a trail of DNA and data

2005-04-04 Thread Eugen Leitl

A Trail of DNA and Data

By Paul Saffo

Sunday, April 3, 2005; Page B01

If you're worried about privacy and identity theft, imagine this:

The scene: Somewhere in Washington. The date: April 3, 2020.

You sit steaming while the officer hops off his electric cycle and walks up
to the car window. "You realize that you ran that red light again, don't you,
Mr. Witherspoon?" It's no surprise that he knows your name; the intersection
camera scanned your license plate and your guilty face, and matched both in
the DMV database. The cop had the full scoop before you rolled to a stop.

"I know, I know, but the sun was in my eyes," you plead as you fumble for
your driver's license.

"Oh, don't bother with that," the officer replies, waving off the license
while squinting at his hand-held scanner. Of course. Even though the old
state licensing system had been revamped back in 2014 into a "secure"
national program, the new licenses had been so compromised that the street
price of a phony card in Tijuana had plummeted to five euros. In frustration,
law enforcement was turning to pure biometrics.

"Could you lick this please?" the officer asks, passing you a nanofiber
blotter. You comply and then slide the blotter into the palm-sized gizmo he
is holding, which reads your DNA and runs a match against a national genomic
database maintained by a consortium of drug companies and credit agencies. It
also checks half a dozen metabolic fractions looking for everything from
drugs and alcohol to lack of sleep.

The officer looks at the screen, and frowns, "Okay, I'll let you off with a
warning, but you really need more sleep. I also see that your retinal
implants are past warranty, and your car tells me that you are six months
overdue on its navigation firmware upgrade. You really need to take care of
both or next time it's a ticket."

This creepy scenario is all too plausible. The technologies described are
already being developed for industrial and medical applications, and the
steadily dropping cost and size of such systems will make them affordable and
practical police tools well before 2020. The resulting intrusiveness would
make today's system of search warrants and wiretaps quaint anachronisms.

Some people find this future alluring and believe that it holds out the
promise of using sophisticated ID techniques to catch everyone from careless
drivers to bomb-toting terrorists in a biometric dragnet. We have already
seen places such as Truro, Mass., Baton Rouge, La. and Miami ask hundreds or
thousands of citizens to submit to DNA mass-testing to catch killers.
Biometric devices sensing for SARS symptoms are omnipresent in Asian
airports. And the first prototypes of systems that test in real time for
SARS, HIV and bird flu have been deployed abroad.

The ubiquitous collection and use of biometric information may be inevitable,
but the notion that it can deliver reliable, theft-proof evidence of identity
is pure science fiction. Consider that oldest of biometric identifiers --
fingerprints. Long the exclusive domain of government databases and FBI
agents who dust for prints at crime scenes, fingerprints are now being used
by electronic print readers on everything from ATMs to laptops. Sticking your
finger on a sensor beats having to remember a password or toting an easily
lost smart card.

But be careful what you touch, because you are leaving your identity behind
every time you take a drink. A Japanese cryptographer has demonstrated how,
with a bit of gummi bear gelatin, some cyanoacrylic glue, a digital camera
and a bit of digital fiddling, he can easily capture a print off a glass and
confect an artificial finger that foils fingerprint readers with an 80
percent success rate. Frightening as this is, at least the stunt is far less
grisly than the tale, perhaps apocryphal, of some South African crooks who
snipped the finger off an elderly retiree, rushed her still-warm digit down
to a government ATM, stuck it on the print reader and collected the victim's
pension payment. (Scanners there now gauge a finger's temperature, too.)

Today's biometric advances are the stuff of tomorrow's hackers and clever
crooks, and anything that can be detected eventually will be counterfeited.
Iris scanners are gaining in popularity in the corporate world, exploiting
the fact that human iris patterns are apparently as unique as fingerprints.
And unlike prints, iris images aren't left behind every time someone gets a
latte at Starbucks. But hide something valuable enough behind a door
protected by an iris scanner, and I guarantee that someone will figure out
how to capture an iris image and transfer it to a contact lens good enough to
fool the readers. And capturing your iris may not even require sticking a
digital camera in your face -- after all, verification requires that the
representation of your iris exist as a cloud of binary bits of data somewhere
in cyberspace

FEC requesting comments on Internet use

2005-04-04 Thread Shawn Duffy

Public comments due June 3rd.

From the Summary:
"The Federal Election Commission requests comments on proposed
changes to its rules that would include paid advertisements on the
Internet in the definition of ``public communication.'' These changes
to the Commission's rules would implement the recent decision of the
U.S. District Court for the District of Columbia in Shays v. Federal
Election Commission, which held that the current definition of ``public
communication'' impermissibly excludes all Internet communications.
Comment is also sought on the related definition of ``generic campaign
activity'' and on proposed changes to the disclaimer regulations.
Additionally, comment is sought on proposed new exceptions to the
definitions of ``contribution'' and ``expenditure'' for certain
Internet activities and communications that would qualify as individual
volunteer activity or that would qualify for the ``press exemption.''
These proposals are intended to ensure that political committees
properly finance and disclose their Internet communications, without
impeding individual citizens from using the Internet to speak freely
regarding candidates and elections. The Commission has made no final
decision on the issues raised in this rulemaking. Further information
appears in the supplementary information that follows."

Cryptanalysis of ePassports

2005-04-04 Thread cypherpunk
An article is up on the eprint archive, "Security and Privacy Issues in
E-passports" by Ari Juels and David Molnar and David Wagner. It
analyzes the new contactless chips which will be in U.S. passports in
a few months.

Among the risks it identifies are that terrorists could eavesdrop on
chip transactions and recover digital photographs of what people look
like - when they are not smiling. The mind boggles at what a creative
terrorist could do with such sensitive information.


Re: FEC requesting comments on Internet use

2005-04-04 Thread James A. Donald
On 4 Apr 2005 at 12:47, Shawn Duffy wrote:

> Public comments due June 3rd.
> From the Summary:
> "The Federal Election Commission requests comments on 
> proposed changes to its rules that would include paid 
> advertisements on the Internet in the definition of 
> ``public communication.'' These changes to the 
> Commission's rules would implement the recent decision 
> of the U.S. District Court for the District of 
> Columbia in Shays v. Federal Election Commission, 
> which held that the current definition of ``public 
> communication'' impermissibly excludes all Internet 
> communications. Comment is also sought on the related 
> definition of ``generic campaign activity'' and on 
> proposed changes to the disclaimer regulations. 
> Additionally, comment is sought on proposed new 
> exceptions to the definitions of ``contribution'' and 
> ``expenditure'' for certain Internet activities and 
> communications that would qualify as individual 
> volunteer activity or that would qualify for the 
> ``press exemption.'' These proposals are intended to 
> ensure that political committees properly finance and 
> disclose their Internet communications, without 
> impeding individual citizens from using the Internet 
> to speak freely regarding candidates and elections.

 "Properly finance" means that speech will be defined as
paid for, even if no actual money changes hands.   The 
proposed rule brings what was formerly speech into the 
definition of expenditure, even if assigning a money 
value is arbitrary.

There is no real distinction between individual speech 
and campaign expenditure so broadly defined.  Any 
distinction between the campaign and individual citizens 
is merely some arbitrary cutoff.  Perhaps comments in "A" 
list blogs might be defined as campaign expenditure, and 
comments in other blogs might be defined as individual.

The obvious rule is "If the campaign does not pay money 
for it, it is not a campaign expenditure", but this rule 
is declared to be a loophole, a loophole that must be 
corrected - and of course it is a loophole.  But it is a 
loophole that cannot be fixed without massive violation 
of free speech.  Fixing this "loophole" is what is meant 
by "properly finance".

To fix this "loophole", speech must be deemed to be 
campaign speech, at least if it is sufficiently 
prominent, and if it is not in fact paid for, directed 
and planned by the campaign, this will be an offense, a 
form of fraud, cheating the campaign laws.

This rule (speech is money, and unpaid for, unsupervised 
electoral speech is fraud) already applies in the 
offline world - thus the NRA is forbidden to inform 
voters about the way a particular politician votes on 
guns - at least forbidden to do so shortly before 
election time, because that would supposedly be a 
campaign expenditure.  To get around this rule, the NRA 
has purchased some radio stations, thus availing itself 
of the press exemption, which allows the press, but not 
ordinary mortals, to comment on political races.

The question then, is how will this prohibition against 
political speech on specific politicians and campaigns 
be applied to the internet.  "A" list blogs claim to be 
the press, so the argument is that "A" list blogs should 
be exempt from this rule because they are the press, "B" 
list blogs exempt because they are individuals, so no 
regulation of internet speech. Evidently some people
reject this argument. 

 James A. Donald

Reading everyone's g-mail

2005-04-04 Thread Major Variola (ret)
At 10:17 AM 4/1/05 -0800, Sarad AV wrote:
>Maybe it was just a bot parsing the contents of the
>mail. Cannot say for sure. Reading everyone's g-mail
>doesn't appear to be practical.

Whoa, are you clueless.

Not only reading, but indexing, and indexing all your correspondents.

Can you spell "traffic analysis"?

Re: [silk] Google Targeted ads - gmail (fwd from

2005-04-04 Thread Major Variola (ret)
At 11:26 AM 4/1/05 -0800, cypherpunk wrote:
>On Apr 1, 2005 10:57 AM, Eugen Leitl <[EMAIL PROTECTED]> wrote:
>> Now here's your one stop shop for evil. A position for Google minister for
>> propaganda is about to be posted, so I hear.
>Let's get this straight. It's not evil if people are voluntarily
>agreeing to it! Maybe you're being facetious but you undermine the
>significance of true evil by applying the word to voluntary
>relationships. Cypherpunks should support noncoercive information
>relationships because they give users the option to protect their own
>privacy. Nobody is forced to use Google, and technology exists to
>allow it to be used in a privacy protecting way.
>True evil would be a system which takes away your options and forces
>you to interact in a way that prevents you from protecting yourself.
>Google is 180 degrees removed from such an approach.

1. The author is entirely, c'punkly correct.  Trading your DNA for a
hamburger is entirely voluntary, consensual, ergo moral.  That
Joe Sixpack is a sheep with her butt in the air is not relevant.
Temple Grandin (a future Google BOD member) has designed
really comfy slaughterhouses.

2. If you don't encrypt, you broadcast.  End of story.

mu-metal Altoids

2005-04-04 Thread Major Variola (ret)
At 07:54 PM 4/3/05 -0500, Riad S. Wahby wrote:
>Thomas Shaddack  wrote:
>> Putting the tag into an enclosure made of a ferromagnetic material
>> though. Altoids can proved to be a pretty effective shielding.
>Clearly we need mu-metal Altoids tins.

Mu-metal is expensive and I've heard that cold-working it reduces its
permeability.  The idea of ultracheap (i.e., disposable) shields is
a Good Thing, and better than Enemy of the State's Brin's potato-chip
bag elevator stunt.

"...ordinary household products (if one were so inclined)..." -TD