electricinca.com



Friday, August 03, 2007

Schneier interviews the TSA's Kip Hawley 

• posted by Matt Wharton @ 3:43 PM

Bruce Schneier has posted the final part of his five part interview with the TSA Administrator Kip Hawley.

Links to Parts 1, 2, 3, and 4.




Sunday, July 01, 2007

UK Terrorism Minister 

• posted by Matt Wharton @ 3:09 PM

Admiral Sir Alan West has been appointed to the newly created Home Office post of Under-Secretary for Security, Counter-terrorism and Police of the United Kingdom.

The former First Sea Lord and Chief of the Naval Staff will need to be made a Life Peer in order for him to serve as a Minister in Gordon Brown's government.

I'm bothered that we now have a former senior military officer in a post as a Government Minister without him ever having to be elected by the voters. He will however have a great deal more experience in matters of security to call on than his colleagues at the Home Office.




Friday, June 15, 2007

Seven British Al-Qaeda members jailed 

• posted by Matt Wharton @ 3:20 PM

BBC News: Al-Qaeda cell members imprisoned
Seven men have been jailed for up to 26 years over an al-Qaeda-linked plot to kill thousands in the UK and US.

Woolwich Crown Court heard they were in a "sleeper cell" led by Dhiren Barot, who is already serving a life sentence.

Barot planned attacks including an explosives-packed limousine, a dirty radiation bomb and blowing apart a London Underground tunnel.

Six admitted conspiracy to cause explosions and a seventh was found guilty of conspiracy to murder.
A rare piece of good news in the so-called War on Terror, with the police and presumably the Security Service, although they are not mentioned in the BBC article, preventing a cell of terrorists from carrying out an attack.
Deputy Assistant Commissioner Peter Clarke, head of the Metropolitan Police's Counter Terrorism Command, said

"The plans for a series of co-ordinated attacks in the United Kingdom included packing three limousines with gas cylinders and explosives before setting them off in underground car parks. This could have caused huge loss of life.

"The plans to set off a dirty bomb in this country would have caused fear, panic and widespread disruption."
I'm always wary when I hear that plots involving dirty radiation bombs have been foiled because the use of the term "dirty bomb" seems to be a preferred method of the government's for terrifying the British public when in fact the reality of the danger of such devices is far outweighed by the perceived danger.

This goes back to what I was saying yesterday about Walter Mitty-like terrorist wannabes with outlandish, unfeasible plots. Whilst in theory a "dirty bomb" is relatively simple to construct, the construction and deployment of such a device in a manner that could kill a great number of people is a whole different ball game.

However in this case if the BBC article is accurate then the terrorist cell contained a wide range of skills and apparently enough expertise to carry out a devastating attack using conventional methods without the need for the movie plot device of a "dirty bomb".

In the trial of Dhiren Barot, the ringleader of this cell, an expert testified that if the radiation (dirty bomb) project had been carried out, it would have been unlikely to cause deaths, but was designed to affect about 500 people.




Thursday, June 14, 2007

Terrorist or idiot? 

• posted by Matt Wharton @ 10:38 PM

Bruce Schneier has written an excellent piece on how the actual dangers posed by terrorist plots often differ widely from the dangers portrayed by the media and governments; it is titled Portrait of the Modern Terrorist as an Idiot.
The recently publicized terrorist plot to blow up John F. Kennedy International Airport, like so many of the terrorist plots over the past few years, is a study in alarmism and incompetence: on the part of the terrorists, our government and the press.

Terrorism is a real threat, and one that needs to be addressed by appropriate means. But allowing ourselves to be terrorized by wannabe terrorists and unrealistic plots -- and worse, allowing our essential freedoms to be lost by using them as an excuse -- is wrong.
These wannabe terrorists are often pathetic Walter Mitty-type characters whose fantasies of martyrdom are undermined by their utter lack of competence and ability to carry out their ridiculous plots. The case of Russell Defreitas and his plot to blow up JFK airport is a good example.
It's a plot straight from the disaster movie genre. Destroy New York's major airport, its terminals, and even parts of the borough of Brooklyn in one dastardly explosion.

Unfortunately for the alleged plotters, the real life Jack Bauers (of 24 fame) were ahead of the ticking bomb. Not only was the idea outlandish and highly unlikely to succeed, but authorities have been recording the conversations of the plotters for the past 18 months.
- Did these men pose a threat? Undoubtedly.
- Could they have blown up JFK airport? It's doubtful and in any case they were barely into the planning stage of the attack and had been under surveillance for a long time so whatever threat they posed could never be realised.




Tuesday, May 08, 2007

24: CTU security 

• posted by Matt Wharton @ 2:26 PM

Is it just me or does CTU LA seem to be the least secure Counter Terrorist facility on the planet? I've lost track now of how many times it has been successfully infiltrated or attacked; it seems to have happened at least once a season if not more.

Hour 21 of Season 6 and it has happened again and been taken over by Chinese agents. Poor foolish Milo. This would never have happened had Bill Buchanan been left in charge!




Monday, February 19, 2007

Iris scam. Iris scan 

• posted by Matt Wharton @ 1:41 PM

Iridology may be bogus science, but it appears that the eyes really could be windows to the soul, as Swedish researchers reveal it may be possible to read a person's personality from their irises.




Monday, January 29, 2007

The street value of X-ray cameras 

• posted by Matt Wharton @ 3:08 PM

BBC News: Could X-ray scanners work on the street?
X-ray cameras that would "undress" passers-by in a bid to thwart terrorists concealing weapons, could be coming to a street near you, according to reports. Aside from the obvious privacy issues, would such a plan work?

Leaked documents said to have been drawn up by the Home Office and seen by the Sun newspaper say cameras which can see through clothes could be built into lamp posts to "trap terror suspects".
X-ray type cameras have their place in the security framework but in the War on Terror they would be costly and ineffective if implemented widely like surveillance cameras.

They are effective in situations where specific locations need securing, such as airports, as they can be used to filter out individuals for additional scrutiny by security guards who are on hand to do so.

Surveillance cameras are used in an entirely different manner; they are predominantly used as a visible deterrent against criminal acts or as evidence gathering devices for prosecution of criminals after the fact. They are very rarely used to apprehend criminals in the act.
Security expert Bob Ayers, of Chatham House, believes putting an X-ray lens on a lamppost poses all sorts of resource questions.

"Some guy walks past and his picture is beamed back to a control room to say that something is under his jacket. What do you do? Despatch a police car to hunt him down and frisk him?

"The real question is not whether the technology can see something under the clothing. It's how you respond to it when the technology says there's something unusual."
This may well have been obtained from leaked Home Office documents but I doubt even that incompetent government department would pursue this ill-thought-out scheme.




Tuesday, December 19, 2006

Gold standard for identity. Yeah right! 

• posted by Matt Wharton @ 5:35 PM

BBC News: Giant ID computer plan scrapped

Not unfortunately the scrapping of a plan for a government computer the size of a building like they had at Bureau West near where I live.

In fact the government has announced that the proposed National Identity Register which underpins their ID Card scheme will not be created anew so as to be clean and error-free but instead will be constructed from the current databases of various government agencies.

The information will be stored in three separate databases including the Department of Work and Pensions' Customer Information Service, which holds national insurance records, and the Identity and Passport Service computer system.
Mr Reid denied IT companies had wasted millions on preparation work for an entirely new system, saying the industry had been consulted on the move.

The government has reportedly spent about £35m on IT consultants since the ID cards project began in 2004.

"Doing something sensible is not necessarily a U-turn," Mr Reid told reporters.

"We have decided it is lower risk, more efficient and faster to take the infrastructure that already exists, although the data will be drawn from other sources."
So we'll have a National Identity Register that is as full of errors as the current ones are, hardly the 'Gold Standard' for identity that the Home Office proudly announced it would be, is it?

Interestingly the Press Release from the Identity and Passport Service makes no reference to this at all other than in passing.
This news comes as Home Office Minister Liam Byrne published a Strategic Action Plan for the National Identity Scheme and the Borders, Immigration and Identity Action Plan, which follow the wider Home Office review earlier this year and signal the countdown to the introduction of ID cards to UK citizens in 2009.
The Strategic Action Plan being the document where the new plans for the National Identity Register are laid out. Instead the press release focuses on the part of the plan that describes how the fingerprinting of foreign nationals will help secure Britain’s border and crack down on illegal working and fraudulent access to services. Immigration Minister Liam Byrne said:
We’re determined that Britain won’t be a soft touch for illegal immigration. Compulsory biometric identity for foreign nationals will help us secure our borders, shut down access to the illegal jobs, which we know attracts illegal immigrants, and help fight foreign criminals.
But all this is completely irrelevant when we are talking about the establishment of a biometric based National Identity Register of UK citizens.

As NO2ID theorize this is about the establishment of the 'database state'.

There is a growing list of planned systems.

* So-called 'biometric' ePassports that log data about your travel when used - see www.RenewForFreedom.org
* Centralised medical records without privacy - see www.TheBigOptOut.org
* Biometrics in schools - see www.LeaveThemKidsAlone.com
* Recording of all car journeys as a matter of course, using ANPR.




Friday, December 15, 2006

BAE Systems are above the law 

• posted by Matt Wharton @ 12:44 PM

The Guardian reports that due to National Security issues a major SFO investigation of BAE Systems has been halted.
A major criminal investigation into alleged corruption by the arms company BAE Systems and its executives was stopped in its tracks yesterday when the prime minister claimed it would endanger Britain's security if the inquiry was allowed to continue.

The remarkable intervention was announced by the attorney general, Lord Goldsmith, who took the decision to end the Serious Fraud Office inquiry into alleged bribes paid by the company to Saudi officials, after consulting cabinet colleagues.
It would appear that the lobbying of the company and the Saudi government has finally paid off and the government has pulled the plug, as it were, on the inquiry. The Serious Fraud Office issued this statement.

The Attorney General had apparently consulted with the prime minister, the defence secretary, foreign secretary, and the intelligence services, and they jointly decided that "the wider public interest" "outweighed the need to maintain the rule of law".

So BAE Systems can now in my opinion be considered above the law, but then that has seemed always to have been the way when it comes to British arms companies, at least under the previous Conservative government.

I suppose naively I had thought that this government would be different especially given that we've a prime minister who once taunted his predecessor as someone "knee deep in dishonour" over an arms deal and who promised that he would be "purer than pure" in office.

I feel like one of the animals looking in at the pigs and men at the end of Animal Farm.
The creatures outside looked from pig to man, and from man to pig, and from pig to man again; but already it was impossible to say which was which.
Edit: Garry Smith of A Big Stick and a Small Carrot apparently feels exactly the same and beat me to the punch with the quote.




Thursday, November 30, 2006

Activating my card. 

• posted by Matt Wharton @ 11:22 AM

I finally got around to activating my new credit card this morning that I had received a few weeks ago.

I put it off as I really do hate these phone calls and I've done it quite a few times in the past as I transfer balances around to new cards in order to take advantage of the 0% balance transfer rates.

It is a good security procedure but more and more the card companies are using it as an opportunity to flog their overpriced payment protection policies. So sure enough having sat there on hold for five minutes waiting until they could connect me to an operator I was then told it would take five minutes to activate my card.

Bollocks does it!

It takes a fraction of a second to activate the card and then five minutes of sales pitch. But I can't blame them as I do the same at my place of work but then I really believe in the product I'm selling. LOL




Monday, November 27, 2006

If thine eye offends thee, pluck it out. 

• posted by Matt Wharton @ 9:38 PM

The Guardian reports: Police want power to crack down on offensive demo chants and slogans
Present curbs are too light, Met chief to tell Goldsmith
This seems like nothing more than a power grab and an appeal to the right-wing sections of Britain that are incensed by these uppity sandal-wearing Lefties and Muslim types voicing their displeasure about various things.
The country's biggest force, the Metropolitan police, is to lobby the attorney general, Lord Goldsmith, because officers believe that large sections of the population have become increasingly politicised, and there is a growing sense that the current restrictions on demonstrations are too light.
It seems to me that Tony Blair's government has recently freaked out about something which has been going on for quite a few years and that is issue politics. The populace seem generally apathetic about the political parties but a number are passionate about singular political issues be it marching in opposition to the Hunting Bill or demonstrating against the Iraq war etc. Also there has been a rise in political views being expressed online as the number of fora has increased where such views can be aired.

I think that they have freaked out because virtually all these views being expressed are anti-government. You'd be hard pressed to find any Joe Public commenter expressing a pro-Iraq opinion for example.

Most worrying is the following bit of it.
The police want powers to tackle a "grey area" in the array of public order laws. At present, causing offence by itself is not a criminal offence.


Causing offence is not a criminal offence and it never fucking well should be.

He talks about respecting freedom of speech.
We also need to think more laterally around how we police public demonstrations where 'offence' could be caused, while still respecting the British position around freedom of speech.
But this sounds like just a piece of management speak that means fuck all that has been borrowed from Tony Blair.

But then I'm part of the problem not the solution, aren't I?




Friday, November 17, 2006

British biometric passports' security cracked 

• posted by Matt Wharton @ 2:00 PM

Earlier this year the UK Passport Service (now the Identity and Passport Service) started to introduce Biometric Passports (pdf link) in an effort to vastly improve the security of the passport system. In their words
To:
• help fight passport fraud and forgery;
• help the public and the UK to fight identity fraud;
• ensure the British Passport stays one of the most secure and respected in the world;
However it seems, according to a report in today's Guardian, that these new ultra-secure passports aren't all they are cracked up to be and that the security has been severely undermined by a number of poor decisions made in the implementation of the system.

Firstly they have opted to use RFID chips to store the data in accordance with standards drawn up by the International Civil Aviation Organization. The use of RFID to store the data is bad enough but the ICAO standard also directs that the key used to access the data should be comprised of, in the following order, the passport number, the holder's date of birth and the passport expiry date, all of which are contained on the printed page of the passport on a "machine readable zone."

Bruce Schneier, an authority in the area of security, has written a number of times about the security wreckage associated with passports containing RFIDs.

April 28, 2005 RFID Passport Security

November 03, 2005 The Security of RFID Passports

Including, on August 03, 2006, Hackers Clone RFID Passports, a very similar hack to the one carried out by Adam Laurie on behalf of The Guardian newspaper.

Most recently Schneier has revealed that The Data Privacy and Integrity Advisory Committee of the Department of Homeland Security has recommended against putting RFID chips in identity cards. Whether the US government heeds this advice is yet to be seen but unfortunately for us in Britain our government has already made the poor choice.

The security measures in place to prevent unauthorized access to the data held on the chip work by creating an encrypted 'conversation' between the chip and the reader. Interestingly they have used the Triple DES algorithm for the encryption instead of AES, which was introduced to replace Triple DES in 2002 and which is much more efficient. However the choice of algorithm is a secondary concern compared with how it was implemented, with a key that is comprised of non-secret information that is published in the passport itself.

As Laurie puts it so eloquently "That is the equivalent of installing a solid steel front door to your house and then putting the key under the mat."
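
The key construction described in this post, written out as an added example (not code from the original post, the Guardian report or Adam Laurie). It follows the Basic Access Control derivation in ICAO Doc 9303; the passport fields are constructed sample values and the figures passed to the entropy estimate are illustrative assumptions.

```python
import hashlib
import math

# ICAO 9303 check-digit weights, repeated across the field.
WEIGHTS = (7, 3, 1)


def char_value(c):
    """Numeric value of one MRZ character: 0-9, A=10..Z=35, filler '<'=0."""
    if c.isdigit():
        return int(c)
    if c == "<":
        return 0
    if "A" <= c <= "Z":
        return ord(c) - ord("A") + 10
    raise ValueError("invalid MRZ character: %r" % c)


def check_digit(field):
    """ICAO 9303 check digit over one machine readable zone field."""
    total = sum(char_value(c) * WEIGHTS[i % 3] for i, c in enumerate(field))
    return total % 10


def mrz_information(doc_number, birth_yymmdd, expiry_yymmdd):
    """Passport number, date of birth and expiry date, each followed by its
    check digit, in the order the post describes. All three are printed on
    the data page; nothing here is secret."""
    doc = doc_number.upper().ljust(9, "<")
    fields = (doc, birth_yymmdd, expiry_yymmdd)
    return "".join(f + str(check_digit(f)) for f in fields)


def adjust_parity(key):
    """Set the low bit of every byte so each byte has odd parity (DES keys)."""
    out = bytearray()
    for b in key:
        b &= 0xFE
        if bin(b).count("1") % 2 == 0:
            b |= 1
        out.append(b)
    return bytes(out)


def derive_access_keys(mrz_info):
    """Derive the two-key Triple DES encryption and MAC keys from MRZ data."""
    k_seed = hashlib.sha1(mrz_info.encode("ascii")).digest()[:16]

    def kdf(counter):
        digest = hashlib.sha1(k_seed + counter.to_bytes(4, "big")).digest()
        return adjust_parity(digest[:16])

    return kdf(1), kdf(2)  # (k_enc, k_mac)


def key_entropy_upper_bound_bits(doc_number_space, birth_years, validity_years):
    """Upper bound on key entropy if every field were uniformly random.
    Real values are far more predictable, so the true figure is lower."""
    combos = doc_number_space * (birth_years * 365) * (validity_years * 365)
    return math.log2(combos)


if __name__ == "__main__":
    # Constructed sample values, not a real passport.
    info = mrz_information("123456789", "800101", "160101")
    k_enc, k_mac = derive_access_keys(info)
    print("MRZ information:", info)
    print("K_enc:", k_enc.hex(), "K_mac:", k_mac.hex())
    # Assumed figures: 9-digit numeric passport number, 100 years of birth
    # dates, 10 years of validity.
    bits = key_entropy_upper_bound_bits(10**9, 100, 10)
    print("entropy upper bound: %.1f bits (two-key 3DES nominal: 112)" % bits)
```

The keys depend only on values printed in the passport, so the strength of the cipher is capped by how guessable those three fields are, not by the Triple DES key length.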




Wednesday, November 01, 2006

Identity Theft monitoring by Garlik 

• posted by Matt Wharton @ 12:11 PM

The BBC reports on a new service that is designed to help users reduce their risk of identity theft through a monitoring facility. The service is kind of like the constant surveillance of the Orwellian Big Brother but where the individual is in control of the surveillance upon themselves.

The Garlik Datapatrol service has been set up by the founders of the internet bank Egg with the intention of putting users back in control of the information that is held on them in public databases that are easily accessible through the internet.

The service brings together from the internet, public databases, and Credit Reports all the personal information it can find on a user and then displays it in a simple online format. Then on a monthly basis users will receive an update summary of additions or changes to their online profile as well as highlighting any risks or suspicious activity.

By facilitating individuals access to the information that is held on them the service puts its users on an equal footing with the criminals that might seek to steal their identities and as irregularities are often the first indication of a problem the monitoring system gives users an early warning and the possibility of nipping it in the bud before any negative consequences have occurred.

My only concerns are the security of Garlik's database and the trustworthiness of the company. They seem to have a fairly robust system to establish users' identity and to then authenticate users accessing the personal information gathered in the server database. But it presupposes that an individual's identifying information hasn't already been compromised or stolen.

I can see this service being a boon for identity theft rings who have enough data to register falsely for the service in order to further the scope of their thefts by letting Garlik do the legwork as it were in accruing further information.

Garlik's secure servers would also be a prime target for criminals and so I would hope that they have taken the security of their servers as seriously as any bank would with theirs. Is the physical access to the servers as well secured as the online access is?

My second concern would be that as a new company they haven't had the time to build a reputation or a record of establishment of trust. Registered users will be empowering the company and placing a lot of trust in the security of the service and the authenticity and accuracy of the personal information data provided to users. Having said that there is nothing to suggest that Garlik is in any way a disreputable company it is merely my natural paranoia.

I would have more faith in Garlik presently than I would in the UK government in securing any personal information I would give them.

Garlik are currently offering free trials to people signing up for the Datapatrol service at their website. http://www.garlik.com.

People with concerns about identity theft and security online should also take a look at the following website Get Safe Online which has been set up by banks and prominent internet companies.




Thursday, October 12, 2006

Vista security 

• posted by Matt Wharton @ 11:46 AM

The BBC reports that a senior Microsoft executive has promised that its new operating system will be more secure than ever.
Jean-Philippe Courtois, president of Microsoft International, said that beefing-up security was one reason behind delays to Windows Vista.
I think Microsoft should be applauded for their relatively recent commitment to the subject of security in their products particularly given their laissez-faire attitude to it up until a few years ago. But Microsoft promised the same thing about their previous Operating System release and Windows XP proved to be their least secure system ever until they beefed up the security with the Service Pack 2.

The thing about software security though is that its effectiveness can only be judged in retrospect, because modern software is now so complicated, particularly operating systems, that the process used to create it inevitably introduces bugs and security holes.

So the Microsoft engineers may well have patched all the security flaws that had been exposed through previous releases and the testing of this release of Windows Vista, but there will no doubt be new holes that have been inadvertently created that no one has even conceived of yet.

One such newly introduced security hole has been discovered by researcher Joanna Rutkowska and it's a biggie. She describes it as a blue pill, a reference to the movie The Matrix, and it would allow a malicious hacker to completely compromise a system and the user would have no indication at all that their system had been compromised.
Rutkowska's Vista kernel attack did not rely on any known bugs in Vista, which is still in beta testing. She stressed that her demonstration did not rely on any implementation bug nor any undocumented Windows Vista functionality. She characterized her approaches as "legal," using documented SDK features.
As she says it did not rely on any known bug within Windows Vista so who knows what other security problems might have been engineered into the operating system that haven't yet been uncovered by Microsoft's own testers or by third party researchers.




Friday, October 06, 2006

goodthinkful 

• posted by Matt Wharton @ 9:08 PM

I think Bruce Schneier's right on the money when he calls this Opinion Monitoring Software Orwellian.

It's like the sort of thing you can imagine a nascent Ministry of Truth using to separate the goodthinkers from the crimethinkers.

It starts out well enough and sounds like a useful tool to track world opinion on the US and its government's policies and as a result make the US a more responsible player on the world stage.
A consortium of major universities, using Homeland Security Department money, is developing software that would let the government monitor negative opinions of the United States or its leaders in newspapers and other publications overseas.

Such a “sentiment analysis” is intended to identify potential threats to the nation, security officials said.
But like any tool there is scope for misuse of the technology should the research into it actually bear fruit in this case.




Thursday, September 21, 2006

How many characters? 

• posted by Matt Wharton @ 11:07 PM

I know Microsoft is striving hard to improve the security of their operating systems but this is ridiculous.

At least 18770 Characters! Fucking hell!




Saturday, September 09, 2006

Regime change for Iran 

• posted by Matt Wharton @ 11:47 PM

Newt Gingrich argues in today's Guardian that attacking Iran is not a long-term solution. He does however believe that a regime change in Iran is needed in order to stabilise the Middle East and maintain the security of the US and the rest of the world.
Iran's pursuit of a nuclear program in defiance of the United Nations has led some to call for military strikes against Iran's nuclear facilities to prevent the terror-sponsoring regime from obtaining a nuclear weapon. While I agree that a military option to replace the regime must be left on the table, I worry that some believe a military strike on Iran's nuclear installations is a viable long-term solution to stopping the Iranian regime's pursuit of greater power in the region.

In truth, until the Iranian regime itself is replaced with one that does not sponsor terrorism and does not seek a nuclear program, then the threat will remain and grow.
I agree with his assessment that military strikes are not the most sensible option. Such strikes would undoubtedly have to come from the US and its allies all of whom are currently overstretched as it is and even at full capacity those military forces would face a massive challenge to neutralise Iran.

But I disagree on his other points. Gingrich states that Iran must be stopped not because of its weapons and its pursuit of nuclear weapons but because of its evil intent. I believe it is the characterisation of Iran as evil by the US that is to some extent to blame for this situation.

It is because of the disengagement from Iran by the US that it suffers from significant gaps in intelligence, which would undermine any attempts to force Iran to comply with UN directives. I don't believe that I'm an expert on Iran but even I can see that President Ahmadinejad's commitment to seeing Israel "wiped off the map" is empty rhetoric to gain public support in a country where such statements can be heard every day on the streets of Tehran.

I too believe regime change must occur in Iran but I believe it will come from within in fact I believe that it must come from within for it to hold fast. The population of Iran is a young one and the old guard will fall under the liberalising westernised attitudes of that youth. But as Iran is a country with a long history of being manipulated and oppressed by western powers the regime change must be initiated from within or else it will be rejected as yet another intervention from outside powers for the pursuit of their own ends.

It can be seen from the examples of Iraq and the current crisis within the Labour party that forcing regime change ends badly with unforeseen long term repercussions and no one comes out of it smelling of roses.




Wednesday, August 16, 2006

Police given extra time to question 'bomb plot' suspects 

• posted by Matt Wharton @ 10:06 AM

BBC News reports that the police investigating an alleged bomb plot targeting UK to US flights have been given extra time to question 23 of the suspects.
The time police can hold 23 of the 24 suspects expired on Wednesday and a district judge had to decide whether to grant detectives an extension.

Warrants given to the Metropolitan Police Anti-Terrorist Branch allow them to question 21 people until 23 August.

Another two of those held can be detained until 21 August.
The maximum period that someone suspected of terrorist activity can be held without charge is now 28 days following the extension in the 2006 Terrorism Act.

This is the extension that the Home Office said was vital to the security of the country and its ability to counter the threat posed by international terrorism. The extension that was actually a compromise between the former period of 14 days and the 90 day period that the Home Office and police wanted.

Curiously the 28 days detention without charge part of the 2006 Terrorism Act was not commenced when the rest of the act was in April but was actually only commenced as of July 25th 2006.

Odd that the extension to the detention without charge period that was so vital to our security that the powers weren't given to the police until just a few weeks ago.




Thursday, August 10, 2006

Loss of life on an unprecedented scale 

• posted by Matt Wharton @ 11:38 PM

In an addendum to my previous post about the UK Threat Level it's good to see Home Secretary John Reid keep his tendency for hyperbole under check. Quoting from this BBC News report.
Home Secretary John Reid said the government was "confident" the ring leaders were in custody but it was not complacent.

He said had the plot been successful, it would have meant "loss of life on an unprecedented scale".
I think the precedents of massive loss of life in our history are pretty fucking massive; even if we only take a single incident rather than the wars or genocides of the last century, the precedent of the dropping of an atomic bomb on Hiroshima killing instantly about 80 000 people easily outweighs any possible loss of life if this latest terrorist plot had been successful.




Current UK Threat Level: Critical 

• posted by Matt Wharton @ 11:00 PM

At some point today unbeknownst to me the UK entered into the highest level of threat that of critical.

Oh my! How in the world could I have missed such an important event as the changing of our current threat level to its highest possible state? Whatever shall I do now?

That's the pertinent question what shall we as the public do now? No one knows because there is nothing for the public to do other than get scared.

The Threat Level System has according to the Home Office website been created to keep the public informed about the level of threat to the UK from terrorism. But it's of no practical use it's like shouting DANGER in a crowded city centre street, it can do nothing but cause confusion and fear as there is no specific advice associated with each different level of threat.

So what event has caused the threat level to be raised?

It was the arrest of 24 people by police who were suspected of a plot against UK flights to the US. The police believe they have disrupted this plot to blow up these transatlantic flights and are convinced they have detained the key players, but believe the network involved is large and global.

The plot apparently was to smuggle liquid explosives onto around ten transatlantic flights in water bottles or similarly innocuous containers. Airlines have now taken the precaution of preventing people taking anything other than the most essential pieces of hand luggage onto flights leaving the UK. The police have said that the plotters could have caused "mass murder on an unimaginable scale".

Yes, they could have blown up many airliners and killed hundreds of people, but for the fact that the people involved had been under surveillance for some time. We shall have to wait and see, when more information is released about how far along they really were with their plot, whether they were a credible threat to our security. I do not want to get caught up in the politician's gambit of who can imagine the worst scenario possible.
Security chiefs said the group believed to be planning the attack had been under surveillance for some time.

US Homeland Security Secretary Michael Chertoff said the plot was "in some respects suggestive of al-Qaeda".

"They had accumulated and assembled the capabilities that they needed and they were in the final stages of planning for execution," he said.

It had only become apparent in the "last two weeks" that the target of the flights was the US, said Mr Chertoff.
Another problem I see with having a public Threat Level System is that surely it tips the terrorists off to the fact that they might be under surveillance. If the level increases correspondingly as the terrorist group gets closer to the commission of their act of terrorism, is that not an indication that the UK Security Services are onto them?




Tuesday, August 01, 2006

Cheyenne Mountain to close 

• posted by Matt Wharton @ 10:33 PM

I read in the Times newspaper today that NORAD were to move out of their nuclear bunker facility underneath Cheyenne mountain to a more regular air force base.

Unlike most readers of the story though my first thought on hearing the news was "Well what are they going to do with the Stargate then?"




Monday, July 10, 2006

Public Terror Warning System 

• posted by Matt Wharton @ 11:57 PM

According to BBC News, the Home Secretary John Reid has announced that Britain is to get a Terror Threat Level system similar to the one published in the US by the Department of Homeland Security.
A new warning system is to alert the public to the threat of attacks by al-Qaeda and other terror groups.

From 1 August, details of current threat levels will be published on the websites of the Home Office and MI5, Home Secretary John Reid announced.

Great! Just what we really need, yet another channel for the government to terrify the public with.

Any alert system is useless unless the people being alerted have corresponding duties or actions to perform upon receiving such an alert, as they do, for example, on a warship. A threat level indicator for the general public can therefore have no value, as there is no corresponding action that the public can perform.




Sunday, June 25, 2006

Random Identities 

• posted by Matt Wharton @ 2:04 AM

Are you tired of being yourself?

Why not become someone else at random?

Or make up an email address that's usable for 24 hours.




Tuesday, June 13, 2006

Wisconsin Law Bans Forced RFID Implants 

• posted by Matt Wharton @ 1:59 PM

"Wisconsin this week will become one of the first states to ban the forcible implantation of radio frequency identification (RFID) tags into humans. The act dictates that no person may force another to have a microchip implanted in his body. Violators face fines of $10,000 each day until the chip is removed."




Wednesday, May 17, 2006

Trojan Removes P2P Downloads 

• posted by Matt Wharton @ 12:30 PM

There is a new trojan going around that deletes files that it suspects to be downloaded via P2P networks. The trojan unknowingly infects a user's computer and begins deleting files. The trojan, called Erazer-A, targets the default download directories used by numerous P2P programs.

Is the Record Industry resorting to taking desperate measures to combat filesharing? Highly unlikely.

This is probably just some moronic script kiddie who's taken it upon themselves to "save" the record industry. I don't know the full details but it seems like a pretty unsophisticated trojan.




Monday, April 17, 2006

US-style terror alerts for UK 

• posted by Matt Wharton @ 10:23 PM

The Guardian reports that a cross-party select committee is to recommend that the UK should adopt a US-style terror alert system.
A cross-party committee investigating the background to the July 7 bombings is expected to recommend a transparent official public warning system for the threat posed by terrorist attacks. It would be similar to the kind that has proved controversial in America.

The idea, which is likely to be one of the conclusions in the intelligence and security committee's annual report next month, has caused consternation among the security services. The issue is at the heart of an intense debate involving MI5, the Home Office, and the committee, in the wake of the attacks on London.
Of course such a system has worked so very well in the US to date, and US citizens know exactly what each level of alert actually means and how their behaviour should change accordingly. Well, actually, no, that isn't true at all, and so obviously we should adopt such a clearly useless system here also.

The very well respected security consultant Bruce Schneier wrote an excellent analysis of the US alert system in October of 2004. The most telling passage of his analysis is below.
In theory, the warnings are supposed to cultivate an atmosphere of preparedness. If Americans are vigilant against the terrorist threat, then maybe the terrorists will be caught and their plots foiled. And repeated warnings brace Americans for the aftermath of another attack.

The problem is that the warnings don't do any of this. Because they are so vague and so frequent, and because they don't recommend any useful actions that people can take, terror threat warnings don't prevent terrorist attacks. They might force a terrorist to delay his plan temporarily, or change his target. But in general, professional security experts like me are not particularly impressed by systems that merely force the bad guys to make minor modifications in their tactics.
I really don't think that the public need to be informed of every alert, as without any guidance as to how they should respond once they have been alerted it just causes a state of anxiety.

It makes sense to inform people to evacuate a building when there has been a specific threat against that building. But to issue an alert when intelligence has revealed a few scant details about a vague threat to a building in the London area clearly helps no one, especially if the advice is to continue about your daily business as usual.

If the government is causing terror to its citizens then it is doing the job of the terrorist for them. The terrorist would never need to follow through with any of their threats to achieve the same effect in this scenario.




Wednesday, April 05, 2006

I do not reject the Geneva conventions 

• posted by Matt Wharton @ 7:57 PM

In a follow-up to yesterday's piece about John Reid's comments concerning whether the Geneva conventions are still adequate to cover all eventualities in today's world, he offers this rebuttal.

I am relieved by this clarification of his motivation. Or at least I would be more relieved if his words in today's rebuttal more fully covered what he actually said in his speech and if I believed that the threats posed by terrorism or rogue states as outlined in his speech were as significant as he would have us believe.

He expresses the need for intervention to prevent mass killings or genocide - illustrated by Rwanda and Sudan among others. But he then appears to go on to say that such things are already covered under the conventions. The only problem, then, is surely the political will to actually intervene in such situations.

John Reid's original speech, which was given to the Royal United Services Institute for Defence and Security Studies is available here at the MOD's website.

I am still concerned by the issue of 'imminence' and under what conditions he believes the British military should be allowed to pre-emptively strike against another nation.




Thursday, March 30, 2006

Cool! WWII German Enigma Machine on eBay 

• posted by Matt Wharton @ 1:24 AM

This is pretty cool. Fine example of a WW II Enigma cipher machine in very good condition and with a great history; fully functional, on eBay. 100% Original!!!




Saturday, March 25, 2006

Are there any motherfucking snakes in your luggage? 

• posted by Matt Wharton @ 4:50 PM

BoingBoing's Cory Doctorow wrote an angry letter to American Airlines following a security check that he believed exceeded sense and decency.

This has now been hilariously remixed with the premise of the forthcoming Samuel L. Jackson movie Snakes on a Plane in the following Metafilter thread.




Monday, March 20, 2006

The tech behind fake debit cards 

• posted by Matt Wharton @ 12:09 AM

How does someone in Moscow step up to a cash machine and withdraw money from an account holder half a world away? Even when the debit card is still in the victim's wallet? To show me how easy it was, two executives from MagTek Inc., one of the largest makers of credit card stripe readers, visited MSNBC.com and gave a demonstration.




Sunday, March 19, 2006

Kingston's Self-Destructing USB drive 

• posted by Matt Wharton @ 1:19 AM

The 4GB flash drive encrypts all data with 128-bit AES, and then adds an extra layer of security: a self destruct feature. If anyone tries to use a brute-force attack to guess your password, the drive will automatically erase itself after 25 wrong guesses.

Now that's what I call secure, or at least it would seem to be. The 128-bit AES encryption should be enough to prevent a brute-force attack in any case, but the 25-guess limit adds a good second tier of security.

A question does come to mind, though: what is to prevent the copying of the encrypted data off the drive to stage a brute-force attack on the data using a different machine?




Thursday, March 02, 2006

Fox News: Video Footage shows Bush was informed of Katrina's possible impact 

• posted by Matt Wharton @ 2:23 AM

Not really news as the truth did come out following the event but Fox News now has video footage that shows President Bush was warned of the potential impact of Hurricane Katrina.
In dramatic and sometimes agonizing terms, federal disaster officials warned President Bush and his homeland security chief before Hurricane Katrina struck that the storm could breach levees, put lives at risk in New Orleans' Superdome and overwhelm rescuers, according to confidential video footage.

Bush didn't ask a single question during the final briefing before Katrina struck on Aug. 29, but he assured soon-to-be-battered state officials: "We are fully prepared."
The possibility that the levees might be 'topped' was a grave concern at the meeting and yet the President was to state categorically after the hurricane had hit New Orleans that no one could have predicted that the levees would be breached.




Tuesday, February 28, 2006

Cyberthieves Silently Copy Your Passwords as You Type 

• posted by Matt Wharton @ 11:55 AM

Most people who use e-mail now know enough to be on guard against "phishing" messages that pretend to be from a bank or business but are actually attempts to steal passwords and other personal information. But there is evidence that among global cybercriminals, phishing may already be passé.



Saturday, February 11, 2006

Yeovil drinkers to be biometrically scanned 

• posted by Matt Wharton @ 8:56 PM

A voluntary scheme is to start operation in Yeovil soon that will see drinkers submit themselves to fingerprint scans and have their photos taken by pubs and clubs.

Avon and Somerset police have joined forces with the local licensees in an effort to make Yeovil a far safer place to drink.
"The aim is to make the town safer on a night out – violent crime has dropped by 16 per cent in the last year but we aim to reduce this further.
If this were any place but Yeovil I'd think this was an unnecessary step in the fight against anti-social behaviour and alcohol-related violence.

As seems to be the case with every biometric based system they have chosen to build a database of innocent individuals in order to keep out the troublemakers. It would be just as effective and less of a security concern if they just stored the data of known troublemakers and scanned everyone who entered but only to check against the blacklist of offenders so that innocent revellers could remain anonymous.

Building a database of everyone is just going to increase the chances of false positives and misidentifying someone as a violent troublemaker when they are not. Plus any database that contains biometric data of thousands of people is going to be a target of identity thieves.




Wednesday, January 25, 2006

For redundant see under redundant. 

• posted by Matt Wharton @ 11:25 PM

Yet another link via Schneier.

ID Card Planned for the Borders
U.S. officials announced Tuesday they would start issuing a special identification card this year that would allow Americans who frequently traveled to Mexico or Canada to continue crossing the border without a passport.

Officials said the card would be about the size of a credit card, carry a picture of the holder and cost about $50, about half the price of a passport. It will be equipped with radio frequency identification, allowing it to be read from several yards away at border crossings.

To obtain the card, officials said that citizens would be required to provide the same kind of documentation needed to obtain a passport.
Okay so it requires the same documentation to obtain as a passport does and in effect acts like a passport when crossing the border. I have to ask, why not just use a fucking passport then?

Not only is such an ID redundant but to be equipped with RFIDs that can be read from several yards is a security nightmare and a boon to identity thieves. Jeez.




Serrated edges won't work on robo exo-skeletons 

• posted by Matt Wharton @ 11:19 PM

A quirky bit of security humour found via Bruce Schneier's blog.

How to Survive a Robot Uprising

Schneier's readers come up with some additions to the list.




Thursday, December 22, 2005

Surveillance Society: Now for Cars 

• posted by Matt Wharton @ 11:53 AM

Do you enjoy that feeling of the eye of Big Brother following you everywhere you go in city centres with his CCTV cameras?

Do you feel bereft when you climb into your car and drive away from his gaze?

Well fear not.

The Independent: Britain will be first country to monitor every car journey
By Steve Connor, Science Editor

Britain is to become the first country in the world where the movements of all vehicles on the roads are recorded. A new national surveillance system will hold the records for at least two years.

Using a network of cameras that can automatically read every passing number plate, the plan is to build a huge database of vehicle movements so that the police and security services can analyse any journey a driver has made over several years.

The network will incorporate thousands of existing CCTV cameras which are being converted to read number plates automatically night and day to provide 24/7 coverage of all motorways and main roads, as well as towns, cities, ports and petrol-station forecourts.

By next March a central database installed alongside the Police National Computer in Hendon, north London, will store the details of 35 million number-plate "reads" per day. These will include time, date and precise location, with camera sites monitored by global positioning satellites.
Plus The Independent also examines Surveillance UK: why this revolution is only the start.

I wish I had more time to write but I have to go to work now. I'll come back to this later. But for now V for Vendetta is becoming ever more prescient.




Wednesday, December 14, 2005

Tookie and the death penalty 

• posted by Matt Wharton @ 6:31 PM

BBC News: US ex-gang boss Williams executed
Former gang leader Stanley "Tookie" Williams has been executed by lethal injection, 24 years after he was convicted of killing four people.

Several hundred of his supporters gathered outside San Quentin prison, north of San Francisco, where he was declared dead at 0035 (0835GMT).

He denied the murders and, while in jail, campaigned against gang violence.

California Governor Schwarzenegger questioned his claims of redemption and refused to grant clemency.
I can't say I'm surprised that his sentence wasn't commuted particularly given the Governor's recent political travails but it has outraged many in Europe particularly his birth nation of Austria.

I don't know the specifics of this case enough to know whether he was innocent of the crime or not but the idea that he might be and that he might have been executed because of his assertion that he was innocent of this crime and thus failed to show remorse for it horrifies me.

But even if he was guilty, and he was almost certainly guilty of many crimes, I don't believe he should be executed. No person should be able to decide whether another human should live or die, and neither should the State, because ultimately it comes down to the decisions of human beings.

In discussions I've had recently the reasons of finance and safety were raised by someone who was in favour of capital punishment. A case can be made for both but ultimately they are both too flimsy in my opinion to justify a death sentence.

There may be a valid reason for the death penalty if it makes people feel safer even if it doesn't actually make them any safer. But it's just Security Theatre, like air travel security: most airport security procedures are nothing more than things done to make passengers feel secure but offer very little real security benefit. Better to devote resources to something that will actually make society safer rather than make people think they are safer.

The financial reason that was mentioned is an interesting one. It's something that has occurred to me before and I've read of in an abstract way in economic writings but never known anyone really express it.

Imprisoning people for a long time is expensive and therefore it's a lot cheaper to execute someone than to imprison them for life. But taking someone's life because it's a cheaper alternative is distasteful to virtually everyone, even those who are in favour of capital punishment. In addition this reason is less applicable in the US, where people can be on death row for decades before their execution.

Which is yet another thing in this case: Stanley "Tookie" Williams was on death row for 24 years before the death sentence was finally carried out. He was a very different man now from the person that was found guilty of murder; he had by all accounts become a reformed character that had attempted to undo many of the wrongs from the time prior to his incarceration. In effect the man he was died in prison and the new man he became was the one executed.

It's odd that that should be the case in the US that the carrying out of capital punishment should follow such a protracted period of imprisonment.

Why not get it over and done with far quicker? Trial and then appeal then execution if appeal fails. I don't know about other modern societies who execute but back when the UK still had capital punishment (which really wasn't very long ago) it all happened pretty swiftly.

There is a website titled Murder File with the relevant data.

Take the last case in 1964, which was pretty typical but notable for the date being only just over 40 years ago.

Peter Anthony Allen & Gwynne Owen Evans committed murder on Tuesday, 7th April, 1964, were tried between 1st - 7th July, 1964 and then executed Thursday, 13th August, 1964.

Barely 4 months between the commission of the crime and the carrying out of the sentence. Is it cruel and unusual punishment to be imprisoned for so long before the ultimate sentence is carried out, or is it crueler for the sentence to be swift?




Sunday, November 27, 2005

Surveillance Society 

• posted by Matt Wharton @ 5:08 PM

An amalgamation of what would have been a number of separate posts that I then decided to unite under the banner of the Surveillance Society. Every day there seem to be further incursions into the public's privacy.

Firstly we'll look at the recent news that media companies wish to use legislation that was proposed to combat terrorism, by allowing the police access to communications data, in order to tackle illegal file-sharing.

Fight for your right to privacy
BBC News: Media companies want to take advantage of laws designed to counter terrorism. Bill Thompson thinks they have to be stopped.
The Guardian: Music industry seeks access to private data to fight piracy
The music and film industries are demanding that the European parliament extends the scope of proposed anti-terror laws to help them prosecute illegal downloaders. In an open letter to MEPs, companies including Sony BMG, Disney and EMI have asked to be given access to communications data - records of phone calls, emails and internet surfing - in order to take legal action against pirates and filesharers. Current proposals restrict use of such information to cases of terrorism and organised crime.

"The scope of the proposal should be extended to all criminal offences," says a letter to European representatives from the Creative and Media Business Alliance, an informal lobby group representing media companies. "The possibility for law enforcement authorities to use data in other cases ... is essential." The attempt to pressure MEPs comes as they prepare to vote on an extension to the period for which data must be held by telephone networks and internet service providers. The plans, championed by the British government, would harmonise and extend the broad range of policies across the continent.

The Home Office says such moves are necessary in order to assist proper investigation of suspected terrorist activity. But if successful, it would mean communications companies would be obliged to keep information on phone calls, emails and internet use for as long as three years.

"It is not for us to get involved in the wider issue of national security," said a spokesman for international music industry association IFPI, parent body of the CBMA.

If the demands were met by European legislators, it would open use of such private information across any number of criminal cases. "Even the Bush administration is not proposing such a ludicrous policy, despite lobbying from Hollywood," said Gus Hosein, a senior fellow at Privacy International.

The music industry has already pursued a large number of cases against illegal downloaders, but the letter claims that wider access to private information would be an "effective instrument in the fight against piracy" and help secure more legal actions. Critics say it is simply a case of litigious industries attempting to gain access to protected data by the back door.

The proposals, to be put to the vote on December 13, have already faced censure. More privacy-conscious nations such as Germany have voiced concerns about long-term data retention, and telecoms companies say they cannot afford to keep more information about their customers.

"The passing of the data retention directive would be a disaster not just for civil liberties and human rights in Europe," said Suw Charman, director of digital rights campaigners, Open Rights Group.

The music industry has been waging war against illegal filesharing for some time, with film companies closely behind. An Australian court this week ordered Kazaa, one of the biggest file-swapping services, to filter out copyrighted music from its systems or face closure. Last week the British Phonographic Industry announced its latest batch of cases against illegal downloaders, taking the total number of UK actions to over 150.

Such prosecutions already rely on voluntary data supplied by internet providers, but the music industry would like it made compulsory. At the same time, the legitimate digital download industry continues to grow at a startling pace.
It seems that every time there is some harmonisation of EU intellectual property laws, they are brought in line with the most restrictive laws that exist in an EU state. But in this case there is no harmonisation taking place, as no state has such legislation currently.

Even the US isn't seeking such powers and they're the home of the most powerful music industry lobbying for more and more powers to tackle filesharing and to extend the term and scope of copyright.

I oppose the legislation in any case, as I believe this wholesale retention of data is a violation of innocent citizens' privacy and is unlikely to be more effective in combatting terrorism than a specific targeted wiretap of a suspect's communications.

But to extend such legislation to cover cases of copyright infringement is ludicrous; governments should weigh the demands of industry against the rights of the people they represent. The average filesharer is indeed infringing copyright but they do not pose a major threat to the businesses of the music and movie industries. It is the criminals that are making millions by selling pirated copies of CDs and DVDs that are the real threat, and it is these criminals that the proposal will not catch.

Unfortunately I don't have faith in the British government to weigh the arguments and consider the rights of the people.

There was a debacle several months back concerning the proposed UK National ID card. The main stumbling block for the government is that the majority of the British public is opposed to the ID card on the basis of the high cost.

(I wish the public were opposing it due to civil liberties infringements and the complete uselessness of the proposal to tackle any of the major issues it is supposed to solve, but that's another story.)

Anyway, there was a leak that the Government was intending to offset the probable cost of the ID card scheme, and thus make it more palatable to the British public, by selling the data in the National Identity Register to private companies. This caused an uproar and the Government soon announced that in fact they had never considered doing any such thing.

Governments really should not be trusted with our personal data in my opinion. It's very easy for our privacy to be given away but far harder for us to reclaim it. The obvious counter-argument is that they must hold certain data, or else how can such things as passports and driving licences be administered? In fact it is possible to create systems based upon cryptographic principles that would allow officials to check whether an individual was authorised to drive a car or leave the country without knowing who they are or where they live or any other personal information about that individual.
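One concrete instance of such a system is a Chaum-style blind signature, shown here as an added example that is not part of the original post: the licensing authority signs a token it never sees, and an official later verifies that signature with the public key alone. It assumes unpadded textbook RSA with a constructed demo key; the function names and the token format are hypothetical.

```python
"""Chaum-style RSA blind signature: an authority certifies a token without
seeing it, so a later check proves "authorised to drive" without revealing
who the holder is. Textbook RSA with a constructed key, for illustration."""
import hashlib
import secrets
from math import gcd

# Constructed demo key built from two known Mersenne primes. Not a real key:
# a deployment would use a vetted library and a standardised scheme.
P = 2**127 - 1
Q = 2**89 - 1
N = P * Q                            # public modulus
E = 65537                            # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))    # authority's private exponent


def digest(token: bytes) -> int:
    """Map a token to an integer modulo N."""
    return int.from_bytes(hashlib.sha256(token).digest(), "big") % N


def blind(token: bytes):
    """Holder: hide the token digest behind a random blinding factor r."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if gcd(r, N) == 1:
            break
    blinded = (digest(token) * pow(r, E, N)) % N
    return blinded, r


def authority_sign(blinded: int) -> int:
    """Authority: sign the blinded value once the applicant's entitlement
    has been checked. The authority never sees the token itself."""
    return pow(blinded, D, N)


def unblind(blind_sig: int, r: int) -> int:
    """Holder: remove r, leaving an ordinary RSA signature on the token."""
    return (blind_sig * pow(r, -1, N)) % N


def officer_verify(token: bytes, sig: int) -> bool:
    """Official: needs only the public key (N, E), no register lookup."""
    return pow(sig, E, N) == digest(token)


def demo():
    """Run one issuance and return (token, blinded value, final signature)."""
    token = secrets.token_bytes(16)   # random token, carries no identity
    blinded, r = blind(token)
    sig = unblind(authority_sign(blinded), r)
    return token, blinded, sig


if __name__ == "__main__":
    token, blinded, sig = demo()
    print("authority saw :", hex(blinded)[:24], "...")
    print("official check:", officer_verify(token, sig))
```

The token in this sketch is a bearer credential: binding it to its holder and revoking it need further machinery that the example does not cover.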

I wrote earlier that
Even the US isn't seeking such powers and they're the home of the most powerful music industry lobbying for more and more powers to tackle filesharing and to extend the term and scope of copyright.
but that was merely in regard to media companies having access to all communications data.

Of course as you would expect the U.S. government wants to peer into phone service networks
The federal government wants to peer into your computer communications, forcing companies that provide high-speed access or Internet-based telephone service to design -- or redesign -- their networks to accommodate surveillance...

"This is like saying, 'Everybody has to keep their doors unlocked because the FBI might need to get in,'" said Mark Rasch, a former attorney who handled computer crime cases for the Justice Department and is now senior vice president and chief security counsel of Solutionary Inc., an Omaha, Neb., computer security consulting company. "The harm of everybody keeping their doors unlocked all the time is much greater than the benefit."
As I argued above, as they already have legislation in place to allow targeted wiretaps, such a proposal is unnecessary and overreaching.

On a far more local level my car number plate is being read every time I drive into Bath to work and checked against a database to see whether I'm a wanted criminal. The Bath Chronicle: Cameras scan for criminals

Now I don't know if the data is retained or if the number plates are only in the system as long as it takes to make the check against the database. But I am worried that this data is indeed being retained and thus my movements, and those of every other commuter or Bath resident, are in effect being tracked.

I have therefore pledged to create a standing order of 5 pounds per month to support an organisation that will campaign for digital rights in the UK.

The pledge is currently only a small number away from reaching its target.

Also I intend to use the Write to Them service to contact my MP and MEP in order to express my opposition to the EU data retention legislation.




Wednesday, November 23, 2005

The first rule of Security Theatre is... 

• posted by Matt Wharton @ 3:43 PM

The first rule of Security Theatre is never to talk about Security Theatre. (ruidh)

Foot-in-mouth Vanstone 'must resign'
ASTOUNDING comments from Amanda Vanstone ridiculing federal airline security measures and questioning increased spending on national security warranted an apology and the Immigration Minister's resignation, Labor frontbenchers said last night.

In a wide-ranging speech to Adelaide Rotarians, Senator Vanstone dismissed many commonwealth security measures as essentially ineffective. "To be tactful about these things, a lot of what we do is to make people feel better as opposed to actually achieve an outcome," Senator Vanstone said.
Like Bruce Schneier I don't know who she is but I also happen to think Amanda Vanstone is right about airline security.

A lot of what is presented as security measures are mere shams to create the illusion of security to make it look to the paying customers that the airlines value their lives and are doing what they can to ensure safe travel.
During her Adelaide speech, Senator Vanstone implied the use of plastic cutlery on planes to thwart terrorism was foolhardy.

Implied? I'll say it outright. It's stupid. For all its faults, I'm always pleased when Northwest Airlines gives me a real metal knife, and I am always annoyed when American Airlines still gives me a plastic one.
As one commenter wrote in Schneier's blogpost the replacement of real cutlery with plastic knives and forks is more likely due to a financial motive than a question of security.

Senator Vanstone has a great grisly turn of phrase also.
I asked him if I was able to get on a plane with an HB pencil, which you are able to, and I further asked him if I went down and came and grabbed him by the front of the head and stabbed the HB pencil into your eyeball and wiggled it around down to your brain area, do you think you'd be focusing? He's thinking, she's gone mad again.
I'm liking her more and more. As you might expect opposition politicians are calling for her resignation because as I wrote at the start: The first rule of Security Theatre is never to talk about Security Theatre.




Tuesday, July 12, 2005

Radicalized Britons 

• posted by Matt Wharton @ 9:34 PM

The police and security services have managed to track down those responsible for the attacks in London and it appears that they were four young men from the Leeds area all of whom died in the resultant explosions.

It is not the result that people were expecting. It was theorized that the attackers may have been outsiders, or perhaps Britons who had trained in Afghanistan, and it was thought that they had planted the bombs and then left, as the Madrid bombers did, so that they could attack again in future.

But now we know that it was four seemingly normal young men who had somehow become radicalized in this country to the point of becoming suicide bombers. Questions are sure to be asked about how this came to be. It's quite likely that there was some outside influence on them, who organised them and supplied them with the explosive material, but perhaps we are deluding ourselves about this just because we cannot understand how these four men could do what they did.




Sunday, June 26, 2005

UK Government to sell your ID 

• posted by Matt Wharton @ 12:31 PM

A report in today's issue of the Independent on Sunday by Francis Elliott, Andy McSmith and Sophie Goodchild reveals that Ministers plan to sell your ID card details to raise cash.
Personal details of all 44 million adults living in Britain could be sold to private companies as part of government attempts to arrest spiralling costs for the new national identity card scheme, set to get the go-ahead this week.

The Independent on Sunday can today reveal that ministers have opened talks with private firms to pass on personal details of UK citizens for an initial cost of £750 each.
This seems to be a desperate move by the Government to regain public support for the scheme: as the expected cost has continued to rise, support has decreased.

In seeking to offset the cost by selling off information they hope to gain the public's support again. Of course, if they follow through with this proposal they will not only have reneged on their pledge that "unlike electoral registers, the National Identity Register will not be open for any general access or inspection" but will also compromise the security of the National Identity Register.

The greater the access to the Register, the more likely it is that the information will make it into the hands of criminals or terrorists, increasing the likelihood of the very identity theft that the Identity Card scheme is designed to prevent.

The National Identity card bill will be going before parliament yet again this coming Tuesday. Government whips are confident of winning Tuesday's vote, but opponents are predicting that the process can be killed off before implementation due to the ever-rising costs and the now apparent risks of database breach or failure.

EDIT: Thanks to Murky.org I've discovered some additional links of possible interest.

ID cards: a child’s view, even a child can see how flawed the scheme is.

In today's Sunday Times we discover that costs may force ID cards to be cheap ‘chip and pin’, thus doing away with the biometric system that, although imperfect and flawed in many ways, would be a much more secure system for verifying that the card was held by the true cardholder. Ironically, one of the primary motives for the proposed card in the first place was that the US was insisting on taking biometric data on all visitors to their country.

It really does seem that the government wishes to install an ID card system by any means possible, even if those means totally undermine the security of the system and make the ID card utterly unable to fulfil any of the objectives its introduction is meant to achieve.


Edit: 28/06/2005

The Home Office has denied a report that the personal details of millions of Britons could be sold to help pay for the introduction of identity cards in this BBC report: ID card database 'not for sale'.




Tuesday, May 17, 2005

Queen speaks words of Blair 

• posted by Matt Wharton @ 6:54 PM

It was the Queen's Speech today in which she outlined what her government would be doing in this parliament.
Tony Blair has pledged to create a "culture of respect" as he put moves to tackle crime and disorder at the heart of his third term agenda.

Public service reform also figured strongly in the Queen's Speech, setting out the government's new programme.

A total of 44 bills and six draft bills are in the 2005 Queen's Speech - ensuring a packed legislative schedule in the parliamentary session that follows the general election.

The 44 bills for Parliament to debate by November 2006 included ID cards and laws against religious hatred.

The Conservatives say Labour has copied much of their agenda. The Lib Dems say Mr Blair has not listened to voters.
BBC News: Queen's Speech at-a-glance or in full.

As outlined in the speech, the government has not yet given up on its planned National ID card scheme.
Controversial plans to introduce a compulsory identity card scheme have been unveiled in the Queen's Speech.

The cards, which had to be dropped ahead of the election, will be linked to a National Identity Register holding information on all UK residents.

Home Secretary Charles Clarke said there had been "technical" changes to the new bill to take account of previous objections to the plans.

The Lib Dems say the plans could be defeated with Tory and Labour support.
I really wonder why they insist on pursuing this ill-conceived plan that will be both costly and inefficient, and will certainly not provide increased national security.

Further reading:
• My analysis of the scheme.
• The text of the Identity Cards Bill
• NO2ID NewsBlog




Monday, May 09, 2005

US to get a national ID card 

• posted by Matt Wharton @ 8:42 PM

Apparently the US government is pushing through a bill that will introduce a de facto national ID card system on the back of another bill on military spending. Curiously, many US citizens are unaware that it is happening.
FAQ: How Real ID will affect you
By Declan McCullagh
Staff Writer, CNET News.com

What's all the fuss with the Real ID Act about?

President Bush is expected to sign an $82 billion military spending bill soon that will, in part, create electronically readable, federally approved ID cards for Americans. The House of Representatives overwhelmingly approved the package--which includes the Real ID Act--on Thursday.

What does that mean for me?
Starting three years from now, if you live or work in the United States, you'll need a federally approved ID card to travel on an airplane, open a bank account, collect Social Security payments, or take advantage of nearly any government service. Practically speaking, your driver's license likely will have to be reissued to meet federal standards. The Real ID Act hands the Department of Homeland Security the power to set these standards and determine whether state drivers' licenses and other ID cards pass muster. Only ID cards approved by Homeland Security can be accepted "for any official purpose" by the feds.

UnRealID
Papers, Please!

Real ID = National ID Card

This Tuesday, the US Senate is scheduled to vote on the implementation of a national ID card system. The Real ID Act is nothing less than a Real National ID Act. The only thing left to the individual states is to decide which pretty picture they will choose to put on the card: everything else will be controlled by Washington DC bureaucrats.

The Real ID Act has never been debated on the US Senate floor. They've never talked about it in any committee. Heck, most of them haven't even read it! Yet they're planning to vote on it on Tuesday, no questions asked.
For more on the Real ID Act, and why it is an ineffective waste of money that will actually introduce security problems rather than solve a security issue, take a look at Bruce Schneier's excellent blogpost and read the comments if you have time.




Friday, April 22, 2005

Flogging the dead horse of security 

• posted by Matt Wharton @ 1:23 PM

I read an interesting article last week by Edward Felten about a proposal to incorporate RFID chips in US passports.
Edward W. Felten: Why Use Remotely-Readable Passports?
Yesterday at CFP, I saw an interesting panel on the proposed radio-enabled passports. Frank Moss, a State Department employee and accomplished career diplomat, is the U.S. government's point man on this issue. He had the guts to show up at CFP and face a mostly hostile audience. He clearly believes that he and the government made the right decision, but I'm not convinced.

The new passports, if adopted, will contain a chip that stores everything on the passport's information page: name, date and place of birth, and digitized photo. This information will be readable by a radio protocol. Many people worry that bad guys will detect and read passports surreptitiously, as people walk down the street.
This is a remarkably stupid idea that has little to no tangible benefit and will most likely compromise security and enable identity theft. The only possible reason for this proposal is that some technology company seeking a government contract convinced someone that it was a good idea and no one in the process could understand the repercussions if it were to be implemented.

There clearly is a problem with identity theft and the forgery of identity documents such as passports, so governments seek solutions to improve security. As you would expect, they seek advice from experts in the field. Unfortunately they seem to be ignoring the advice of independent experts, whose advice is that there is no technological solution to the problem, and taking the advice of industry experts, which typically will be technology companies seeking to sell the government a solution.

Take for example the intention of the British government to include biometric data on the proposed National Identity Card.

Biometric data systems simply are not capable of working on the sort of scale that the proposed national identity card system would require them to.

They are good enough for their primary application, which is to verify that, for example, the iris scan of an individual matches within a certain threshold the biometric data held on the person's ID card.

But the system would also be required to prevent an individual being able to get a second ID card with different identity details. The proposed method of doing this would be to check that the individual's biometric data isn't already listed against an identity in the national identity database.

In February 2003 the National Physical Laboratory performed a biometrics feasibility study on behalf of the Home Office, DVLA and the UK Passport Service.

They studied the feasibility of the use of recognition systems for face, iris and fingerprint on the scale needed to cover the population of the UK. No biometric system is perfect and a balance needs to be found between false matches and false non-matches.

A false match is where the biometric template of an individual is matched to that of a different individual i.e. Vera Duckworth of Manchester is falsely recognized as Pauline Fowler of London.

A false non-match is where an individual is scanned and is not matched to their own biometric template, i.e. the system has failed to recognize them.

Iris recognition was found to be the best method of distinguishing between individuals.

The results for the iris recognition part of the study were that iris recognition can achieve a false match rate of better than 1 in a million with a false non-match rate of below 1 in 100.

For the current UK population of 60 million, a random individual would be falsely matched with, on average, 60 other individuals in the national database, and would also have a slim chance of not being matched against their own data.

With such a high chance of false matches (in fact it is practically a certainty that every individual will falsely match with another) there is no way to discern the difference between a false match and a true match for an individual who is applying for an ID card with a fake identity. Biometric technology clearly isn't up to the job of preventing multiple legitimate ID cards being issued to an individual until there is no possibility of matching with another person.
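The arithmetic behind the paragraphs above, as an added example that is not part of the original post. It goes a little beyond the post's figure of 60 expected false matches by also computing the false match rate a 60-million-record search would need, and how little a "hit" tells the operator. It assumes independent comparisons and a constructed prior of 1 duplicate applicant in 10,000.

```python
import math

# Figures quoted in the post from the NPL feasibility study.
FMR = 1e-6               # false match rate per one-to-one comparison
FNMR = 1e-2              # false non-match rate (quoted as "below 1 in 100")
POPULATION = 60_000_000  # templates in the national database

def expected_false_matches(fmr, enrolled):
    """Mean number of other people's templates one applicant falsely matches."""
    return fmr * enrolled

def prob_any_false_match(fmr, enrolled):
    """P(at least one false match) when one applicant is searched against
    every enrolled template: 1 - (1 - fmr)^N, computed stably."""
    return -math.expm1(enrolled * math.log1p(-fmr))

def required_fmr(enrolled, target_prob):
    """Per-comparison FMR needed so that a full search raises a false
    alarm with probability at most target_prob."""
    return -math.expm1(math.log1p(-target_prob) / enrolled)

def posterior_duplicate(fmr, fnmr, enrolled, prior_duplicate):
    """P(applicant really is already enrolled | the search returned a hit).
    prior_duplicate is an assumed base rate, not a figure from the post."""
    p_false_alarm = prob_any_false_match(fmr, enrolled)
    # A true duplicate is missed only if their own template fails to match
    # AND no other template falsely matches.
    p_hit_if_duplicate = 1.0 - fnmr * (1.0 - p_false_alarm)
    hit_and_duplicate = prior_duplicate * p_hit_if_duplicate
    hit_and_honest = (1.0 - prior_duplicate) * p_false_alarm
    return hit_and_duplicate / (hit_and_duplicate + hit_and_honest)

if __name__ == "__main__":
    prior = 1e-4  # constructed assumption: 1 applicant in 10,000 is a duplicate
    print("expected false matches:", expected_false_matches(FMR, POPULATION))
    print("P(any false match):    ", prob_any_false_match(FMR, POPULATION))
    needed = required_fmr(POPULATION, 0.01)
    print("FMR for 1% false alarms:", needed)
    print("P(duplicate | hit) at study FMR: ",
          posterior_duplicate(FMR, FNMR, POPULATION, prior))
    print("P(duplicate | hit) at needed FMR:",
          posterior_duplicate(needed, FNMR, POPULATION, prior))
```

At the study's false match rate a hit leaves the probability of a genuine duplicate equal to the assumed base rate, which is the post's point that a true match cannot be told from a false one.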

Undoubtedly technology will improve over time, but will it improve to the required extent? It has a long way to go to do so.

The worst thing about biometrics is the faith in its infallibility. Your biometric template is nothing more than a body part reduced to a long stream of numbers; it is merely a fancy password, and it's one that can never be changed. The proposed system treats the biometric template as the core of your identity, with all the other information about you, such as your name and address, of secondary importance.

If the details of your biometric template can be stolen and accurately faked then your whole identity can be stolen.

Shit, I've gone into rant mode. The gist of this was supposed to be that politicians cannot be expected to be expert in all fields and justifiably must make decisions based upon the advice of experts. But they must listen to all the advice from all sides, even if it isn't what they wish to hear, as decisions must never be based solely upon the advice of companies seeking a huge government contract.

There is a cynical part of me that believes that the reality is probably that politicians are being unduly influenced by such things as campaign contributions and are awarding contracts not based on outside advice at all.




Thursday, April 14, 2005

Electoral terrorism 

• posted by Matt Wharton @ 12:58 PM

It appears that both the government and the Conservative party have seized upon the case of Kamel Bourgass, Al-Qaeda suspect and killer of DC Stephen Oake, to make political capital in the run up to the election.
Tory leader Michael Howard has said Tony Blair's failure over asylum led to ricin plotter Kamel Bourgass being able to commit his crimes.

Mr Howard said Bourgass should not have been in the UK and said the case showed "the chaos in our asylum system".
Does this extreme case indicate the general failings in the British asylum system, or should we take a broader picture and examine many cases before judging if the system is in chaos? Mr. Howard's statement would appear to be little more than an implication that asylum seekers are a danger to our society.

I think that the Conservatives have taken the wrong tack with their efforts to focus their campaign on immigration and may well have been led astray by focus groups. Immigration is an issue that I think most people are actually less concerned about than they say they are. It is an issue that has been fuelled by the tabloids, which makes the average bloke in the street feel he should have an opinion on it when really he couldn't give a toss.

The Labour government have also seized upon the case for their own ends.
Home Secretary Charles Clarke earlier insisted: "Things like identity cards, stronger borders to deal with migration issues, the kinds of anti-terrorism legislation that we passed in the last Parliament are all necessary."
Perhaps if Bourgass' plot to poison thousands had succeeded, and the reason he wasn't stopped was that the police and security services were unable to identify him, then there might be a case to argue for ID cards, but none of this happened.

He was identified and tracked and was arrested along with many other individuals who had some connection to him, so the present system worked perfectly. The only problem was that his arrest was bungled, which led to him having an opportunity to try to escape and then kill DC Stephen Oake in the process.

In addition it was played up at the time that it was a terrorist cell plotting a Ricin attack that had been stopped. It is now known that he was a loner and all the other individuals that had been arrested at the same time have been released having had the charges against them dropped or the court cases abandoned. Yet the Home Secretary in giving his opinion on the verdict still used the term terrorist organisations.
The Guardian: Police killer gets 17 years for poison plot. Charles Clarke, the home secretary, expressed his satisfaction with the verdict. "What the case showed was that there are terrorist organisations which seek to challenge us in this country and challenge our basic freedom," he said.
The case clearly did not show that at all. There may well be terrorists seeking to disrupt our society, but only the government is seeking to curtail our basic freedom. There appears to be very little evidence that Kamel Bourgass was organised in his plot, let alone part of a larger organisation.

I wonder what happened to the Blitz mentality of 'business as usual' whilst we were suffering the equivalent of a 9/11 every week. Now we seem to be in a period of 'hysteria as usual', precipitated, I feel, by the government.

It's all scaremongering for the sake of winning an election: coercion through fear for political reasons, in effect 'electoral terrorism'.




Saturday, March 12, 2005

Prevention of Terrorism Bill is passed. 

• posted by Matt Wharton @ 4:54 PM

So the Prevention of Terrorism Bill was finally passed and Alan Moore's V for Vendetta is looking ever more prescient. The controversy over the Bill mainly concerns the Control Orders, which would allow suspected terrorists, whether UK nationals or non-UK nationals, to have severe restrictions placed upon them on the orders of the Home Secretary without trial.

Thanks to the truly excellent website They Work For You, the entire epic Commons debate is available in an easily read format with much background information. It is split up into a number of segments due to the Bill being passed back and forth between the Houses of Commons and Lords as amendments to the Bill were suggested and considered.

9th March debates
Prevention of Terrorism Bill (Programme) (No. 3)
Orders of the Day — Prevention of Terrorism Bill
Clause 1 — Power to Make Control Orders

10th March debates
Prevention of Terrorism Bill Debate
Prevention of Terrorism Bill Debate
Prevention of Terrorism Bill Debate

Finally the Bill was agreed upon and given