Entries Tagged "surveillance"

Page 85 of 86

Remote Physical Device Fingerprinting

Here’s the abstract:

We introduce the area of remote physical device fingerprinting, or fingerprinting a physical device, as opposed to an operating system or class of devices, remotely, and without the fingerprinted device’s known cooperation. We accomplish this goal by exploiting small, microscopic deviations in device hardware: clock skews. Our techniques do not require any modification to the fingerprinted devices. Our techniques report consistent measurements when the measurer is thousands of miles, multiple hops, and tens of milliseconds away from the fingerprinted device, and when the fingerprinted device is connected to the Internet from different locations and via different access technologies. Further, one can apply our passive and semi-passive techniques when the fingerprinted device is behind a NAT or firewall, and also when the device’s system time is maintained via NTP or SNTP. One can use our techniques to obtain information about whether two devices on the Internet, possibly shifted in time or IP addresses, are actually the same physical device. Example applications include: computer forensics; tracking, with some probability, a physical device as it connects to the Internet from different public access points; counting the number of devices behind a NAT even when the devices use constant or random IP IDs; remotely probing a block of addresses to determine if the addresses correspond to virtual hosts, e.g., as part of a virtual honeynet; and unanonymizing anonymized network traces.

And an article. Really nice work.

Posted on March 7, 2005 at 3:02 PMView Comments

Garbage Cans that Spy on You

From The Guardian:

Though he foresaw many ways in which Big Brother might watch us, even George Orwell never imagined that the authorities would keep a keen eye on your bin.

Residents of Croydon, south London, have been told that the microchips being inserted into their new wheely bins may well be adapted so that the council can judge whether they are producing too much rubbish.

I call this kind of thing “embedded government”: hardware and/or software technology put inside of a device to make sure that we conform to the law.

And there are security risks.

If, for example, computer hackers broke in to the system, they could see sudden reductions in waste in specific households, suggesting the owners were on holiday and the house vacant.

To me, this is just another example of those implementing policy not being the ones who bear the costs. How long would the policy last if it were made clear to those implementing it that they would be held personally liable, even if only via their departmental budgets or careers, for any losses to residents if the database did get hacked?

Posted on March 4, 2005 at 10:32 AMView Comments

Implanting Chips in People at a Distance

I have no idea if this is real or not. But even if it’s not real, it’s just a matter of time before it becomes real. How long before people can surreptitiously have RFID tags injected into them?

What is the ID SNIPER rifle?

It is used to implant a GPS-microchip in the body of a human being, using a high powered sniper rifle as the long distance injector. The microchip will enter the body and stay there, causing no internal damage, and only a very small amount of physical pain to the target. It will feel like a mosquito-bite lasting a fraction of a second. At the same time a digital camcorder with a zoom-lense fitted within the scope will take a high-resolution picture of the target. This picture will be stored on a memory card for later image-analysis.

Edited to add: This is a hoax.

Posted on February 4, 2005 at 8:00 AMView Comments

GovCon

There’s a conference in Washington, DC, in March that explores technologies for intelligence and terrorism prevention.

The 4th Annual Government Convention on Emerging Technologies will focus on the impact of the Intelligence Reform and Terrorism Prevention Act signed into law by President Bush in December 2004.

The departments and agencies of the National Security Community are currently engaged in the most comprehensive transformation of policy, structure, doctrine, and capabilities since the National Security Act of 1947.

Many of the legal, policy, organizational, and cultural challenges to manage the National Security Community as an enterprise and provide a framework for fielding new capabilities are being addressed. However, there are many emerging technologies and commercial best practices available to help the National Security Community achieve its critical mission of keeping America safe and secure.

There’s a lot of interesting stuff on the agenda, including some classified sessions. I’m especially interested in this track:

Track Two: Attaining Tailored Persistence

Explore the technologies required to attain persistent surveillance and tailored persistence.

What does “persistent surveillance” mean, anyway?

Posted on February 3, 2005 at 9:07 AMView Comments

FBI Retires Carnivore

According to SecurityFocus:

FBI surveillance experts have put their once-controversial Carnivore Internet surveillance tool out to pasture, preferring instead to use commercial products to eavesdrop on network traffic, according to documents released Friday.

Of course, they’re not giving up on Internet surveillance. They’ve just realized that commercial tools are better, cheaper, or both.

Posted on January 24, 2005 at 8:00 AMView Comments

RFID Passports

Since the terrorist attacks of 2001, the Bush administration—specifically, the Department of Homeland Security—has wanted the world to agree on a standard for machine-readable passports. Countries whose citizens currently do not have visa requirements to enter the United States will have to issue passports that conform to the standard or risk losing their nonvisa status.

These future passports, currently being tested, will include an embedded computer chip. This chip will allow the passport to contain much more information than a simple machine-readable character font, and will allow passport officials to quickly and easily read that information. That is a reasonable requirement and a good idea for bringing passport technology into the 21st century.

But the Bush administration is advocating radio frequency identification (RFID) chips for both U.S. and foreign passports, and that’s a very bad thing.

These chips are like smart cards, but they can be read from a distance. A receiving device can “talk” to the chip remotely, without any need for physical contact, and get whatever information is on it. Passport officials envision being able to download the information on the chip simply by bringing it within a few centimeters of an electronic reader.

Unfortunately, RFID chips can be read by any reader, not just the ones at passport control. The upshot of this is that travelers carrying around RFID passports are broadcasting their identity.

Think about what that means for a minute. It means that passport holders are continuously broadcasting their name, nationality, age, address and whatever else is on the RFID chip. It means that anyone with a reader can learn that information, without the passport holder’s knowledge or consent. It means that pickpockets, kidnappers and terrorists can easily—and surreptitiously—pick Americans or nationals of other participating countries out of a crowd.

It is a clear threat to both privacy and personal safety, and quite simply, that is why it is bad idea. Proponents of the system claim that the chips can be read only from within a distance of a few centimeters, so there is no potential for abuse. This is a spectacularly naïve claim. All wireless protocols can work at much longer ranges than specified. In tests, RFID chips have been read by receivers 20 meters away. Improvements in technology are inevitable.

Security is always a trade-off. If the benefits of RFID outweighed the risks, then maybe it would be worth it. Certainly, there isn’t a significant benefit when people present their passport to a customs official. If that customs official is going to take the passport and bring it near a reader, why can’t he go those extra few centimeters that a contact chip—one the reader must actually touch—would require?

The Bush administration is deliberately choosing a less secure technology without justification. If there were a good offsetting reason to choose that technology over a contact chip, then the choice might make sense.

Unfortunately, there is only one possible reason: The administration wants surreptitious access themselves. It wants to be able to identify people in crowds. It wants to surreptitiously pick out the Americans, and pick out the foreigners. It wants to do the very thing that it insists, despite demonstrations to the contrary, can’t be done.

Normally I am very careful before I ascribe such sinister motives to a government agency. Incompetence is the norm, and malevolence is much rarer. But this seems like a clear case of the Bush administration putting its own interests above the security and privacy of its citizens, and then lying about it.

This article originally appeared in the 4 October 2004 edition of the International Herald Tribune.

Posted on October 4, 2004 at 7:20 PMView Comments

Aerial Surveillance to Detect Building Code Violations

The Baltimore housing department has a new tool to find homeowners who have been building rooftop decks without a permit: aerial mapping. Baltimore bought aerial photographs of the entire city and used software to correlate the images with databases of address information and permit records. Inspectors have just begun knocking on doors of residents who built decks without permission.

On the face of it, this is nothing new. Police always have been able to inspect buildings for permit violations. The difference is they would do it manually, and that limited its use. It simply wasn’t feasible for the police to automatically document every building code violation in any city. What’s different isn’t the police tactic but the efficiency of the process.

Technology is fundamentally changing the nature of surveillance. Years ago, surveillance involved trench-coated detectives following people down streets. It was laborious and expensive, and was only used when there was reasonable suspicion of a crime. Modern surveillance is the police officer sitting at a computer with a satellite image of an entire neighborhood. It’s the same, but it’s completely different. It’s wholesale surveillance.

And it disrupts the balance between the powers of the police and the rights of the people.

Wholesale surveillance is fast becoming the norm. Security cameras are everywhere, even in places satellites can’t see. Automatic toll road devices track cars at tunnels and bridges. We can all be tracked by our cell phones. Our purchases are tracked by banks and credit card companies, our telephone calls by phone companies, our Internet surfing habits by Web site operators.

Like the satellite images, the electronic footprints we leave everywhere can be automatically correlated with databases. The data can be stored forever, allowing police to conduct surveillance backward in time.

The effects of wholesale surveillance on privacy and civil liberties is profound, but unfortunately, the debate often gets mischaracterized as a question about how much privacy we need to give up in order to be secure. This is wrong. It’s obvious that we are all safer when the police can use all possible crimefighting techniques. The Fourth Amendment already allows police to perform even the most intrusive searches of your home and person.

What we need are mechanisms to prevent abuse and hold the police accountable and assurances that the new techniques don’t place an unreasonable burden on the innocent. In many cases, the Fourth Amendment already provides for this in its requirement of a warrant.

The warrant process requires that a “neutral and detached magistrate” review the basis for the search and take responsibility for the outcome. The key is independent judicial oversight; the warrant process is itself a security measure that protects us from abuse and makes us more secure.

This works for some searches, but not for most wholesale surveillance. The courts already have ruled that the police cannot use thermal imaging to see through the walls of your home without a warrant, but that it’s OK for them to fly overhead and peer over your fences without a warrant. They need a warrant before opening your paper mail or listening in on your phone calls.

Wholesale surveillance calls for something else: lessening of criminal penalties. The reason criminal punishments are severe is to create a deterrent because it is hard to catch wrongdoers. As they become easier to catch, a realignment is necessary. When the police can automate the detection of a wrongdoing, perhaps there should no longer be any criminal penalty attached. For example, red-light cameras and speed-trap cameras issue citations without any “points” assessed against drivers.

Another obvious protection is notice. Baltimore should send mail to every homeowner announcing the use of aerial photography to document building code violations, urging individuals to come into compliance.

Wholesale surveillance is not simply a more efficient way for the police to do what they’ve always done. It’s a new police power, one made possible with today’s technology and one that will be made easier with tomorrow’s. And with any new police power, we as a society need to take an active role in establishing rules governing its use. To do otherwise is to cede ever more authority to the police.

This article was originally published in the 4 October 2004 edition of the Baltimore Sun.

Posted on October 4, 2004 at 7:18 PMView Comments

Aerial Surveillance to Detect Building Code Violations

The Baltimore housing department has a new tool to find homeowners who have been building rooftop decks without a permit: aerial mapping. Baltimore bought aerial photographs of the entire city and used software to correlate the images with databases of address information and permit records. Inspectors have just begun knocking on doors of residents who built decks without permission.

On the face of it, this is nothing new. Police always have been able to inspect buildings for permit violations. The difference is they would do it manually, and that limited its use. It simply wasn’t feasible for the police to automatically document every building code violation in any city. What’s different isn’t the police tactic but the efficiency of the process.

Technology is fundamentally changing the nature of surveillance. Years ago, surveillance involved trench-coated detectives following people down streets. It was laborious and expensive, and was only used when there was reasonable suspicion of a crime. Modern surveillance is the police officer sitting at a computer with a satellite image of an entire neighborhood. It’s the same, but it’s completely different. It’s wholesale surveillance.

And it disrupts the balance between the powers of the police and the rights of the people.

Wholesale surveillance is fast becoming the norm. Security cameras are everywhere, even in places satellites can’t see. Automatic toll road devices track cars at tunnels and bridges. We can all be tracked by our cell phones. Our purchases are tracked by banks and credit card companies, our telephone calls by phone companies, our Internet surfing habits by Web site operators.

Like the satellite images, the electronic footprints we leave everywhere can be automatically correlated with databases. The data can be stored forever, allowing police to conduct surveillance backward in time.

The effects of wholesale surveillance on privacy and civil liberties is profound, but unfortunately, the debate often gets mischaracterized as a question about how much privacy we need to give up in order to be secure. This is wrong. It’s obvious that we are all safer when the police can use all possible crimefighting techniques. The Fourth Amendment already allows police to perform even the most intrusive searches of your home and person.

What we need are mechanisms to prevent abuse and hold the police accountable and assurances that the new techniques don’t place an unreasonable burden on the innocent. In many cases, the Fourth Amendment already provides for this in its requirement of a warrant.

The warrant process requires that a “neutral and detached magistrate” review the basis for the search and take responsibility for the outcome. The key is independent judicial oversight; the warrant process is itself a security measure that protects us from abuse and makes us more secure.

This works for some searches, but not for most wholesale surveillance. The courts already have ruled that the police cannot use thermal imaging to see through the walls of your home without a warrant, but that it’s OK for them to fly overhead and peer over your fences without a warrant. They need a warrant before opening your paper mail or listening in on your phone calls.

Wholesale surveillance calls for something else: lessening of criminal penalties. The reason criminal punishments are severe is to create a deterrent because it is hard to catch wrongdoers. As they become easier to catch, a realignment is necessary. When the police can automate the detection of a wrongdoing, perhaps there should no longer be any criminal penalty attached. For example, red-light cameras and speed-trap cameras issue citations without any “points” assessed against drivers.

Another obvious protection is notice. Baltimore should send mail to every homeowner announcing the use of aerial photography to document building code violations, urging individuals to come into compliance.

Wholesale surveillance is not simply a more efficient way for the police to do what they’ve always done. It’s a new police power, one made possible with today’s technology and one that will be made easier with tomorrow’s. And with any new police power, we as a society need to take an active role in establishing rules governing its use. To do otherwise is to cede ever more authority to the police.

This article was originally published in the 4 October 2004 edition of the Baltimore Sun.

Posted on October 4, 2004 at 7:18 PMView Comments

1 83 84 85 86

Sidebar photo of Bruce Schneier by Joe MacInnis.