Comments on CONTRARY BRIN: Paranoia, Conspiracies and Surveillance
Blog: CONTRARY BRIN (David Brin). Comment feed retrieved 2024-03-28T23:39:08-07:00; 50 comments in total, 25 on this page of the feed, newest first.

----
David Brin | 2015-12-10T12:55:59-08:00

onward

onward

----
LarryHart | 2015-12-10T12:23:01-08:00

locumranch:
<i>
This is the hidden cost of urbanisation: When we live in warrens like defenseless bunnies, then defenselessness becomes a virtue & we become as bunnies, which (in turn) allows the most innocuous of ferrets (foreign OR domestic) to wreak havoc upon us, leading the bunny collective to demand an ever more secure ferret-proof fence, so bunnyland may remain undisturbed.
</i>

Once again, you reverse the roles. For the most part, the citizens of New York, Chicago, Paris, etc. determine to go on about their lives as if the terrorists can only harm us if we give in to panic. Meanwhile, the inhabitants of red states, who are probably thousands of miles from the nearest terrorist, are the ones who freak out and demand immediate perfect security. Some of the first post-9/11 Homeland Security funds were earmarked to protect sites in Nebraska, for gosh sakes.

It's not the urbanites who are currently demanding we keep out Syrian refugees. And while the Paris and San Bernardino shootings were indeed tragic and sobering, does Paris really shock us when we imagine that those terrorists might strike here in the US, adding one more mass shooting to our annual 355 and counting? Had we been able to prevent the <b>muslim</b> terrorists in San Bernardino, that total could have been kept to 354. Is that really a goal worth giving up American ideals for?

----
Paul451 | 2015-12-10T12:17:28-08:00

Duncan,
Re: "scale of risk vs scale of security".

That's a pretty standard security trope: "Always make it cost the enemy more than the information is worth." But the way you describe it, it sounds like it's actually law in NZ?

Anyway, that's a good example of the danger of allowing larger and larger databases containing more and more information about more and more people. There's an imbalance in "what the information is worth".

History says that databases will <i>not</i> be secured according to the cost/value to the people <i>on</i> the database, but according to the cost/inconvenience to the <i>organisation</i> that controls the database.

The cost of securing the asset, and the cost of recovering from a breach, is pretty much the same for the organisation regardless of the size of the database. But the cost to the people <i>on</i> the database increases exponentially as the amount of information on the database increases.

Same for the attackers. Giant all-seeing databases are huge assets, hence attackers can justify spending millions on their attack. Otoh, mandating small databases, containing (by law) as little data as possible for any given transaction, are worth much less to attackers. The cost of recovering from a breach is roughly the same for the database owner, but is much smaller for the people affected. It brings the scale of cost/risk back into proportion.

The same cost/risk scale should exist for the exercise of power. Making cost proportional to the number of people affected, and the scale of the effect. Smaller databases, with minimum information, make it harder to abuse power.

I'm not bothered that a government agency (NSA/etc) can hire an analyst who can target me by painstakingly pulling together the thousands of disparate electronic threads I've left behind. The cost of doing that means that they'll only do so when it matters, so it's innately self-regulating. What concerns me is having a single giant database automatically vacuuming up all the data, from all sources, in a format that's already cross-linked and indexed, that requires almost no skill to use. It means that it costs a tiny amount to target millions of people at a time. "Reciprocal accountability" isn't even remotely adequate to deal with that kind of disproportionate power.

(Jon S's example shows the same effect. It was targeted, time-consuming and specialised. Therefore it is only attempted when the issue is large enough to justify the cost. That's the balance we should be aiming for.)

----
Paul451 | 2015-12-10T12:13:02-08:00

The different experiences that Duncan and Raito had recovering from fraud demonstrate my point. They both depended on the "kindness of strangers". Duncan's organisation (bank?) had empowered their staff to make common-sense judgements about fraud/identity issues. Raito's organisation didn't.

The key is that neither of you was able to affect that situation. All of the power to resolve the problem exists outside of the hands of the people actually affected. You depended entirely on large organisations deciding to help you with your problem. (Even though it was <i>their</i> systems which were defrauded or breached, it was <i>your</i> problem.)

Whenever that kind of imbalance exists, we must assume that external force needs to be applied. And I'm guessing that the NZ bank was fairly highly regulated. They would have been slapped by a regulator if they failed to implement such policies. Those regulations only exist because of past difficulties people had with recovering from fraud.

Raito's organisation was... well, probably in the US. 'Nuff said.

----
Paul451 | 2015-12-10T12:10:39-08:00

Jumper,
Re: "Clueless" targeted ads/recommendations.

You have to remember that the ads and recommendations aren't <i>for</i> you, they are... well, "against" you.

That is, the correct assessment of their value is whether it increases the number of hits or sales for the advertiser, not whether it's useful to you.

If their response rate to non-targeted ads is 0.01%, but with targeted ads it jumps to 0.03%, from your point of view the relevance of the ads/recommendations went from 99.99% useless to 99.97% useless. From <i>their</i> point of view, it's a 300% increase in sales.

----
Jumper | 2015-12-10T11:59:36-08:00

Douglas, it may be you know more about the internet than certain younger people who can't seem to do anything with it <i>except</i> Facebook.

----
Deuxglass | 2015-12-10T11:49:50-08:00

Myself, I prefer to have a bank where I can actually go and talk to the person in charge of my account personally and who knows me by sight. I suppose if someone really wanted to he could use a disguise, but I rather doubt it would work, contrary to what the movies tell us, unless I have gobs of money that makes it worthwhile for the thief. I do use online banking, but if I go above a certain amount, my bank calls me to confirm it. I am all for biometrics, but I would prefer it to be attached to actual physical verification. If in the future bank branches disappear then I would have to adapt, but I would prefer to pay more for banking services in order to have a real person in front of me to bitch to if something goes wrong.

I am sure if the NSA wanted, they could have all the information about me even if I use fake names and encryption, but that doesn’t bother me since I am not into illegal activity. If a Snowden wants to rummage around my messages because he is bored, I don’t give a damn. If I really wanted to keep an activity secret, I would not use electronic media whatsoever but instead use the many other ways that do not use electronic means. It is just common sense. Of course, I do use encryption and other methods to avoid identity theft, but that is about it.

The easiest way to get sensitive information on a person, a company or government is by corrupting a mid-level IT person. All communication passes by them. Often they feel underpaid and underappreciated and therefore open to manipulation by an astute person or organization. Sometimes they even do it for “moral” reasons or maybe because their boss yelled at them. That is the real weakness in keeping information secret, and unless you can cut that off, expect that your personal details or those of your company will be revealed from time to time.

Also, I don’t use Facebook, not because I am paranoid but because I don’t see a real use for it. I am of the generation where if I want to talk to a friend or family I call them up or see them, and exchange pictures by email or whatnot. I guess that means I am retro and out of the loop, but I don’t care. I don’t see the need for advertising my life to people I hardly know. My ego is not tied up in how many “friends” I have.

----
Jumper | 2015-12-10T11:12:07-08:00

Walter Kirn's article in the Atlantic that David referenced was rather stupid, I thought. I would bet he was one of these rude clowns who, when asked by Facebook if he wanted to "help find friends" when he signed up, quite happily uploaded his email contact list to them. And apparently he has all sorts of apps and gadgets on his phone which he equally thoughtlessly loaded without a care in the world. I would also bet he had never done a thing about trackers, and even likely keeps all cookies on his machines forever.
I'm not really all that paranoid, but I don't like spam, and I don't like snoops, so I do routine things that cost me little effort, and I'm not bugged by the stuff he is.

I delete my Google cookies too, because machine intelligence is woefully unable to determine what I'm looking for. Amazon tries to come up with suggestions for me, and they are clueless. And I like Amazon, but they aren't having any sort of success with those attempts. I suspect hubris on their programmers' part, and the same with Google.

----
raito | 2015-12-10T08:46:46-08:00

Banks aren't centralized (in an informational sense)? When they all use the same 3 credit bureaus?

One wise man I know once attempted to teach risk analysis to some cavemen. It's pretty simple. The simple equation is: the risk of something is equal to how often it happens times the seriousness of the result if it happens. Included in the seriousness of the result is how hard it is to fix the result and whether there is residual damage even after being fixed.

Unlike Duncan, proving that I was me and someone else wasn't was nearly impossible. Bureaucracies simply don't care, because your problem causes them no pain.

No identification/authorization/verification scheme is perfect. They will all be broken. And it seems more likely that it will happen at banks. After all, that's where the money is.

So it comes down to being able to cut out some majority of the damage, and being able to restore correctness in proportion to the damage.

The biggest problem with database security is that they stick them on the internet. And that there's little damage to doing so, as the use of the data by miscreants doesn't harm the owner of the database.

----
Jon S. | 2015-12-10T07:15:43-08:00

Encryption doesn't stand up well when subjected to prolonged analysis, either.

One of my (many) temp jobs was at a company in Seattle that was recovering data from seized hard drives belonging to a major tobacco company. Their effort was to recover "deleted" emails and files from those hard drives, in order to prove what the tobacco companies knew about various health risks and when they knew it. By the stage I was involved in, the "deleted" segments had been converted into a format readable by Excel; our job was to find related segments so they could go in the same Excel files for further analysis. (I rather wish I knew less about biology than I did at the time; if you know what the various terms they use mean, those papers were quite disturbing at times...)

Now, these were people who not only encrypted their data, but tried to delete it before it could be seized; they had every reason to want to conceal all available information regarding their activities. Their resources were not inconsiderable, as well. Yet even their crypto could only stand so long against a concerted effort to decipher it. Encryption is a piece of the puzzle, but not the entire solution.

----
locumranch | 2015-12-10T06:58:41-08:00

As Manny Ribera said to Tony Montana in Scarface (1983), there is such a thing as "too much (effing) security" and, although David has always said as much about encryption, passwords & HIDING as proof against surveillance, it is easy to see why Paul451 misunderstands this word-woozy 'accountability' argument.

Like many, Paul451 does NOT understand that 'accountability' is a PC euphemism for (reciprocal) predation. That's how reciprocity works ... by preying on the would-be predator (aka 'a cheater'), giving tit-for-tat (sousveillance for surveillance) and 'calling them to account'.

Of course, this message has been hidden under a pile of 'Better Angels of Our Nature' fertiliser which, along with confusing bunnyesque vulnerability with cultural advancement & enlightenment, tends to accentuate the New 'Victim as Hero' mythos that our degenerate culture has propagated.

This is the hidden cost of urbanisation: When we live in warrens like defenseless bunnies, then defenselessness becomes a virtue & we become as bunnies, which (in turn) allows the most innocuous of ferrets (foreign OR domestic) to wreak havoc upon us, leading the bunny collective to demand an ever more secure ferret-proof fence, so bunnyland may remain undisturbed.

But that is NOT the answer: Accountability is. Mutual Predation is.

Best

----
Howard Brazee | 2015-12-10T06:09:35-08:00

I've always said that as much as I would like to keep my privacy - I'd be very willing to give it up as the cost of having the government give up its privacy.

----
reason | 2015-12-10T06:07:14-08:00

Duncan,
interesting but confusing (besides his misreading of David Brin's position)

"You state that my project to restore the ocean pastures in 2012 was a rogue effort. Why do you promote this lie when the fact is that the project worked for many years with 9 government ministries in Canada who over those years carefully vetted the project?"

Huh - many years - together with 2012? Was this project started in 2012 or was it ended in 2012? Besides that, I always get annoyed with money illusion - people talking about environmental projects and money in the same breath. Money is in a global sense irrelevant. Money is how people keep score against one another; the earth doesn't care the least about it.

----
Midboss57 | 2015-12-10T03:26:01-08:00

To the defense of paranoids everywhere, the various powers that be (governments, businesses, religious...) are really not helping their cases to make us trust them. Virtually each organisation with power has enough skeletons in their closets to populate a necropolis and a very loose (sometimes sociopathic) definition of morality.

For example, how do you trust the French 5th Republic when their past actions include torture (Algerian independence war), terrorism (Rainbow Warrior), criminal presidents (Chirac)? Other democratic governments also have a lot of sordid actions in their histories; I just picked France because it's not one of the more known rogues to many.

How do you trust large banks when they still operate as casinos gambling with other people's money, bribe/finance campaigns for politicians to look the other way?

Or how about diamond traders that have no moral qualms about buying diamonds from warlords or simply mined in horrible conditions?

And the less said about the Catholic Church the better.

In each case they did their darnedest to cover up those actions and considered themselves perfectly justified in doing so (for the greater good/bottom line). Also notice how few have ever been punished by more than a slap on the wrist for these previous actions. The worst part is that all this is considered perfectly normal/acceptable in the world of "realpolitik" and everyday business, and that anyone in those that tries to go against that sort of behavior is considered mentally defective/naive at best or dangerous at worst.

So naturally, if you have a history of behaving like a rogue or join a group with such a history, people are going to assume by default that you are a rogue and are up to no good. No need for the media to repeat the SOA meme when our powers are doing such a good job themselves of appearing untrustworthy.

----
duncan cairncross | 2015-12-10T00:29:04-08:00

Somebody called RG has just posted this on one of the older threads
Any Comments???

You state that my project to restore the ocean pastures in 2012 was a rogue effort. Why do you promote this lie when the fact is that the project worked for many years with 9 government ministries in Canada who over those years carefully vetted the project? The government of Canada even took an active and financial position in the work by offering international guarantees, directly subsidizing the salaries of science employees whom they vetted and approved to be hired, provided state of the art satellite resources and training, and many other elements of support to the project. You seem to have swallowed hook, line, and sinker the lies promoted against me and that project; the question is why?

Further, the project science plan was cloned from a plan endorsed and promoted by leading oceanographic institutes from around the world as being the appropriate next step in 25 years of R&D on restoring ocean plant life. Why do you continue to foment lies and misinformation about this work? Could it be that you, like so many prophets of doom and gloom, feel threatened by work that has now proven that by caring for Mother Nature billions of tonnes of CO2, the lion's share of the climate change crisis, can be effectively, immediately, safely, and sustainably managed at a cost of mere millions of dollars per year as opposed to the trillion dollars per year in new climate taxes being proposed at the Paris COP21 meeting? Or is it the billions of additional fish that will swim into our nets and onto the plates of hungry people the world around, helping to end world hunger, that worries you, again at a cost of a fraction of 1% of the funds being spent not solving that problem today? http://russgeorge.net/2015/11/16/a-practical-solution-to-world-hunger/

----
duncan cairncross | 2015-12-09T22:16:56-08:00

You guys are making it all too complicated
Security costs money
You need security in line with what it is protecting

Which means a different system to protect millions of dollars than thousands

We (NZ) have a simple system

(1) Level One - login and password
I can transfer/pay up to $300

(2) Level Two - login and password PLUS an additional code that is sent to an entirely separate system (my cell phone)
Up to $10,000

(3) Level Three
Personal visit - identification - delays to check everything
Buying a house - costs a lot!

Each system is recorded
The bank has insurance against any "clever" breaches

Not a major problem

The main idea is to use two separate systems - internet and cell phone - for moderate security

As far as
"Have you ever had to try to prove that someone pretending to be you is not you?"

I have had to do that twice in my nearly 60 years

Each time it was easy.
Somebody pretended to be me in the UK - it was local so I just turned up with ID

I had bogus charges on my credit card in NZ
Just one phone call reversed the charges and arranged for a new credit card with a different number

On that point I have a card with a high limit for "emergencies" which is never used and a card with a low limit for internet shopping

----
David Brin | 2015-12-09T21:56:28-08:00

Whillikers. I am the ONLY one who does not "depend entirely on the "good will" of the organisation you are dealing with." You have just proved that you haven't even the remotest clue what I've been talking about.

----
Paul451 | 2015-12-09T20:37:05-08:00

Or Google's "Please prove you are not a robot", which we discovered could simply be left blank.

----
Paul451 | 2015-12-09T20:35:29-08:00

David,
<i>"Not when you take your physical body to a bank booth where all of them can be compared at once..."</i>

Every single biometric system ever created has been hacked. Every one. Biometric scanners do not measure "your physical body", they measure proxies. Images, sounds, chemicals. If technology exists to read a signal, it exists to fake a signal.

The readers are connected to machines, to computers, that run software. Systems that need to be updated and maintained, that have USB slots and standardised plugs. Those systems will then connect to the broader network (otherwise each person is limited to only one booth at only one branch) which uses standard internet protocols, which will be as vulnerable to breaches as every other database that's been hacked. They will not have a customised bespoke system, they will use standardised components. They always do. And those systems only need to be breached once to make everyone vulnerable.

At the most recent DEFCON, one of the most prestigious bank safe makers (Brink's) had their new "digital" safe cracked in sixty seconds. The hacker didn't guess the password, they didn't even touch the reader. They plugged in a USB stick which simply overwrote the software and bypassed the whole system.

(I've seen fancy biometric safes which can be opened by gently dropping them a few inches.)

((Many home-detention ankle-bracelets can apparently be removed by wrapping them in metal foil or using a cell-jammer before you cut them off. The makers never considered that the criminal trying to remove their digital shackle would dare to prevent the alarm from connecting to the phone network. Others can be tricked by spoofing the GPS signal with a simple radio.))

<i>"with new [biometric systems] being included monthly."</i>

No company or agency is going to roll out entire new biometric systems every month to the hundreds of thousands of branches necessary for every single person in the country to renew their passwords every month. Any system put into place will be updated once per decade at most.

Your country is struggling to get banks to adopt chip'n'pin to replace the 45-year-old magnetic stripe cards.

Speaking of "renewing their passwords every month"... If you could get people taking that much interest in their security, we wouldn't have a fraction of the malware, spam and identity theft that we have today. I mean, spending an hour or two to refresh their entire security once a month, every month. That idea alone is deep fantasy.

<i>"But the best way to deter someone from pretending to be you in order to steal stuff is DISAVOWAL. "I didn't do that." "</i>

That's really naive. It's like people who suggest that password systems should lock you out after X failed attempts. You can't see the vulnerability you just opened up?

<i>"Which draws attention of other eyes to the event in question."</i>

Except it doesn't. Have you ever had to try to prove that someone pretending to be you is not you? It's not like there's sudden interest, "a <i>crime</i> has been committed!", and everyone pays attention. You get some call-centre gimp who just doesn't care.

You depend entirely on the "good will" of the organisation you are dealing with. Many of them, or at least the people you deal with, aren't even aware of the possibility of identity theft. After all, their financial interest is not <i>your</i> financial interest.

----
Acacia H. | 2015-12-09T20:06:39-08:00

The key to password security isn't changing your password frequently.

Instead what you need is a long password - the more characters the better. It can be a sentence you think of or a quote you enjoy or the like... but if it's long enough then some stranger or hacker won't easily get the password unless they utilize the human element (i.e., call in and pretend to be an employee of another company that needs access).

And then you have to choose a different quote for every single password-user account you have. Even if one password falls, it will be difficult to get the rest.

And best of all? It's easier to remember a quotation or a phrase than it is a random jumble of characters.

xkcd explained it: X2^k#T is far easier to hack than something like Fearisthemindkiller. And you can even spice it up as F34r1sth3m1ndk1ll3r.

Rob H.

----
David Brin | 2015-12-09T19:33:07-08:00

Paul, that's baloney. Biometrics are not my "only thing." The one thing that stops or deters bad people from doing bad things is accountability, and that can happen in many different ways, but all of them depend on light. Bad or villainous people are allergic to light. That's the core truth.

Biometrics at your bank will pragmatically help. But the best way to deter someone from pretending to be you in order to steal stuff is DISAVOWAL. "I didn't do that." Which draws attention of other eyes to the event in question. And enough curious investigative eyes - plus rewards for whistle blowers etc. - will catch most miscreants.

I am talking about real stuff. Real events, and real history. It is happening on. Our. Streets. Right. Now.

The cypher zealots, in contrast, cannot point to a single consistent success... amidst a bazillion flawed or failed efforts. Not. One.

Your objections to biometrics only apply separately, not in aggregate. Not when you take your physical body to a bank booth where all of them can be compared at once... with new ones being included monthly. Come on man. Envision it. Truly you think that can be spoofed? Dang, YOU should write sci fi.

----
Paul451 | 2015-12-09T19:29:38-08:00

TCB,
Re: Movement-based biometrics.

In order to be useful, the system has to deal with the variation in normal people doing things. That means the biometrics has to be "soft". That weakens its ability to deal with spoofing. It's like having a password system that has to let you pass if you're "close enough".

In which case, will the system be able to deal with a tablet held up in front of the camera showing a video of you doing your signature move? Based on a micro-camera hidden near the original reader, recording you earlier. Will the makers even think of the possibility, given how confident they'll be in their own system? (Judging by previous biometric efforts. Fingerprint readers that can be fooled by photocopies. Facial recognition systems that were never tested on non-white participants, or can be fooled by masks.)

I guarantee such a system won't take "a hundred years" to be cracked. I'd be surprised if it could last a single weekend at DEFCON or a similar convention without someone figuring out a work-around.

----
Paul451 | 2015-12-09T19:17:32-08:00

David (Brin),

You don't see that you are doing exactly what you accuse the crypto-fetishists of, believing that your one trick will solve the problem. Ignoring the number of times it's failed.

Only your "crypto" is biometrics.

I suspect it's because you believe (at least subconsciously) that the biometric reader is measuring the actual thing. I.e., it measures something "real". A "fingerprint reader" reads the actual fingerprint on your fingers, the "DNA reader" reads your body's DNA sequences, etc.

But fingerprint readers don't "read" your fingerprints. Many just take an image of whatever is in front of the reader, convert it into a high-contrast image, and look for certain points of line overlaps/intersections. Hold up a high-contrast image of a fingerprint (which you leave on everything you touch) and many readers are completely fooled. If you know the algo, you don't even need an image of an entire fingerprint, just marks for the check points used by the scanner software.

[Others require more work; they use a laser to create an interference pattern from the pattern of bumps, so you need to actually make silicone-rubber moulds, but instructions are available online. And you write your "password" on every smooth surface you touch. (Even worse are the databases that store actual images of fingerprints. The equivalent of storing a list of passwords in clear-text.)]

And the same weakness lies behind every biometric marker. It's the nature of the technology. If they can be read, they can be faked. Looking at the history of biometrics, they tend to be much easier to break than most forms of crypto. And their vendors are much less trustworthy, and their entire industry much more prone to hype and over-reliance on unproven novel systems. Worse, of course, is that the actual biometric reader doesn't even need to be beaten; chances are that the rest of the bank's network that connects the biometric system and password generators leaks like a sieve.

Note: I didn't say that this would be easy. My concern is that it is <i>irreversible</i>. You are turning a single system (the bank's biometric reader) into an unchangeable master password upon which every other form of access depends. Basing my entire electronic/financial security on such a system terrifies me.

I said you're doing what you <i>accuse</i> the crypto-fetishists, the obscuritanists, of doing. But in reality they are much less extreme than you. They want multiple solutions, each of which they know is incomplete. Laws/regulations/limits on governments and corporations, <i>and</i> public oversight, <i>and</i> personal ownership of crypto, <i>and</i> public awareness of the issues, <i>and</i> wilful obscurity, <i>and</i> consumer shunning of companies that don't exhibit best practice.

----
Dave | 2015-12-09T18:05:40-08:00

Security is never perfect; you try to figure out your biggest threat and do something to make it smaller. So hiding might be appropriate in some circumstances, though not a panacea. No one wants to wear a bulletproof vest every day, and it wouldn't stop a high-calibre round or an atom bomb, but if you felt like someone is likely to shoot at you, you might wear one until the feeling wore off.
That said, inconvenience prevents most people from using adequate security. So we're discussing the appropriateness of hiding in a world full of people who refuse to hide. The security guys are like a pair of puritans at a nudist colony; their recommendations fall on deaf ears.
As for conspiracies, the stuff "they" brag about is usually bad enough; I don't feel a need to speculate about what "they're" hiding. ;)

----
Alfred Differ | 2015-12-09T17:24:17-08:00

I suspect the key to defending validation statements is going to be our willingness to change the passkey periodically. Even if someone with a lot of resources is trying to fake statements about you (crack your stuff), you have some defense if you change things quickly.

There probably IS a value to social credit scores. If mine plummets, that would be a signal to get to the bank and change my passkey immediately and to increase my frequency for doing so until the score improves. People with the lowest scores will collect the fewest defenders no matter how many choose to go for their throats.

Social credit scores don't bother me too much. I've seen rudimentary ones at social media sites. People learn to game them and when they do it successfully, most others learn to ignore them. These scores are essentially information compressions and aren't new. The price of a commodity compresses a great deal of information about its many uses and how people prioritize access to it when they economize. Prices work extremely well, though, mostly because no one controls them. They are emergent information. I suspect useful scores of other types will be similar.
