DRM drummed out?

Following on from Eliot Van Buskirk’s Wired column Who’s Killing MP3 and iTunes? (in which he pontificated on the future of the MP3 file format in comparison to DRMed alternatives like Apple’s AAC format as sold in their iTunes online store) there is the news that EMI has announced that it will no longer produce CDs with DRM.

One swallow doesn’t make a summer but this would seem to be an indication that even the record companies are coming to doubt the efficacy of DRM.

Re-writing the rules of online ID

BBC columnist Bill Thompson discovers that forgetting a password might be an opportunity for reinventing yourself.

An employee who forgot their password to log in to the corporate network would probably get a withering look from the support staff as they grovelled to have it reset.

By contrast it seems that young people who forget their MySpace logins are just as likely to make a new account as fret over their lost friends or painstakingly constructed homepage decorations.

Multiple personalities is the new black.

Gold standard for identity. Yeah right!

BBC News: Giant ID computer plan scrapped

Not, unfortunately, the scrapping of a plan for a government computer the size of a building, like the one they had at Bureau West near where I live.

In fact the government has announced that the proposed National Identity Register, which underpins its ID Card scheme, will not be created anew so as to be clean and error-free but will instead be constructed from the current databases of various government agencies.

The information will be stored in three separate databases including the Department of Work and Pensions’ Customer Information Service, which holds national insurance records, and the Identity and Passport Service computer system.

Mr Reid denied IT companies had wasted millions on preparation work for an entirely new system, saying the industry had been consulted on the move.

The government has reportedly spent about £35m on IT consultants since the ID cards project began in 2004.

“Doing something sensible is not necessarily a U-turn,” Mr Reid told reporters.

“We have decided it is lower risk, more efficient and faster to take the infrastructure that already exists, although the data will be drawn from other sources.”

So we’ll have a National Identity Register that is as full of errors as the current ones are, hardly the ‘Gold Standard’ for identity that the Home Office proudly announced it would be, is it?

Interestingly the Press Release from the Identity and Passport Service makes no reference to this at all other than in passing.

This news comes as Home Office Minister Liam Byrne published a Strategic Action Plan for the National Identity Scheme and the Borders, Immigration and Identity Action Plan, which follow the wider Home Office review earlier this year and signal the countdown to the introduction of ID cards to UK citizens in 2009.

The Strategic Action Plan is the document in which the new plans for the National Identity Register are laid out. Instead, the press release focuses on the part of the plan that describes how the fingerprinting of foreign nationals will help secure Britain’s border and crack down on illegal working and fraudulent access to services. Immigration Minister Liam Byrne said:

We’re determined that Britain won’t be a soft touch for illegal immigration. Compulsory biometric identity for foreign nationals will help us secure our borders, shut down access to the illegal jobs, which we know attracts illegal immigrants, and help fight foreign criminals.

But all this is completely irrelevant when we are talking about the establishment of a biometric based National Identity Register of UK citizens.

As NO2ID theorizes, this is about the establishment of the ‘database state’.

There is a growing list of planned systems.

* So-called ‘biometric’ ePassports that log data about your travel when used – see www.RenewForFreedom.org
* Centralised medical records without privacy – see www.TheBigOptOut.org
* Biometrics in schools – see www.LeaveThemKidsAlone.com
* Recording of all car journeys as a matter of course, using ANPR.

British biometric passports’ security cracked

Earlier this year the UK Passport Service (now the Identity and Passport Service) started to introduce Biometric Passports (pdf link) in an effort to vastly improve the security of the passport system. In their words

To:
• help fight passport fraud and forgery;
• help the public and the UK to fight identity fraud;
• ensure the British Passport stays one of the most secure and respected in the world;

However, according to a report in today’s Guardian, it seems that these new ultra-secure passports aren’t all they are cracked up to be and that their security has been severely undermined by a number of poor decisions made in the implementation of the system.

Firstly, they have opted to use RFID chips to store the data, in accordance with standards drawn up by the International Civil Aviation Organization. The use of RFID to store the data is bad enough, but the ICAO standard also directs that the key used to access the data should be composed of, in the following order, the passport number, the holder’s date of birth and the passport expiry date, all of which are printed on the passport in the “machine readable zone.”

Bruce Schneier, an authority in the area of security, has written a number of times about the security wreckage associated with passports containing RFIDs.

April 28, 2005 RFID Passport Security

November 03, 2005 The Security of RFID Passports

This includes, on August 03, 2006, Hackers Clone RFID Passports, a very similar hack to the one carried out by Adam Laurie on behalf of The Guardian newspaper.

Most recently Schneier has revealed that The Data Privacy and Integrity Advisory Committee of the Department of Homeland Security has recommended against putting RFID chips in identity cards. Whether the US government heeds this advice is yet to be seen but unfortunately for us in Britain our government has already made the poor choice.

The security measures in place to prevent unauthorized access to the data held on the chip work by creating an encrypted ‘conversation’ between the chip and the reader. Interestingly they have used the Triple DES algorithm for the encryption instead of AES, which was introduced to replace Triple DES in 2002 and which is much more efficient. However the choice of algorithm is a secondary concern compared with how it was implemented: with a key that is composed of non-secret information published in the passport itself.

As Laurie puts it so eloquently “That is the equivalent of installing a solid steel front door to your house and then putting the key under the mat.”
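To make Laurie’s point concrete, here is an added example (not code from the Guardian report or from this post) of how the ICAO Doc 9303 Basic Access Control scheme derives its Triple DES keys from the machine readable zone; every input is printed on the passport, so the encryption is only as secret as the MRZ itself. The sample MRZ fields are the values from ICAO’s own published worked example, not a real passport.

```python
import hashlib

# Added example, not code from the Guardian report or this post. It follows the
# ICAO Doc 9303 Basic Access Control key derivation; the sample MRZ fields used
# below are ICAO's published worked-example values, not a real passport.

def mrz_check_digit(field: str) -> int:
    """ICAO 9303 check digit: weights 7,3,1 repeat; '<' counts as 0, A-Z as 10-35."""
    total = 0
    for i, ch in enumerate(field):
        if ch == "<":
            value = 0
        elif ch.isdigit():
            value = int(ch)
        else:
            value = ord(ch.upper()) - ord("A") + 10
        total += value * (7, 3, 1)[i % 3]
    return total % 10

def mrz_information(doc_number: str, birth_yymmdd: str, expiry_yymmdd: str) -> str:
    """The 24-character key input: document number, birth date and expiry date,
    each followed by its check digit. All of it is printed on the passport page."""
    fields = (doc_number.ljust(9, "<"), birth_yymmdd, expiry_yymmdd)
    return "".join(f + str(mrz_check_digit(f)) for f in fields)

def adjust_des_parity(key: bytes) -> bytes:
    """Force odd parity on every byte, as DES/3DES key encoding requires."""
    out = bytearray()
    for b in key:
        odd = bin(b >> 1).count("1") % 2 == 1   # parity of the seven key bits
        out.append((b & 0xFE) | (0 if odd else 1))
    return bytes(out)

def bac_keys(doc_number: str, birth_yymmdd: str, expiry_yymmdd: str):
    """Return (K_seed, K_enc, K_mac): the 3DES keys a reader needs to open the
    BAC-protected chip, derived purely from the printed MRZ fields."""
    info = mrz_information(doc_number, birth_yymmdd, expiry_yymmdd)
    k_seed = hashlib.sha1(info.encode("ascii")).digest()[:16]

    def kdf(counter: int) -> bytes:
        # ICAO 9303 KDF: SHA-1(K_seed || 32-bit counter)[:16]; counter 1 = enc, 2 = mac
        digest = hashlib.sha1(k_seed + counter.to_bytes(4, "big")).digest()[:16]
        return adjust_des_parity(digest)

    return k_seed, kdf(1), kdf(2)

if __name__ == "__main__":
    seed, enc, mac = bac_keys("L898902C<", "690806", "940623")
    print("K_seed:", seed.hex(), "K_enc:", enc.hex(), "K_mac:", mac.hex())
```

Nothing in the derivation is secret: anyone who can read the printed page holds the key, which is why the protection rests entirely on who is allowed to see the MRZ.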

Bruce Schneier’s analysis of electronic voting and revoting

Security expert Bruce Schneier turns his eye to the subject of voter recounts in elections and the effect of electronic voting machines.

When a candidate has evidence of systemic errors, a recount can fix a wrong result — but only if the recount can catch the error. With electronic voting machines, all too often there simply isn’t the data: there are no votes to recount.

This year’s election in Florida’s 13th Congressional District is such an example. The winner won by a margin of 373 out of 237,861 total votes, but as many as 18,000 votes were not recorded by the electronic voting machines. These votes came from areas where the loser was favored over the winner, and would have likely changed the result.

The spread of electronic voting machines which have no paper backup is of concern to many people, especially when the result is as important as deciding who the next government might be and doubts remain about the security of the systems.

Identity Theft monitoring by Garlik

The BBC reports on a new service that is designed to help users reduce their risk of identity theft through a monitoring facility. The service is kind of like the constant surveillance of the Orwellian Big Brother but where the individual is in control of the surveillance upon themselves.

The Garlik Datapatrol service has been set up by the founders of the internet bank Egg with the intention of putting users back in control of the information that is held on them in public databases that are easily accessible through the internet.

The service brings together from the internet, public databases, and Credit Reports all the personal information it can find on a user and then displays it in a simple online format. Then on a monthly basis users will receive an update summary of additions or changes to their online profile as well as highlighting any risks or suspicious activity.

By facilitating individuals’ access to the information that is held on them, the service puts its users on an equal footing with the criminals who might seek to steal their identities. As irregularities are often the first indication of a problem, the monitoring gives users an early warning and the chance to nip it in the bud before any negative consequences have occurred.

My only concerns are the security of Garlik’s database and the trustworthiness of the company. They seem to have a fairly robust system to establish users’ identities and to then authenticate users accessing the personal information gathered in the server database. But it presupposes that an individual’s identifying information hasn’t already been compromised or stolen.

I can see this service being a boon for identity theft rings who have enough data to register falsely for the service in order to further the scope of their thefts by letting Garlik do the legwork as it were in accruing further information.

Garlik’s secure servers would also be a prime target for criminals and so I would hope that they have taken the security of their servers as seriously as any bank would with theirs. Is the physical access to the servers as well secured as the online access is?

My second concern would be that as a new company they haven’t had the time to build a reputation or a track record of trust. Registered users will be empowering the company and placing a lot of trust in the security of the service and in the authenticity and accuracy of the personal information provided to users. Having said that, there is nothing to suggest that Garlik is in any way a disreputable company; it is merely my natural paranoia.

I would have more faith in Garlik presently than I would in the UK government in securing any personal information I would give them.

Garlik are currently offering free trials to people signing up for the Datapatrol service at their website, http://www.garlik.com.

People with concerns about identity theft and security online should also take a look at the Get Safe Online website, which has been set up by banks and prominent internet companies.

Vista security

The BBC reports that a senior Microsoft executive has promised that its new operating system will be more secure than ever.

Jean-Philippe Courtois, president of Microsoft International, said that beefing-up security was one reason behind delays to Windows Vista.

I think Microsoft should be applauded for their relatively recent commitment to the subject of security in their products, particularly given their laissez-faire attitude to it up until a few years ago. But Microsoft promised the same thing about their previous operating system release, and Windows XP proved to be their least secure system ever until they beefed up the security with Service Pack 2.

The thing about software security, though, is that its effectiveness can only be judged in retrospect: modern software, particularly operating systems, is now so complicated that the process used to create it inevitably introduces bugs and security holes.

So the Microsoft engineers may well have patched all the security flaws that had been exposed through previous releases and the testing of this release of Windows Vista, but there will no doubt be new holes that have been inadvertently created that no one has even conceived of yet.

One such newly introduced security hole has been discovered by researcher Joanna Rutkowska, and it’s a biggie. She describes it as a ‘blue pill’, a reference to the movie The Matrix, and it would allow a malicious hacker to completely compromise a system without the user having any indication at all that their system had been compromised.

Rutkowska’s Vista kernel attack did not rely on any known bugs in Vista, which is still in beta testing. She stressed that her demonstration did not rely on any implementation bug nor any undocumented Windows Vista functionality. She characterized her approaches as “legal,” using documented SDK features.

As she says, it did not rely on any known bug within Windows Vista, so who knows what other security problems might have been engineered into the operating system that haven’t yet been uncovered by Microsoft’s own testers or by third-party researchers.

Fears of Internet crime second only to bank card fraud.

Internet crime eclipses burglary in survey of perceived risks

Fear of internet crime is now more prevalent than concerns about more conventional crimes such as burglary, mugging and car theft, according to a report published today. And criminals are increasingly targeting cyberspace as more and more people shop online and use internet banking services.

The study was conducted by Get Safe Online, a UK internet security awareness campaign launched last year by the government, the Serious Organised Crime Agency and big online companies.

More than a fifth of internet users (21%) feel more vulnerable to electronic crime than any other type of criminal activity. It is second only to bank card fraud (27%) as the type of crime to which survey respondents felt most exposed. Internet crime has overtaken burglary (16%) as one of the crimes people feel most at risk of.

Of course, like many things that people fear, the perception differs hugely from the reality of the situation. That’s not to say that there isn’t a risk of becoming a victim of crime on the internet, but there are simple and easy precautions that people can take to minimize their exposure.

The problem is that the internet is still largely an unfamiliar environment for most people, even if they do shop and bank online. People are generally aware of the crime rate in their area and so can gauge to what extent they are at risk of being burgled. But the internet exists as a single place in the minds of many people, and so every story they hear of crimes carried out online further increases their anxiety about it.

goodthinkful

I think Bruce Schneier’s right on the money when he calls this Opinion Monitoring Software Orwellian.

It’s like the sort of thing you can imagine a nascent Ministry of Truth using to separate the goodthinkers from the crimethinkers.

It starts out well enough and sounds like a useful tool to track world opinion on the US and its government’s policies, and as a result make the US a more responsible player on the world stage.

A consortium of major universities, using Homeland Security Department money, is developing software that would let the government monitor negative opinions of the United States or its leaders in newspapers and other publications overseas.

Such a “sentiment analysis” is intended to identify potential threats to the nation, security officials said.

But like any tool there is scope for misuse of the technology should the research into it actually bear fruit in this case.

Diebold Technician Wins U.S. Presidency

19 Year Old Diebold Technician Wins U.S. Presidency [via]

President-elect Pustule said he was still working on his platform, but that he had “a lot of ideas about making acne medication cheaper and also making thongs required in more places”.

I, for one, welcome our new acne-faced overlord.