OT: Hackers crack new biometric passports

Lennart Sorensen lsorense-1wCw9BSqJbv44Nm34jS7GywD8/FfD2ys at public.gmane.org
Tue Aug 8 16:46:54 UTC 2006


On Mon, Aug 07, 2006 at 12:03:54AM -0400, Jamon Camisso wrote:
> How to clone the copy-friendly biometric passport
> By John Lettice
> Published Friday 4th August 2006 13:08 GMT
> http://www.theregister.co.uk/2006/08/04/cloning_epassports/
> 
> "... The ICAO documentation Grunwald consulted is publicly available,
> and explains the detail of the various levels of security of the
> ePassport system, the baseline level being something not unadjacent to
> zero..."
> 
> For proponents of security through obscurity, that sentence there is
> pretty much all you'd need to construct a rhetorically charged, loosely
> factually based, FUD mongering condemnation of the whole notion of open
> source (I use the term loosely, not specifically in the software sense
> of the word).
> 
> What this really means is that, despite the apparent failures of the
> system presently, the next version or updates to the chips will likely
> be secured in a more secretive manner. i.e. no more open access to the
> ICAO's how and what documentation. Just imagine how secretive they'll be
> allowed to be once DNA imprinting becomes commonplace.

When will they learn that you can not do either of:

1) Leave it totally open and readable by anyone with the right
equipment.  Just because the equipment is hard to get or expensive now,
doesn't mean it always will be, or that people can't get it.

2) Making things secret is no better.  The spec has to be open, designed
by people who know what they are doing, and designed to be secure (which
almost never means it should be secret).  CSS was secret, look how that
went.  802.11's WEP was just plain bad.  Secrets have a tendency to
become non-secret, so it is better to not make them secret in the first
place and just make it secure instead.

Of course copying the chip on a passport doesn't help you much if the
chip contains an image or fingerprint that doesn't match the person
carrying the passport.  It is still a concern though.

--
Len Sorensen