Slashdot Mirror

← Back to Stories (view on slashdot.org)

US Border Officials Haven't Properly Verified Visitor Passports For More Than a Decade Due To Improper Software (zdnet.com)

Posted by BeauHD on from the update-required dept.

An anonymous reader quotes a report from ZDNet: U.S. border officials have failed to cryptographically verify the passports of visitors to the U.S. for more than a decade -- because the government didn't have the proper software. The revelation comes from a letter by Sens. Ron Wyden (D-OR) and Claire McCaskill (D-MO), who wrote to U.S. Customs and Border Protection (CPB) acting commissioner Kevin K. McAleenan to demand answers. E-passports have an electronic chip containing cryptographic information and machine-readable text, making it easy to verify a passport's authenticity and integrity. That cryptographic information makes it almost impossible to forge a passport, and it helps to protect against identity theft. Introduced in 2007, all newly issued passports are now e-passports. Citizens of the 38 countries on the visa waiver list must have an e-passport in order to be admitted to the U.S. But according to the senators' letter, sent Thursday, border staff "lacks the technical capabilities to verify e-passport chips." Although border staff have deployed e-passport readers at most ports of entry, "CBP does not have the software necessary to authenticate the information stored on the e-passport chips." "Specifically, CBP cannot verify the digital signatures stored on the e-passport, which means that CBP is unable to determine if the data stored on the smart chips has been tampered with or forged," the letter stated. Wyden and McCaskill said in the letter that Customs and Border Protection has "been aware of this security lapse since at least 2010."

141 comments

  1. You know what else isn't verified? by Anonymous Coward · · Score: -1

    MY BALLS!!! Suck 'em, nerds!

    1. Re:You know what else isn't verified? by Anonymous Coward · · Score: 0

      The eighties is never coming back. Your wife never cheated on you.

    2. Re: You know what else isn't verified? by Anonymous Coward · · Score: -1

      itâ(TM)s verified that my DAMN balls need sucked

  2. Bet they were able to get it budgeted though by grasshoppa · · Score: 5, Insightful

    How much do you want to bet that they were able to get a "solution" budgeted every year?

    --
    Mod me down with all of your hatred and your journey towards the dark side will be complete!
    1. Re:Bet they were able to get it budgeted though by jrumney · · Score: 2

      Meanwhile, I have a free app on my phone that is able to verify the signatures on any ICAO compliant NFC passport or identity card.

    2. Re:Bet they were able to get it budgeted though by Hal_Porter · · Score: 5, Insightful

      Isn't that a bit of a security risk?

      E.g. this app requires you enter a bunch of data. And then it scans your passport

      https://play.google.com/store/...

      At which point it knows everything about you. What's to stop is sending the data off to someone who sells it on the internet to identity thieves?

      If it was some pure open source thing I might trust it. However even though this library is open source

      http://jmrtd.org/ ... The ReadID app is not. So you don't know what they do with the data they collect.

      --
      echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;
    3. Re:Bet they were able to get it budgeted though by jrumney · · Score: -1, Redundant

      If you're paranoid enough, breathing is a security risk.

    4. Re:Bet they were able to get it budgeted though by Narcocide · · Score: 1

      Yea too bad they couldn't just fucking use Linux.

    5. Re:Bet they were able to get it budgeted though by Anonymous Coward · · Score: 0

      Is that even legal, citizen? Are you sure? The consequences for perceived unlawful behaviour can be... Unpleasant.

    6. Re:Bet they were able to get it budgeted though by Anonymous Coward · · Score: 0

      There's a same kind of app for debit and credit cards with NFC. No way i'll ever use that.

    7. Re:Bet they were able to get it budgeted though by BlueUnderwear · · Score: 1

      What's to stop is sending the data off to someone who sells it on the internet to identity thieves?

      The same thing that's stopping Microsoft from harvesting e-mail passwords via its Outlook Ios/Android app...: Reputation

      --
      Say no to software patents.
    8. Re: Bet they were able to get it budgeted though by Type44Q · · Score: 2

      So pretty much the same way that a large truck would be stopped by a sheet of newspaper blowing in the wind?

    9. Re: Bet they were able to get it budgeted though by Anonymous Coward · · Score: 0

      A better analogy would be that it is the same thing stopping a truck going off the edge of the cliff.

      What (usually) prevents a truck going off a cliff is that the driver is aware of the repercussions: e.g destruction of truck and/or injury/death of driver , or at least loss of job/money, etc.

      Similarly, but to alesser extent, what prevents Microsoft (for example) from harvesting passwords is the potential repercussions: e.g. negative media optics, brand impact and people generally bitching about it.

    10. Re:Bet they were able to get it budgeted though by Darinbob · · Score: 0

      Well, Microsoft's reputation can't get much worse.

    11. Re:Bet they were able to get it budgeted though by AuMatar · · Score: 2

      The reputation of a random company nobody has ever heard of before? Yeah, not downloading that shit.

      --
      I still have more fans than freaks. WTF is wrong with you people?
    12. Re:Bet they were able to get it budgeted though by rhyous · · Score: 1

      I think you underestimate the reputation of Microsoft to the eyes of the general public.

  3. We all know it's security theatre by Anonymous Coward · · Score: 5, Insightful

    This episode of security theatre is brought to you by CBP (Customs and Border Patrol) part of the larger circus called the DHS (Department of Homeland Security) which is now the largest federal law enforcement agency. We can't figure out if your passport is legit but take off your shoes and don't even think of taking those nail-clippers or toothpaste on that airplane. Someone should start a Dilbert-like DHS comic strip and make T-Shirts we people can wear when going through security.

    1. Re:We all know it's security theatre by Anonymous Coward · · Score: 0

      I seem to recall a German security researched found a security hole in the US based company chip and the master password was the text along the bottom. Apparently the same as many public transport value cards. The Estonia has to recall its ID cards for another.
      So, even if it did work, it could still be forged. Still no effort to upgrade the 'chosen' chip with new stuff.

    2. Re:We all know it's security theatre by AvitarX · · Score: 2

      But but, let's replace the private companies that didn't let anything in appropriate through.

      Bush oversaw the largest socialization of private industry in the history of the US, and yet nobody calls him a socialist.

      --
      Wow, sent an e-mail as suggested when clicking on "use classic" banner, and got a fast response that addressed my msg
    3. Re:We all know it's security theatre by jrumney · · Score: 5, Interesting

      That's not a security hole, it is published in the ISO standard that the passports are based on. The data that you get access to by using the key derived from info from the details page is the same info that is on the details page. If you can see the details page to get the key, you can see all that info anyway (except in my case they printed the photo on my passport in black and white, but have the color version on the chip). To verify that information is not forged, it is signed by a certificate of the government that produces it, and it is this that the US system is apparently failing to verify, and this is not something you can forge simply by knowing how to derive the symmetric encryption key that hides your data from people scanning your closed passport as you walk past in the airport.

    4. Re:We all know it's security theatre by ClickOnThis · · Score: 1

      Bush oversaw the largest socialization of private industry in the history of the US, and yet nobody calls him a socialist.

      Must ... resist ... oh damn, here I go.

      First of all, which Bush?

      Second, exactly what "private" (in your view) industry did he "socialize?"

      Third, are you seriously claiming that Bush (41 or 43) is a socialist?? Dude, your tinfoil hat is on too tight.

      --
      If it weren't for deadlines, nothing would be late.
    5. Re: We all know it's security theatre by Anonymous Coward · · Score: 0

      Probably moreso than Obama, yes, based on what each actually did while in office.

    6. Re:We all know it's security theatre by Anonymous Coward · · Score: 1

      This groping brought to you by the makers of Rapescan. I mean Rapiscan.

    7. Re:We all know it's security theatre by AvitarX · · Score: 1

      Bush, 43, did actually, in reality socialize airport security

      Before Bush, it was private security meeting standards (that were never missed on record), within his terms it became government that failed to meet standards.

      150k or so private jobs became government jobs. The largest socialization in US history. And it happened fast.

      --
      Wow, sent an e-mail as suggested when clicking on "use classic" banner, and got a fast response that addressed my msg
    8. Re:We all know it's security theatre by _Sharp'r_ · · Score: 5, Informative

      I recall (living in the DC area at the time of 9/11 and working next to Dulles, so it wasn't exactly a distant concern at the time) that Bush and the Republicans in Congress wanted enhanced private security, but the Democrats would only join them in voting for it if it used government workers, so to get it at all (which I wouldn't have voted for, but that's another discussion) they caved to the Democrats on the issue.

      So while Bush was the President at the time, it's not like he was a dictator. To say it was Bush's idea to use government employees for security isn't accurate. At most, he went along with the Democrats on it.

      --
      The party of stupid and the party of evil get together and do something both stupid and evil, then call it bipartisan.
    9. Re:We all know it's security theatre by PolygamousRanchKid+ · · Score: 2

      We can't figure out if your passport is legit but take off your shoes and don't even think of taking those nail-clippers or toothpaste on that airplane.

      The entire DHS airport security checks could be replaced with cocktail wieners.

      Just have a tray of them at every airport gate. Passengers wishing to fly would be required to eat a cocktail wiener before boarding the plane. Islamic terrorist would refuse to eat the cocktail wiener, and could thus be filtered out easily and efficiently.

      But no, the DHS folks are only interested in building an empire for themselves by wasting mountains of taxpayer money.

      --
      Schroedinger's Brexit: The UK is both in and out of the EU at the same time!
    10. Re:We all know it's security theatre by Anonymous Coward · · Score: 1, Funny

      Also an effective countermeasure against the scourge of international vegan terrorism. Brilliant!

    11. Re:We all know it's security theatre by Anonymous Coward · · Score: 0

      This would have the added bonus of eliminating Veganistic fundamentalists too. Add gluten to the wieners and I think we have a perfect solution.

    12. Re:We all know it's security theatre by Anonymous Coward · · Score: 0

      Imagine that. Our politicians used to work together despite their ideological differences.

    13. Re:We all know it's security theatre by Anonymous Coward · · Score: 0

      https://www.theregister.co.uk/2006/08/04/e-passport_hack_attack/
      https://www.youtube.com/watch?v=mH-xtDoHnFA
      https://forums.hak5.org/topic/10089-passport-cloning-the-hackers-choice-author-adam-laurievonjeek/

    14. Re:We all know it's security theatre by Anonymous Coward · · Score: 4, Interesting

      And?

      Of course you can clone them, cryptographically signed data is still nothing more than data.
      Signatures only serve to prove the plain-text data is bit-for-bit identical when verified using the public key, compared to when it was signed with the private key.
      Nothing more.

      If you have a forged passport with unsigned data, you can clone that and end up with another forged passport with unsigned data.

      If you have a valid passport with signed data, you can clone that and end up with another valid passport with signed data.

      All the signature does is prove if the governments private key signed the data and that the data hasn't been modified.
      Cloning doesn't modify the data so of course cloning won't break the signature.

      You still need a legit passport with signed data to clone in the first place.
      The signature prevents you from putting your own newly made data on the thing and being able to claim it is valid.

    15. Re:We all know it's security theatre by rickb928 · · Score: 1

      "Islamic terrorist would refuse to eat the cocktail wiener,"

      There is much about Islamic terrorists you do not know or understand. But I know you were engaging in theatre, so I'm not really concerned you are that stupid or naive. At least not about that...

      --
      deleting the extra space after periods so i can stay relevant, yeah.
    16. Re:We all know it's security theatre by Somebody+Is+Using+My · · Score: 3, Insightful

      Before Bush, it was private security meeting standards (that were never missed on record), within his terms it became government that failed to meet standards.

      How do we know they never missed on record? Is it because they told us they never missed? It seems like this might be similar to the difference between open-source and closed-source code; the former might seem less secure because there are lots of bug reports and patches, but that doesn't really tells us anything about the state of the latter. Similarly, it might very well be that the private security was just as much theater as the government's attempts, but a lack of transparency made it easier for them to hide their failings.

      Honestly, I don't know either way. I am just hesitant to believe that the private industry's record was really any better. I'd be curious if there was any information on the topic.

    17. Re:We all know it's security theatre by Anonymous Coward · · Score: 0

      Yes because we all know that private companies are perfect , never fail and never have any security issues.

      Dude, for real get off your ideological high horse. In the real world issues happen and security problems are common.

    18. Re:We all know it's security theatre by Anonymous Coward · · Score: 0

      And since the cloned data can be verified and it includes the photo of the passport holder...

    19. Re:We all know it's security theatre by Darinbob · · Score: 2

      There aren't "passwords" here. This is a signed data. There is a public and a private key, the private key must be kept secret but the public key is intended to be shared and available. By using the public key anyone can verify that the data was properly signed by the holder of the secret private key. Ie, encrypt using the private key, but decrypt using the public key.

      The data itself need not necessarily be encrypted, because it merely shows what is visible on the passport. But the signing process uses cryptography as a means of tamper protection (change one byte and the signature fails to validate), and that authentication must be done because otherwise it is a very simple matter to rewrite or replace that chip.

      The general public should be able to do the same thing, ie, verify that the data on your passport is correct and properly signed.

    20. Re:We all know it's security theatre by Darinbob · · Score: 1

      The digital signing is to prove that the printed data (and photo?) has not been modified. You can clone the chip that says "Anne Onny Mouse" from your passport and put it onto thousands of passports. However those chips will say "this passport is for Anne Onny Mouse", and the border official will then note the name does not match "Robert J Hacker" which is printed on the passport.

      Of course, if you're forging passports, you can easily clone the chip but it's not useful unless the printed data also has the same data as the chip. Ie, you can duplicate a passport so that there are thousands of "Anne Onny Mouse" passports. That's not a good thing but you still need a very good forger and lots of people with very similar faces. And once discovered all the passports can be revoked.

      Assuming of course, that the border security actually checks the authentication.

    21. Re:We all know it's security theatre by Darinbob · · Score: 1

      Let's say you have an army of clones intent on overthrowing the Empire, you could give them all duplicated passports that verifies their names and the photo matches their faces. Oh no! But as soon as one of them slips up all of those passports can be revoked at once.

      Assuming of course a competent Empire. In real life, as we see here, governments are full of bumbling oafs.

    22. Re:We all know it's security theatre by Anonymous Coward · · Score: 0

      Oh yeah, and turn in your guns. We'll protect you.

    23. Re:We all know it's security theatre by DNS-and-BIND · · Score: 1

      Then just have everyone doodle a picture of Mohammed. If you refuse, you don't get on the plane. In fact, we put you on the next plane back to Shitholestan. We don't need those kind of people in our nice country.

      --
      Shutting down free speech with violence isn't fighting fascism. It IS fascism!
    24. Re:We all know it's security theatre by Darinbob · · Score: 1

      Private contractors for prisons in California are a major failure. But they're entrenched and they have much more powerful unions than the government unions. Private contractors in the Iraq war were also a failure. All paid for out of taxpayer dollars, given to "for profit" companies, and we did not save money or get a better outcomes as a result.

      Even the most die hard anti-government tea party follower still agrees that government has a vital role in national security, and there are loud cries about beefing up the border security. We don't want private contractors doing the one job that almost everyone agrees the government should do. We can have private contractors coming up with methods and procedures and devices of course.

    25. Re:We all know it's security theatre by Anonymous Coward · · Score: 0

      Let's say you have an army of clones intent on overthrowing the Empire, you could give them all duplicated passports that verifies their names and the photo matches their faces. Oh no! But as soon as one of them slips up all of those passports can be revoked at once.

      Have you every watch "Where is Monday?" movie? In other words, even though you have cloned the passport data, you shouldn't be able to go through the same border twice without going out first (if the verification is correctly done). Thus, cloning valid passport data doesn't really have much benefit.

    26. Re:We all know it's security theatre by Darinbob · · Score: 1

      The new line from the remake of Airplane: "We need somebody who can not only fly this plane, but who didn’t have the cocktail wieners!"

    27. Re:We all know it's security theatre by Anonymous Coward · · Score: 0

      You'll also filter out non-terrorist Muslims and people who are bad at drawing. Brilliant!

    28. Re:We all know it's security theatre by nobuddy · · Score: 1

      FAA was the oversight for airport screening before TSA took it over. They tested and reviewed all airport screening.

  4. HMMMMM by Anonymous Coward · · Score: -1, Flamebait

    When was Obama sworn in? Wow. The more new DNC voters the merrier. Right? Need to breed out those pesky christian conservative americans at all cost.

    1. Re:HMMMMM by AHuxley · · Score: 0

      One chip shared by many illegal migrants for many years?

      --
      Domestic spying is now "Benign Information Gathering"
    2. Re:HMMMMM by Anonymous Coward · · Score: -1

      Excellent 'squirrel' post, Vlad! A bonus for you!

    3. Re:HMMMMM by gurps_npc · · Score: -1, Flamebait

      Obama was elected in 2009, one year before the problem became known internally, not when the problem was created.

      It was created by George Bush, whose moron employees failed to create the proper software.

      So, you want to blame the guy at the top of the food chain, fine. But make sure you blame the shmuck that created the problem, rather than just the guy that failed to fix it. Especially as you have no evidence about what Obama did or did not know or do.

      --
      excitingthingstodo.blogspot.com
    4. Re: HMMMMM by Anonymous Coward · · Score: 0

      Well, if someone is taking all the trouble and risk to falsify a passport lying about their nationality is probably not beyond their code of ethics either.

    5. Re:HMMMMM by Anonymous Coward · · Score: 0

      Idiot. the article is abuot how the chip readers don't work.

      Here, I'll spell it out: You don't need a chip. Passport chip readers in the USA don't.

    6. Re:HMMMMM by Anonymous Coward · · Score: 0

      Obama was elected in 2008; he was inaugurated near the start of 2009. And frankly, the person who (should have) known about the problem and failed to fix it deserves a good share of the blame.

  5. Shhhh! Don't talk about this security lapse by Anonymous Coward · · Score: 0

    Now everyone knows about this and now fake passports will accompany people using fake identities because they know nobody is checking the authenticity of the passports. Thanks a lot, blabbermouth!

    1. Re: Shhhh! Don't talk about this security lapse by guruevi · · Score: 1, Insightful

      Forgers have known about this just as long. And even if you get it to work eventually, the encryption on the chips themselves have been proven easy to crack for many years.

      --
      Custom electronics and digital signage for your business: www.evcircuits.com
    2. Re: Shhhh! Don't talk about this security lapse by jrumney · · Score: 2

      The encryption is published in an ISO standard, so "cracking" it is the domain of snakeoil salesmen. The issue here is not the encryption, it is the digital signatures, and I can assure you that other countries are not as incompetent as the US's Homeland Security in this respect.

    3. Re: Shhhh! Don't talk about this security lapse by ezdiy · · Score: 1

      > the encryption on the chips themselves have been proven easy to crack for many years

      Bullshit.

      However you can't just "crack" the signature on the card if the reader actually does verify the signature. This is because there is no private key for PA on the card, thus classic key extraction attacks are useless. You can still clone the card and use somebody's else identity, but the encryption as such is fine (as long RSA-1024 is fine, which it barely is).

  6. A decade of the software saying? by AHuxley · · Score: 0

    So what happened when a request was made to a chip What did the GUI say for a many years?
    No error, allow the passport?
    The same cryptic error code for every valid passport?
    No error code for every illegal "migrant" trying a "passport"?

    --
    Domestic spying is now "Benign Information Gathering"
    1. Re: A decade of the software saying? by Anonymous Coward · · Score: 0

      You already said that, you Russian troll fuck.

    2. Re:A decade of the software saying? by nedlohs · · Score: 1

      You could try reading the article?

      It does the obvious thing you would expect from a system using digital signatures that is set to not verify the signature.

  7. I should be shocked and alarmed by smylingsam · · Score: 1

    but all I feel is sadly unsurprised. After a while some people just cant live up to your expectations or their own.

    1. Re:I should be shocked and alarmed by Anonymous Coward · · Score: 0

      but all I feel is sadly unsurprised. After a while some people just cant live up to your expectations or their own.

      Whoever knew about this and did not appropriately escalate it and get it dealt with deserves fired. Hell, you'd be better off to release the requirements and necessary specs and let the open source community build it. Somebody could probably knock it out in a week.

    2. Re:I should be shocked and alarmed by smylingsam · · Score: 1

      I am afraid it sound like you have been thinking critically ago. Further that kind of proactive can do disruptive thinking clearly shows a lack of team sprit. We should have a meeting about this

    3. Re:I should be shocked and alarmed by Anonymous Coward · · Score: 0

      Government employees are promoted for this kind of incompetence. Heck, now they have a genuine emergency with tax payer funds incoming. They will need more "experts" and reviews to assess and deal with this "threat." A whole new team will be hired, creating a whole new bureaucracy. Yet another boondoggle and waste of money. Oh, but it provides government jobs and pensions! Win win!

      Out government needs an enema. Fire all of them and start over. Cancel their pensions and health plans. We have been had.

    4. Re: I should be shocked and alarmed by Anonymous Coward · · Score: 0

      Your english teacher also deserves fired.

  8. And this is Trump's fault how? by Anonymous Coward · · Score: -1

    Always blaming Trump for everything.

    1. Re:And this is Trump's fault how? by Anonymous Coward · · Score: 0

      Thanks, Obama.

    2. Re:And this is Trump's fault how? by upuv · · Score: 1

      It happened during Bush's presidency.

  9. Wait, wait, wait by Anonymous Coward · · Score: 0

    Who was US president during most of this time?

    You Maniacs! You blew it up! Ah, damn you! God damn you all to hell!

  10. Wow ... and they wanted a wall? by Anonymous Coward · · Score: 0

    The idiot-in-chief wants to build a wall while there are massive issues like this with the existing system. Fixing this problem would obviously be more effective than a stupid wall. How on earth did we end up with such a moron in the Presidency?.

    1. Re:Wow ... and they wanted a wall? by Anonymous Coward · · Score: 0

      Fixing this problem would obviously be more effective than a stupid wall.

      Yes, everyone knows people hopping the border so often have their passports verified.

      How on earth did we end up with such a moron in the Presidency?.

      The "popular vote" doesn't mean shit. It never has, it never will. Trump is your President, fool, not the moron you're shilling for.

    2. Re:Wow ... and they wanted a wall? by sexconker · · Score: 1

      The issue is that cryptographic signatures aren't verified for passports with chips.
      This only applies to passports from 38 countries. People coming in from Mexico aren't using passports with chips.
      For the 38 countries it does apply to, border and customs agents still verify a person's identity using the passport, the photo, and and person in front of them.

      This fuck up makes the chip useless as anyone can put any data on there.
      You would still have to be able to make a convincing fake of a physical passport for a country on the list to get expedited entry.

  11. Typical US Government by Anonymous Coward · · Score: 0

    Incompetence. I know! Let’s put them in control of our health care!

  12. The passport checkers may as well have stayed home by kriston · · Score: 2

    All of those passport checkers may as well have stayed home for the past ten years.

    --

    Kriston

  13. Also easily replicated by Antique+Geekmeister · · Score: 5, Informative

    There was an interesting e-passport replication technology reported at the "Black Hat" security conference in 2006 So far as I know, this replication approach has never been disabled

    https://www.theregister.co.uk/...

      RFID chips are, by their nature, kept very inexpensive and easy to read. Unless the USA and other nations are prepared to invest in more powerful and secure standards for what is supposed to be a very easily scanned and robust technology, I'm afraid that I don't see how they can be made more secure.

    1. Re:Also easily replicated by 93+Escort+Wagon · · Score: 4, Insightful

      Unless the USA and other nations are prepared to invest in more powerful and secure standards for what is supposed to be a very easily scanned and robust technology, I'm afraid that I don't see how they can be made more secure.

      The point isn’t to make passports truly secure in the eyes of a technically literate person - the point is to make them “secure” within the level of understanding posessed by the average politician.

      You know - the men and women who believe we can have “secure” smartphones which are completely and readily accessible to law enforcement personnel but no one else.

      --
      #DeleteChrome
    2. Re:Also easily replicated by jrumney · · Score: 5, Informative

      Sure, its easily replicated, but the data has your photo, among other things which are easily verified by the border agent against the person standing in front of them. So replicating it isn't all that useful if you are trying to produce a passport that someone not authorized to have that passport can use. You need to modify the data on it, which breaks the digital signature. Only if border security is not properly verifying the signatures does this become useful for nefarious purposes.

    3. Re:Also easily replicated by Anonymous Coward · · Score: 1

      You know - the men and women who believe we can have “secure” smartphones which are completely and readily accessible to law enforcement personnel but no one else.

      Or believe that a "background check" will prevent anyone who ever might do something evil from getting a gun.

    4. Re:Also easily replicated by SirSlud · · Score: 2

      Replicating a passport is far less of an issue than writing a new one whole cloth.

      --
      "Old man yells at systemd"
    5. Re:Also easily replicated by Anonymous Coward · · Score: -1

      Almost every bad guy with a gun was once a good guy with a gun (at minimum during background check).

    6. Re:Also easily replicated by cliffjumper222 · · Score: 2

      Cloning is possible. However, in this case, the digital signature is not even being checked of the data. So, right now, you can create complete forgeries without the private key (or certificate) required. If they actually started to check signatures, which let's face it, software should be able to do easily today (I wonder why it's never been implemented), then you would have to match the details on the written passport exactly and you'd have to be a clone of another passport holder. That is a far higher bar to get over.

    7. Re:Also easily replicated by Anonymous Coward · · Score: 0

      The biggest problem according to slashdot years ago was that the passport terminals did check the signature, but that it also accepted the NULL encryption/signature algorithm. Meaning you could just put any data on the passport with a NULL signature and it would get accepted.

    8. Re:Also easily replicated by Anonymous Coward · · Score: 1

      bloccckkkkkchhhhaaaiiiinnnn

    9. Re: Also easily replicated by Anonymous Coward · · Score: 0

      Easy. A quick hammer strike or two and the RFID is disabled.

    10. Re:Also easily replicated by DarkOx · · Score: 1

      That's the point. If the digital signature is not checked its possible to create altered data. You create a password with your picture, so it look like you standing in front of the agent with the information belonging to some other person who would be admitted at the border.

      Obviously its still a challenge, you need to create convincing physical forger or alter an existing document; which does have physical tamper controls in place. You will also need to be able to program the thing correctly save for needing to produce a valid cryptography signature - that can probably be just something with the right leading magic numbers followed by any old string of junk.

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
    11. Re:Also easily replicated by Anonymous Coward · · Score: 0

      Oh look, a complete fuckwit.

    12. Re:Also easily replicated by Anonymous Coward · · Score: 0

      Passports pictures are, on average, 5 years out of date. Within the parameters of a passport photo (and the age/sex associated with it, though sex is apparently forgeable if you are Canadian) it isn't really all that hard to find someone that looks similar enough that you wouldn't reasonably be convinced it is just 5 years of change that caused the deviation.

      Happens all the time for other things. Popular around here is to have one God at writing and performing truck driver's tests do all the passing for anyone that looks like him--and that's done IN PERSON, sometimes the same person with the same examiner multiple times!

    13. Re:Also easily replicated by Antique+Geekmeister · · Score: 1

      I agree. But if they're not verifying the recorded data, as seems to be the case, than replicating even one such RFID chip en masse helps enable wholesale forgery.

    14. Re:Also easily replicated by EndlessNameless · · Score: 1

      Cloning is not an issue if the signed data includes physical descriptors and photographs. Ultimately, all government ID systems rely on a human matching the person in front of them to the person on the paperwork.

      Preventing forgery is the major concern. And they have zero chance of stopping it if they cannot verify a fucking digital signature. Pathetic.

      Hell, ADOBE has integrated support for digital signatures and document validation---and it actually works. Unless there was a proposal to fix this that couldn't get Congressional funding, someone needs to be shitcanned. This is a serious lapse, and they should have asked for money to buy the hardware/software years ago.

      --

      ---
      According to the latest ruleset, this post should be modded as Vorpal Flamebait +5.
    15. Re:Also easily replicated by Anonymous Coward · · Score: 0

      What the hell? They make you pay ~$100 or more for a passport, you'd think they'd at least get the $5 security chip instead of the $0.50 one...

  14. Papers please by Anonymous Coward · · Score: 0

    I need to see your papers. Are they in order?

  15. Re:The passport checkers may as well have stayed h by AHuxley · · Score: 1

    What did the computers say?
    All passports looked at got a correct pass every year?
    Nobody thought to have a failed passport test at random times to see if every computer GUI was working?
    Every passport failed and the GUI was always ignored. Waiting for an update to finally get the functionality?
    An error code did show but it always had to be scrolled past with many other messages?

    --
    Domestic spying is now "Benign Information Gathering"
  16. We should put thes same people in charge of our he by ryanmc1 · · Score: -1, Troll

    I can't wait until the government takes over our healthcare. They have proven time and time again that they are the best at managing important services.

  17. Need More! by Anonymous Coward · · Score: 0

    We need more of this wonderful government managing as many aspects of society and as much of our lives as possible! What could possibly go wrong?

  18. Comment removed by account_deleted · · Score: 2

    Comment removed based on user account deletion

  19. Comment removed by account_deleted · · Score: 2

    Comment removed based on user account deletion

  20. The only way to get this fixed is to rat them out by Anonymous Coward · · Score: 0

    Replication has SOME value, but being able to change the contents without it being spotted is the money play here.

    And the major players had to know already.
    Want to slip a couple of Russians in ?. Edit a couple of stolen or otherwise clean passports and there you are comrade.

    I'd guess something like that was uncovered during other investigations probably triggered this.

  21. So? by PopeRatzo · · Score: 2, Insightful

    US Border Officials Haven't Properly Verified Visitor Passports For More Than a Decade Due To Improper Software

    And in that time, the number of terrorist attacks by foreigners sneaking into the country is...zero.

    Maybe that "foreign terrorist" threat isn't nearly as bad as we were told? Maybe we have more to worry about from other Americans than we do foreign terrorists?

    --
    You are welcome on my lawn.
    1. Re:So? by Anonymous Coward · · Score: 0

      That can't be, they have assured us that these policies are the only thing keeping us from daily terrorist attacks!

      The government wouldn't lie to us like that!

    2. Re:So? by Anonymous Coward · · Score: 2, Informative

      And in that time, the number of terrorist attacks by foreigners sneaking into the country is...zero.

      Maybe that "foreign terrorist" threat isn't nearly as bad as we were told? Maybe we have more to worry about from other Americans than we do foreign terrorists?

      It isn't zero... "Six Iranians, six Sudanese, two Somalis, two Iraqis, and one Yemeni have been convicted of attempting or executing terrorist attacks on U.S. soil during that time period"

      According to this article arguing against the travel ban: https://www.theatlantic.com/international/archive/2017/01/trump-immigration-ban-terrorism/514361/

      Also, this issue isn't just about terrorism, but also more likely criminals coming to the US. The numbers of criminals coming to the US is well above 0.

    3. Re:So? by DarkOx · · Score: 1

      Or maybe the other controls are relatively effective. The two most obvious

      1) a robust intelligence gathering effort that feeds
      a number of various "lists"
      2) Physical controls on passport documents. Look at them there are number glossy, hologramed bits. The guy at the corner is going to be hard pressed to make a convincing forgery. You might fool the inattentive clerk at your local motel or gas station attendant ringing up some beer but you won't fool a TSA agent. Without access to a lot of resources most criminals don't have. Well funded terrorist organizations might be a different story.

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
    4. Re:So? by Anonymous Coward · · Score: 0

      And in that time, the number of terrorist attacks by foreigners sneaking into the country is...zero.

      Ergo, we can conclude that terrorist attacks aren't a significant aspect of border "security." While it's true that foreigners haven't seen a reason to go apeshit and kill a bunch of people (for some reason, there don't seem to be many incentives for that sort of behavior), they may have done some other things that Congress wanted to stop them from doing. i.e. get jobs, perform espionage, whatever your imagination can conjure.

      Terrorism was never really that important, anyway. People raised some eyebrows at 9/11 of course, but in the end, if you're really scared of dying you're going to obsess over your diet and exercise, and getting-murdered won't even be a blip on your "death-dar."

      BTW, gun control is like that too. That's why there will be more school shootings: fixing the "problem" isn't really worth it, because it's not really much of a problem at all. Almost nobody ever gets shot at school. (Look at the numbers.) Moms will say they're scared for their kids' safety, but the lie will be exposed at the next McDonald's.

    5. Re:So? by blindseer · · Score: 2

      And in that time, the number of terrorist attacks by foreigners sneaking into the country is...zero.

      Why should they have to sneak in when they can walk in the front door?

      The people that planted a bomb at the Boston Marathon were immigrants. They had their "papers in order", and it was their immigration registration records that allowed the police to identify them so quickly.

      The Boston Marathon bombing was a terrorist act on American soil by foreign actors. That is just one of many examples. There have been many acts of terrorism on Americans by immigrants. Some more successful than others. Some using firearms, some with knives, some using vehicles as weapons, some using improvised explosives.

      Now, not all immigrants are terrorists. I should not have to say that as it should be obvious but if we had some better controls on who enters the nation then we'd see less of this. Also, not all terrorists are immigrants. This should also not require being pointed out. What seems clear though is that immigrants are more likely to commit terrorist acts and other crimes than native born Americans.

      Those that did sneak through the borders to get into the USA have broken the law by the very fact of sneaking past the border. Once here they seem to have little respect for other laws. They will drive without a license, insurance, or registering their vehicle. They will work under falsified papers. They will drive while drunk. They will steal, rape, and murder. Assuming it is true that people sneaking across the border have not done anything that may be considered an act of terrorism we do know that they are not saints, they have broken the law by the act of entering the nation without permission, and have a high probability of further breaking the law.

      If we have more to worry about from native born terrorists than foreign born then it is only because In the USA there are far more people native born than those not. Immigrants have a much higher tendency to break the law than native born Americans, whether they came in the front door or not. Knowing that therefore it may be wise to reduce the number of immigrants and demand that the immigrants we do allow in must be of very high moral character.

      --
      I am armed because I am free. I am free because I am armed.
    6. Re:So? by PopeRatzo · · Score: 1

      Now, not all immigrants are terrorists.

      And not all gun owners are school shooters. Stow that bullshit.

      --
      You are welcome on my lawn.
    7. Re:So? by Anonymous Coward · · Score: 0

      That's not what OP said. OP was talking about terrorists illegally entering the country. That article speaks of terrorists legally entering the country.

    8. Re:So? by Areyoukiddingme · · Score: 1

      Those that did sneak through the borders to get into the USA have broken the law by the very fact of sneaking past the border. Once here they seem to have little respect for other laws. They will drive without a license, insurance, or registering their vehicle. They will work under falsified papers. They will drive while drunk. They will steal, rape, and murder.

      Right. In record numbers. Fox News should be a controlled substance.

      ...they have broken the law by the act of entering the nation without permission, and have a high probability of further breaking the law.

      No they don't. They have a much lower probability of breaking any further laws that aren't labor laws. Breaking laws attracts the attention of law enforcement. Illegal immigrants go out of their way to avoid the attention of law enforcement. Haven't you seen... basically any procedural cop show in the past 20 years? Every single one of them has multiple episodes of local LEOs having to disclaim their interest in the immigration status of people they're interviewing, or threatening to call Immigration in order to extract information. Illegal immigrants are at pains to avoid having any such conversations.

      Your sourceless assertions are ridiculous on the face of it, and contradicted by FBI statistics.

    9. Re:So? by blindseer · · Score: 1

      You gave a website as a reference where I found no breakdown based on immigration status.

      I've heard the claim that illegal immigrants break the law less often than domestic born people and they get to this through some very interesting statistical analysis. They will take the crime rate of immigrants and then they will make adjustments for age, gender, race, education, income, and employment status. What we find is that illegal immigrants are predominately in the age range of 16 to 40 (or something like that), male, hispanic and black, few have even a high school education and many cannot even read in their native language, they are also largely poor and unemployed. So they compare this to domestically born people within a similar demographic and find they are just as likely to commit crimes.

      So, we've proven illegal immigrants do not pose a problem with crime, right? No, they didn't. This is because to make this claim they had to group the illegal immigrants with the legal immigrants. Even then they still see a higher crime rate as a whole, it's only by "statistical adjustments" that anyone can claim a lower crime rate.

      No they don't. They have a much lower probability of breaking any further laws that aren't labor laws.

      Even if we assume that they break no other laws they are still criminals. They break the law by entering the country illegally. They break the law through fraud by getting a job under falsified papers. They break the law by driving without a license or obtaining a license with false documents. By working in the USA they are breaking the law everyday and I'm supposed to be okay with this? Would violating labor laws be tolerated of people born in the USA? Of course not, and it should not be tolerated of illegal immigrants either.

      Haven't you seen... basically any procedural cop show in the past 20 years? Every single one of them has multiple episodes of local LEOs having to disclaim their interest in the immigration status of people they're interviewing, or threatening to call Immigration in order to extract information.

      The networks can show that on TV but that doesn't make it true. Illegal immigrants are often the victims of crimes by other illegal immigrants. They are always reluctant to go to the police, not just because they might get deported but because it opens them up to retaliation for snitching on others.

      Illegal immigrants are at pains to avoid having any such conversations.

      Which is why a lot of illegal immigrants keep quiet on being victims. Many immigrants will report being a victim, because they are here legally or fear being a victim again more than deportation. Many crimes by illegal immigrants go unpunished, illegal immigrants will often flee the country once they've become known to law enforcement. Just because they weren't caught and sent to jail does not mean they didn't commit a crime.

      Your sourceless assertions are ridiculous on the face of it

      Whatever. I've seen the claims of immigrants being more law abiding than those born here and they all bend the statistics to "adjust" this crime away. Lies, damned lies, and statistics. The numbers will tell you anything you want if you torture them enough.

      Illegal immigrants are, by definition, criminals and this should not be tolerated. Their tendency for committing further crimes, like fraud and drug trafficking, should not be tolerated either.

      --
      I am armed because I am free. I am free because I am armed.
  22. Typical by Anonymous Coward · · Score: 0

    This is just another of the many ways in which the United States has become the stupidest country on Earth.

  23. tub61rl by Anonymous Coward · · Score: -1

    area. It is the ccomunity at what we've known as it is licensed

  24. US mercenaries are full of bad people new @ 11 by Anonymous Coward · · Score: 0

    no one in so called law enforcement should be out of prison, Solitary for all of them is appropriate, these are people that are traitors and murders so....

  25. Re:We should put thes same people in charge of our by PopeRatzo · · Score: 1, Funny

    I can't wait until the government takes over our healthcare. They have proven time and time again that they are the best at managing important services.

    I know, right? After that, the government will probably want to take over the military, with enough nuclear weapons to destroy humanity. What could possibly go wrong, amirite? And border security. Thank goodness we live in a free country where the government isn't in charge of something as important as border security or national defense.

    We need to act now to keep the government's hands off our military, don't you agree? Yeah, you. Dummy. I'm talking to you.

    --
    You are welcome on my lawn.
  26. Obama fails again by Anonymous Coward · · Score: 0

    Once again a gross failure of the Obama administration to implement US law is revealed. Though it's not like Obama had any interest in protecting the borders; he was too much invested in being "flexible" with Russia. And of course now the Dims are in hurry-up mode to get Trump to work on fixing Obama's screwups.

    1. Re: Obama fails again by Anonymous Coward · · Score: 0

      You do realize Bush43 started this mess rite? Donâ(TM)t blame the guy that failed to fix it, blame the guy that created the problem...

    2. Re: Obama fails again by nonBORG · · Score: 1

      Man this was Obama I or Bush I am sure they both personally oversaw every detail of the implementation here. Also I am absolutely sure it was up to their technical competence and understanding to get this stuff implemented correctly. There is 36 countries involved here and it is all up to one guy, probably the US president don't have anything else to do.

      --
      You can't handle the truth! - Because I don't post left all my comments get modded down, bye bye Karma.
  27. And its cancerous influence is everywhere by Anonymous Coward · · Score: -1

    Not just some US agencies. Because the EU joined in, every EU citizen had their passports "upgraded" with the rfid/nfc malarky, whether you wanted it or not. (The Swiss at least get a choice. EU citizens do not.) When people demanded built-in sleeves like you got, they didn't get it, so all EU passports are leaky.

    In fact, because "identity cards" were legally equated with passports, those got the chips too. And just about every EU country then forced every citizen to always carry an ID card. With rfid chip and fingerprints. Without shielding sleeve. Because now we have "open borders", sold to us so we wouldn't need a passport at the border, we now have to have rfid ID cards on us at all times. That's three hundred-odd million people stuck with rfid ID cards. No it's not entirely the US' fault, but your out-of-control government just provided our US-sycophant overlords with the convenient excuses. Thanks for that, I guess.

    The thing of course is that this rfid shit doesn't do a thing to make passports safer, in fact it makes them less safe and less secure. But the real problem isn't with the rfid cards. It's with the asylum^Wfortune seekers that come in on stolen blank Syrian passports and other such not entirely honest people that are doing their level best at swamping us. When the rulemongering idiots at immigration "cannot prove" such people have ill intentions, "there is no problem", so they're let in. And issued valid EU papers, complete with valid EU digital signatures and everything. And that's just one small example.

    Digital signage and rfid chips are yet another techno-circle jerk that ultimately doesn't do squat to make anyone more secure or safer. I for one would be much happier with an rfid-free passport and no rules mandating ID cards.

    1. Re: And its cancerous influence is everywhere by Anonymous Coward · · Score: 0

      If only there were some way to buy a passport or identity card sleeve yourself instead of crying that you weren't given one. If only it were as easy as wrapping the thing in aluminum foil. Just imagine how much more secure the world would be and how much less whining you would be able to do if any of this were true.

    2. Re:And its cancerous influence is everywhere by nobuddy · · Score: 1

      I bought an RFI shielded passport wallet for $9. Its a full function wallet, with a shielded passport pocket built in. Also shielded slots for RFI ID cards.

      If you can't afford $9, perhaps you should not be traveling abroad.

  28. cryptographic information by Hognoxious · · Score: 1

    "Cryptographic information" sounds like information about encryption. Do they mean "encrypted information"?

    --
    Confucius say, "Find worm in apple - bad. Find half a worm - worse."
    1. Re:cryptographic information by sexconker · · Score: 1

      No, they don't.

      The data isn't meaningfully encrypted. Anyone with physical access to the passport has the key to read it AND the data itself (name, date of birth, country, photo, etc.).
      The data is cryptographically signed by the country issuing the passport.
      That signature is the "cryptographic information" in question.
      The readers are failing to verify the signature.

  29. I guess i am confused by Anonymous Coward · · Score: 0

    Why are democrats complaining about this? Dont they want to get rid of all barriers to entry such as walls and such?

    1. Re:I guess i am confused by Anonymous Coward · · Score: 0

      Maybe they give a shit about doing their job correctly.

      I know it's hard for you partisan hacks to understand, but the majority of people on both sides want this country to succeed.

  30. Voter ID by Anonymous Coward · · Score: 1

    And yet the Democrats keep blocking every attempt to verify a voter's real identity. Heck, these people could just show a (fake) passport everywhere they vote.

  31. It's Okay by Anonymous Coward · · Score: 0

    The software they use was supplied by Oracle. It's okay, they logged a bug ticket when they noticed the problem. I'm sure it'll be fixed soon ;-)

  32. I can tell you why this is so by kilodelta · · Score: 1

    It's because congress, and even state legislatures don't have the vision to see that software and training might be necessary. And a bloated enterprise like Homeland Security and TSA - well they can just barely do security theater. So while a legislative body might pass a feel good that the electronic encryption on a passport is secure - they completely forgot about funding to develop the software to read it.

  33. Don't worry APK will tell us about hosts shortly by Anonymous Coward · · Score: 0

    Don't worry everyone, APK will be along shortly to tell us how using hosts can solve this security problem. If you question him he will call you a ne'er-do-well or a soros funded puppet, then state that he won.

  34. Bush as a socialist? Maybe... by sjbe · · Score: 1

    First of all, which Bush?

    It doesn't matter. Both of them substantially expanded the number of government jobs during their administrations.

    Second, exactly what "private" (in your view) industry did he "socialize?"

    All airport security was private contractors prior to 9/11. Then it became a part of DHS. More generally public sector payroll expanded greatly during their administration - more than most recent presidents except perhaps Clinton. Based on their actions it's not entirely irrational to say they are closeted socialists.

    Third, are you seriously claiming that Bush (41 or 43) is a socialist?

    Oh they try to pretend they aren't but it's actually pretty easy to argue that a lot of republicans are really socialists in denial about it. They want big government and if you mute their rhetoric their actions prove it. They never actually cut military spending, medicare spending, or social security which are the three biggest line items in the federal budget. In fact Bush 43 expanded medicare and every republican administration tries to make the military larger to pander to their base. So yeah, they kind of are a weird sort of socialist.

  35. tax dollars in their pockets by Anonymous Coward · · Score: 0

    But the people who convinced the government to buy their ePassport technology are very happy with their results. Who cares if it works, just pay us!

  36. I find it funny... by Anonymous Coward · · Score: 1

    that these Dems who wrote this letter care. After all, the Dems rely on a stream of illegals coming across the border anyways.

    1. Re:I find it funny... by Locke2005 · · Score: 1

      How is that? Illegals can't vote. Didn't they explain how U.S. elections work when you went to school in Moscow?

      --
      I've abandoned my search for truth; now I'm just looking for some useful delusions.
    2. Re:I find it funny... by Anonymous Coward · · Score: 0

      Sure they can, just use your e-passport as ID. Do you read the summaries?

  37. nobody *wanted* a secure border by cascadingstylesheet · · Score: 1

    Nobody wanted a secure border ... nobody who mattered, anyway. No wonder stuff like this got to slide.

    Until, mysteriously, now. Must be those darn xenophobe rubes who took over ...

  38. Oh, so there WAS a reason to pause immigration by Anonymous Coward · · Score: 0

    Who would have thought there was a valid excuse to put a hold on immigration so that the system could be reviewed?

  39. Be glad only 7 environmental studies are needed by Impy+the+Impiuos+Imp · · Score: 1

    The wording on the language in the Request For Proposals is nearing completion.

    Relax peoplre, gubberment is on it!

    --
    (-1: Post disagrees with my already-settled worldview) is not a valid mod option.
  40. Grow up you obsessed loon... apk by Anonymous Coward · · Score: 0

    See subject & I see you're still butthurt I cornered you for your bs lie you can't backup https://it.slashdot.org/comments.pl?sid=11776765&cid=56174209/ you obsessed lunatic!

    * I loved how you had to EVADE backing up your bullshit that "2 billion people depend on your 'work'" bullshit & your "work" is trolling (no, they do NOT depend on your trolling as it's not an actual useful program like mine that even /.ers use & like)!

    HOWEVER, I must admit - I truly DO depend on YOU - how? I depend on YOU to always make ME look GOOD & yourself like the lying bullshitter you proved you are, lol!

    APK

    P.S.=> GROW UP... apk

  41. A Little Perspective Is Needed by Anonymous Coward · · Score: 0

    Does anyone remember passports before they were chipped? I do. They looked exactly like the new chipped passports do.

    My point is, a forged passport was potentially a problem then just as it is now. I'm not sure our level of risk has greatly increased.

    On the other hand! With chipped passports being available for a number of years, it seems like DHS would have been a little more interested in the chip readers. After all someone felt that the passports would be better with chips in them, and by "someone" I mean people important enough to make that happen, and lots of them. This isn't some kind of small-time initiative you can throw together in a weekend in your backyard.

    So it's not a pants-on-fire emergency. It sounds a little more like standard bureaucratic foot dragging.

  42. What's next by Locke2005 · · Score: 1

    Cue Trump blaming Obama for the problem in 3... 2... 1...

    --
    I've abandoned my search for truth; now I'm just looking for some useful delusions.
  43. Follow the money by Anonymous Coward · · Score: 0

    As a nonAmerikan I was told my well travelled 7 year old passport was "insecure" and "wouldnt be compliant with our new security measures" so I had to spend $200 and no small amount of time getting a new chipped one. Which they never actually scan.

    But you can still buy a good fake US passport in China for $100...

  44. Government is best by mi · · Score: 1

    Is not government awesome? Consider:

    Just recall the above (incomplete) list next time someone suggests, yet another industry/market would be better served by the caring and omniscient government employees, than by the greedy KKKorporations.

    --
    In Soviet Washington the swamp drains you.
  45. It never occurs to you.. by Anonymous Coward · · Score: 0

    Maybe you should worry less?

    Naw. Thats for brave free peoples, not you bigly people.

  46. Re: We should put thes same people in charge of ou by ryanmc1 · · Score: 1

    Really? That's the best comeback you've got? Nuclear weapons? I won't stupe to your level by calling you dirogitory names, but here I am arguing that government should not be in charge of health care because thay take forever to get things done, and health care needs quick reactions, and you try and lump in nuclear weapons into the same category? I for one want them to take a long time to decide to launch nuclear weapons. If you want them to launch them faster then good luck with that. A world where we launch weapons with the speed that we need in healthcare would not be a great place to live in.

  47. Re: We should put thes same people in charge of ou by PopeRatzo · · Score: 1

    I won't stupe to your level by calling you dirogitory names

    The prosecution rests.

    --
    You are welcome on my lawn.
  48. Good thing we're building... by Anonymous Coward · · Score: 0

    ...that wall rather than spending just a tiny fraction of that amount of money on passport scanning software.

    #MAGA