is that these are not intentional acts or due to incompetence. So they are overlooked. The Tylenol tampering was an intentional act and resulted in vast changes to how products are made and distributed in the US.
The folks that would like us to "convert or die" - and let them have their own legal system in our country - are not being treated as something that is nobody's fault. There is clear intent there and malice. It wasn't easy or simple to change how food and drugs are packaged in the US, nor was it easy to go to the Moon. But it was done because there was a strong motivation to do it. I don't think anyone in the US is going to stand for treating terrorism as a "cost of doing business" or just stuff that happens that isn't intentional. It is intentional. It is done with malice. And the general feeling is that it isn't going to be tolerated.
Don't like it? Think we should just accept a few casualties now and then? I'd strongly suggest that you live elsewhere, somewhere where the general attitude is more in line with your feelings. It isn't going to happen anytime soon in the US.
To me the bigger worry with these RFID passports is that, as someone demonstrated at DEFCON a year or two ago, they can be read at a distance of something like 25 feet. What a convenient way for terrorists, or whoever else might want to kidnap you, to identify you as you walk down the street. Or to identify your nationality, for the purposes of randomly kidnapping a Brit or American or whatever.
I have heard that a cost effective solution to this problem (and the duplication/manipulation problem too I suppose) is a well placed hammer strike to the little bulge in the passport where the RFID chip is hidden.
It's like the saying goes, the more complicated you make things the easier it is to throw a wrench in the works.
Storing ANY information electronically on the passport is simply a bad idea. The only thing that really MUST be on the passport is the passport number, and you don't need a chip or a magnetic strip or an RFID or even a barcode to store a 16-digit number on a piece of paper. Ideally, there shouldn't be any other information shown at all. Everything else - birth dates, passport expiration dates, physical description, photo, etc should all be in a secure database. Creating false entries in the database would require hacking government systems - stuff that's difficult and carries heavy consequences. Without any of the info on the document itself, a crook wouldn't know anything about the person whose identity they've stolen. That may not matter for a credit card being used online, but for a sweaty, nervous would-be criminal standing in line at customs in JFK it'd matter a whole hell of a lot.
So having a 'fake' passport would require possession of an actual original at some point, and it'd have to be someone to whom you bear a close resemblance. Add facial-recognition software based on the images in the database, and, well, good luck impersonating someone else. Cooking up a fake passport electronically would therefore be impossible without social engineering at a government office authorized to create new passports - and that'll continue to be a problem whether you have chipped passports or not.
So, a central database is the only way to go. There are massive precedents and established methods for protecting data integrity in large databases, while the precedents for securing handheld data storage are rubbish (as the case in point shows so well). The database should be a shared international resource that nations subscribe to, administered through the UN via Interpol - it would give the UN something actually useful to do for a change.
Ideally, your passport would just be a number - and you could carry that in your head without any documents at all. The real effort should go into protecting the integrity of the basic ID numbers - this hypothetical number would be one, your SS# would be another.
A-Bomb
Based on the article, you made a wrong assumption regarding distributing public keys or any kind of PKI system. If it was cloned so easily, then it's a dumb chip card that carries some data, but that's about it. That's *totally* different than a card capable of real PKI.
Cloning a passport chip is not a problem. It's a sensational article, but it's not a problem for anyone involved in the project.
http://www.maxineudall.com/2010/02/should-economists-be-sued-for-malpractice.html
I would guess that consequences of the State is the reason some people don't kill their neighbors.
I'm not really worried about all the rest of my neighbors, just that one nut.
I'm not sure what all that had to do with my post (which you were replying to, after all). In fact, my point was exactly that - the state won't protect us from everything. But showing that it doesn't protect us from some thing doesn't also logically prove that the state cannot protect us from anything (which was what the post I replied to was positing).
FWIR about 1/3 of Iran's population is blonde haired and blue eyed. The Caucasus mountain range (from which we get the term Caucasian) is partly in Iran. So if Iran or part of their population (the government) is evil that whole profiling thing starts to not work real fast.
I'm not arguing against profiling, but stating that 1/3 of Iran's population is "blond haired and blue eyed" is totally misleading.
Caucasian != look like you're from Sweden
About the "whitest" people in Iran are the Azeri, and maybe the Mazandarani, and I highly doubt you'd label any of them blond haired and blue eyed.
http://en.wikipedia.org/wiki/Image:Caucasus-ethnic_en.svg
With the first link, the chain is forged.
Police: I'll ask you once more, "Are you a citizen, Sir?"
Guy: Am I...
(off camera) A TRUNCHEON, from behind arcs furiously toward the skull of the ticket holder
(sound/visual f/x) CRUNCH
(off camera) MACE hisses into the face of the ticket holder
(sound/visual f/x) PSSSSS
Ticket holder: harumphhh/AHHHHHH
There, fixed that for ya!
Previously: "Linux... Toward the Sunrise..." Now: "Linux... Toward the-- No, now, part of Every Sunrise"
Cellular tracking technology used the way credit card transaction anti-fraud monitoring works might help immensely.
If two passports geographically separated present the same ID number in a period of time that cannot be traveled by the average person, then BOTH of them get nabbed and checked. It'll inconvenience a lot of people, but it'll slow the uptick in mischievous use of cloned passports. BUT, the thing is, this probably has to be done in REAL TIME.
So, since it's unlikely that two travelers with real and clone p/ps will travel in the verify-window scheme, then biometrically, each traveler would have to indicate "start/stop of my travel through inspected portals". If one views that travel as a band of time and space, then the next presentation of that p/p number should trigger detention of the subsequent presentation, and a track-down of the initial presenter, and the two re-verified at nearest Interpol or law enforcement facility.
OR, since that is still similar to my initial paragraph, then the program may have to go global and require ALL passport holders to have radio-trackable passports, which will not sit well with most people.
I guess this implies that combined retina, fingerprint, DNA and facial scanners may be the ultimate tool, relegating passports to a simple, somewhat unverified ID card.
As said by a US Marine SSgt in charge of me in 1984, "Where there's a WAY there's a WILL!"
Previously: "Linux... Toward the Sunrise..." Now: "Linux... Toward the-- No, now, part of Every Sunrise"
Are you suggesting they only have truncheons, mace and no tasers? This lack of funding is outrageous, someone ought to Think Of the Children!
May contain traces of nut.
Made from the freshest electrons.
I can't take credit for this idea, but I read about it someplace over 5 years ago.
Use PKI.
When you request an ID (Drivers License, Photo ID, Passport), the request includes a photo. That photo is converted to electronic form and used in the creation of public and private keys of 4K length. The photo and private key are placed onto a server with extremely limited access that is replicated to however many disks (SAN) and remote servers as needed. That data is also replicated to read-only media which can be located at the larger custom facilities in case there's a communication fault, but is generally not used. A secure web service is set up to allow anyone in the world with a login/password and smartcard to perform remote queries by passing the public key and some nominal text to help speed the DB queries (Country, Name, ID#) and limit and duplicate record queries that need to be decrypted with the provided public key. Purely a web interface for tiny customs offices or DMVs everywhere.
The photo, e-photo and public key are placed onto the ID Card along with the trivial ID information listed above.
Ok, so you're the customs guy at a terminal. The passport holder hands you his/her passport and you swipe it. That kicks off the remote query to the main server farm (with your login data and smartcard data for tracking who's looking at what records). While that query is being processed, the electronic photo is read from the ID and displayed. The query returns and that information is displayed with another photo and more data about the person standing in front of him/her.
The person, and 3 photos aren't identical? Arrest that person!!!
3 Photos?
1) E-photo on the ID card
2) E-photo returned from the central server
3) photo inside the ID that humans see
Any failure in any of these images being identical? Humans have an innate ability to tell when faces don't match?
The fail safe media would need to be replenished dependent on the rate of new/changed data. Cross overs in rural North Dakota don't need the same level of connectivity as JFK or Atlanta Airports OR the San Diego border.
As a technical architect, I think I can design around those problems with redundant servers and networking and power feeds. Of course, all the data transferred is fully encrypted with the keys predetermined by the customs officer and central servers. It is the physical control of the read-only backup use media that concerns me most.
Am I missing any thing with this solution besides the obvious communications failure or power outage risks?
http://blogs.zdnet.com/Ou/?p=394
I get sick of all the stories claiming RFID passports were cloned but they never mention (or understand) the concept of a digitally signed hash that would become invalid the minute you alter any data. This latest story is suggesting that the system does not check the digital signatures when they say:
"But only ten of the forty-five countries with e-passports have signed up to the Public Key Directory (PKD) code system, and only five are using it. Britain is a member but will not use the directory before next year. Even then, the system will be fully secure only if every e-passport country has joined."
This doesn't seem very clear to me. Are they suggesting 35 of 45 countries don't even bother to offline check the hash to see if it's been signed by a legitimate entity? I'm wondering if this PKD system is some sort of online system that allows you to do a real-time check on passport revocations.
If that's the case, then a failure to check the PKD system would leave the system vulnerable to someone who at one time got a valid passport through an official source but the passport was later revoked, but they would not be vulnerable to a self-signed or hash mismatch digital passport. This article is suggesting that 35 countries have basically disabled any sort of cryptographic verification or failed to implement any chain of certificate authority trust which would be shocking if true, but I've been burned by too many of these stories written by gullible reporters who haven't a clue about crypto.
Considering his vote for FISA amongst several other freedom-killing, totalitarian stances, I don't believe him or you.
The more power we give presidents the worse off we are in the long run. And moreover, the Democratic party is hardly the party of peace, just look back to Johnson who escalated Vietnam from 16,000 to 550,000 US military personnel.
Also, sometime or another we're going to need to elect another party's candidate (because power corrupts everyone) and unfortunately right now the only other game in town is the Republicans, so do you really want a subsequent Republican president to have the same power you seem to ascribe to with the "elect-Obama-and-everything-will-be-better" perspective?
"If still these truths be held to be
Self evident."
-Edna St. Vincent Millay
will they ever learn?
Technically there might not be that much in common with the passport stuff but I am surprised at how well the SUICA (transportation credit cards with chips in them) and cell phone wallets (cell phones with SUICA-like chips in them) have worked out. I would have thought they would have been crackable, but apparently not, and they contain MONEY!
It has always been the case in Japan that with telephone cards and other magnetic cards that they would get copied and/or manipulated, and there was a case where a Pachinko chain implemented a card system that got cracked swiftly by yakuza who then went and deposited free credit into the cards. Pachinko is gambling, so they made a ton of money playing with free money. Of course, the company that implemented the system claimed it would be unbreakable.
I think in cases such as this involving security, the company that implements such a system should be liable by contract if and when the system fails. In other words, if they say they can create something safe, and can't, the government or whoever hired them should get a full refund.
What?
A browser:
1. Queries the certificate over the network to verify certificate chains (e.g. GoDaddy SSL certificates with intermediates)
2. Has a copy of the trusted root certificates distributed with the browser/OS.
3. Each website has their own public and private certificate on the server. The public part is transmitted to the browser. It is also that part that is signed by 3rd party known to be reliable (according to the browser).
Each nation to have their public key available or SSL fails from the get go.
I don't think you know how SSL works.
How about the government leaves us alone and sees to its actual responsibilities and, oh I don't know, obeys its own laws and attempts to embody American ideals? Just a suggestion.
Vote for Obama and you'll get a chance of seeing that.
Vote for Bob Barr and your chances are better.
Falcon
Should there be a Law?
So a handful of bad neighbors somehow justifies the massive security apparatus of the state... no matter how effective it is? Moreover, you're willing to force me to pay for your security, when I don't fear any of my neighbors? You don't see anything wrong with this?
Yup. Because my entire argument about the "massive security apparatus of the state" was completely based on just the threat of a handful of bad neighbors. No way that could possibly be just one example. You totally showed me up. Kudos to you, sir.
Ideally, there should be no demand for any passport or any other ID.
Falcon
Should there be a Law?
The actual validation of the certificate chain doesn't depend on network access. Only a check for revocation would require it, but I would hope that certs used for passports would be very closely guarded secrets for which revocation would be a rare event.
09F91102 no, 455FE104 nope, F190A1E8 uh-uh, 7A5F8A09 that's not it, C87294CE no. Ah! 452F6E403CDF10714E41DFAA257D313F.
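The point argued in the comments above (a signed hash catches any altered data, but a re-signed chip is only caught if the verifier checks the signer against a list of trusted keys, which needs no network access), as an added example that is not code from this thread or from any passport system. It uses toy textbook RSA over fixed Mersenne primes and a simplified chip layout; every name and sample value is a constructed assumption.

```python
import hashlib

def keypair(p, q, e=65537):
    # Toy textbook RSA from two known primes: illustration only, not secure.
    n = p * q
    return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))

def digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(priv, data):
    n, d = priv
    return pow(digest(data, n), d, n)

def sig_ok(pub, data, sig):
    n, e = pub
    return pow(sig, e, n) == digest(data, n)

def make_chip(priv, pub, photo):
    # Simplified chip: the data, its stored hash, a signature over that hash,
    # and the signer's public key carried on the chip itself.
    h = hashlib.sha256(photo).hexdigest()
    return {"photo": photo, "hash": h, "sig": sign(priv, h.encode()), "signer": pub}

def verify(chip, trusted=None):
    # trusted=None models a reader with no list of issuing-country keys.
    if hashlib.sha256(chip["photo"]).hexdigest() != chip["hash"]:
        return "hash mismatch"
    if not sig_ok(chip["signer"], chip["hash"].encode(), chip["sig"]):
        return "bad signature"
    if trusted is not None and chip["signer"] not in trusted:
        return "untrusted signer"
    return "accepted"

# Constructed sample data: one issuing key, one unrelated key.
ISSUER_PUB, ISSUER_PRIV = keypair(2**89 - 1, 2**107 - 1)
OTHER_PUB, OTHER_PRIV = keypair(2**61 - 1, 2**127 - 1)

genuine = make_chip(ISSUER_PRIV, ISSUER_PUB, b"holder photo (constructed)")
altered = dict(genuine, photo=b"different photo (constructed)")
resigned = make_chip(OTHER_PRIV, OTHER_PUB, b"different photo (constructed)")

if __name__ == "__main__":
    for name, chip in [("genuine", genuine), ("altered", altered), ("resigned", resigned)]:
        print(name, "| no trust list:", verify(chip),
              "| with trust list:", verify(chip, {ISSUER_PUB}))
```

The re-signed chip is internally consistent, so only the local trust list distinguishes it from the genuine one.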
I'm not trying to show you up. I am pointing out how hopeless government security is, which this article is yet another shining example. Just because you fail to see it doesn't make it so. Private security could easily take care of bad neighbors. The police are the last people I would rely on for that.
Doesn't it make more sense to keep using the bar code system they already have on passports with the data tied to the passport stored remotely? Storing data on the passport itself makes no sense.
waiting for ad.doubleclick.net
I thought everyone knew that something digital is easier to copy -- and copy perfectly -- than something physical.
The record industry knows this. The film industry knows this. Why doesn't the government understand it?
Some things are better left in the physical realm... like passports, and ballots.
The real silly thing is that someone with bad intentions can always find a way to kill others, with or without planes.
Think about how many times A DAY you trust others to not kill you. Just walking down the street, any one of hundreds of cars could just decide to run up the sidewalk and take you out. At the mall you stand by a railing overlooking the lower levels, whoosh someone could shove you over from behind. Subways, buses, sporting events, outdoor concerts, etc., are all vulnerable.
There are only two real answers to 'terrorism'. One is to live as a hermit in a bunker. The other is to effectively address what causes terrorists to come into being. We always throw money at technology solutions. How about just 1% of the money going to humanitarian research to solve what brings about terrorists. Many terrorists are uneducated. Many come from poor families and are promised wealth to their living relatives. All of them are egged on and incited to violence by some person of 'authority' in their life.
What if we actually got off our technological high horse, and actually admitted we haven't figured out how to handle PEOPLE. And then actually went about addressing that.