Entries Tagged "cameras"
Page 6 of 20
Not a lot of details:
ElcomSoft research shows that image metadata and image data are processed independently with a SHA-1 hash function. There are two 160-bit hash values produced, which are later encrypted with a secret (private) key by using an asymmetric RSA-1024 algorithm to create a digital signature. Two 1024-bit (128-byte) signatures are stored in EXIF MakerNote tag 0×0097 (Color Balance).
During validation, Nikon Image Authentication Software calculates two SHA-1 hashes from the same data, and uses the public key to verify the signature by decrypting stored values and comparing the result with newly calculated hash values.
The ultimate vulnerability is that the private (should-be-secret) cryptographic key is handled inappropriately, and can be extracted from camera. After obtaining the private key, it is possible to generate a digital signature value for any image, thus forging the Image Authentication System.
Canon’s system is just as bad, by the way.
Fifteen years ago, I co-authored a paper on the problem. The idea was to use a hash chain to better deal with the possibility of a secret-key compromise.
Increasingly, chains of evidence include software steps. It’s not just the RIAA suing people — and getting it wrong — based on automatic systems to detect and identify file sharers. It’s forensic programs used to collect and analyze data from computers and smart phones. It’s audit logs saved and stored by ISPs and websites. It’s location data from cell phones. It’s e-mails and IMs and comments posted to social networking sites. It’s tallies from digital voting machines. It’s images and meta-data from surveillance cameras. The list goes on and on. We in the security field know the risks associated with trusting digital data, but this evidence is routinely assumed by courts to be accurate.
Sergey Bratus is starting to look at this problem. His paper, written with Ashlyn Lembree and Anna Shubina, is “Software on the Witness Stand: What Should it Take for Us to Trust it?”
We discuss the growing trend of electronic evidence, created automatically by autonomously running software, being used in both civil and criminal court cases. We discuss trustworthiness requirements that we believe should be applied to such software and platforms it runs on. We show that courts tend to regard computer-generated materials as inherently trustworthy evidence, ignoring many software and platform trustworthiness problems well known to computer security researchers. We outline the technical challenges in making evidence-generating software trustworthy and the role Trusted Computing can play in addressing them.
From a presentation he gave on the subject:
Constitutionally, criminal defendants have the right to confront accusers. If software is the accusing agent, what should the defendant be entitled to under the Confrontation Clause?
Witnesses are sworn in and cross-examined to expose biases & conflicts — what about software as a witness?
This is a clever development in ATM skimming technology. It’s a skimmer that attaches to the ATM-room door lock, not the ATM itself. Combined with a hidden camera, it’s an ATM skimmer that requires no modification to the ATM.
The Seattle man who refused to show ID to the TSA and recorded the whole incident has been cleared of all charges:
[The jury] returned not guilty verdicts for charges that included concealing his identity, refusing to obey a lawful order, trespassing, and disorderly conduct.
Papers, Please! says the acquittal proves what TSA critics have said all along: That checkpoint staff have no police powers, that contrary to TSA claims, passengers have the right to fly without providing ID, and yes, passengers are free to video record checkpoints as long as images on screening monitors aren’t captured.
“Annoying the TSA is not a crime,” the blog post states. “Photography is not a crime. You have the right to fly without ID, and to photograph, film, and record what happens.”
And a recent Dilbert is about the TSA.
EDITED TO ADD (1/10): Details and links.
It’s amazing how many security cameras are on the Internet, accessible by anyone.
And it’s not just for viewing; a lot of these cameras can be reprogrammed by anyone.
Watch the video.
What valuable security lessons does this teach?
EDITED TO ADD (1/3): And why aren’t the polar bears destroying the hidden cameras that are filming the polar bears destroying the hidden cameras?
EDITED TO ADD (1/13): Sadly, the BBC has taken the video down on copyright grounds.
Last week, Metro Transit Police received a report from a rider about suspicious behavior at the L’Enfant Plaza station and on an Orange Line train to Vienna.
The rider told Metro he saw two men acting suspiciously and videotaping platforms, trains and riders.
“The men, according to the citizen report, were trying to be inconspicuous, holding the cameras at their sides,” Metro spokesman Steven Taubenkibel says.
The rider was able to photograph the men who were videotaping and sent the photo to Metro Transit Police.
I assume the rider took that photo inconspicuously, too, which means that he’s now suspicious.
How will this all end?
EDITED TO ADD (12/27): In the comments I was asked about reconciling good profiling with this sort of knee-jerk photography=suspicious nonsense. It’s complicated, and I wrote about it here in 2007. This, from 2004, is also relevant.
I’ve written a lot on the “War on Photography,” where normal people are harassed as potential terrorists for taking pictures of things in public. This article is different; it’s about recording the police:
Allison’s predicament is an extreme example of a growing and disturbing trend. As citizens increase their scrutiny of law enforcement officials through technologies such as cell phones, miniature cameras, and devices that wirelessly connect to video-sharing sites such as YouTube and LiveLeak, the cops are increasingly fighting back with force and even jail time — and not just in Illinois. Police across the country are using decades-old wiretapping statutes that did not anticipate iPhones or Droids, combined with broadly written laws against obstructing or interfering with law enforcement, to arrest people who point microphones or video cameras at them. Even in the wake of gross injustices, state legislatures have largely neglected the issue. Meanwhile, technology is enabling the kind of widely distributed citizen documentation that until recently only spy novelists dreamed of. The result is a legal mess of outdated, loosely interpreted statutes and piecemeal court opinions that leave both cops and citizens unsure of when recording becomes a crime.
This is all important. Being able to record the police is one of the best ways to ensure that the police are held accountable for their actions. Privacy has to be viewed in the context of relative power. For example, the government has a lot more power than the people. So privacy for the government increases their power and increases the power imbalance between government and the people; it decreases liberty. Forced openness in government — open government laws, Freedom of Information Act filings, the recording of police officers and other government officials, WikiLeaks — reduces the power imbalance between government and the people, and increases liberty.
Privacy for the people increases their power. It also increases liberty, because it reduces the power imbalance between government and the people. Forced openness in the people — NSA monitoring of everyone’s phone calls and e-mails, the DOJ monitoring everyone’s credit card transactions, surveillance cameras — decreases liberty.
I think we need a law that explicitly makes it legal for people to record government officials when they are interacting with them in their official capacity. And this is doubly true for police officers and other law enforcement officials.
EDITED TO ADD: Anthony Graber, the Maryland motorcyclist in the article, had all the wiretapping charges cleared.
Sex attack caught on camera.
Hamilton police have arrested two men after a sex attack on a woman early today was caught on the city’s closed circuit television (CCTV) cameras.
CCTV operators contacted police when they became concerned about the safety of a woman outside an apartment block near the intersection of Victoria and Collingwood streets about 5am today.
Remember, though, that the test for whether the surveillance cameras are worth it is whether or not this crime would have been solved without them. That is, were the cameras necessary for arrest or conviction?
EDITED TO ADD (12/17): When I wrote “remember, though, that the test for whether the surveillance cameras are worth it is whether or not this crime would have been solved without them,” I was being sloppy. That’s the test as to whether or not they had any value in this case.
Sidebar photo of Bruce Schneier by Joe MacInnis.