Entries Tagged "law enforcement"


More on Smell Samples

Earlier this month, I blogged about a library of people’s smells kept by the former East German police. Seems that the current German police are still doing it:

The Stasi secret police used scent gathering in Communist East Germany, collecting smells in empty jam jars and storing them. The method has reminded Germans of that failed regime of snoopers, and was highlighted in the recent Oscar-winning film “The Lives of Others” about a Stasi surveillance officer.

The domestic policy spokesman for the Social Democrat Party, Dieter Wiefelspütz, finds the new weapon “pretty bizarre.” But he knows that unappetising though it may be, the method has been employed by German investigators for a long time.

In legal terms, recording someone’s body odour is no different than taking their finger prints. It’s covered by the criminal statute book. The scent contains a person’s identity just like the lines of his finger tips or his DNA.

Taking someone’s DNA is subject to strict conditions but the law permits finger printing and scent recording whenever police deem it necessary as part of a criminal investigation—which means virtually always. Erhard Denninger, an expert on Germany’s justice system, has no problem with scent analysis. “It’s harmless by comparison with sledgehammer plans like searching people’s computers,” he said.

Suspects are told to hold several 10 centimeter steel pipes in succession for several minutes each.

There are strict rules governing this procedure. The interior minister of the state of North Rhine-Westphalia has decreed that “persons must contaminate the metal tubes through their hands”, and that the aromatic traces thereby recorded “be secured in glass containers in dry condition.”

It sounds harmless. But a number of defence lawyers, Düsseldorf-based Udo Vetter among them, advise their clients not to agree to scent recording. If the state sniffs the sweat of its citizens, it amounts to a “considerable intrusion into one’s intimate sphere,” he says.

The complexity of collecting someone’s scent is the theme of Patrick Süskind’s novel “Perfume”, recently made into a movie, in which an 18th century murderer wraps beautiful women in cloths which he later boils. Unlike in real life, the perfume specialist chose to kill his victims before taking their scent.

Posted on August 1, 2007 at 2:05 PM

More Forged Credentials

I’ve written about forged credentials before, and how hard a problem it is to solve. Here’s another story illustrating the problem:

In an apparent violation of the law, a controversial aide to ex-Gov. Mitt Romney created phony law enforcement badges that he and other staffers used on the campaign trail to strong-arm reporters, avoid paying tolls and trick security guards into giving them immediate access to campaign venues, sources told the Herald.

When faced with a badge, most people assume it’s legitimate. And even if they wanted to verify the badge, there’s no real way for them to do so.

Posted on July 20, 2007 at 1:37 PM

Federal Agents Using Spyware

U.S. drug enforcement agents use key loggers to bypass both PGP and Hushmail encryption:

An agent with the Drug Enforcement Administration persuaded a federal judge to authorize him to sneak into an Escondido, Calif., office believed to be a front for manufacturing the drug MDMA, or Ecstasy. The DEA received permission to copy the hard drives’ contents and inject a keystroke logger into the computers.

That was necessary, according to DEA Agent Greg Coffey, because the suspects were using PGP and the encrypted Web e-mail service Hushmail.com. Coffey asserted that the DEA needed “real-time and meaningful access” to “monitor the keystrokes” for PGP and Hushmail passphrases.

And the FBI used spyware to monitor someone suspected of making bomb threats:

In an affidavit seeking a search warrant to use the software, filed last month in U.S. District Court in the Western District of Washington, FBI agent Norman Sanders describes the software as a “computer and internet protocol address verifier,” or CIPAV.

The full capabilities of the FBI’s “computer and internet protocol address verifier” are closely guarded secrets, but here’s some of the data the malware collects from a computer immediately after infiltrating it, according to a bureau affidavit acquired by Wired News.

  • IP address
  • MAC address of ethernet cards
  • A list of open TCP and UDP ports
  • A list of running programs
  • The operating system type, version and serial number
  • The default internet browser and version
  • The registered user of the operating system, and registered company name, if any
  • The current logged-in user name
  • The last visited URL

Once that data is gathered, the CIPAV begins secretly monitoring the computer’s internet use, logging every IP address to which the machine connects.

All that information is sent over the internet to an FBI computer in Virginia, likely located at the FBI’s technical laboratory in Quantico.

Sanders wrote that the spyware program gathers a wide range of information, including the computer’s IP address; MAC address; open ports; a list of running programs; the operating system type, version and serial number; preferred internet browser and version; the computer’s registered owner and registered company name; the current logged-in user name and the last-visited URL.

The CIPAV then settles into a silent “pen register” mode, in which it lurks on the target computer and monitors its internet use, logging the IP address of every computer to which the machine connects for up to 60 days.

Another article.

I’ve been saying this for a while: the easiest way to get at someone’s communications is not by intercepting them in transit, but by accessing them on the sender’s or recipient’s computers.

EDITED TO ADD (7/20): I should add that the police got a warrant in both cases. This is not a story about abuse of police power or surveillance without a warrant. This is a story about how the police conduct electronic surveillance, and how they bypass security technologies.

Posted on July 20, 2007 at 6:52 AM

Function Creep in London Congestion-Charge Cameras

In London (the system was built for road-fare collection, and is now being used for counterterrorism):

Police are to be given live access to London’s congestion charge cameras—allowing them to track all vehicles entering and leaving the zone.

Anti-terror officers will be exempted from parts of the Data Protection Act to allow them to see the date, time and location of vehicles in real time.

They previously had to apply for access on a case-by-case basis.

I’ll bet you anything that, soon after this data is used for antiterrorism purposes, more exceptions will be put in place for more routine police matters.

EDITED TO ADD (8/16): Well, that didn’t take long.

Posted on July 18, 2007 at 11:40 AM

Police Don't Overreact to Strange Object

It’s nice to post a positive story once in a while:

Is it a bird? Is it a bomb? No, it’s the missing ‘bot.

A robot dubbed Seahorse 1, which was stolen days before an international contest, has turned up in a field off Interstate 45 in Dallas.

“Somebody was mowing his grandmother’s yard and thought it was a bomb,” said Nathan Huntoon, an engineering grad student and member of SMU’s robotics team.

The police were delivering the missing machine to SMU Monday afternoon. “We don’t know yet if it’s in working condition,” Mr. Huntoon said.

Sad that this feels like an exception.

Posted on July 11, 2007 at 6:20 AM

Story of the Greek Wiretapping Scandal

I’ve blogged a few times about the Greek wiretapping scandal. A system to allow the police to eavesdrop on conversations was abused (surprise, surprise).

Anyway, there’s a really good technical analysis in IEEE Spectrum this month.

On 9 March 2005, a 38-year-old Greek electrical engineer named Costas Tsalikidis was found hanged in his Athens loft apartment, an apparent suicide. It would prove to be merely the first public news of a scandal that would roil Greece for months.

The next day, the prime minister of Greece was told that his cellphone was being bugged, as were those of the mayor of Athens and at least 100 other high-ranking dignitaries, including an employee of the U.S. embassy. [See sidebar “CEOs, MPs, & a PM.”]

The victims were customers of Athens-based Vodafone-Panafon, generally known as Vodafone Greece, the country’s largest cellular service provider; Tsalikidis was in charge of network planning at the company. A connection seemed obvious. Given the list of people and their positions at the time of the tapping, we can only imagine the sensitive political and diplomatic discussions, high-stakes business deals, or even marital indiscretions that may have been routinely overheard and, quite possibly, recorded.

[…]

A study of the Athens affair, surely the most bizarre and embarrassing scandal ever to engulf a major cellphone service provider, sheds considerable light on the measures networks can and should take to reduce their vulnerability to hackers and moles.

It’s also a rare opportunity to get a glimpse of one of the most elusive of cybercrimes. Major network penetrations of any kind are exceedingly uncommon. They are hard to pull off, and equally hard to investigate.

See also blog entries by Matt Blaze, Steve Bellovin, and John Markoff; they make some good security points.

EDITED TO ADD (10/22): More info:

The head of Vodafone Greece told the Government that as soon as it discovered the tapping software, it removed it and notified the authorities. However, the shutdown of the equipment prompted strong criticism of Vodafone because it had prevented the authorities from tracing the taps.

Posted on July 10, 2007 at 12:34 PM