Monday 16 September 2013

Biometrics, Aadhaar and the Apple iPhone 5S

(Hat tip: Ram Krishnaswamy)

For seven years DMossEsq has been boring the world with scare stories about biometrics. "Biometrics don't work", he's been telling anyone not agile enough to get away from him first, "not well enough to do the job they're meant to do, not in the mass market, not with large populations".

Even the other day when those fashionable and lovable exploiters of third world labour Apple announced details of the iPhone 5S, with its fingerprint verification, he couldn't stop himself writing about the problems of false non-matches.

These warnings just wash over people. It's all theoretical. "Computer says no" is a line in a very rude TV comedy show, it doesn't happen in real life.

Really?

Try this.

The much-lauded biometric ration card system is believed to be foolproof and expected to bring the public distribution system (PDS) in step with the digital era. However, ironically, the feedback from the ground indicates that it is rejecting the poor and the impoverished it was intended to benefit.

The biometric authentication system installed at the PDS outlets fails to establish the identity of many genuine beneficiaries, mostly workers, as their daily grind in the agricultural fields, construction sites or as domestic help has eroded the lines on their thumb, resulting in distorted impressions.

‘MATCH NOT FOUND’

The ridges and the patterns that are unique to each individual cannot be detected by the scanner and the screen repeatedly blinks a message stating “match not found”.
India is gradually introducing Aadhaar, a biometrics-based identity management scheme which is meant among other things to reduce corruption in the food security system. "PDS outlets" can give subsidised rice to genuine claimants, who use Aadhaar to prove their entitlement, and withhold it from scammers.

At least they can if the biometrics work.

But they don't.

So the PDS shops initially refuse rice to genuine claimants. And then, like normal human beings, they relent, give them the rice anyway, otherwise they'd starve to death or start a riot, and damn the system – "Mr. Vombatkere said that if the beneficiary has to depend on the munificence of the officials to get their quota and not as their right, then the purpose of introducing the biometric system is defeated".

All that money spent on Aadhaar.

Wasted.

That's not a theoretical PDS agent, in the picture alongside, giving theoretical rice to a theoretical claimant. They're all real. Like the failure of mass market biometrics.

Remember, you're entitled to the money in your bank account. It's yours.

But suppose you had to use biometrics to prove that. And suppose the iPhone said "no". Or rather "match not found". Then maybe it wouldn't be so theoretical after all.

----------

The trainspotters and stamp collectors among you will remember that the strength of Aadhaar is derived, according to the Unique Identification Authority of India (UIDAI), from using not one but two biometrics – fingerprints and iris scans.

How come the match-not-found people whose fingerprints fail the biometric test for rice can't be identified by their iris scans instead?

You didn't seriously suppose, did you, that the UIDAI were going to waste money installing iris scanners in tens of thousands of outlets?

----------

As DMossEsq says, "you can solve the false non-matching problem, all you have to do is reduce the matching threshold. But then you get a false matching problem, impostors are able to claim your rice or use your bank account".
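The trade-off in that quotation, worked through as an added example (not DMossEsq's, UIDAI's or Apple's code): constructed match scores for two genuine cohorts, one of them with worn ridges, and for impostors, with the false non-match rate (FNMR) and false match rate (FMR) computed as the threshold is lowered. The score scale and every score list are constructed assumptions.

```python
"""One threshold, two error rates: lowering it rescues genuine users with
worn fingerprints and at the same time lets impostors through.

Added illustration with constructed scores; no real matcher is involved."""
from typing import Dict, List, Tuple

# Constructed similarity scores on a 0..100 scale (a real matcher's scale
# is vendor-specific). Genuine = the enrolled person presenting; impostor
# = a different person presenting.
GENUINE_OFFICE_WORKERS = [91, 88, 84, 95, 79, 90, 86, 93, 82, 89]
# Constructed assumption: manual labour has worn the ridges down, so the
# same person's genuine attempts score lower.
GENUINE_MANUAL_WORKERS = [62, 71, 55, 68, 49, 74, 58, 66, 52, 60]
IMPOSTOR = [12, 25, 41, 33, 57, 19, 48, 64, 28, 37, 22, 45, 31, 53, 16]


def fnmr(genuine: List[int], threshold: int) -> float:
    """False non-match rate: genuine attempts that score below the threshold
    (the 'match not found' cases)."""
    return sum(s < threshold for s in genuine) / len(genuine)


def fmr(impostor: List[int], threshold: int) -> float:
    """False match rate: impostor attempts that score at or above the
    threshold (someone else claiming your rice or your bank account)."""
    return sum(s >= threshold for s in impostor) / len(impostor)


def error_rates(threshold: int) -> Dict[str, float]:
    """Both error rates for both genuine cohorts at one threshold."""
    return {
        "fnmr_office": fnmr(GENUINE_OFFICE_WORKERS, threshold),
        "fnmr_manual": fnmr(GENUINE_MANUAL_WORKERS, threshold),
        "fmr": fmr(IMPOSTOR, threshold),
    }


def sweep(thresholds: List[int]) -> List[Tuple[int, Dict[str, float]]]:
    """Error rates at each threshold, from strict to lenient."""
    return [(t, error_rates(t)) for t in thresholds]


def strictest_fair_threshold(max_fmr: float) -> int:
    """Lowest threshold (most lenient to genuine users) whose FMR on the
    constructed impostor scores still does not exceed max_fmr."""
    for t in range(0, 101):
        if fmr(IMPOSTOR, t) <= max_fmr:
            return t
    return 101  # unreachable on these scores; nothing passes at 101


if __name__ == "__main__":
    for t, r in sweep([75, 60, 45]):
        print(f"threshold {t:3d}: FNMR office {r['fnmr_office']:.2f}, "
              f"FNMR manual {r['fnmr_manual']:.2f}, FMR {r['fmr']:.2f}")
    t0 = strictest_fair_threshold(0.0)
    print(f"lowest threshold with zero FMR: {t0}; "
          f"manual-worker FNMR there: {fnmr(GENUINE_MANUAL_WORKERS, t0):.2f}")
```

On these constructed scores the threshold that keeps every impostor out still turns away six in ten of the manual-worker cohort, and the threshold that lets all of them in admits a third of the impostors.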

Would you like to know more?

How high is your boredom threshold?

Sunday 15 September 2013

Universal Credit – one for The Old Vic

Last Wednesday, 11 September 2013, the Public Accounts Committee took evidence on Universal Credit from DWP, the NAO and the Cabinet Office.

Media coverage of this electric event has been minimal. We know all about the different colours available for the Apple iPhone 5S. Nothing about the unmasking of misfeasance in public office on a monumental scale.

Where the media fail, perhaps another institution could succeed?


From: David Moss
Sent: 15 September 2013 10:34
To: Kevin Spacey CBE
Subject: Universal Credit – one for The Old Vic?

Attachments: uncorrected transcript - universal credit (223 KB)

Artistic Director

15 September 2013

Dear Mr Spacey


I attach a script for your consideration.

It’s 52 pages long.

52 pages of insight into how the Legislature in the UK is subverted by the unaccountable Executive. The politicians want to spring the poverty trap created by a dysfunctional welfare system. Their will is converted into stratospheric payments to IT contractors. All in the name of public service.

It’s a story of misfeasance in public office. Incompetence. And insouciance about hundreds of millions of pounds of taxpayers’ money going up in smoke. Why bother to pay tax?

It’s an epic business failure. It’s a whodunnit. It’s a courtroom drama. It’s a gladiatorial contest.

52 pages of drama. All paid for already by the taxpayer – no additional cost to the Old Vic for the script. And there’s plenty more where that came from. Masses more.

The set is simple. The characters are complex. Public interest could/should be huge.

One for The Old Vic?

Yours sincerely

David Moss


Wednesday 11 September 2013

Public services under a cloud

Cloud computing is like a utility. Cheap. Think of your gas and electricity and phone and water bills.

Like the internet, it's always available. Resilient. Disaster-proof. No power cuts. Ever.

Except for the past two days, when some suppliers accredited to the UK government CloudStore found they couldn't log on, see below.

CloudStore is hosted by Memset. And since 1 June 2013, it's been the responsibility of the Government Digital Service, who promise that cloud computing is the key to the future of public services delivered efficiently by innovative SMEs. If they can log on, at least.

Does anyone know how this impossible-to-happen service interruption happened?

iPhone 5S fingerprint technology – eye-catching

Apple unveils two iPhones — and a password at your fingertip, it says in the Times today. According to the Telegraph, Apple iPhone 5S and 5C: fingerprint sensor and plastic make iPhone 5 debut. Etcetera, throughout the media.

You could have announced the end of the world yesterday. No-one would have noticed.

In fact, Sir David Attenborough did. "I think that we've stopped evolving", he told the Radio Times. And all anyone wanted to know is how easily they can photograph themselves with the iPhone 5C.

No matter how trivial the detail, media coverage was breathlessly serious.

Except, perhaps, for Murad Ahmed in the Times. For him, maybe there is some sign of a sense of humour. Maybe there is hope:
At events held at the company’s headquarters in Cupertino, California, and Berlin yesterday, analysts said the new fingerprint technology was the most eye-catching advance.
Which brings us to biometrics.

Suppose the fingerprint recognition in the iPhone 5S doesn't work. Suppose that 20 percent of 5S owners queue up outside Phones4U, complaining that they've bought a product that won't let them use it – the computer says I'm not me and it won't let me unlock the home screen – and they all want their contracts cancelled and their money back.

Suppose someone finds a way to steal your fingerprints from the iPhone 5S and use them to authenticate their own purchases, fraudulently. It's not as though you can just go out and get a new set of fingerprints ...

That's not a disaster for Apple alone.

What will the news footage of those queues do for US-VISIT, the US border control system that relies on fingerprint recognition? What will it do for Aadhaar, the Indian identity management scheme that ditto? What will it do for Safran's share price? What will it do for payments systems which rely on fingerprint recognition to authenticate transactions?

Sweaty fingers and scared eyes. It's in their DNA. That's the evolutionary response that will be shared by all the owners with a horse in the Apple Stakes.

If the fingerprint technology is up to the job and can authenticate you as the legitimate user of this iPhone 5S, then it can also allow you to open the front door to your house. As the Wall Street Journal said in Apple's Latest iPhone Puts Focus Back on Fingerprint Security. Last word to them:
"If I go jogging with my iPhone and I come back to my house and my thumb is all sweaty and I can't get in my apartment door, that would kind of suck".

Tuesday 10 September 2013

Edward Snowden – déjà vu all over again

Come to think of it, this debate about the security services having cracked all our codes is not entirely new.

For what it's worth, back in August 2010, on the No2ID forum, we were discussing the latest revelations about BlackBerry mobile phones. Someone posted the following extracts from a Nic Fildes article in the Times newspaper, BlackBerry ‘near deal to open messages to Saudis’. The debate remains relevant three years later:
The makers of BlackBerry mobile phones appear to have backed down in the face of demands from Saudi Arabia to allow the state to monitor messages sent on its devices ...

The Saudi-backed television station Al-Arabiya quoted unnamed sources as saying RIM [Research In Motion, the people behind the BlackBerry] had agreed in principle to grant the Saudi authorities access to its messages.

Bandar al-Mohammed, of the Saudi Communications and Information Technology Commission, said RIM had expressed its “intention…to place a server inside Saudi Arabia”, allowing the kingdom to inspect communications and data exchanged between BlackBerry handsets ...

The United Arab Emirates intends to ban BlackBerry e-mail, messaging and web browsing on October 11 ...

The company then issued a statement on Thursday denying that it had already allowed some governments access to BlackBerry data.

The US and Canadian governments have also offered to hold talks with countries concerned about the security implications of BlackBerry usage.
Not just Saudi Arabia, but the UAE, too, and India and Indonesia and France – it seemed as if no country would allow people to use BlackBerrys until its security services had found out how to listen in. There are obvious implications for industrial and other espionage.

Then Justin found a Babbage article in the Economist magazine, Spies, secrets and smart-phones, and someone posted this, adding a reference to Sir Richard Dearlove, the former head of MI6 ...
From the Economist article usefully brought to our attention by Justin:
A security pundit interviewed on BBC television's "Newsnight" a few days ago speculated that the American authorities are only pretending when they claim they still can't tap into Skype calls. This was then put to Lord West, a former British security minister. His response was fascinating:
When I come on a programme like this I'm always very nervous, ‘cos I know so much. And also people…don’t necessarily always tell the truth. That sounds an awful thing to say but do you want anyone to know that you can get into very high-encrypted stuff? No, you can say "we don’t, we can’t do it".
He then went on to say how "mind-boggling" are the capabilities of America's National Security Agency and its British counterpart, GCHQ. To this blogger, that sounded like: "Yes of course we can hack Skype calls and all the rest, but we have to pretend we can't".
Lord West is not the only one playing this game. At 9.30 a.m. on Saturday 26 September 2009 Sir Richard Dearlove lectured several hundred of us on the security risks the world faces and the international response [p.15]. At one point he said that there are many good encryption systems available but maybe "we" have cracked them. (I paraphrase.) (Andrew Watson turned out to be at the lecture, too – Andrew, can you confirm this is at least roughly right?)

Let's take it, from Sir Richard's lecture and Lord West's appearance on Newsnight, that the commonly available encryption systems are a busted flush. So what?

The implications are legion.

One of them is that part of the case for long periods of detention without charge [remember Admiral Lord West, the once court-martialled and then reinstated "simple sailor"] collapses. That case is based on the large number of computer files that often have to be checked for evidence and on the difficulty of deciphering them. If that difficulty doesn't exist, ... etc.
... followed by wise words from Andrew Watson:
I have to admit that I don't remember what he said on that topic - having lived through all the fuss surrounding PGP export from the USA in the 90s [see Phil Zimmermann, Why I wrote PGP, pp.227-31], I'm afraid I tend to tune-out speculation about whether the NSA can or cannot read any particular form of encryption. I agree that there doesn't seem to be any publicly-available hard data on this point, and one can spend a lifetime speculating about the possibilities for bluff, double-bluff, triple-bluff etc by those who may know but aren't telling.

Here's the one bit of hard data I have seen recently -

http://www.theregister.co.uk/2010/06/28 ... _lock_out/

... but again, one could speculate that the NSA could break this crypto if they wanted to, but choose not to release this information to the FBI for fear of revealing the secret (etc, etc).
That ElReg article referred to by Andrew, Brazilian banker's crypto baffles FBI, is all about TrueCrypt, the open source encryption facility which was exercising Mydex the other day, "Waaaaat? A backdoor is available for truecrypt too?".

Mydex, and the rest of us – we're all exercised by the Edward Snowden revelations that began on 6 June 2013.

In the atmosphere of "bluff, double-bluff, triple-bluff etc" we're not going to get any sensible answers.

So here's a flippant point.

England staged its revolution over a century before the Americans and the French got round to holding theirs. Edward Snowden was beaten to it by Sir Richard and Lord West by three or four years. Late again!
