Chipped Passport Cloned In Minutes

samzenpus posted more than 6 years ago | from the unsafe-at-any-customs-counter dept.

Privacy 326

Death Metal Maniac writes "New microchip passports designed to be foolproof against identity theft failed the test when a researcher was able to manipulate one in minutes. The cloned passports were accepted as genuine by the computer software recommended for use at international airports. According to the article: 'A computer researcher cloned the chips on two British passports and implanted digital images of Osama bin Laden and a suicide bomber. The altered chips were then passed as genuine by passport reader software used by the UN agency that sets standards for e-passports.'"

frosty piss (-1, Offtopic)

Anonymous Coward | more than 6 years ago | (#24508241)

but i poop from there!

Um, well... (5, Insightful)

superphreak (785821) | more than 6 years ago | (#24508261)

Is anyone surprised? At all? Seriously...

Re:Um, well... (5, Funny)

Anonymous Coward | more than 6 years ago | (#24508281)

Well, they didn't make him take his shoes off - so no, I am not surprised.

Re:Um, well... (4, Interesting)

Fred_A (10934) | more than 6 years ago | (#24508297)

Hasn't this been known for a long time?

Some extra security could be added to the chips (proper key signing IIRC) but never is. Everybody knows about this but since it makes the US happy as part of their security theatre, nobody cares.

Re:Um, well... (4, Interesting)

TheLink (130905) | more than 6 years ago | (#24508317)

It's mostly theatre. Bad people get valid passports too.

Only in a few cases are those passports revoked.

Re:Um, well... (3, Insightful)

kingtonm (208158) | more than 6 years ago | (#24508349)

The sad thing is that, as someone who has never been to the US and who can't see myself travelling frequently, I don't want to have to pay for a poorly designed or implemented system which my government might wind up relying on for things that actually do matter to me.

Re:Um, well... (1, Insightful)

kingtonm (208158) | more than 6 years ago | (#24508465)

Hang on a minute, so what they're really saying is that the mechanism for distributing people's public keys and the trust around those keys so signatures could be verified. So if people aren't in the chain of trust then it doesn't work, that implies not a problem with the technology but the environment where it's being implemented. That affects our trust of the issuers outside the web and consumers outside the web of passports issued inside the web.

That implies it's sociopolitical not technological.

Re:Um, well... (5, Funny)

Dog-Cow (21281) | more than 6 years ago | (#24508617)

-1, Unintelligible.

Re:Um, well... (4, Funny)

EnsilZah (575600) | more than 6 years ago | (#24508743)

Or

+1, Ready for Academic Publication.

Maybe so. (2, Funny)

BitterOldGUy (1330491) | more than 6 years ago | (#24508763)

I think he has a future as a management consultant or an adviser in the Bush Whitehouse for the remainder of his term.

Re:Um, well... (1)

fastest fascist (1086001) | more than 6 years ago | (#24508777)

In other words, the mechanisms designed to make tampering harder/impossible are not being used by all countries.

MOD PARENT DOWN (-1, Redundant)

Anonymous Coward | more than 6 years ago | (#24508919)

At least one idiot moderator was fooled by the seemingly intelligent sounding technobabble that kingtonm posted. Don't make the same mistake.

Re:Um, well... (4, Insightful)

DrLang21 (900992) | more than 6 years ago | (#24508375)

I recently had a conversation at work about security issues. The fact is that any security system can be beaten. You can keep trying to make it more and more difficult to beat, but at some point you just have to decide that it's good enough. At the same time, you don't want your security to be so over the top that it is either prohibitive such that people are encouraged to find a work around, or it's just plain ineffectual. Adding chips to passports isn't a bad idea (if they actually put enough security in them to make it prohibitive to emulate), but it's not a replacement for old-fashioned visual inspection.

Re:Um, well... (5, Insightful)

Swizec (978239) | more than 6 years ago | (#24508425)

At the same time, you don't want your security to be so over the top that it is either prohibitive such that people are encouraged to find a work around, or it's just plain ineffectual.

Oh you mean like DRM? Prohibitive and ineffectual never stopped corporations before, why would it stop the government?

Re:Um, well... (2, Insightful)

jimicus (737525) | more than 6 years ago | (#24508473)

I recently had a conversation at work about security issues. The fact is that any security system can be beaten.

I have a variation on that.

The only 100% guaranteed secure computer system is one that's been pulverised into little shards of metal and encased in concrete.

Re:Um, well... (2, Funny)

jank1887 (815982) | more than 6 years ago | (#24508765)

that's what you think

Re:Um, well... (1)

caluml (551744) | more than 6 years ago | (#24508871)

Indeed. Someone once (on here?) remarked that you can't make a bank invulnerable to being robbed/broken in. What you can do, however, is boost the security to a point where breaking in requires so much time, equipment and risk that it becomes prohibitive.
Bank 1: £100k, in a shoe box, guarded by a blind old lady.
Bank 2: £100m, in a state of the art, underground steel vault, guarded by 100 men with guns and sensors all over the place.

You can, with enough time, people, and equipment rob both successfully.

Wait a minute... (0)

Anonymous Coward | more than 6 years ago | (#24508737)

The UN sets the standards for e-passports? Let me guess - the software is sold by Ban Ki-moon's nephew. Does it support automatic debits from the checking accounts of western citizens yet? God knows the UN has a real boner for corruption, nepotism, decadence, and finding ways to tax the west.

Re:Um, well... (0)

Anonymous Coward | more than 6 years ago | (#24508853)

Osama should be pleased...

Don't forget... (-1, Troll)

Anonymous Coward | more than 6 years ago | (#24508263)

...to pay your $699 licensing fee you cock-smoking tea-baggers!

Re:Don't forget... (1)

smitty_one_each (243267) | more than 6 years ago | (#24508403)

Oh, believe me. The IRS will extract all that and more to fund this and other Federal boo-boos.
The best strategy is keep smiling.

I want one! (5, Funny)

PC and Sony Fanboy (1248258) | more than 6 years ago | (#24508267)

I'd like one, preferably with a large memory chip added, so I can combine all my fake passports into one.

Oh, and I'd like some fake passports.

Re:I want one! (4, Funny)

fastest fascist (1086001) | more than 6 years ago | (#24508787)

But how many songs can it store?

Well... (0, Redundant)

larpon (974081) | more than 6 years ago | (#24508269)

that went well!

This is exactly what I thought when... (-1)

fireboy1919 (257783) | more than 6 years ago | (#24508287)

They started printing passports on commemorative plates. What if they get chipped? Then they lose all value.

It's also a well-known fact that ceramic chips easily, and can often be cloned using just chips. I have to hand it to the British dudes, though. Usually takes me longer to make plates than minutes.

Think they might be making them using that Shrinky Dink stuff? I guess that would make sense.

Wait. (0)

Anonymous Coward | more than 6 years ago | (#24508289)

In the tests, a computer researcher cloned the chips on two British passports and implanted digital images of Osama bin Laden and a suicide bomber.

The software was supposed to scan faces? I thought it was only supposed to scan the code.

Re:Wait. (1)

$RANDOMLUSER (804576) | more than 6 years ago | (#24508319)

Think of it as counter-theater. "See, even Osama bin Laden could get into the US with this..."

Why be a hacker... (4, Funny)

kale77in (703316) | more than 6 years ago | (#24508299)

... when you can be a respectable "computer researcher"?

That's security professional for you, mister! (3, Funny)

Anonymous Coward | more than 6 years ago | (#24508335)

I'm head of retail logistics, so I have to get back to stocking shelves now.

Re:Why be a hacker... (0, Offtopic)

gilbertopb (1286258) | more than 6 years ago | (#24508401)

Sometimes to be a respectable "computer researcher" means being part of the same social club. About the passport, what's wrong with the paper docs?

Re:Why be a hacker... (1)

The Warlock (701535) | more than 6 years ago | (#24508819)

The "paper docs" are even easier to forge than the microchip?

Re:Why be a hacker... (1)

gilbertopb (1286258) | more than 6 years ago | (#24508961)

Easier and cheaper. If they can forge some docs for cents, why spend millions on some also-easy-to-forge chips or something so?

Re:Why be a hacker... (0)

Anonymous Coward | more than 6 years ago | (#24509005)

so people are less likely to believe in them as absolute truth in the first place? Really, knowing who someone is when they cross the border isn't particularly useful anyway. At best it'll allow you to pick up petty criminals, anyone worth expending effort on stopping from coming into your country is going to have a fake passport whether it's a paper one or a whizz-bang microchip one. The real reason is that high-tech passports cost so much that they make foreign travel prohibitively expensive for a larger chunk of the population than before. (tinfoil hat time)

Re:Why be a hacker... (1)

dnwq (910646) | more than 6 years ago | (#24508413)

The tests for The Times were conducted by Jeroen van Beek, a security researcher at the University of Amsterdam.

because being a l33t sup4 h4x0r doesn't actually require any, you know, qualifications.

Re:Why be a hacker... (2, Funny)

iveygman (1303733) | more than 6 years ago | (#24508429)

Only if I get paid at least 1337 dollars a week.

Re:Why be a hacker... (2, Funny)

slashname3 (739398) | more than 6 years ago | (#24508459)

And take a pay cut?

Re:Why be a hacker... (0)

Anonymous Coward | more than 6 years ago | (#24508641)

I don't really understand the parent post being modded funny... $1337 (USD) per week would be a paycut for most IT professionals wouldn't it? I'm underpaid at the equivalent of $1546.40 a week.

Embarrassing, but not surprising (2, Insightful)

Anonymous Coward | more than 6 years ago | (#24508303)

It shows the benefit of this kind of outside security analysis, which should have probably been executed during the development process.

Better the issues be uncovered now than when the issuance is widespread.

There's always a loophole.

Re:Embarrassing, but not surprising (1)

Televiper2000 (1145415) | more than 6 years ago | (#24508553)

But they couldn't spend more time developing the technology; the marketing literature was ready. If they're ready to market the product, the product is definitely done, isn't it? We'll still be able to test it, we just have to focus on the launch first.

Golden Reader? (-1, Troll)

ladquin (1177763) | more than 6 years ago | (#24508305)

I bet it runs on Windows... Surprise, surprise!!

Electronic voting's cousin? (2, Insightful)

Porchroof (726270) | more than 6 years ago | (#24508309)

Are these electronic passports related to electronic voting?
It's becoming obvious that low-tech paper is preferable in both elections and passports.

Re:Electronic voting's cousin? (5, Insightful)

pha7boy (1242512) | more than 6 years ago | (#24508387)

It's becoming obvious that low-tech paper is preferable in both elections and passports.

yes, cos god knows, paper passports were NEVER falsified.

Re:Electronic voting's cousin? (0)

Anonymous Coward | more than 6 years ago | (#24508713)

I don't think the falsified passports are the issue, isn't it more about reading personal information from a distance and having your identity stolen?

Re:Electronic voting's cousin? (5, Insightful)

LaminatorX (410794) | more than 6 years ago | (#24508831)

Successful paper forgeries are usually more time consuming to create, and require skills that are less common in this day and age.

Or another way, a forged passport is one forged passport. A broken authentication system is a thousand forged passports.

Re:Electronic voting's cousin? (5, Interesting)

stainlesssteelpat (905359) | more than 6 years ago | (#24508423)

I got one of these new fandangled passports a few years ago when I went to Japan, got fingerprinted electronically at customs and thought nothing of it, with all the post 9/11 sentiment it sucks but I can't see it going away now. Anyway point is I'm an ex chef (still part time while at uni), so when I flew into Newark to go visit my girlfriend's parents with her in Fargo I get hustled into an interview room. I thought it was on account of being heavily tattooed and having dreadlocks and being under 30. Anyway, I get grilled by this mean assed gentleman from customs about how I got this passport. Turns out the damage done to my hands over the course of two years meant that their software didn't match the biometric that Japanese customs had put on there. Got sorted out eventually, 2 hours, nearly missed my connection from JFK. Was more bemused than anything, US customs don't get Aussie humour, that's for sure.

No (1)

Mateo_LeFou (859634) | more than 6 years ago | (#24508427)

Obviously, the problem is that there aren't *enough* of these spoofable chips. We should have them in our passports, cars, cellphones, and under the skin. 'Cause of terra.

Re:Electronic voting's cousin? (2, Insightful)

DNS-and-BIND (461968) | more than 6 years ago | (#24508525)

Mayor Daley and JFK would like a word with you. Or heck the PRI in Mexico stole elections for 90 years using nothing but paper ballots. Pretending that paper is somehow better is folly.

Re:Electronic voting's cousin? (5, Insightful)

AGMW (594303) | more than 6 years ago | (#24508733)

Pretending that paper is somehow better is folly.

Hmmmm. OK, but the corollary may well be that pretending something other than paper is any better is also folly!

As some other poster says above, you want a level of security that makes it sufficiently difficult for joe-public to not think about trying to beat it, but not so intrusive as to adversely affect people's lives too much in day-to-day use.

All the claptrap and palaver to do with air travel goes too far down the "intrusive" side of things, without actually offering any greater level of security (hence the term Security Theatre [wikipedia.org]). The attempt to track every individual using ID cards [no2id.net], etc, is also too intrusive, and just as ineffective - whereas a simple chip containing a picture which is displayed when the passport (or credit card) is put into a reader would allow a human to easily compare the picture with the person and thereby foil most of the casual passport/credit card fraud.

Finally, you have to recognise that you CANNOT completely stop people from doing bad things and to think you can will lead to the 1984-type society that most right-minded people fear is where we are going already!

Re:Electronic voting's cousin? (4, Insightful)

cmat (152027) | more than 6 years ago | (#24508849)

As an aside, there is a parallel between pictures on ID and encryption: A picture on an ID allows me to verify that you look exactly like the guy on the ID (for various definitions of "exactly"), and symmetric encryption allows me to be fairly certain no one is listening in on a communication (assuming protected keys, sufficient key size, etc). But neither allow me to KNOW who you are or who I am communicating with. In other words, both systems fail at authentication, which is, in the end, what passports are trying to provide, and many people think encryption provides.

Don't worry... (5, Funny)

rarel (697734) | more than 6 years ago | (#24508325)

Captain Hammer will save us.

Re:Don't worry... (0, Offtopic)

SaturnNiGHTS (1074969) | more than 6 years ago | (#24508699)

don't you mean "MC Hammer"?

Summary doesn't mention digital signing (5, Interesting)

Wanderer2 (690578) | more than 6 years ago | (#24508329)

The Home Office has always argued that faked chips would be spotted at border checkpoints because they would not match key codes when checked against an international database. But only ten of the forty-five countries with e-passports have signed up to the Public Key Directory (PKD) code system, and only five are using it.

The researcher replaced the digital signatures on the passports with ones of his own creation when altering the photographs... if the equipment used to test had actually compared the digital signatures to those on file, it would have immediately spotted the tampering. Problem is most countries aren't sharing their signatures yet, making those checks impotent. For now, at least (and not saying there aren't other vulnerabilities).

Re:Summary doesn't mention digital signing (1)

mpe (36238) | more than 6 years ago | (#24508455)

The researcher replaced the digital signatures on the passports with ones of his own creation when altering the photographs... if the equipment used to test had actually compared the digital signatures to those on file, it would have immediately spotted the tampering. Problem is most countries aren't sharing their signatures yet, making those checks impotent. For now, at least (and not saying there aren't other vulnerabilities).

Any guesses on how secure the private keys for these signatures are likely to be?

Re:Summary doesn't mention digital signing (1)

ettlz (639203) | more than 6 years ago | (#24508517)

Any guesses on how secure the private keys for these signatures are likely to be?

About the same likelihood as your average Home Secretary knowing what a private key is?

Re:Summary doesn't mention digital signing (1)

Wanderer2 (690578) | more than 6 years ago | (#24508619)

Any guesses on how secure the private keys for these signatures are likely to be?

I'm sure they'll never be put on CD to be sent elsewhere then lost by a courier... or put on someone's laptop then left on the 18:15 from Waterloo. ;)

Re:Summary doesn't mention digital signing (1)

Ed Avis (5917) | more than 6 years ago | (#24508549)

Yeah, as far as I can tell the problem is that nobody bothered to import the public keys of all the world's passport signing authorities. In a sane world, each country would publish their public key on a web page, and maybe have paper copies available from embassies so you could check you weren't getting a fake. (Indeed, the passport authority's key signature could be printed on the inside front page of every passport issued, just to get it as widely distributed as possible.)

Re:Summary doesn't mention digital signing (1)

Wanderer2 (690578) | more than 6 years ago | (#24508723)

(Indeed, the passport authority's key signature could be printed on the inside front page of every passport issued, just to get it as widely distributed as possible.)

Would a forger then be able to replace the printed key with one of their own and if so would anyone notice?

I agree it seems silly that most countries haven't signed up to share their public keys yet. Without them you can't verify who actually generated the data on the passport.

Re:Summary doesn't mention digital signing (1)

QX-Mat (460729) | more than 6 years ago | (#24508631)

Sadly that's the problem. No one in power seems to "get it".

We have an illusionary mechanism of security, when all we can validate is the validation - or worse still, all we can validate is the appearance of some kind of mechanism that if tested would prove our authenticity. We are insecure if the process of testing this security is too taxing as to render it unused.

Authenticating who you say you are vs who you're allowed to be is a trivial problem of matching biometric information that you supply with that on record. Unfortunately all the money is spent on the establishing the pretense of who you are, yet what is more important is the establishing of "yes, I can verify that". Admittedly this is for legacy/"backward compatibility" or unconnected infrastructure reasons, but, still, when moving from one country to another, those that rely on the backward compatibility side are those that fear little (ie: legal movement between African nations, the EU, dual-nationality zones) from migration.

Consider the EU laws on travel within the EU. They don't require a passport. Passports are a lie. They require any kind of "valid" photo-ID to establish the name of that person. Even without ID, if border control can establish you are who you say you are, you are permitted to enter into another EU country. In this connected world, a photo seems a little pointless when we can take a finger print or eye scan.

What we need is, and I hate to say this, a database of "travellers". A database of hashes is sufficient - and privacy advocates should make sure that this is a one way hash. We should rely upon connectivity to check we are who we say we are, or at the very least, the ability to mirror this database to entry/exits in participating countries.

Why? Then all we have to do is say we are someone, take a finger print, scan, whatever, they can confirm they are that person.

The problem of "storing" our full biometric information whether plain or in bidirectional encryption formats is that we can always alter it. Remove that ability for us to alter that data and the data becomes more resistant to tampering.

If you ignore the whole principle of encryption and biometric information, what we are doing is giving everyone an orange as a passport and saying to them -

Border Control - "Look here, this confirms you are you, because it's a god-damned orange and we know what oranges look like"

Traveller - "But Sir, I can tell you my name!"

"I still want to see an orange. If I don't see an orange how can I trust you?".

"But I can grow oranges at home. How can you ever trust someone that shows you an orange."

"Because my computer checks your orange and tells me it's your orange"

"But if I grow my orange, it IS my orange, and your computer will tell you it is my orange"

"Mmmm."

Admittedly I believe the whole point in having a passport that mirrors the information you supply is a good one. It shifts the focus on defeating not only biometric scanning but to forging electronic information and paper.

I believe most methods of biometric scanning that I have come across can be defeated with a little research. What we have here is just another element in the linked list of endless methods to stay one step ahead of the professional criminals. Expect more additions.

Re:Summary doesn't mention digital signing (0)

Anonymous Coward | more than 6 years ago | (#24508703)

The way I see it, the problem is that widely available chips are used.
They needed to use government issued only special chips and Washington lawmakers are too computer security illiterate and too political to do it right!

The final result will likely be:
Chipped passports cannot be trusted.
Lawmakers will run an advertising campaign to say the exact opposite, likely forcing you to upgrade older passports to those with chips anyway!!

Take a hammer to it... (3, Interesting)

pha7boy (1242512) | more than 6 years ago | (#24508343)

see, that's why you should take a hammer to that sucker. And when the border guard asks you what happened... say that you sat on it :)

Re:Take a hammer to it... (4, Informative)

MRe_nl (306212) | more than 6 years ago | (#24508487)

Why get all physical?
30 seconds on high in the microwave should do the job and leave less traces.
"And when the border guard asks you what happened." the right response would be
"I don't know what you're talking about Sir, there's chips in my passport?"

( or perhaps, depending on available force-points...
"Sir, these are not the passports you're looking for" :)

Re:Take a hammer to it... (3, Insightful)

c1t1z3nk41n3 (1112059) | more than 6 years ago | (#24508883)

Congratulations. You've created yourself a 6 hour delay and interrogation. At the end of it you'll simply be fingerprinted again and forced to pay for your new passport. I don't think the kind of semi-passive resistance you're advocating really works here. Though I still kind of like the idea I just find it hopeless.

Re:Take a hammer to it... (2, Interesting)

maztuhblastah (745586) | more than 6 years ago | (#24509023)

Unfortunately, microwaving it is likely to cause combustion, either of the chip itself and/or of the material around it.
I'm sure /. can come up with some other ideas for disabling these little bastards. As a privacy geek stuck in an increasingly totalitarian country, I'd love to hear 'em....

Oddly enough.... (-1, Flamebait)

Anonymous Coward | more than 6 years ago | (#24508345)

"'A computer researcher cloned the chips on two British passports and implanted digital images of Osama bin Laden and a suicide bomber. The altered chips were then passed as genuine by passport reader software used by the UN agency that sets standards for e-passports.'" ....the fake passport with a picture of George W Bush was rejected as a known terrorist.

Yesterday's News Today! (-1, Redundant)

FreeUser (11483) | more than 6 years ago | (#24508357)

This was all over the BBC News yesterday. What took so long?

Re:Yesterday's News Today! (5, Funny)

gEvil (beta) (945888) | more than 6 years ago | (#24508433)

This was all over the BBC News yesterday. What took so long?

Hey now! This is Slashdot. Taco and Neal and the gang were busy confirming every aspect of the story before they posted it to the front page.

Re:Yesterday's News Today! (5, Funny)

lilomar (1072448) | more than 6 years ago | (#24508497)

Don't forget the painstaking grammar and spelling checking.

Plus they had to go through all the archives to make sure it wasn't a dupe.

Re:Yesterday's News Today! (3, Funny)

underworld (135618) | more than 6 years ago | (#24508775)

If only someone would invent a device capable of automating those tasks.

Authentication requires ... um... authentication (5, Funny)

gavron (1300111) | more than 6 years ago | (#24508359)

If the passport authorities of the world want to authenticate a passport they *MUST* check its signature to ensure it is valid.

Their outright failure to do so for at least a year for the UK and perhaps many more for other countries means that the digital information is less valid than the information imprinted on the card. Less valid because it's far easier to change, and shows no signs of alteration.

In other words, countries that don't authenticate, and rely on the digital information alone are *MORE* insecure and open to falsification than those who do authenticate.

Security: Not a tradeoff of civil liberties, but an intelligent application of a variety of techniques.

Authentication: When available USE IT, don't just put it off and trust easily-modifiable data. When in doubt look at the printed picture and the text. *THAT* is harder to change without showing signs of alteration.

Encryption: I guess if they can't get the key database working for simple authentication (or even a #$&*(#$ hash) they're not going to figure out the encryption stuff either.

Hi Bruce.

Ehud
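
Added example, not part of any comment in this thread and not code from any passport reader: a toy model of the point made in the comment above and in Wanderer2's earlier comment on the Public Key Directory. A reader that only checks the signature against the key the chip itself presents accepts a re-signed chip, while a reader holding the issuer's published keys rejects it. The RSA is textbook RSA over small known primes, and the chip layout, the country code `UTO` and the status strings are constructed assumptions, not the real on-chip format.

```python
# Added illustration. Toy textbook RSA over known Mersenne primes:
# constructed keys, NOT secure, and not the real e-passport data format.
# Only the trust decision made by the reader is the point.
import hashlib
from dataclasses import dataclass, replace

E = 65537  # public exponent shared by both toy keys


def make_key(p, q):
    """Return (modulus, private exponent) for toy RSA."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))


def _digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(data, n, d):
    return pow(_digest(data, n), d, n)


def signature_valid(data, sig, n):
    return pow(sig, E, n) == _digest(data, n)


@dataclass(frozen=True)
class Chip:
    issuer: str      # issuing state (constructed code)
    holder: str
    photo: bytes
    signer_n: int    # public key carried on the chip next to the data
    signature: int

    def signed_bytes(self):
        return b"|".join([self.issuer.encode(), self.holder.encode(), self.photo])


def issue(issuer, holder, photo, n, d):
    unsigned = Chip(issuer, holder, photo, n, 0)
    return replace(unsigned, signature=sign(unsigned.signed_bytes(), n, d))


def reader_without_key_list(chip):
    """Only asks: does the signature match the key the chip presents?"""
    return signature_valid(chip.signed_bytes(), chip.signature, chip.signer_n)


def reader_with_key_list(chip, trusted):
    """trusted maps issuer -> set of signing keys published by that issuer."""
    keys = trusted.get(chip.issuer)
    if not keys:
        # No published keys: the chip data is unverified, not "genuine".
        return "UNVERIFIED_NO_ISSUER_KEYS"
    if chip.signer_n not in keys:
        return "REJECT_UNKNOWN_SIGNER"
    if not signature_valid(chip.signed_bytes(), chip.signature, chip.signer_n):
        return "REJECT_BAD_SIGNATURE"
    return "OK"


# Constructed sample data.
ISSUER_N, ISSUER_D = make_key(2**89 - 1, 2**107 - 1)   # issuing state's key
OTHER_N, OTHER_D = make_key(2**61 - 1, 2**127 - 1)     # any key not published by it

GENUINE = issue("UTO", "SPECIMEN, ANNA", b"<constructed photo A>", ISSUER_N, ISSUER_D)
# Photo replaced and the whole record signed again with a different key.
RESIGNED = issue("UTO", "SPECIMEN, ANNA", b"<constructed photo B>", OTHER_N, OTHER_D)
# Photo replaced but the original signature left in place.
STALE = replace(GENUINE, photo=b"<constructed photo B>")


def run_checks():
    chips = {"genuine": GENUINE, "resigned": RESIGNED, "stale_signature": STALE}
    trusted = {"UTO": {ISSUER_N}}
    return {
        "no_key_list": {k: reader_without_key_list(c) for k, c in chips.items()},
        "with_key_list": {k: reader_with_key_list(c, trusted) for k, c in chips.items()},
        # An issuer that has not shared its keys cannot be verified at all.
        "issuer_not_in_list": reader_with_key_list(GENUINE, {}),
    }


if __name__ == "__main__":
    for name, result in run_checks().items():
        print(name, result)
```

The `UNVERIFIED_NO_ISSUER_KEYS` branch is the case the thread describes for most countries: the reader has to fall back to the printed page rather than treat the chip data as checked.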

Re:Authentication requires ... um... authenticatio (0)

Anonymous Coward | more than 6 years ago | (#24508657)

... (or even a #$&*(#$ hash) they're not going to figure out the encryption stuff either.

Hi Bruce.

Ehud


What is going on here? what hash? "Hi Bruce"?

Re:Authentication requires ... um... authenticatio (0)

Anonymous Coward | more than 6 years ago | (#24508885)

"In other words, countries that don't authenticate, and rely on the digital information alone are *MORE* insecure and open to falsification than those who do authenticate. "

Maybe, but are you going to gamble on the country not to have the certificates set up? Because if your signature fails, it is *certain* that your digital data has been altered. And in that case you can expect security personnel to take some real interest in you.

wait just a minute... (1)

iveygman (1303733) | more than 6 years ago | (#24508383)

I distinctly remember RFID passports not all that different from these (at least in principle of being "hack-proof" and "secure") getting broken maybe a year or two ago. The exact date escapes me at the moment. I'm fairly certain it was something being done in the EU. Feel free to correct me on any of this. That aside, just what did you expect? There is no white knight or magic pill to the problem of airport or travel security. That includes magical passports that somehow make it completely impossible for people to forge identity or fool the system.

You Can't Say They Don't Have a Sense of Humour (3, Insightful)

segedunum (883035) | more than 6 years ago | (#24508415)

Come up with a lame technical 'solution' to identity theft to help stop the completely over-hyped global terrorism threat, and then make the whole thing even easier by allowing easy cloning of existing passports. Be in several places at the same time! All you need is one loophole and it propagates.

Additionally, I see no improvements to the initial checking of who is eligible for a passport to try and sort out the Day of the Jackal fraud:

http://en.wikipedia.org/wiki/The_Day_of_the_Jackal [wikipedia.org]

Using some form of biometric system that seems to be implicitly trusted is even more dangerous, since if you can get your bogus identity trusted then people aren't ever going to question it.

Re:You Can't Say They Don't Have a Sense of Humour (1)

Red Flayer (890720) | more than 6 years ago | (#24508659)

Using some form of biometric system that seems to be implicitly trusted is even more dangerous, since if you can get your bogus identity trusted then people aren't ever going to question it.

It's like gaining root access.

But really, do we really want infallible digitalized security? Seriously, hear me out.

There are undesirables that we want to catch if they try to cross a border. Fine.

There is also an enhanced ability to deny people travel for less-than-good reasons. I don't like the possibility that a few remote keystrokes can render someone incapable of travel. There's far too much room for abuse, and far too little citizen oversight of the process. Most Americans just don't care, since they don't travel internationally. But even without the slippery slope analogy, we have a serious problem that you mentioned.

When border agents trust their automated clearance system, it becomes *easier* to game the system, because there is little emphasis placed on human validation. We all know that any security system can be broached with enough resources, via brute force, exploit of security hole(s), or social engineering. Is our security really enhanced when the fail rate is low enough that people inherently trust the system? Or would we be better off with a system that is known to be insecure, so that operators take proper measures to prevent abuse?

Since day one! (0)

Anonymous Coward | more than 6 years ago | (#24508421)

We have said since day one, if you're that determined to cause untold misery for millions, you will find a way to do it, no matter what. Silly bits of "paper" won't stop you!

Technology cannot overcome human ingenuity (4, Insightful)

erroneus (253617) | more than 6 years ago | (#24508437)

...at least not human technology.

Without exception, everything we try to lock up with a key can be unlocked by someone else. I'd like to hear it from anyone else that they recognize the fact that locks only keep honest people out and then perhaps we can move on to the bigger issue of why they are trying so hard to control honest people.

Watch what you're doing (5, Funny)

ivothamdrup (991171) | more than 6 years ago | (#24508441)

The tests were conducted by Jeroen van Beek, a security researcher at the University of Amsterdam

... and now a no-fly list nominee for engaging in terrorist activities.

everything made by man fails (-1, Offtopic)

Anonymous Coward | more than 6 years ago | (#24508443)

you call this 'weather'? fear is unprecedented evile's primary weapon. that, along with deception & coercion, helps most of us remain (unwittingly?) dependent on its' greed/fear/ego based hired goons' agenda. Most of yOUR dwindling resources are being squandered on the 'war', & continuation of the billionerrors stock markup FraUD/pyramid scheme. nobody ever mentions the real long term costs of those debacles in both life & the notion of prosperity, not to mention the abuse of the consciences of those of us who still have one. see you on the other side of it. the lights are coming up all over now. conspiracy theorists are being vindicated. some might choose a tin umbrella to go with their hats. the fairytail is winding down now. let your conscience be yOUR guide. you can be more helpful than you might have imagined. there are still some choices. if they do not suit you, consider the likely results of continuing to follow the corepirate nazi hypenosys story LIEn, whereas anything of relevance is replaced almost instantly with pr ?firm? scriptdead mindphuking propaganda or 'celebrity' trivia 'foam'. meanwhile; don't forget to get a little more oxygen on yOUR brain, & look up in the sky from time to time, starting early in the day. there's lots going on up there.

http://news.google.com/?ncl=1216734813&hl=en&topic=n
http://www.nytimes.com/2007/12/31/opinion/31mon1.html?em&ex=1199336400&en=c4b5414371631707&ei=5087%0A
http://www.nytimes.com/2008/05/29/world/29amnesty.html?hp
http://www.cnn.com/2008/US/06/02/nasa.global.warming.ap/index.html
http://www.cnn.com/2008/US/weather/06/05/severe.weather.ap/index.html
http://www.cnn.com/2008/US/weather/06/02/honore.preparedness/index.html
http://www.nytimes.com/2008/06/01/opinion/01dowd.html?em&ex=1212638400&en=744b7cebc86723e5&ei=5087%0A
http://www.cnn.com/2008/POLITICS/06/05/senate.iraq/index.html
http://www.nytimes.com/2008/06/17/washington/17contractor.html?hp
http://www.nytimes.com/2008/07/03/world/middleeast/03kurdistan.html?_r=1&hp&oref=slogin
http://biz.yahoo.com/ap/080708/cheney_climate.html
http://news.yahoo.com/s/politico/20080805/pl_politico/12308;_ylt=A0wNcxTPdJhILAYAVQms0NUE

is it time to get real yet? A LOT of energy is being squandered in attempts to keep US in the dark. in the end (give or take a few 1000 years), the creators will prevail (world without end, etc...), as it has always been. the process of gaining yOUR release from the current hostage situation may not be what you might think it is. butt of course, most of US don't know, or care what a precarious/fatal situation we're in. for example; the insidious attempts by the felonious corepirate nazi execrable to block the suns' light, interfering with a requirement (sunlight) for us to stay healthy/alive. it's likely not good for yOUR health/memories 'else they'd be bragging about it? we're intending for the whoreabully deceptive (they'll do ANYTHING for a bit more monIE/power) felons to give up/fail even further, in attempting to control the 'weather', as well as a # of other things/events.

http://www.google.com/search?hl=en&q=weather+manipulation&btnG=Search
http://video.google.com/videosearch?hl=en&q=video+cloud+spraying

dictator style micro management has never worked (for very long). it's an illness. tie that with life0cidal aggression & softwar gangster style bullying, & what do we have? a greed/fear/ego based recipe for disaster. meanwhile, you can help to stop the bleeding (loss of life & limb);

http://www.cnn.com/2007/POLITICS/12/28/vermont.banning.bush.ap/index.html

the bleeding must be stopped before any healing can begin. jailing a couple of corepirate nazi hired goons would send a clear message to the rest of the world from US. any truthful look at the 'scorecard' would reveal that we are a society in decline/deep doo-doo, despite all of the scriptdead pr ?firm? generated drum beating & flag waving propaganda that we are constantly bombarded with. is it time to get real yet? please consider carefully ALL of yOUR other 'options'. the creators will prevail. as it has always been.

corepirate nazi execrable costs outweigh benefits
(Score:-)mynuts won, the king is a fink)
by ourselves on everyday 24/7

as there are no benefits, just more&more death/debt & disruption. fortunately there's an 'army' of light bringers, coming yOUR way. the little ones/innocents must/will be protected. after the big flash, ALL of yOUR imaginary 'borders' may blur a bit? for each of the creators' innocents harmed in any way, there is a debt that must/will be repaid by you/us, as the perpetrators/minions of unprecedented evile, will not be available. 'vote' with (what's left in) yOUR wallet, & by your behaviors. help bring an end to unprecedented evile's manifestation through yOUR owned felonious corepirate nazi glowbull warmongering execrable. some of US should consider ourselves somewhat fortunate to be among those scheduled to survive after the big flash/implementation of the creators' wwwildly popular planet/population rescue initiative/mandate. it's right in the manual, 'world without end', etc.... as we all ?know?, change is inevitable, & denying/ignoring gravity, logic, morality, etc..., is only possible, on a temporary basis. concern about the course of events that will occur should the life0cidal execrable fail to be intervened upon is in order. 'do not be dismayed' (also from the manual). however, it's ok/recommended, to not attempt to live under/accept, fauxking nazi felon greed/fear/ego based pr ?firm? scriptdead mindphuking hypenosys.

consult with/trust in yOUR creators. providing more than enough of everything for everyone (without any distracting/spiritdead personal gain motives), whilst badtolling unprecedented evile, using an unlimited supply of newclear power, since/until forever. see you there?

"If my people, which are called by my name, shall humble themselves, and pray, and seek my face, and turn from their wicked ways; then will I hear from heaven, and will forgive their sin, and will heal their land."

meanwhile, the life0cidal philistines continue on their path of death, debt, & disruption for most of US. gov. bush denies health care for the little ones;

http://www.cnn.com/2007/POLITICS/10/03/bush.veto/index.html

whilst demanding/extorting billions to paint more targets on the bigger kids;

http://www.cnn.com/2007/POLITICS/12/12/bush.war.funding/index.html

& pretending that it isn't happening here;

http://www.timesonline.co.uk/tol/news/world/us_and_americas/article3086937.ece
all is not lost/forgotten/forgiven

(yOUR elected) president al gore (deciding not to wait for the much anticipated 'lonesome al answers yOUR questions' interview here on /.) continues to attempt to shed some light on yOUR foibles. talk about reverse polarity;

http://www.timesonline.co.uk/tol/news/environment/article3046116.ece

Red Herring... (4, Funny)

g0dsp33d (849253) | more than 6 years ago | (#24508475)

Who needs passports to get into a country anyway?

Re:Red Herring... (4, Funny)

urcreepyneighbor (1171755) | more than 6 years ago | (#24508583)

Who needs passports to get into a country anyway?

Jose? Is that you?

Less than adequate summary. (4, Interesting)

FlyingBishop (1293238) | more than 6 years ago | (#24508477)

The article says that the problem is that the public keys to the chips aren't being used. Every country maintains their own database of public keys used to identify the passwords. The databases aren't all properly set up to synchronize, so the system must accept all chips from countries that have not synchronized, basically rendering the encryption moot if you know which countries haven't authenticated properly. So the chip itself hasn't been cracked, it's more a question of the international passport encryption network being worthless. Even if everyone was synchronizing properly, such a system sounds highly vulnerable to a cache poisoning attack of some sort.

Security is not a product (4, Insightful)

DragonHawk (21256) | more than 6 years ago | (#24508877)

So the chip itself hasn't been cracked, it's more a question of the international passport encryption network being worthless.

Technically accurate. But. The chip by itself is worthless. It's only worth something if it counters some kind of threat. This is why security isn't about products or techniques, it's about working systems. If the "chipped passports" don't have a working PKI, then there's really no point to the chips. They go together.

ObQuote: "Security is a process, not a product." -- Bruce Schneier

But does it run Linux? (0)

Anonymous Coward | more than 6 years ago | (#24508515)

But does it run Linux?

Re:But does it run Linux? (0)

Anonymous Coward | more than 6 years ago | (#24508701)

Yes, the software did run the check on Linux. But, the savvy customs agent quickly spotted the clone passport, and let Darl McBride through anyway.

If one man can do it... (0)

bogaboga (793279) | more than 6 years ago | (#24508545)

This to me, confirms one thing...

If one man can do something, then there is at least one other one who can do it as well.

I offer this as a solution:

Implant the user's thumb print on the passport and have the computer software used at airports verify identity by referencing a central database. What can be better than this?

Re:If one man can do it... (5, Insightful)

Lumpy (12016) | more than 6 years ago | (#24508591)

Sounds great. You're in charge to get all the countries in the world to agree to this.

How about an easier task, convince all countries to agree that one server somewhere is where all their trust of their passports is placed.

Really simple. You should have that done by the end of this week, right?

It can be done (1)

bogaboga (793279) | more than 6 years ago | (#24508621)

Here's how:

Simply match a document to thumb print if you are interested in having relations with my country, the USA.

Just a few years ago, the same USA demanded that ALL passports to be used while entering the USA had to be machine readable and it is the case now.

Re:It can be done (2, Insightful)

caluml (551744) | more than 6 years ago | (#24508981)

Just a few years ago, the same USA demanded that ALL passports to be used while entering the USA had to be machine readable and it is the case now.

And from the people I speak to, lots of people aren't visiting the US due to all the information that the US requires, and the way they're treated at Immigration. Read some of the comments in this [guardian.co.uk] , and this [guardian.co.uk] , or this [timesonline.co.uk] .
Yep, I can guess your response: Well don't come here then, we don't want you anyway.

Re:If one man can do it... (1)

teh Wang (777509) | more than 6 years ago | (#24508625)

"I offer this as a solution:

Implant the user's thumb print on the passport and have the computer software used at airports verify identity by referencing a central database. What can be better than this?"

How about getting old fashioned about it - implant the user's thumb in the passport and verify it matches the scar...

Re:If one man can do it... (2, Insightful)

MrMickS (568778) | more than 6 years ago | (#24508655)

Of every passport holder in the world at all airports and processing it in real-time? At present I can get a same day passport by visiting the passport office and then use that passport to leave the country on that day. That's some pretty high powered, resilient, system that you've got to do that. Not to mention that it's got to be run by governments that all have to trust each other with the information, not to mention privacy issues.

Anyone thinking that this system has a chance of faultless working once you go from design to implementation is a little naive. The theory is simple. In practice it's just not going to work.

If you still believe this is possible I've something else that might interest you. I've a formula for turning base metals into gold. If you could just help fund me industrialising it you'll make a tidy profit.

Ha Ha Ha (1)

tecknoh (1138163) | more than 6 years ago | (#24508577)

Ha Ha Ha Ha. Sorry, after the read, I am now suffering from uncontrollable laughter.

"Can't find ass with both hands" comes to mind... (1)

EWAdams (953502) | more than 6 years ago | (#24508637)

Why is it that one after another after another after another of these government-sponsored security systems keep failing? I just don't get it. We give them infinite amounts of money to spend protecting us from something FAR less dangerous than ourselves (compare # of US gun crime victims to # of US terrorist victims sometime), and they consistently do a half-assed job.

In about 1960, we decided to go to the moon. In 1969, we were there. Done and dusted -- and a government program, at that. Has America just lost its technical know-how, or what?

Re:"Can't find ass with both hands" comes to mind. (1)

darjen (879890) | more than 6 years ago | (#24508669)

No matter what they seem to claim, the state cannot protect us. One of the main justifications of the state's existence, security, falls flat on its face every time. When it comes right down to it, bureaucrats are very poor at what they are supposed to be doing.

Re:"Can't find ass with both hands" comes to mind. (1, Informative)

Anonymous Coward | more than 6 years ago | (#24508837)

One big problem with America today is that it's too US-centric. As an example, TFA is about the UK, but you just assumed it was about the US...

Safety Measures that Make Us Less Safe - News at 6 (1)

johndmartiniii (1213700) | more than 6 years ago | (#24508861)

This really does make you wonder how we sent human beings to the moon without involving either fiery or airless death. I know that it is not a matter of technology as much as it is political pretense, but good lord, if we are going to use technology in our polite public fiction then wouldn't it be nice if it were well implemented and deployed?

Currently, passports are still difficult to copy and someone looks at the passport to confirm that it is real. What do you think will happen when a TSA monkey can just slide the passport under a reader? They are not going to look at anything! They will just do whatever the screen tells them to do, which, I suppose, is the way that our current overlords want it. They get to pull the strings, all the way to the ground-level.

In other words, once again, in our attempts to appear as though we have everything under control, we have added a layer of complexity and simultaneously a layer of vulnerability which can and will be exploited by those who have the appropriate incentives.

It's win-win really: Terror: 1, Fear-mongering: 1.

Another reason (1)

return 42 (459012) | more than 6 years ago | (#24508643)

I think we're overlooking a very important reason for this sort of screwup. Yes, they're incompetent. And yes, it's theater. But consider this: if security measures are ineffective, sooner or later there'll be another successful attack. And what happens then?

Misleading info? (5, Informative)

Daemonic (575884) | more than 6 years ago | (#24508665)

The article contains the line:

Many of the 9/11 bombers had travelled on fake passports.

Now I could be wrong, but I thought all the 9/11 bombers were legally allowed to be where they were, and were using valid documents?

I think what might have been the case is that they HAD used fake passports in the past. The way this phrases it though suggests that a better implementation might have helped avoid 9/11, which is news to me.

ICAO Document describing features (1, Informative)

Anonymous Coward | more than 6 years ago | (#24508791)

I wrote a better document on this, but then I hit the [back] button on my browser:

BAC (Basic Access Control): not required but everybody uses it. Prevents skimming and eavesdropping. If the document number/expiry date and birthday can be easily guessed the protection is pretty weak, especially for eavesdropping (offline brute force attack). No identifying data is released by well designed ePassports before BAC.

PA (Passive Authentication): required. Prevents alteration of the info in the data groups. Works on X.509 compatible PKI (CMS/X.509 certificates). Fully uncrackable, but won't work if you don't have a trust store with the country signing certificates. You can get those by the PKD (Public Key Directory) but also by bilateral means, or even just by download from the internet.

AA (Active Authentication): not required, hardly implemented. Prevents complete cloning of the chip. Uses a private key stored in protected memory in the chip. Relies on PA, otherwise you cannot trust the public key stored in the ePassport to do the verification. Basically this is a challenge/response protocol. Also fully uncrackable at this time as long as the chip security holds.

Here are the standards, all public information:

http://www.mrtd.icao.int/images/stories/Doc/ePassports/PKI_for_Machine_Readable_Travel_Documents_offering_ICC_read-only_access_v1.1.pdf [icao.int]
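Editor's added example, not part of the comment above and not ICAO or vendor code: a reader policy showing how Passive Authentication (PA), Active Authentication (AA) and a missing country key interact, as described in this comment and in the trust-store discussion earlier in the thread. Assumptions: toy textbook RSA stands in for the real CMS/X.509 signatures, the "UTO" country code, keys, data groups and every function name are constructed for illustration.

```python
import hashlib
import secrets

# Toy textbook RSA (no padding) so this runs on the standard library alone.
# It is a stand-in for CMS/X.509 signatures and is not safe for real use.
E = 65537

def make_key(p, q):
    return {"n": p * q, "d": pow(E, -1, (p - 1) * (q - 1))}

def digest_int(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(key, data):
    return pow(digest_int(data, key["n"]), key["d"], key["n"])

def sig_ok(n, data, sig):
    return pow(sig, E, n) == digest_int(data, n)

def signed_bytes(dgs, aa_pub):
    return b"|".join(dgs) + b"|" + str(aa_pub).encode()

def issue_chip(country, country_key, chip_key, dgs):
    # The country signs the data groups and the chip's AA public key.
    sod = sign(country_key, signed_bytes(dgs, chip_key["n"]))
    return {"country": country, "dgs": dgs, "aa_pub": chip_key["n"],
            "sod": sod, "aa_priv": chip_key}  # aa_priv: protected memory

def passive_auth(chip, trust_store):
    n = trust_store.get(chip["country"])
    if n is None:
        return "UNVERIFIABLE"  # no country signing key: nothing was checked
    ok = sig_ok(n, signed_bytes(chip["dgs"], chip["aa_pub"]), chip["sod"])
    return "VALID" if ok else "TAMPERED"

def active_auth(chip):
    # Challenge/response against the public key that PA vouched for.
    challenge = secrets.token_bytes(8)
    key = chip["aa_priv"]
    response = sign(key, challenge) if key else 0
    return sig_ok(chip["aa_pub"], challenge, response)

def inspect(chip, trust_store, fail_open=False):
    pa = passive_auth(chip, trust_store)
    if pa == "UNVERIFIABLE":
        return "ACCEPT" if fail_open else "MANUAL_CHECK"
    if pa == "TAMPERED":
        return "REJECT"
    return "ACCEPT" if active_auth(chip) else "REJECT"

# Constructed sample data (small Mersenne primes, illustration only).
COUNTRY_KEY = make_key(2**61 - 1, 2**89 - 1)
CHIP_KEY = make_key(2**107 - 1, 2**127 - 1)
TRUST = {"UTO": COUNTRY_KEY["n"]}
GENUINE = issue_chip("UTO", COUNTRY_KEY, CHIP_KEY, [b"DG1:mrz", b"DG2:photo-A"])
ALTERED = {**GENUINE, "dgs": [b"DG1:mrz", b"DG2:photo-B"]}  # swapped image
CLONE = {**GENUINE, "aa_priv": None}  # bit-for-bit copy, no private key
```

With the country key present, the altered chip is rejected by PA and the verbatim clone passes PA but fails AA; with an empty trust store the altered chip is only accepted when the reader is configured to fail open.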

Paranoia (0)

Anonymous Coward | more than 6 years ago | (#24508937)

The simple fact that the government so strongly desires to completely and accurately establish your identity should be cause enough to make you hesitant to allow it.

Information from the researcher himself (0)

Anonymous Coward | more than 6 years ago | (#24508975)

Information from the researcher who investigated the passport can be found at

http://www.os3.nl/
