Entries Tagged "identification"


Federated Authentication

New paper by Ross Anderson: “Can We Fix the Security Economics of Federated Authentication?”:

There has been much academic discussion of federated authentication, and quite some political manoeuvring about ‘e-ID’. The grand vision, which has been around for years in various forms but was recently articulated in the US National Strategy for Trustworthy Identities in Cyberspace (NSTIC), is that a single logon should work everywhere [1]. You should be able to use your identity provider of choice to log on anywhere; so you might use your driver’s license to log on to Gmail, or use your Facebook logon to file your tax return. More restricted versions include the vision of governments of places like Estonia and Germany (and until May 2010 the UK) that a government-issued identity card should serve as a universal logon. Yet few systems have been fielded at any scale.

In this paper I will briefly discuss the four existing examples we have of federated authentication, and then go on to discuss a much larger, looming problem. If the world embraces the Apple vision of your mobile phone becoming your universal authentication device – so that your phone contains half-a-dozen credit cards, a couple of gift cards, a dozen coupons and vouchers, your AA card, your student card and your driving license, how will we manage all this? A useful topic for initial discussion, I argue, is revocation. Such a phone will become a target for bad guys, both old and new. What happens when someone takes your phone off you at knifepoint, or when it gets infested with malware? Who do you call, and what will they do to make the world right once more?

Blog post.

Posted on March 29, 2011 at 6:43 AM

Using Language Patterns to Identify Anonymous E-Mail

Interesting research. It only works when there’s a limited number of potential authors:

To test the accuracy of their technique, Fung and his colleagues examined the Enron Email Dataset, a collection which contains over 200,000 real-life emails from 158 employees of the Enron Corporation. Using a sample of 10 emails written by each of 10 subjects (100 emails in all), they were able to identify authorship with an accuracy of 80% to 90%.

Posted on March 14, 2011 at 5:04 AM

REAL-ID Implementation

According to this study, REAL-ID has not only been cheaper to implement than the states estimated, but also helpful in reducing fraud.

States are finding that implementation of the 2005 REAL ID Act is much easier and less expensive than previously thought, and is a significant factor in reducing fraud. In cases like Indiana, REAL ID has significantly improved customer satisfaction, resulting in that state receiving AAMVA’s “customer satisfaction” award of the year. This is not just a win-win for national and economic security, but a win (less expensive)-win (doable)-win (fraud reduction)-win (improved customer satisfaction) for federal and state governments as well as individuals.

Moreover, 11 states are already in full compliance, well ahead of the May 2011 deadline for the 18 benchmarks. Another eight are close behind. Some states, like Delaware and Maryland, have achieved REAL ID compliance within a year. Washington State refuses REAL ID compliance, but has already implemented the most difficult benchmarks.

Perhaps most astonishing is that from the cost numbers currently available, it looks like implementation of the 18 REAL ID benchmarks in all the states may end up costing somewhere between $350 million and $750 million, significantly less than the $1 billion projected by those still seeking to change the law.

Legal presence is being checked in all but two states, up 28 states from 2006. Only Washington and New Mexico still do not require legal presence to obtain a license, but Washington so significantly upgraded its license issuance in 2010 that the fraudulent attempts to garner licenses in that state are now significantly reduced. Every state is now checking Social Security numbers.

This might be the first government IT project ever that came in under initial cost estimates. Perhaps the reason is that the states did not want to implement REAL-ID in 2005, so they overstated the costs.

As to fraud reduction—I’m not so sure. As the difficulty of getting a fraudulent ID increases, so does its value. I think we’ll have to wait a while longer and see how criminals adapt.

EDITED TO ADD (2/11): CATO’s Jim Harper argues that this report does not show that implementing the national ID program envisioned in the national ID law is a cost-effective success. It only assesses compliance with certain DHS-invented “benchmarks” related to REAL ID, and does so in a way that skews the results.

Posted on January 25, 2011 at 6:16 AM

The Mahmoud al-Mabhouh Assassination

Remember the Mahmoud al-Mabhouh assassination last January? The police identified 30 suspects, but haven’t been able to find any of them.

Police spent about 10,000 hours poring over footage from some 1,500 security cameras around Dubai. Using face-recognition software, electronic-payment records, receipts and interviews with taxi drivers and hotel staff, they put together a list of suspects and publicized it.

Seems ubiquitous electronic surveillance is no match for a sufficiently advanced adversary.

Posted on October 12, 2010 at 6:12 AM

Misidentification and the Court System

Chilling:

How do most wrongful convictions come about?

The primary cause is mistaken identification. Actually, I wouldn’t call it mistaken identification; I’d call it misidentification, because you often find that there was some sort of misconduct by the police. In a lot of cases, the victim initially wasn’t so sure. And then the police say, “Oh, no, you got the right guy. In fact, we think he’s done two others that we just couldn’t get him for.” Or: “Yup, that’s who we thought it was all along, great call.”

It’s disturbing that misidentifications still play such a large role in wrongful convictions, given that we’ve known about the fallibility of eyewitness testimony for over a century.

In terms of empirical studies, that’s right. And 30 or 40 years ago, the Supreme Court acknowledged that eyewitness identification is problematic and can lead to wrongful convictions. The trouble is, it instructed lower courts to determine the validity of eyewitness testimony based on a lot of factors that are irrelevant, like the certainty of the witness. But the certainty you express [in court] a year and a half later has nothing to do with how certain you felt two days after the event when you picked the photograph out of the array or picked the guy out of the lineup. You become more certain over time; that’s just the way the mind works. With the passage of time, your story becomes your reality. You get wedded to your own version.

And the police participate in this. They show the victim the same picture again and again to prepare her for the trial. So at a certain point you’re no longer remembering the event; you’re just remembering this picture that you keep seeing.

Posted on August 30, 2010 at 12:05 PM

Skeletal Identification

And you thought fingerprints were intrusive.

The Wright State Research Institute is developing a ground-breaking system that would scan the skeletal structures of people at airports, sports stadiums, theme parks and other public places that could be vulnerable to terrorist attacks, child abductions or other crimes. The images would then quickly be matched with potential suspects using a database of previously scanned skeletons.

Because every country has a database of terrorist skeletons just waiting to be used.

Posted on August 24, 2010 at 6:56 AM

Identifying People by their Bacteria

A potential new forensic:

To determine how similar a person’s fingertip bacteria are to bacteria left on computer keys, the team took swabs from three computer keyboards and compared bacterial gene sequences with those from the fingertips of the keyboard owners. Today in the Proceedings of the National Academy of Sciences, they conclude that enough bacteria can be collected from even small surfaces such as computer keys to link them with the hand that laid them down.

The researchers then tested how well such a technique could distinguish the person who left the bacteria from the general population. They sampled bacteria from nine computer mice and from the nine mouse owners. They also collected information on bacterial communities from 270 hands that had never touched any of the mice. In all nine cases, the bacteria on the mice were far more similar to the mouse-owners’ hands than to any of the 270 strange hands. The researchers also found that bacteria will persist on a computer key or mouse for up to 2 weeks after it has been handled.

Here’s a link to the abstract; the full paper is behind a paywall.

Posted on March 29, 2010 at 7:15 AM
