Age Verification Using Facial Scans

Discord is testing the feature:

“We’re currently running tests in select regions to age-gate access to certain spaces or user settings,” a spokesperson for Discord said in a statement. “The information shared to power the age verification method is only used for the one-time age verification process and is not stored by Discord or our vendor. For Face Scan, the solution our vendor uses operates on-device, which means there is no collection of any biometric information when you scan your face. For ID verification, the scan of your ID is deleted upon verification.”

I look forward to all the videos of people hacking this system using various disguises.

Posted on April 17, 2025 at 12:38 PM • 21 Comments

Comments

Bilateralrope April 17, 2025 12:44 PM

No need for disguises. Teenagers just need to point their phone at an adult when they hit the step that needs verification.

But that’s not going to stop people from trying every way they can think of to beat this.

Cigaes April 17, 2025 2:00 PM

Oh great, another app that will refuse to run on a phone we really own (i.e. a rooted one).

ratwithahat April 17, 2025 3:02 PM

Very skeptical that this will work enough that it would be implemented large scale. Some people just look young, and some people just look old. Face-based age-estimation just isn’t accurate enough.

More worrying is their mention of ID verification, which is more likely to go through. They claim that the ID scan would be “deleted on verification” but I’m pretty doubtful.

Clive Robinson April 17, 2025 4:50 PM

@ ALL,

Let’s be honest nobody really cares if it works or not, or how accurate it is.

Its reason to exist is to satisfy the Muppets employed by Brainless Politicians, to keep some vocal faux-parents and conservative nut-jobs happy.

Why am I saying this?

Because if humans with 20-20 vision can not tell the age of another human standing three feet in front of them with any great accuracy… Then how the heck do people think a computer can do it?

The simple fact is the legislation has three purposes,

1, Shut up annoying people who don’t have a clue but do know how to create noise.
2, Act as a way of raising significant revenue by way of fines.
3, A backdoor way to carry out censorship.

@ Bruce, ALL,

With regards,

“I look forward to all the videos of people hacking this system using various disguises.”

You will need a very large barrel full of popcorn for that 😉

BUT I doubt that will be the way it gets cracked.

Note the,

“For Face Scan, the solution our vendor uses operates on-device, which means there is no collection of any biometric information when you scan your face.”

This is in effect a poor man’s version of “See What You See”(SWYS) “client side scanning” on the user device.

A little bird on my shoulder is telling me it will be “full of juicy bugs” just waiting to be hooked for a new form of fish baiting 😉

MrSmith April 17, 2025 5:24 PM

Video or picture? One picture or many? Can you just point it at a magazine photo? Or at the guy next to me on the bus?

Just Me April 17, 2025 5:55 PM

It all depends on how you train your phone’s camera. It depends on what you feed it initially, during the first setup. Have a T-Shirt with Bob Dylan on it and use that to access your phone, to unlock it, I think Bob looks a lot over 18 so you should even be able to access all Pr0n (“adult”) sites as well, as an added bonus.

they want to MARK US ALL April 17, 2025 8:03 PM

“I look forward to all the videos of people hacking this system using various disguises.”

Just take a randomly generated adult pic from here:

https://thispersondoesnotexist.com/

and print it out and hold it up. How that be? Endless opportunities.

Today they want a face, tomorrow, your soul.

ResearcherZero April 18, 2025 1:46 AM

Aggh! Some children are coming to get me! With water pistols, lolly pops and drool.

Oh. They are just after the ice cream truck. False alarm.

@ALL, Clive

But seriously, electronic measures are just an easy way for politicians and the police to avoid the real work of investigation, properly collecting and securing physical evidence, properly equipping police stations with actual criminal psychologists and people properly trained in solving crime and with the ability to talk to people in a constructive manner.

The politicians do not even care about public safety. They claim that they have to remain independent of the legal system, apart from when it suits them not to be. Like when they start blabbering about criminals, terrorists and “youth crime”.

Any progress that had been made on reducing crime and public safety will now be reversed.

There will be extra mold in the courthouse roof. The buildings will be both physically and metaphorically rotting, as the funding is cut back and the prosecutors office (DA) is stacked with Yes Men and crooks. The mayor and the police chief will also be crooks.

On Feb. 14, 2025 Adams appears on “Fox and Friends” and claims there was “no quid pro quo”

Was it a coincidence the law on foreign bribery was paused ?

https://abcnews.go.com/Politics/eric-adams-federal-bribery-case-timeline/story?id=118824842

(The mayor actually is a crook and a former police captain)
https://www.usatoday.com/story/news/politics/2024/09/26/eric-adams-raid-indictment/75390007007/

Clive Robinson April 18, 2025 2:01 AM

@ ratwithahat,

Your point of,

“More worrying is their mention of ID verification, which is more likely to go through. They claim that the ID scan would be “deleted on verification” but I’m pretty doubtful.”

It’s claimed in the article that the ID scan is “alternatively”,

“The app will ask users to scan their face through a computer or smartphone webcam; alternatively, they can scan a driver’s license or other form of ID.”

Which begs the question what causes the software to switch from age guessing to ID-Checking and if it can be pre-adjusted in some way by “an external entity” like say “law enforcement”…

Why? Because we know that both the UK and Australian “Law Enforcement Authorities” and several other Nations set up and ran “encrypted phone systems”. That the LEAs had backdoored, to be sold/rented to anyone with sufficient money…

On basically the assumption that,

“A desire for secrecy and the money to pay for it”

Automatically made you a criminal…

And by default all your communications were recorded as evidence to that assumption. And I’m assuming by the way it was deliberately done unlawfully with “EncroChat” phones in the UK the records are still kept in France or another European Nation that was involved (I’ve mentioned my reasons for this “qualified” opinion here in the past).

So… let’s spin it on its head. The public message is that the “images” of the users face and ID Document stay on device. So users might believe that is their mobile phone (it probably won’t be for various reasons).

Now think about not the “image data” but the Meta-Data created when assessing the images such as “facial recognition points” and “optical character recognition text” what happens to those?

The likes of Meta have spent probably billions in Image Identification to tie a real user ID to communications because it significantly enhances the value of the “users Private Data” they sell on to “Data Brokers” and the like.

Does anyone think that LEA’s would not salivate at doing the same to identify “Persons of Interest”?

Without caring if it was lawful or not EncroChat shows beyond doubt that the “Might is right” “The means justify the results” mentality is let’s just say “overly strong” in some who have due to their unlawful acts been awarded with “British Honours”…

Thus I suspect it will not be long before someone “gets lent on” to put in the equivalent of a CALEA interface / backdoor, but again without it being lawful.

Because,

1, Might is right.
2, The means justifies the ends.
3, The “nothing to hide” fallacy.

And several other sociopathic arguments to “Do any damn thing they want to”

As Upton Sinclair observed over a hundred years ago,

“Not merely was my own mail opened, but the mail of all my relatives and friends — people residing in places as far apart as California and Florida. I recall the bland smile of a government official to whom I complained about this matter: “If you have nothing to hide you have nothing to fear.” My answer was that a study of many labor cases had taught me the methods of the agent provocateur. He is quite willing to take real evidence if he can find it; but if not, he has familiarized himself with the affairs of his victim, and can make evidence which will be convincing when exploited by the yellow press.”

Which he probably found to his shock made the now famous quote attributed to “Cardinal Richelieu” true,

“Give me six lines written by the hand of the most honest of men, and I’ll find enough within to hang him.”

If people think this can not or will not happen then “I’ve a nice bridge to sell them”.

ResearcherZero April 18, 2025 2:04 AM

You do not need services like Discord. You can just host your own services and your own VPN, DNS and admin your own channels. Then only let in the people you want.

You can even do this on Windows if you want that stuff for gaming. It then runs separately from what ever crappy services that those gaming platforms run. Choose your own codecs, sample rates and control all the user permissions etc. Boot weirdos when you like and have separate private channels for admins and selected users. More safe and secure.

Clive Robinson April 18, 2025 3:31 AM

@ ResearcherZero, ALL,

With regards,

“You do not need services like Discord”

True, you can “roll your own” it’s what we used to do back in the last two decades of the last century when I was just “a little bit” more than a lad.

But using an off-the-shelf app has certain advantages, such as it’s a few clicks to install, and people are often already familiar with its interface quirks.

Back in the 1980’s I spent nearly three years in my “spare time” developing a codec to digitise voice to encrypt it at a low enough bit rate that it could be sent across a telephone modem at “Bell Standard” rates or more importantly across an HF Radio link.

All I really got out of it was a significant mistrust for the NSA developed “Code Excited Linear Prediction”(CELP) algorithms.

Put simply recognisable human speech has an information rate down below 50bits/second,

https://sps.ewi.tudelft.nl/pubs/hendriks17icassp.pdf

It’s also continuous in nature in that there is natural “Inter Symbol Interference”(ISI) where symbols of information overlap each other (say “pine” then “spine” alternately to hear it you will find the “s” affects the “ne” word ending softening it). If you take the digitised output from the CELP encoder you should in theory be able to convert it back to audio tones to go across an ordinary HF Radio link and in practice you can. However now “randomise by encryption” the CELP encoder output and try to convert it back to audio tones for that 2.5KHz audio bandwidth it just does not want to play.

I won’t say CELP is the worst possible voice codec to do secure speech with but it must be high on the list. I eventually went with a form of vocoder and ROM based table look up ISI on the encrypted encoder output which obviously pushed the transmitted symbol rate up… Which meant other changes along the chain.

It feels like CELP was deliberately designed so you could not encrypt it easily…

As it says in the abstract of the 2017 paper I link to above written a decade and a half after I’d tried to “roll my own”,

“The key to the success of speech-based technology is an understanding of human speech communication. While significant advances have been made, a unified theory of speech communication that is both comprehensive and quantitative is yet to emerge.”

A point worth remembering if you want to “roll your own” even today…

ResearcherZero April 18, 2025 5:21 AM

AI personas deployed to entrap the unwitting on social media.

https://www.wired.com/story/massive-blue-overwatch-ai-personas-police-suspects/

ResearcherZero April 18, 2025 5:30 AM

@Clive Robinson

The old ways still remain the best even after all this time, as they work.

Low enough bit rate to encrypt voice is still important today. Even with the high speeds of modern internet, performance is still very important and many of the solutions available are not great. Plus if anyone receiving is not well set up – exposed – it is pointless.

5G brings some benefits by encrypting identifiers, but again it is far from foolproof.

mi & yu April 18, 2025 9:15 AM

“the age verification method is only used for the one-time age verification process and is not stored by Discord or our vendor”

5 years later:
“Hackers released data from face scans after hacking a Discord vendor. Discord admits to having been less than truthful when stating that the data was not stored.”

Opesky April 18, 2025 7:32 PM

This is actually quite scary, Discord deserves to just die off. I miss the days of team speak and IRC. Back when things were simple and didn’t rely on centralized platforms. Yesterday they asked for a phone number, today they ask for ID, now what’s next?

Furthermore age gating platforms will make children go to more dangerous parts of the internet. If age verification is required for all legal platforms then kids will just go to illegal platforms and get groomed there. Plus illegal platforms where kids are allowed on won’t comply with law enforcement making more children in danger.

Clive Robinson April 19, 2025 4:20 AM

@ Opesky,

You asked,

“Yesterday they asked for a phone number, today they ask for ID, now what’s next?”

Ask your Government.

The purpose is not “age verification” but “digital branding”[1].

A necessary step in life long identifying an individual for the purpose of control or stigmatisation.

In effect giving them a mandatory unique life long record identifier.

The process was in democratic nations a method of keeping track of payments into a Government run “Social Security fund” used to make payments for disability, healthcare, pension, unemployment, or other compensation. A way of making basic,

“Humane provision for all national citizens.”

In less democratic nations the purpose was less benign and was a,

“Compulsory to carry National ID Card.”

Which quickly became associated with a “Papers Pleaze” proto police state or worse. Having to be produced where ever you went at any time.

In more Authoritarian States it was used not for “Humane Provision” but “Inhumane Prosecution” of discriminatory policy.

In Fascist States additionally people of designated groups were required to wear at all times a clearly visible “Group Identifier”. Those with authority had an item of clothing such as a red or brown shirt through to an entire uniform. Those in persecuted groups were required to wear a large easily seen board, badge or bright colored cloth symbol on their person. Historically such groups were religious or ethnic minorities subject to mandatory taxing or restrictions.

But prior even to this going back into antiquity, it was a way to designate social status in a class system. Your status was assigned to you from your parentage status. Known as the “Estates Of Man” there were three or four levels that had rights of fealty over lower estates that had a duty of homage to all higher estates. Most had no rights and were “tied to the land” and the lord of that land from birth until death. Usually you were placed in the lower status of either sire or dam. Thus the system was designed as a “closed stud book” breeding or “blood lineage” system to control the title to land and labour thus power. Unfortunately as with all inbreeding systems it had genetic disadvantages.

But certain people actually think such “status systems” are desirable because they foolishly fantasize about being “High Status”.

Unfortunately such idiocy does not stop them gaining “Political Power” and making laws to enforce such inhumane systems for what they claim is “The common good”.

Usually such systems are broken by one or both of,

1, Pestilent epidemic (plague).
2, Insurrection from without or within (war).

Both of which were often preceded by “famine” caused by what these days we would call a “natural disaster” or “bad policy” giving rise to an “economic downturn”, “recession” and the likes of “hyperinflation”.

Because as once astutely observed,

“If you can not pay, you can not play, so a loser you will be.”

So in the modern world it is the politicians no matter how selected or self appointed that decides the answer to not just the question you ask, just remember though the story of “King Herod and the massacre of the innocents”[2]… Such things still happen in the modern world where we call it “ethnic cleansing” or just plain “Genocide”.

[1] BRANDING : noun
1 – Process in which a mark, usually a symbol or ornamental pattern, is burned into the skin of a living person or animal to indicate ownership

2 – The act of stigmatizing a person or group.

3 – Process of creating a unique identity for a product, organization, or individual by associating it with specific names, designs, symbols, and qualities that distinguish it from others for the purpose of trade.

So take your pick they are all common practice even today. Whilst we might not use branding irons we have “gang tattoos” and similar tribal markings. So like everything else making it “digital” is a logical step. Some people even tattoo QR or bar codes on themselves as “body art that is function over form”.

[2] The various “coming for the first born son” or “infant sons” stories are many not just in the bible. Because they are probably based on fact that has suffered the fate of “Chinese Whispers” in the multiple retellings of auditory record. One of the main reasons we have reason to believe they are fact based is that first sons were the inheritors of status, land, thus familial power as the next lord of the manor and upwards to the country as king. And it’s known from near contemporaneous surviving written record that Herod killed at least three male children in his own family to protect his position. He was not the first and certainly not the last to do this right into the middle ages and beyond.

One story in the bible is about the god of the Israelites visiting plagues on Egypt of which the Tenth Plague was “Death of the Firstborn” (Exodus 12:29). Whilst the cause is a myth such plagues did happen and were caused by “natural disasters” such as torrential rain and flooding up stream causing “wash down” and similar. The question of “why first born” is explained by food. As the inheritor of the family the first born received preferential treatment to all women and other children and in times of hardship even the father. So in times of shortage they would get the best and sufficient food whilst the other children would not. Thus contaminated food taken from poor storage –see ergot fungus and similar– or livestock would affect the first born more than the others. So why not the Israelite first born? Well you can put that down to cloven hoof herbivores v feral omnivore pigs and food customs. Pigs will eat just about anything including early rotting corpses and human waste, thus like rats they are primary disease vectors. Israelites by custom did not eat pigs thus any disease the feral pig population had would not be passed onto them, but would to those that did eat them. So Israelite first born would not be infected whilst those that did consume the flesh of the swine would, and as the first born would have eaten a share of any swine flesh, shortages would have meant the other children and even the adults probably would not have.

Peter A. April 22, 2025 7:47 AM

@All re: go back to IRC.

I have noted that many ‘acceptable use policies’ of various computing resources providers expressly forbid using or even installing not only IRC servers (a marginally justifiable clause as a popular server could put a considerable load on network resources – but on the other hand using more makes one pay more so why not take that money?) but also IRC clients. The acronym has become something like a curse word, or a stigma. Something of an irrational notion of “only [bad people of some sort] have/use [some tool]”. There were some cases in the past when I needed to contact a person I knew sits on IRC all the time and I had to speak raw IRC protocol by hand (using telnet, netcat[1] etc.), because there was no IRC client. Today, only a few remote Finnish acquaintances of mine still camp there…

It is just somewhat interesting and curious, why seemingly technical people and companies enforce such superstitions… I know IRC was used to spread/control some malware and thus got some bad press, but almost every protocol has been…

[1] Similarly, I once got flagged for having netcat installed (as a part of a greater software package) – because it was considered “a hacker’s tool”.[2] For explanation, netcat is a simple program that just shoves data from source to destination, whatever it is – a file on disk, a network connection of any sort, keyboard and screen, input or output of another program etc. This kind of nonsense is, unfortunately, widespread: that people having basic tools and skills to use them are “dangerous”, because they “can do anything” with them.[3]

[2] I had to remove netcat that does one specific thing as a piece of software, but I got to keep the C/C++ compiler which I could use to produce ANY software that can do ANYTHING… go figure.

[3] This is sometimes blown completely out of proportions and sense – at one workplace I was forbidden to carry a pocket knife past the gates “for security”, but once inside I had a whole workshop full of sharp implements and power tools at my disposal…

Leslie April 22, 2025 5:44 PM

Well, I don’t use my phone for apps, just for calling other people, so I suppose that my access to Discord will disappear, since I have (and will not have) a camera on my desktop computer. Thanks, Discord.

ResearcherZero April 29, 2025 3:18 AM

@Code of Conduck, Peter A.

IRC servers are full of cops monitoring criminal cyber activity and foreign spies tasking teenagers who naively believe they are part of a cool underground hacking community. Once the spooks are finished using those kids to obtain what they want, they ‘burn’ them.

A significant portion of ransomware and intrusion campaigns are overseen by operatives for foreign governments and some are even conducted by groups working directly for them.
