As clients using old versions of MSIE are more likely to be infected with malware, I decided to not only stop support for them, but block them entirely.
If more sites did alike, users might feel slightly more motivated to update.
The .Net Framework Assistant also changes the User-Agent string of the Firefox browser, adding "(.NET CLR 3.5.30729)", so infected sites can better detect which MS vulnerability to exploit.
As the financial problems of the state of California are quite obvious, any COBOL programmers who are capable and willing to do the job should make sure to get their money before they even look at the code or the documentation (if any).
And, by the way, can they contract programmers without having a budget?
The ICAO recommended approach is much more secure -- the problem here is that the EU has chosen not to implement the security features.
This is not correct. The EU has implemented those security features - Basic Access Control (BAC) especially is a European development, mainly brought into ICAO by German Federal Office for IT Security (BSI). BSI also proposed Extended Access Control (EAC) for additional data such as fingerprints. The study on which the Budapest declaration is based has all this analysed.
The US State Dept. has chosen to go one step beyond the ICAO recommendations and add shielding to the passport cover, so the chip is isolated and can't be queried or detected when the cover is closed.
The contactless smart card chip refuses to divulge any data until after the reader authenticates itself with a challenge-response protocol using an AES key (128 bits, IIRC) which is derived from an optically-scannable string printed inside the passport cover. [...] So, unless you can break AES or exploit some other flaw in the passport chip* the only way to retrieve the data from the chip is to look inside the passport.
The basic problem is that
- RFID communication is open to eavesdropping, that
- the entropy of the key space is rather limited as the keys (MRZ hashes) consist of names, birthdays, serial numbers, etc., and that
- as the machine readable zone (MRZ) from which the key is hashed does not change for a passport's lifetime of 10 years (in Germany), the key is not changeable.
During the challenge-response protocol, a pair of session keys are generated, one is used by the passport chip to encrypt all data responses, and the other is used by the reader to individually authenticate each data request.
If you have access to the MRZ, you can just decrypt the session keys. Successful brute force attacks on eavesdropped passport-to-reader communication are already feasible within hours, see ePassport Privacy Attack. Once the MRZ is known, e.g. when you have to leave your passport in a hotel or after a successful brute force attack, the passport can be 'pinged' e.g. when going through a door and then be used as a trigger for something. Excessive eavesdropping of passport-to-reader communication e.g. at airports allows for later brute forcing and then identity theft.
The Budapest declaration and the study behind it focus on all these issues and take all your points into account. BAC and what is already known on EAC has been analysed. Still the résumé is 'poorly conceived'.
Because it avoids the need to place all of this detailed personal information in central databases which are accessed remotely from thousands of locations around the world. How would you secure such a database?
Well, as the US want to store all the data collected from the passports for 50 years, maybe they have an answer to that question?
Note that these chips were not created for passports, they're standard contactless smart card chips which have decades of use as security devices behind them, and which protect billions in credit card transactions annually -- nothing's perfect, but they're darned good, having gone through many years of breaks and application of countermeasures.
The problem is not the chips. The problem is the RFID interface, the limited keyspace entropy, the absence of the option to change the key, well, see above.
Another problem with the passports is the use of biometrics in general, which is also covered within the study and the declaration.
The bottom line is: RF interface and biometrical identification do not increase security, but risks. These passports will cost lots of privacy, security, and tax money.
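The entropy argument in the comment above, as an added example that is not part of the original comments: it derives the Basic Access Control key seed from the printed MRZ fields and estimates how many bits of uncertainty those fields actually carry. It assumes the ICAO Doc 9303 layout (document number, date of birth and date of expiry, each followed by its check digit, hashed with SHA-1); the sample fields are the ICAO specimen values, and the search-space sizes in `SCENARIOS` are constructed assumptions.

```python
import hashlib
import math

WEIGHTS = (7, 3, 1)  # ICAO 9303 check-digit weights, repeated over the field


def check_digit(field: str) -> int:
    """ICAO 9303 check digit: digits count as themselves, A-Z as 10-35, '<' as 0."""
    total = 0
    for i, ch in enumerate(field):
        if ch.isdigit():
            value = int(ch)
        elif ch == "<":
            value = 0
        elif "A" <= ch <= "Z":
            value = ord(ch) - ord("A") + 10
        else:
            raise ValueError(f"invalid MRZ character: {ch!r}")
        total += value * WEIGHTS[i % 3]
    return total % 10


def mrz_information(doc_no: str, birth: str, expiry: str) -> str:
    """The three printed fields the key depends on, each with its check digit."""
    fields = (doc_no.ljust(9, "<"), birth, expiry)
    return "".join(f + str(check_digit(f)) for f in fields)


def key_seed(doc_no: str, birth: str, expiry: str) -> bytes:
    """BAC key seed: first 16 bytes of SHA-1 over the MRZ information."""
    info = mrz_information(doc_no, birth, expiry).encode("ascii")
    return hashlib.sha1(info).digest()[:16]


def entropy_bits(doc_numbers: int, birth_days: int, expiry_days: int) -> float:
    """Upper bound on key entropy if every combination were equally likely."""
    return math.log2(doc_numbers * birth_days * expiry_days)


# Constructed assumptions: (possible document numbers, birth dates, expiry dates)
SCENARIOS = {
    "9 alphanumerics, 100 years of births, 10 years validity": (36**9, 36525, 3652),
    "numeric document numbers only": (10**9, 36525, 3652),
    "numeric, holder's birth year known": (10**9, 365, 3652),
}

if __name__ == "__main__":
    # ICAO 9303 specimen values, not a real passport
    print(key_seed("L898902C", "690806", "940623").hex())
    for name, sizes in SCENARIOS.items():
        print(f"{entropy_bits(*sizes):5.1f} bits  {name}")
```

The seed is a pure function of data printed in the passport, so it stays the same for the document's whole lifetime, and even the most generous scenario stays far below a 128-bit key.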
Meanwhile, AI at competitor BMW is being trained using GTA ...
Thanks for putting what I wanted to know in terms I could understand. :o)
What happens in case they combine two Y chromosomes?
... that after Return of the Jedi, no more Star Wars movies were ever made.
sK1 is an illustration program http://sk1project.org/ that supports CMYK and can import files from Corel Draw and Adobe Illustrator.
The posted link didn't work for me, but http://www.dn.se/kultur-noje/nyheter/ny-dom-paverkar-inte-ipredlagen-1.894500 did.
A concept on how to actually identify and track people using EPCs on RFID can be found in the paper Identification and Tracking of Individuals and Social Networks using the Electronic Product Code on RFID Tags or the corresponding slides (SSL certs are from CAcert.org, so there might be a warning message in your browser).
There is also a study on RFID, Profiling, and Ambient Intelligence that might help to further highlight this topic.
Sorry, Cyprus of course.
Papers that leaked from the German Federal Ministry of the Interior state that legal regulation allowing so-called remote forensic searches exists
- explicitly in Romania, Cypria, Latvia, Spain, and Switzerland,
- implicitly in Slovenia,
and that a similar approach to establish explicit allowance for remote forensic searches is ongoing in Sweden. At least readers in Sweden should contact their members of parliament and do some lobbyism. The current political discussion in Germany only got that public attention because some people started what they call nerd lobbyism.
The German papers are available at http://netzpolitik.org/2007/bundesinnenministerium-beantwortet-fragen-zur-online-durchsuchung/
It is also noteworthy that an also leaked draft of a new law regarding German federal criminal police (c.f. CCC press release at http://www.ccc.de/updates/2007/bkaterror) lists several other new or extended competencies.
Criticism claims that Germany is on its way to reinstate a secret police, with the last German incarnations being http://en.wikipedia.org/wiki/Stasi and http://en.wikipedia.org/wiki/Gestapo.
The shielding within the cover is not a complete Faraday cage, see RFID Passport Shield Failure Experimental Report
... is what some smart people demonstrated at BlackHat Europe: Silver Needle in the Skype