2008.08.20
Many of you may be aware that this week the government in their ‘infinite wisdom’ have decided to trial a facial recognition system at Manchester & Stansted airports. Let’s have a little look and see why this is a pointless endeavour to “add another layer of security and not replace existing systems”.
A test on this scale is normally to work out any final bugs and produce a final system that will then be rolled out across the rest of a network. There will be a few problems with this for our beloved UK gov.
To start with, facial recognition technology has NEVER been accurate, throwing up false-negatives and false-positives, so this appears to be as much a test of the technology as it is of the security system and as far as I can tell it is based on existing technology. Concerns by the Biometrics Assurance Group (pdf) show that there is still work to do on both the facial recognition standards and the format in which facial images are stored.
This means the government is committing to a system upon which there are NO standards to adhere to, basically making this a very risky operation. Considering the biometric chip in passports may be incompatible with other systems, or at the very least when a standard is agreed UK residents with the chipped passports may end up having to get yet another passport. Normally standards are agreed before any large-scale testing goes ahead so this seems rather foolhardy.
Now let’s consider people who have gone before. There have been many tested applications of facial recognition and nearly all have been scrapped after only a few years in service as they proved impractical and inaccurate.
“Boston’s Logan Airport also ran two separate tests of facial recognition systems at its security checkpoints using volunteers. Over a three month period, the results were disappointing. According to the Electronic Privacy Information Center, the system only had a 61.4 percent accuracy rate, leading airport officials to pursue other security options.”
If this is supposed to be another layer of security, to augment the already ludicrous systems that are in place, then passengers will see no benefit at all. Did I mention that the whole process will be overlooked by security staff who can step in at any time and take you to a real person to match your picture?
If all goes well and the system works then it will be truly remarkable and may indeed speed up entry through immigration. However, I feel that given the problems many people have with technology the so-called speed may be just an illusion, a target, similar to the fiasco at Heathrow Terminal 5. Not to mention the fact the system may fall flat on its face irrespective of whether people can use it. I predict an amalgamation of both which will troublingly create some of the longest queues, the opposite of the desired effect.
2008.08.13
I have just returned from a very nice two week holiday in the Bahamas with my parents and sister but if you think I am going to write about how the holiday was as my first post then you are sorely mistaken. That will come later.
The first post is about how thoroughly targeted I felt on the journey, how my privacy was invaded at every opportunity and how nobody seemed to want to listen to reason - nobody with any authority anyway.
To get to the Bahamas you have a few choices to make as there is not yet a direct flight to the island of Exuma where we stayed. Do you go to Nassau then on to Exuma or do you go through Miami then on to Exuma? The only difference is that going through Miami is much cheaper but I advise caution if you are a white, British family of four.
The first leg of the journey started at Heathrow which was fairly quick I suppose but for some reason there were four or five people telling us on the way to the security checkpoint that we were not allowed liquids over 100ml, fair enough but after the third person reels off a list of things that could be over 100ml (how stupid am I?) it got quite tedious. By number five I was already making jokes about their job descriptions and CVs. Passport control and signing up for IRIS recognition (more about that in another post) was fast and relatively stress free.
Once in Miami International however, things took a dramatic turn for the worse. The queue to get into the country was long… the queue to even get into that queue stretched right back to an escalator making for some difficult negotiation of luggage and bodies to avoid being dragged back down on the underside. After an hour or so we finally got to immigration where we were interrogated (Are you a terrorist? Are you involved in espionage? Real head scratchers…) and were forced to give our fingerprints. You either do it or you don’t come in… I asked.
Now we get to the crux of my complaint. Getting out of America is fantastically difficult and I must say absolutely retarded. To start you have to swipe your passport to get your tickets printed, fine, but if it doesn’t scan and you enter it manually then you have to seek out an attendant type person to ‘approve’ you. Even the one standing right next to us needed plenty of encouragement to even come near us. Then when you have your ticket you have to go to ‘baggage drop’. I must point out this is the same in the UK with Virgin and some other airlines. So we now have to join another queue to drop our bags off, which we do and show our tickets and passports and are asked again if we are terrorists etc. Then for some reason we have to take our bags away, yes that is right, we queued to drop our bags off only to be told we have to take them back after they’re weighed. This caused no end of confusion and delays for everyone as you have to negotiate the queue back the way you came… to drop your bags at a ‘special’ TSA screening booth.
TSA is the unit that is responsible for the searching of people and bags for things that might be a hazard, like hand cream, and do so with an obvious lust for power. After being motioned to another queue after dropping our bags off at the bag drop, bag drop… we were then told we had ‘randomly’ been selected for secondary screening or SSSS as it was printed on our tickets. The guy who told us about this was very shocked to see us in this queue as we were a family of four white, British, middle-class holiday goers. After being stuck in this queue for half an hour we saw where it went… a ‘special’ area for ‘specially selected’ people of interest. Oh and to show how random it was, there were no Americans in this queue, no Muslims, no Arabs, no Turbans or Burkhas of any kind. Now I’m not suggesting that these people are going to be dangerous but given the way America views the world, I was very surprised. The people in this section were not organised and didn’t care. My family was split up, sent around in circles, asked to point out our luggage that we couldn’t see, and treated pretty poorly. Just like everyone else in this large supposedly random queue. We went through an explosive residue detector, a metal detector and had our shoes and bags scanned… My dad and my sister were put in a special glass ‘pen’ with a locked door and then asked to point to their bags, then searched one by one, frisked, wanded and made to walk through another series of metal detectors. After which they then had to find their shoes and bags (which contained the valuables they had to remove) in a sea of everyone else’s. My dad made a very good point that this area would be an ideal target for a suicide bomber as there was so much confusion and so many people it would be easy and result in serious casualties.
My mum was wearing a bracelet that went off in every metal detector and every time she was asked to take it off and every time she replied with “I can’t because the clasp screws on” and every time she was met with a puzzled look and asked to take all her other jewellery off (which doesn’t make the machine bleep) and put it in her bag. Then her bag was thrown into the sea of other bags and all she could do was hope that no one saw her put all her gold in it. Then she was searched but of course it had to be by a woman so for the next ten minutes all you could hear was “female assist” which went without reply.
It was at this point I read the signs saying “verbal or physical threats or abuse of TSA staff is a breach of federal law” or words to that effect. It was all I could do to restrain myself from screaming at them “do you actually have any common sense you complete retard!”. So the signs in fact fuelled this sensation.
After all of that was over one guy said “thanks for your patience” and I actually laughed at him saying “it’s not like I had a choice”… he wasn’t happy, I’m surprised he didn’t take me into a back room and perform another kind of search… cough cough.
Then our plane was delayed, delayed again, delayed again then cancelled. Then it took an hour to speak to someone who actually cared and sent us to Fort Lauderdale to get another flight leaving fairly soon.
When we got there and got our tickets you can guess what they said… ‘SSSS’ so we went through the whole process again, albeit much faster as it was a smaller airport, it was the same story with my mum and her bracelet. My comments about organisation and such were not appreciated by the guy searching my bag and pulling out the bottle of water I’d bought after the screening in Miami, not having enough time to think about it before rushing across the city to another airport. When he finished he said something about the key to organisation being communication… it made little sense and had little relevance to the situation at hand but he had thought about it for several minutes so he must have felt I needed to hear it. He also wouldn’t let my dad try and find his passport until he had finished looking through his bag.
When we actually went to board the plane, there was another TSA desk that was picking people out of the line and guess what, my sister (the evil and sinister looking girl that she is) was ‘selected’ and given another rigorous search.
Is the UK not worried about terrorism as much as the US? Are we less of a target? Or is it simply that we seem to be much more pragmatic about the whole process? All I know is that I hope I never go to Miami International in a hurry, or maybe I should wear a turban if I do?
In no way do I want this to be misconstrued as belittlement of terrorism or the efforts of people trying to prevent it… but this experience felt like targeted victimisation. Maybe it was articles like that that got us in the special selection in the first place. I think my name has just moved up a few places in the rankings.
Next time, my fun with IRIS recognition.
2008.05.29
Is internet privacy giving way to internet security?
There is an inherent paradox with security and privacy issues surrounding the internet. They seem to be unable to work in harmony even though their definitions are exclusive of each other. Could this be due to pressures from the music and film industries with regard to file? A look into other areas where privacy and security issues have been addressed, possibly in the area of terrorism, something of which file sharers have been accused.
A large part of this and in fact what has brought this to light is file sharing and the problems & controversy that it is causing. ISPs are being forced to take responsibility for what their customers are downloading which means they are forced to void their subscribers’ privacy through ‘deep packet inspection’ which has issues within itself. To try and combat this, the ‘three strike rule’ was proposed which was narrowly defeated. Neither the government nor the music / film industries know how to combat illegal file sharers or ‘unauthorised distribution of copyrighted material’ so they are trying to see what EVERYONE is downloading in order to catch those few with nefarious purposes.
Historically there has been a problem with security and privacy, none more so than during times of war. The privacy of other nations was being invaded but it was needed to ensure the security of the home nation. Is this the reason people when we examine privacy vs security within the borders of a nation? Is the problem now an international one and should it be dealt with on an international scale with all countries signing a document? There is a possible reference to the enigma machine, message encryption and code breaking. Has anything really changed since then and is it just the technology that has advanced on both sides of the current ‘cyber war’?
Why is illegal or copyright file-sharing so prolific? Is the government to blame or is it the greed of the industries which are being infringed?
Sony BMG has released their entire music collection for free, with a 10 second advert at the start of each song. It is free to download and listen to but costs to transfer to an mp3 player, for which one would hope they would have removed the advert. This is a sign that things are changing and industries are realising they cannot simply BAN everyone who they suspect is illegally getting their content. Instead they are seeing that there are other financial models that give users and themselves what they want, without pressuring governments and regulatory bodies into taking foolhardy ‘seen to be taking action’ actions.
The aim is to find out why we need security and why we want privacy. The key difference is in the need vs want. Security is paramount as without it we are vulnerable yet we want privacy which seems to be infringed upon by security. Can we ever find a way that we are being protected and anonymous?
People to Contact
Torrent Users – as part of the Bit Torrent community I am able to easily contact people about how they use the service. Some of the largest copyright infringement lawsuits are aimed at the users directly or at the people who provide ‘trackers’.
Torrent Trackers – such as Torrent Leech and The Pirate Bay, the latter of which is a more prominent name and is currently undergoing a legal battle in Sweden which started when the Swedish police confiscated 180 servers. The site remains operational.
Phorm - internet advertising agency that have been in the media recently about violating internet privacy laws even though they tried to make their targeted ad system anonymous. Their video indicated that it was anonymous so I would be interested as to what they have violated.
ISPs - internet service providers such as BT, Virgin, Tiscali, Pipex etc. would be a great source of information with regard to the pressures they faced recently with the government’s proposed ‘three strike ban’. Luckily this was voted out, but only narrowly.
Government - contacting any area of the government that deals with this area would be very beneficial as the argument needs to have an official line in order to get both sides and ensure a balance and having a direct quote from a government official would be a fantastic example.
Sony BMG - it would be interesting to find out how long they have been thinking about their move to freely distribute their content. They are in partnership with one site which would also be worth contacting to find out how they managed to get a huge distributor to do what no one said could be done.
2008.05.13
Today I discovered a previously unknown password facility within Firefox 2 that is simply brilliant.
While discussing password security and allowing Firefox to save username and password combinations so you don’t have to with a colleague the other day I became aware that if my laptop got stolen… there was a hell of a lot of stuff people could access as Firefox held the login details.
I was about to delete all passwords from the system to ensure security when I chanced upon the ‘Master Password’ button in the ‘Security’ tab in the options menu. Once set I assumed it would just protect the passwords stored which, while a step in the right direction, would still allow people to click my bookmarks and bypass the login screens as Firefox retained the login details.
I was wrong, it is in fact very clever. When a master password is set Firefox does indeed protect the saved passwords from being shown in the options menu but it also provides a pop-up box requiring the master password when you click on a site that has saved login details. So for example if I click on Facebook with the master password enabled, Firefox asks me for the master password before loading the page. Once entered Firefox then pre-fills the login details for me to click ‘login’. If I get the master password wrong or click cancel, the page still loads but the login form is empty!

The form only needs to be filled in once per session then all form fields are filled from then on.
2008.05.13
Apparently this site has a password generator that is the strongest that you can use.
64 random hexadecimal characters (0-9 and A-F)
63 random printable ASCII characters
63 random alpha-numeric characters (a-z, A-Z, 0-9)
Check it out, it says it’s good for WiFi Security and “potentially unbreakable”.
“...our server generates a unique set of custom, high quality, cryptographic-strength password strings...”
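Strings in the three formats listed above can also be produced locally from the operating system's CSPRNG, so the secret is never known to a remote server. This is an added example, not code from the site or from the original post; the function names are hypothetical, the printable set is assumed to be ASCII 0x20 to 0x7E, and the classifier reflects the WPA/WPA2-Personal key-entry rule (64 hex digits, or a passphrase of 8 to 63 printable ASCII characters), which is why the listed lengths are 64 and 63.

```python
import math
import secrets
import string

# Alphabets for the three formats named in the post.
HEX = "0123456789ABCDEF"                                   # 16 symbols
PRINTABLE = "".join(chr(c) for c in range(0x20, 0x7F))     # 95 symbols (assumed set)
ALNUM = string.ascii_letters + string.digits               # 62 symbols

# format name -> (alphabet, length)
FORMATS = {
    "hex64": (HEX, 64),
    "ascii63": (PRINTABLE, 63),
    "alnum63": (ALNUM, 63),
}


def generate(fmt):
    """Return a random string in the given format, drawn from the OS CSPRNG."""
    alphabet, length = FORMATS[fmt]
    # secrets.choice is uniform over the alphabet, so no modulo bias.
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(fmt):
    """Entropy of a uniformly random string: length * log2(alphabet size)."""
    alphabet, length = FORMATS[fmt]
    return length * math.log2(len(alphabet))


def classify_wpa_key(key):
    """Classify a string by the WPA/WPA2-Personal key-entry rules.

    'raw-psk'    : exactly 64 hex digits (the 256-bit key itself)
    'passphrase' : 8 to 63 printable ASCII characters (stretched by the AP)
    'invalid'    : anything else
    """
    if len(key) == 64 and all(c in string.hexdigits for c in key):
        return "raw-psk"
    if 8 <= len(key) <= 63 and all(0x20 <= ord(c) <= 0x7E for c in key):
        return "passphrase"
    return "invalid"


if __name__ == "__main__":
    for name in FORMATS:
        value = generate(name)
        print(f"{name:8s} {entropy_bits(name):6.1f} bits  "
              f"{classify_wpa_key(value):10s}  {value}")
```

The 64-hex form carries exactly 256 bits, which is the full size of a WPA pre-shared key; the two 63-character forms carry more entropy than the 256-bit key they are hashed down to.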
2008.04.02
According to an article on The Register, someone has developed a proof-of-concept for a ‘bio-logger’.
You’ve heard of key-loggers for keyboards right? That log keystrokes made on a target keyboard and send the retrieved data to a USB key or via the internet to anyone. Well this new ‘gadget’ does the same thing but captures images of fingerprints from keyboard users which could then be used to create a replica fingerprint and used to access biometric-protected areas.
This just goes to show that not even your fingerprints are safe. Imagine if you will, that the government gets its way and introduces its identity card scheme, you use a computer that has a ‘bio-logger’ attached… hackers, thieves and general undesirables then have your fingerprints. Which they can then use to potentially steal all of your data from anywhere that (in the future) uses biometrics as a security system. Off the top of my head I would imagine using it instead of chip-n-pin, passports, starting your car and even general identification if stopped by the police.
This reminds me of a 5 part drama that was on recently called ‘The Last Enemy’ set in the not too distant future and featuring things. But that’s another post entirely.
Just another reason why the government’s identity card system would fail miserably.
2008.03.05
I have just completed my contextual studies essay! I wrote about the peer-to-peer network and how the government has no idea what they are doing with regard to trying to shut down illegal file sharing. I left out the illegal part mostly and focused on comparing the monitoring of data to the tapping of phones and how similar legalities have to be applied to a ‘web tap(?)’ and therefore rendering it totally useless… even if it were possible in the first instance.
Feel free to view my essay here.
2008.03.04
The following is an essay I wrote as a polemic as part of a Contextual Studies elective.
Peer To Peer is an internet distribution network allowing users to share content without using dedicated servers or utilizing bandwidth. The users share information directly with each other using a centralised ‘tracker’ which directs the relevant information to the correct recipient.
‘Such networks [contain] audio, video, data or anything in digital format, real-time data such as telephony traffic is also passed using P2P technology.’
(Wikipedia - 2008)
Many small businesses use peer-to-peer to keep distribution costs low as constant downloading from web servers results in high server costs for the client and slow download speeds for the customer.
‘10Mbps connection on a 3GHz Xeon server is priced at $324 per month.’
(www.thewhir.com/)
The VoIP telephone services such as Skype also use peer-to-peer networks to enable phone calls over the internet for free for this very reason.
So why then is there so much controversy over the use of such technologies? If there are clearly so many benefits why is the government so adamant about stricter regulations, more stringent monitoring and new legislation meaning ISPs have to track the content?
This is what makes me very angry, the government really doesn’t know what it’s talking about. The reason they want to restrict peer-to-peer infrastructure is because the technology can be used for file sharing / distribution. A subset of this is ‘copyright infringement’ whereby music / film / TV / software and games are shared without the proper licences.
‘The UK government wants to introduce a three strike system and users will be policed via their ISPs, though a decision has yet to be made whether ISPs will be allowed to share their data to stop users jumping ship to new packages.’
(www.trustedreviews.com – 2008)
Copyright infringement is one thing, but what about an infringement of a person’s basic civil rights, the privacy of their communication.
‘If the law were enacted it would turn ISPs, like BT, Tiscali and Virgin, into a pro-active net police force.’
(Darren Waters, Technology Editor, BBC News - 2008)
Also they would be breaking current data protection law (by sharing internet traffic data with other ISPs) but more seriously they would be monitoring what every person was looking at on the internet at any given time. What this amounts to is a modern day phone tap, which requires ‘reasonable cause’ and needs to be approved by a Justice Minister.
There are many things wrong with this, if we entertain the idea preliminarily and use the phone tapping procedure and according lawful requirements and hindrances as a base model for comparison it soon becomes clear that even if the government DID in fact enact this three strike plan, it wouldn’t work.
Firstly the government listens to around 2,200 phone conversations each year.
Justice Minister Michael McDowell… refused to reveal the number of phone taps he has authorised during his time in office.
(www.digitalrights.ie – 2008)
There were 2,243 phone tap warrants issued there last year. This included 66 mistakes, in which security services were listening in to the wrong numbers.
(www.digitalrights.ie – 2008)
A phone tap, or possibly a web tap (?), must be approved by the justice minister personally and the only way you can apply for a phone tap is if you have reasonable cause to suspect wrongdoing on the part of the individual or group accused. So they must have OTHER EVIDENCE to support their need for a phone tap, but in the case of a possible ‘web tap’ no other evidence will be available as the government is going to be forcing ISPs to instigate what amounts to the same as a phone-tap on ALL its customers all the time with no reasonable cause.
If such a practice were considered with regard to a phone tap (if a company / agency were to start monitoring people’s phones without consent from the minister or reasonable cause) then this would be regarded as a criminal act and would be dealt with accordingly.
Finally, phone tap evidence is inadmissible in court so even if a person says on the phone that they killed someone, it will not get them convicted in a court of law. So if a recorded phone conversation of a killer’s confession won’t incriminate him then how can monitoring of an individual’s internet traffic (downloads) result in a conviction or fine if the process of monitoring is the same?
Apart from the obvious legal ambiguities this approach would evidently give rise to, what about the practical application of such a scheme? Is it feasible for any ISP to physically track not only the packets of information travelling through their network infrastructure (some of which are encrypted), but also their starting point and destination? Considering the sheer volume of data that is being transmitted, the speed at which it’s being transmitted and the current monitoring applications that are available it is an extremely unlikely event that ISPs will be able to accurately monitor a user’s data.
‘Internet providers are no more able to inspect and filter every single packet passing across their network than the Post Office is able to open every envelope.’
‘ISPs bear no liability for illegal file sharing as the content is not hosted on their servers’
(Internet Service Providers Association - 2008)
So what is the alternative to all the intrusion, monitoring and accusing? Blocking, apparently, as Spain decided in 2006 to block all peer-to-peer activity on all of its ISPs.
‘A law enacted last week makes it a criminal offence for ISPs to “facilitate file sharing”. Added to this is a tax on recordable digital media, such as blank CDs and DVDs. The tax will go into a fund which will be shared among copyright holders to compensate for piracy.’
(Quentin Reade – 2006)
This is one way to ‘cope’ with the file sharing ‘problem’ but it’s kind of like cutting off the nose to spite the face. Spain will have greatly reduced the effectiveness of, if not cut altogether, its VoIP services, its IPTV services and any chance of getting files distributed solely via peer-to-peer network.
If the UK government’s ‘three strike’ plan is put into effect, the part of the ISPs, to ban users who download illegal content, will be soured with many wrongful accusations and subsequent applications for compensation.
‘ISPA is worried about the cost to its members if users targeted by rights holders for copyright infringement turn out to be innocent.’
(Internet Service Providers Association – 2008)
So the ISPs can’t monitor data being transferred and even if they could they would need permission for each individual they targeted, and then they would require reasonable cause for such an action to be undertaken, along with subsidisation from the government (or those fighting for the imposing of such restrictions) in case they accidentally target the wrong users. So why are the government still pushing this if even the ISPA say it can’t be done with any degree of success?
‘We still need to establish the proof points’
(Internet Service Providers Association – 2008)
This is however in stark contrast to Comcast, a large US cable service provider who has been in legal battles recently after being sued for deliberately sacrificing peer-to-peer bandwidth under the pretext of ‘traffic shaping’ to reduce the strain of the network at peak times.
A Comcast customer filed the lawsuit after being fed up with slow speeds while using peer-to-peer software.
‘…a lawsuit against the nation’s biggest cable operator, alleging the company “intentionally and severely” impedes the use of peer-to-peer file-sharing applications.’
(www.multichannel.com – 2007)
A few months later, a few more Comcast customers had a similar qualm and responded in the same way by filing a similar lawsuit which prompted a review of the company’s policies and practices on ‘management’ of their network traffic for specific protocols.
‘…claims that service frequently stops or slows to a crawl when using file-sharing applications’
(www.multichannel.com – 2007)
Whereas I was expecting the lawsuit to get thrown out, surprisingly it stuck and eight months later an independent researcher discovered that Comcast HAD been ‘managing’ (also known as throttling) certain peer-to-peer protocols.
‘Comcast was secretly throttling BitTorrent and other P2P traffic’
(www.theregister.com)
Record labels and film studios need to stop fighting the system and losing; they need to rethink their own distribution arrangement and start working with peer-to-peer. A successful adoption of such technology is Napster that, for a low monthly charge, allows you to download and play as much music as you like; transfer it to an mp3 player for a small amount extra each month or burn to CD with a one-off payment.
There appears not to be a real solution to the ‘problem’ of peer-to-peer activity on the internet. The users favour it over any other download method; distributors who use it favour it over any other distribution method as it saves bandwidth on their servers and the government is obviously under pressure from film studios and record labels because of ‘copyright infringement’ and as a result must be seen to be doing something about it. The fact is there is no real way to do what they’re asking and by the time there is, technology in this area will have made another leap forward to be able to avoid / circumvent any restrictions that are put in place.
This is a serious issue that could affect the future of distribution of media.
I have been running a BitTorrent client, sharing content to users whilst writing this. Long live the revolution!
2008.02.23
I know how tempting it is to set up a fake Facebook page and then message your friends with all kinds of abuse or stalker-like behaviour, but have you ever stopped to think what the ramifications could be?
Well a Moroccan computer engineer certainly didn’t, although he did sign up to Facebook as Prince Moulay Rachid, younger brother of King Mohammed VI. I don’t think the guy was ever expecting to get caught and if he did I suppose he thought he would just get a slap on the wrist from Facebook and not be allowed to play with the other kids.
Far from it, this guy has been sentenced to 3 years in prison and ordered to pay $1,300. I think that’s a little extreme myself but hey, now I’m not going to sign up to Facebook pretending to be the queen as originally planned!
http://news.bbc.co.uk/1/hi/world/africa/7258950.stm
2008.02.20
This is how! A wonderful program by doubleTwist called, surprisingly enough, doubleTwist desktop. It synchronises with iTunes or Windows Media Player, getting around their copy protection by converting the DRM files to MP3s in real-time while you listen to them. This means no copyright laws are ‘technically’ being broken. It’s just like recording from the radio or TV!
The platform also allows you to share music over Facebook (other social networking sites to follow) with the use of its ‘TwistMe’ application. It’s genius. According to their website (and I will test this in a minute) it “acts like a media drop-box, enabling your friends to send you pictures, video and audio…right to your desktop”.
The company’s mission is “to enable consumers to enjoy their digital media on the widest possible range of devices and help them share what they’ve created with friends”.
Brilliant! The concept is great and what’s more - the company was started by the guy who broke the copy protection on DVDs.
I just love the term “legally circumvent” too. It’s an oxymoron and just makes me laugh!