Messages - Diana

1
2004 / Personal Security
« on: May 31, 2004, 11:10:06 AM »
Hi all,

This is not computer related...but it is a tech/privacy issue.

I'm posting the whole article here, but it came from The Register

US lubes passports with RFID snake oil
By Thomas C Greene
Published Thursday 20th May 2004 13:36 GMT

Opinion As we reported recently, the US State Department will conduct a trial of biometric passports this Fall, with an eye toward moving to full production in 2005.

This scheme is supposed to help officials catch evildoers who are too thick to get biometric passports issued to themselves under false identities. It will, of course, be a great obstacle to knuckleheaded exploding-sneakers types like Richard Reid and loose talkers like Jose Padilla, although even moderately slick terrorists will not be affected.

Mug me, I'm rich

One of the more dubious aspects of the new regime is the so-called "smart chip," a spectacularly dumb RFID (Radio Frequency Identification) gizmo that might very well broadcast data indiscriminately to any device designed to receive it. There are several ways to design such a chip, and the preferred design, from a security point of view, would require the document and reader to be in physical contact. A passive chip can be read at a distance by a powered reader, but it doesn't have to be. However, it is likely, given the tech industry's lust for adding 'features' whether they're needed or not, that the chips will be readable from a distance. This would make it easier to move large herds of travelers through customs gates quickly, and it is likely to be pitched successfully on this basis.

Unfortunately, this would also make it easy for street criminals to scan crowds in search of naive foreigners likely to be in possession of decent quantities of cash, like Americans and Europeans, say. The RFID lobby has consistently neglected to address issues of personal safety when sensitive, identifying information is being broadcast secretly and indiscriminately by their nifty gizmos. Such electronic documents are a boon to street thugs looking for probably-rich tourists, and, more ominously, to sophisticated criminals and kidnappers.

Arrest me, I'm naughty

It's a minor blow to one's privacy when a packet of razor blades is chipped so that anyone with a reader can learn what brand you happen to like. But chipping personal documents such as ID cards and passports is tantamount to chipping people. A document that reveals your name, age, address, and more, that can be read from a distance without your knowledge by anyone for any reason, is a clear threat to personal safety, and, obviously, any semblance of privacy.

There is nothing, beyond a few laws that get weaker every year, to prevent overzealous Feds and similar government busybodies from setting up surreptitious readers, and performing silent, automated ID stops that one knows nothing about.

In a nightmare world quite conceivable after a few more terrorist atrocities, ID readers could be integrated with subway turnstiles, metal detectors, and scores of other daily nuisances and choke points. Data scanned could be sent to a database that is searched automatically for certain triggers. It might be some time before such intrusions become routine, but it is beyond doubt that the bureaucrats currently pushing the technology know perfectly well that this potential exists, and are secretly pleased by it.

Big assumptions

Unlike the RFID aspect of the new passport scheme, which will actually bring harm to people, the biometric obsession is basically a harmless, if rather expensive, folly. Superstitious faith in biometrics is touching, but the technology is no worse than what we've got at the moment. Of course, it's also no better.

Bogus credentials are easy to come by, so if biometrics are intended as a security measure, implementation is going to trip up only the thickest and laziest of attackers.

It is quite easy to forge a birth certificate (or obtain one belonging to someone who died in infancy, approximately one's own age), and use it to establish a series of foundation documents such as a Social Security card, a driver's license, and a passport, which, in turn, can be used to register for college, get a job, establish credit, obtain licenses, housing, services and utilities, and so on. These secondary documents will be founded on a lie, all right; but they will be perfectly authentic and can be used with ease to scam the system. This is because authenticity, rather than accuracy, is the standard on which documents are accepted.

Such documents tell other people where you live, where you went to school, whether you're qualified to drive, and so on. But they don't establish who you are. Nevertheless, they are used as if they did, and adding a biometric feature only reinforces the popular illusion that they actually identify people. In fact, biometrics merely establish ownership of the document in question, regardless of whether it tells the truth or not.

For example, my picture-ID driver's license tells you that someone claiming to be named Thomas Greene is qualified to drive an automobile, and that I (whoever I might actually be) am the rightful owner of the document that proves it. Assuming that the document is authentic, when I present it to you, you can safely assume that I'm a properly licensed driver, but no more.

Mark of the Beast

At present, it's impossible for any bureau to know that one is who they claim to be. The only near-foolproof way to establish identity would be through universal DNA profiling at birth. After a few generations, virtually everyone could be identified with certainty, so long as DNA identification and verification is required, cradle to grave, for all transactions such as obtaining a birth, marriage, or death certificate, establishing credit, opening a bank account, buying, selling or leasing real property, registering to vote, obtaining a driver's license or a passport, enrolling in school, registering for military service, employment, and so on.

To be effective, the data would have to be collected without fail from everyone issued a birth certificate, and be made widely and easily available to anyone who wishes to verify it. And it would have to be verified routinely, to minimize the chance that one could obtain any useful documents without DNA identification. But since this scheme is so repulsive, and so closely resembles the mark of the Beast prophesied in Revelation, it is doubtful that it could be implemented without tremendous, and possibly violent, opposition from the public. Unless terrorists should accommodate the change by nuking a major city or something equally hideous.

But until something truly Biblical happens to break down people's resistance to being branded by their governments, we're going to have to accept the fact that motivated people can and will alter their identities, and that biometrics can do nothing to prevent it. We may accept digitized fingerprints and face scans as the new standards, but they're no more effective at identification than the analog photos and signatures we use today. The flaws in the system will remain the same.

The problem is not biometrics, which represent only a waste of money that could be better spent. The chief problem is the RFID element, which invites myriad abuses of personal data by the evil-twin forces of criminal exploitation and government paternalism. ®

Thomas C Greene is the author of Computer Security for the Home and Small Office, a complete guide to system hardening, online anonymity, encryption, and data hygiene for Windows and Linux.

2
2004 / Personal Security
« on: April 21, 2004, 10:11:33 AM »
Hi all,

I haven't posted anything new here in a while, but I've run across some more good stuff now. I'm going to put in links covering several "topics" instead of creating multiple posts below this one.

A set of good links from Netscape about security basics, including privacy and personal digital certificates.
Understanding Security and Privacy

Here is an editorial about the new Google mail service
Free webmail at Google
I will not be signing up for Google mail, but I'm also going one further. I will not be emailing anyone that uses that service. Please very carefully consider that this service will not be secure so a business entity should not even consider this service for itself nor allow its personnel to do so.

Here is a futuristic look at privacy. Given your political mindset, you will either cringe or drool over the possibilities.
A Post-Privacy Future for Workers
and to show how predictions can come true, read this article as sent to me by my brother-in-law who was sent to Iraq as a reservist, but is now back in Virginia working for the army, still enlisted.
Onward Cyber Soldiers (this is a long one)

And here is a book that is receiving great reviews..(I haven't read it yet) about security for the non-techy person. I'm sure by now that my posts are overlapping in content, but if ever there is something old presented in a new way, it may teach someone who still doesn't understand.
Invasion of Privacy! Big Brother and the Company Hackers (Edited to change URL to Amazon...much cheaper there than the first link I had, and I just ordered mine.)

and finally, for anyone interested in actually participating in a Government panel concerning the RFID tags that are becoming prevalent, either because you are close to the meeting site or wish to travel there anyway, here is an open invitation to such a meeting:
Public Workshop: Radio Frequency Identification: Applications and Implications for Consumers; Notice

happy reading

3
2004 / Personal Security
« on: March 15, 2004, 06:58:55 PM »
Here's an interesting and informative article at SecurityFocus about how hackers use Google to get to your "thought to be private" information. Anyone who publishes pages on a server should take note.

Hackers use Google ...

Edit: YIKES!..thanks tons Mayo. I hadn't double checked that like I should..was reading the comments and musta copied the wrong URL. I fixed it here..not to take anything from Mayo's correction in the post below, but because I hate to leave my link wrong. Thanks again Mayo.

4
2004 / Personal Security
« on: March 12, 2004, 09:07:49 AM »
Here is an archive of articles relating to identity theft.

It would probably be good to bookmark this one as the contents will be added to as stories/articles are published. Some will be familiar to those who are concerned, but the nice thing about this page is these articles, although published in other places as well, appear here all together.

silicon.com's protecting your ID archive

5
2004 / Personal Security
« on: March 03, 2004, 01:13:05 PM »
Ok..not exactly personal computer related, but a new scam to be aware of

ATMs being modified to skim your card data and collect your PIN

After you look at the pictures, see if you would be able to spot the adapter...I don't know that I could. So, I'm going to be pulling on the pieces parts to see if they come off or wiggle around now.

Oh..and for the skeptics like me...Snopes.com says it's true.

6
2004 / Personal Security
« on: February 24, 2004, 08:02:26 AM »
New requirements for Small Businesses who are covered by the HIPAA rules

http://www.smallbusinesscomputing.com/news...cle.php/3313751

There are so many facets to this stuff. We all need to learn about our own personal privacy issues, but also we need to be watchful of how others use or abuse our privacy. Businesses both large and small are in a position to learn and know more about each of us than we ever imagined. Business owners should be aware of their requirements under the law too, especially as the awareness of these issues rises. Don't get caught unprepared.

7
2004 / Personal Security
« on: February 24, 2004, 07:56:01 AM »
-- USPS Proposes Modification To System Of Records
Privacy issues
http://edocket.access.gpo.gov/2004/04-3496.htm

 -- Computer Matching Between DOJ, IRS
IRS will provide taxpayer addresses to the DOJ for initiation of prosecution of debtors using computer matching
http://edocket.access.gpo.gov/2004/04-3793.htm

8
2004 / Personal Security
« on: February 24, 2004, 07:44:19 AM »
So you think your bank or credit lender is looking out for you?

Think again
How lenders are abetting the ID thieves

and here is a good PDF Whitepaper from Security Focus
Attitudes towards privacy study

9
2004 / Personal Security
« on: February 24, 2004, 07:13:45 AM »
Young people may be targeted for Identity Theft

Here are some links with stories and cautions.
Teen from Eatonville, WA - No checking account or credit cards but ID stolen anyway.

Story about how Penn State is combatting ID theft for their students

U of Penn practices

Good practice:

Use good passwords that are changed often and never written down
Shred all ATM and credit card/bank receipts
Never reveal personal info over the phone or online
Check your credit card statements monthly and credit reports yearly
Make front and back photocopies of all documents in your wallet/purse. Keep these photocopies in a safe/locked place

10
2004 / Personal Security
« on: February 23, 2004, 09:13:40 AM »
Here is a utility with a double edge. This could be very useful for those of us who forget passwords on Windows machines. The free utility can recover passwords under the asterisks in password dialog boxes...including those for web pages.

Lostpassword.com

For this to work, you must have set your system or a program to remember passwords.

The problem I see is this: If you leave your computer alone and unlocked for others to use, they can download this free utility in seconds/minutes..(it's very small)..and proceed to uncover passwords. It could also be put on a floppy/usb/memory stick and installed very quickly.

This shows yet again how important your passwords are, and even more so the importance of physical security for your machine. It is best if you don't use programs...even the browser...to remember your passwords/logins for you. Granted some passworded areas aren't especially sensitive...(your favorite browser start page for example), but NEVER use the same passwords across multiple sites and NEVER EVER allow your banking password to be the same as your instant messenger password...(examples all). Best practice would be to keep all those most important passwords in your head, don't let anything remember them for you. That makes this utility less useful...and dulls both edges of the blade.

*grin...sorry to keep making this Windows-centric, but I know some here run PCs and Macs.

11
2004 / Personal Security
« on: February 18, 2004, 01:20:04 PM »
Security relating to cell phones

Bluetooth enabled phone users at risk

Security issues are being raised in many corners. The last lines of the article seek to ease fears, but remember, very few foresaw early on the Internet as it is today, fewer still were worried about spam/viruses and other baddies just a couple of years ago. Keep up on these issues even as they relate to PCs and all your mobile devices. When fixes are available, be sure to apply them as your situation requires.

12
2004 / Personal Security
« on: February 17, 2004, 02:38:12 PM »
TUTORIAL - Good for Windows buddies

 -- How to Safeguard Your Computer on a Budget (Windows)
This tutorial examines the possibilities of your computer being infected and what you can do to fix the problem and set your computer up so as to prevent future attacks without having to spend a fortune.

http://www.wired.com/news/infostructure/0,...7,62222,00.html

13
2004 / Personal Security
« on: February 16, 2004, 09:03:07 PM »
Here is a good story about the use/abuse of broadband connections and the very real necessity that all users secure and maintain their personal machines.

I realize that again this isn't a Mac-specific or even a Mac-possible issue, but if we all learn and tell our Windows friends, we'll make progress.

Spammers Exploit High-Speed Connections

Hopefully these articles will stick around as this thread ages. If someone notices that they are disappearing, please let me know and I'll start archiving them myself.

see ya,

14
2004 / Another Spam Scam?
« on: February 12, 2004, 05:43:35 AM »
Hi Sandbox,

I'm sorry if I made you think I thought you made a mistake. I thought your explanation was great...and useful.

I should have spent my time explaining the "funny" URL that starts with webmail.pas.earthlink.net. But I'm not sure now if Mayo was asking why the webmail.pas came before earthlink.net or if it was the httpS thing.

I'm confused. I'll speak again when I recover.

15
2004 / Personal Security
« on: February 11, 2004, 06:46:14 PM »
Hi Mayo,

I would consider your post to be right in line. Dealing with data that is old/outdated/no longer needed is very important...especially if it could be used against you.

I find myself questioning my own topic title. I see security all tied up with privacy so even though the topic would seem to be security, personal privacy is also a valid topic.

As the poor Windows people don't even seem to understand, allowing those awful viruses to infect a computer leads to personal loss of privacy, including identity theft. Think secure, keep your data your own, and protect your privacy. In this sense I'm not advocating you lock yourself in your house and refuse to wave at the neighbors, I'm only pointing out that if we forget security..(locking our doors), the thieves will arrive and steal not only physical objects, but personal/private data. These thieves come in many disguises..marketing companies, spammers, unscrupulous businesses and even governments...and their modes of operation don't always look as suspicious as they should...(see TiVo operation above)

I've always wanted to nuke a CD just to see what would happen, I may have to do it when I'm ready to buy a new microwave..current one is 18+ years old and I'm not ready to kill it.
