Just print a little green padlock on the front of the passport - then they know everything is safe
Two Democratic US senators have formally asked Uncle Sam's Customs and Border Protection (CBP) agency to get its act together on electronic passports. In 2005, America began issuing passports with implanted machine-readable RFID chips that contain the traveler's personal information. This data is cryptographically signed so …
You joke, but getting people to socially adopt confirmation works for 99% of the time. Doing a ritual sometimes bakes in the obedience to authority. I am not saying I agree, but it seems factual. It's the 1% that were lying that there is usually a problem, or reason they lied.
Of cause those statistics are made up, but illustrative. Look at most school, jobs or social groups. People do things not because it is right, works, or even sane half the time. They do it because everyone else is.
It's the remaining 1%
You just emphasized what is wrong with CBP. Its procedures are aimed at 1%-5% which is in the rabid paranoya zone especially regarding people from other developed country.
The root cause is American exceptionalism. USA thinks that the whole world has nothing better to do than to go and pollute the precious American purity of the nation. The root cause is that the whole nation has the idea that they are the pinnacle of creation drilled into them from the cradle to the grave. They cannot grok the idea that most of us got work to do and joining the ranks of the people eating hormone beef and chlorinated chicken without any medical coverage is the last thing on our minds.
The real number of travelers with "issues" between developed countries is significantly less that 0.1%. Acknowledging this, however means that USA has to acknowledge that their border circus is mostly pointless - something they will never do.
"Acknowledging this, however means that USA has to acknowledge that their border circus is mostly pointless - something they will never do."
This is a good one. I've seen similar circus several times in border control, in former Soviet Union.
Most other countries don't bother as they know most of the circus is pointless and just wasted money: Security theatre as most of the so-called 'security' nowadays.
Basically a money laundering system for management: Steal from taxpayers, give to my buddies here, working in 'security'. And I get a nice slice, of course.
Basically a money laundering system for management: Steal from taxpayers, give to my buddies here, working in 'security'.
Slightly more complicated I am afraid. Americans observing this circus every time they travel can get a reinforcement of their sense of exceptionalism. The ability to steal more money from them (in the form of taxes) is only one small facet.
When someone is brainwashed into exceptionalism crashing out into the real world is a very hard experience with unpredictable results. So their sense of exceptionalism should be cherished and supported at every step. Just in case. To make sure that the period when the Americans questioned their ruling class on THINGS THAT MATTERED, like the 60-es and early 70-es never ever happens again. It is bad for business.
"If your test can't distinguish them, with reasonable levels of reliability, then it's not contributing anything of value."
This is absolutely true. I can see the idea behind the chips but it's already obsolete: Programming a chip so it has same data as the passport isn't hard. Making forgery a bit harder, but no means impossible so criminals just steal blank passports and chip them with whatever they want.
Whole idea of "security chips" is based on assumption that only authorities have capability to create or use said chips. Which might have been true 20 years ago but hasn't been true for a long time now.
You need to read up on digital signatures. Yes you can copy the data, but you cannot alter it and maintain a valid signature without the private key. You also can't create a new one from scratch, it won't have a proper signature.
The only thing you can do is make an exact copy, which is no more useful than just stealing the physical passport.
"You need to read up on digital signatures. Yes you can copy the data, but you cannot alter it and maintain a valid signature without the private key. You also can't create a new one from scratch, it won't have a proper signature."
Yeahbut, the point of the story is that 13 years after introducing the system and "ordering" other countries to spend lots of money also introducing RFID passports, they still can't verify the keys. Currently it's not better than a simple printed passport and now the encryption system is 13 years old. That's a long time time in terms of crypto development and cracking. I wonder how good the encryption was then and how good it is now?
Yes you can copy the data, but you cannot alter it and maintain a valid signature without the private key. You also can't create a new one from scratch, it won't have a proper signature...
.. which none of the Border cops will pick up becuase they don't have the capability. I suspect that you could use a self-signed cert and get away with it - right up until you try to go into an advanced country that actually has the proper technology..
(A number of years ago I worked for a company that tried to see passport readers that could read the biometrics. None of them had any network access (to the best of my admittedly hazy knowledge) and so wouldn't have been able to check certificates unless against a good-known set. Which would have been out of date very rapidly and therefore been worse than useless.)
@ " It's the 1% that were lying that there is usually a problem"
Ah another "if you have done nothing wrong then you have nothing to fear", how about those people who only want to share their personal information directly with the people they can see?
Not to mention the US agents scaning people when they enter other countries. I can understand the US requiring chipped passports for people entering the US but since they don't bother to verify them and the chip is not turned off elsewhere then non-sheep wonder why.
I don't know that it was a bluff but it does show the level of competence. When you have a situation where everyone is screaming that gov't must do something then what you get is gov't usually does something. Is it the right thing, a practical thing, or effective thing to do? Probably not but it tempers the vocal minority and when a plane isn't hijacked in the next year everyone goes back to sitting on their hands.
Oh, the reason no one knows how long it takes is because once the heat is off they go right back to hand sitting or playing minesweeper or surfing pr0n or whatever it is minions do when the
boss taxpayer isn't looking.
Yep. Security through obscurity. Gets the terraists thinking "They have very good passport ID chips so we can't use fake passports any more."
Now the vulnerability has been exposed CBP have a very short period of time to fix it before it starts getting exploited.
Plus ça change, plus c'est foutu. (Blame Google translate, not me).
You know, the "Who in this crowd is from the USA?" one, to aid in targeting them.
Or should I say "Who in this crowd is from the USA _and_ dumb enough not to RF shield their passport and credit cards?"
And the digital signatures? I assume the private keys will be from Verisign.
Here we are 13 years later and they still can read and verify the chips? On top of that they haven't even looked for or ordered the software? Yet, these guys claim to be defending the country's borders from the evil (fill in enemy of the day). Not surprising, just unexpected that this sort of crap is happening.
If its anything like the UK it will take them ten years and cost several billion dollars
It would cost millions of pounds, the people allocated to the project would sit on their hands for the first month or so before anyone bothers to develop a plan and several millions later they would decide to scrap the plan because by now everyone has their tax payer funded yacht and it's becoming too obvious it was never meant to produce results.
To ensure the NAO gives it a clean bill of health regardless, you "retire" one of your senior people when the project is just underway, and he or she than "happens" to take up a top job at the NAO. Once there, you brief the people in the project before you run the audit, and, of course, you choose the most inexperienced people to perform the audit.
It's really easy if you have the right friends. Surely you don't think certain people have to establish their own private bank just because they are so good at saving, do you?
Creating Information ( read "IT") based projects on the "cheapest and least we can get away with while appearing to be doing something" basis seems endemic. On that background this just seems another example. - though I suspect it's spread to other fields, as in aircraft carriers without aircraft.
Essentially it's about giving the appearance without the substance. Like one of the Hollywood stage sets.
So, for example, get an expensive powerful new Data management system that is expected to run on an old, ageing network and no staff training will be provided.
You were very close to the truth .....
It is called 'Security Theatre' !!!
You make a very obvious 'Song & Dance' about some aspect of Security to 'Demonstrate' the huge effort being made for your security & safety, only it is more to hide the fact that the system does not work or is incomplete etc.
It has been spoilt by the fact that the lack of s/w to check the validity of the Signatures has now been made known to 'Everyone' !!! :) ;)
Looks like they will have to spend the money to complete the system and make sure it does 'work' or create another piece of 'Security Theatre' to convince the public that there is some 'other' system/process protecting them !!!
Guess which one is *more* likely !!! :)
The Gullibility Quotient of the *majority* is already known ..... from events that culminated on November 8, 2016. :) :)
The last time I went through a US airport I decided to re-enact the Ninja's Flute, a story where a pair of ninja infiltrate a guarded palace by arguing about whose flute is of higher quality to distract the guards inspecting them. This is because I am a ninja, even though I mostly use my powers for good. As I handed the TSA agent my legitimate, electronically authoritative American passport, I pulled a water bottle out of my bag, made to hand it to her, and asked her if she thought it was barely small enough to bring on board. Completely distracted by this important security issue requiring discriminating judgement, she closed my passport without even looking at the picture or comparing my name to my boarding pass, handed it back, and took my water bottle for inspection.
So basically... the fact that no one is bothering with working electronic passport authentication is really, really not the important issue here.
Clearly, the dihydrogen monoxide you had was an extreme dangerous good. Compare to the passport, they had to dispose the hazardous chemical immediately as its tasteless and odorless properties can be easily inhaled, potentially causing suffocation and deaths.
Those agents are very good at putting their priorities in order to protect the children. Did you know that dihydrogen monoxide is the leading cause of unintentional injury-related death among children ages 14 and under? From 2006 to 2010, there are at least 400 fatalities caused by dihydrogen monoxide.
You should be glad that they didn't force you to inject those substances into your body on the spot after you took it out. Just imagine what it would do to your body afterward!
@DNTP "...she closed my passport without even looking at the picture or comparing my name to my boarding pass,..."
I recall having a Miami Twice* moment when I was checking in at an airport in the Land of the Free. The agent "checked" my fine brown British passport, "Dieu et mon Droit" proudly emblazoned in gold letters across the bottom of the majestic royal coat of arms.
And then proceeded to ask me if I was Australian.
Icon is how I would have responded if I didn't have an aversion to intimate inspections.
*One of the running jokes through this Only Fools and Horses special is everyone thinks these two chancers from South London are from Australia.
Mmmh, if you put these 2 stories together then a bigger picture emerges...
Not dealing with the smartest kid on the block... American Xceptionalism:
Nice new machines at the new YYC terminal building, to read\scan your passports & fingerprints when travelling into the US, the first time I went through seemed to be a lot quicker than the second 7 months later, but then I was traveling with family members.
Coming back into Canada, the spanky new machines doesn't seem to have simplified\accelerated the whole customs experience of coming home.
Last time I went into the US, last summer at Oakland, they had these ESTA checking machines, which had a long line of people trying to use, and they aren't especially easy if you've never seen one before. Then, of course, we had to join an even longer line to see the regular Immigration guy, with the usual photo and fingerprint dance. Since the desk guy has to scan the passport, why don't they do the ESTA check there?
If one is crossing a border in (for example) the hinterlands of Mongolia, where they utterly fail to have Network access, then the friendly border agents working in the shed are forced to reply on your "Papers Please" hard copy documents.
Everywhere else in the world, where there's electricity and an Ethernet cable, a simple bar code or memorized string should be enough to bring up your file. The agents can review the information on their screen, ask you to remove your hat, look in your left ear for the mole, and generally carry on from there.
If the multi-factor "What You Have" factor is needed, then - based on the electronic information - they can ask to see (for example) your car keys to confirm it's Honda or whatever. If not car keys, then the head from the GI Joe doll that you always carry and have registered as the "Have" factor.
The whole concept of a hard copy Passport is obsolete given that it's mostly used to bring up your online file anyway.
Of course it's useless- the possession of a document is and always has been only one of the three authentication requirements. Even so, this relies on the border officer comparing the photograph with the person in front of him. This is an action that is not proved as having been done. How do we identify an individual? Name or appearance? How about an intrinsic biometrics? In which case, we don't need a piece of paper issued by an authority based on a series of easily forged breeder documents.
"...the government says the only thing on the chip is the passport number. "
That's news to me, but I'm not saying you're wrong.
"So are they lying, or is this fake news?"
Install the "READID NFC Passport Reader" app from Google Play and find out for yourself. I did this just yesterday after reading about it in a comment here on El Reg.
Among other things, there's your date of birth, the issuing location, date of issuance, date of expiration, and so on.
Along with the crypto certs that the USA CBP agents can't verify.
I did some research into chipping animals. IIRC there are five different proprietary systems in the USA. No veterinary practice is going to buy five competing scanners so when Fido gets lost he may not be coming home. In the EU there is one open standard.
The CBP will, no doubt, have to use red, yellow, blue, green and fuchsia coloured scanners to cope with every nationality. /s
so when Fido gets lost he may not be coming home. In the EU there is one open standard
I'll have you know that far more important species of pets (see posting name - now up to 7 cats) are also chipped.
And we may now be buying chip-enabled feeders to prevent VastlyOverweightCat from eating all the food intended for TimidLittleCat.
Although getting the two still semi-feral cats to stay still while they are near the feeder is going to be an interesting challenge. One that'll require armour since I really don't want more punctures in my left arm..
They seem to have no idea what they're doing full stop.
I had to fly to New Zealand last month, my transfers were via San Francisco... because like most of us these days I have a valid ESTA, I was told to use the automated machines... the machine read my passport, asked me a load of questions, took my finger prints and issued me a "transfer voucher" instead of a normal landing card. It wasn't obvious where I should go next so I asked a handy agent who directed me to a queue... I asked him if he was sure because I'd just used the machine and he replied "The only way out is past one of those guys" so even though I had used a machine a still had to queue up and go through the whole rigmarole again.
TBH everything about their border controls is low rent and 3rd world.
"TBH everything about their border controls is low rent and 3rd world."
Similar show I've seen only in one place: Former Soviet Union border. Except those were competent people, very professional.
If you had all papers (literally) in your hand and those were OK even there I had to queue only once. No automation of course at that time.
Automation is meant to replace the humans in the process, but obviously US border control hasn't quite grasped the idea yet.
Or are protecting their precisious jobs by doing the job twice.
Quote from Virus Bulletin's Martijn Grooten today -
"Researchers note that even without signature validation ensuring data integrity, it would still take technical skill to manipulate the information on an e-Passport's RFID chip "
Yeah Right. Using Linux is like so difficult dude it needs actual technical skills :p
Back in 2007 Adam Laurie was doing research into RFID cards and did the whole Shmoocon / DEFCON / Blackhat tours with RFidiots & hacking an ePassport. He even told the Daily Mail.
However, the U.K. Home Office defended the passports, asserting the hack doesn't make them less secure.
"The key point ... is that the information on the chip cannot by changed, rendering the procedure described by Adam Laurie pretty pointless," wrote Peter Wilson, senior press officer.
Further, a cloned chip would have to be inserted into a forged passport, and new security measures in the passports make that "virtually impossible," the Home Office said, quoting a report released by the National Audit Office.
So here's a link to the pretty pointless procedure of changing your photo "Hackers expose security flaws with 'Elvis Presley' (e)passport" from CNN
Any Android phone with NFC can read everything you want to know from passports (or national ID cards, on which some people travel instead of passports.)
For example this app will read the .jpg copy of the photo plus the entire certificate chain from my UK passport:
This is why you can't use ePassport Gates in the US unless you've previously been through immigration control at least once, using the same passport.
They verify the data the first time (although verify basically means checking you match the passport and it looks legit) and then the eGates will accept you on the next visit.
The "grim faced" comment is unnecessary. One, border control, an aspect of law enforcement, is a serious job, it's not handing people a mai tai when they board the plane for Hawaii. Two, bear in mind that the officers are dealing with both entitled arrogant US citizens and clueless visitors who just repeat questions back or cannot answer basic questions without being asked 3x--all this while being criminally understaffed. It takes its toll. Plus, everyone arriving thinks they're a comedian and the first one to say the witty thing they have to say.
1. To verify the public key on the RFID in the passport, you'd need a copy of the public key.
2. That would have to be stored *somewhere* and the public key would have to be scanned and sent to <location> over <network>.
3. Compare and pair the keys.
4. Presumably the TSA Agent would get a red light, or a green light (KISS principle) for the Cryptographic Validity of the RFID's data on their hand-held or base scanner thingy.
Simplified, sure. But that's mostly the correct way to do it.
The other way, is to put the public key in each scanner so it ust checks right there in the boxen.
I'll be here having a pint taking bets on how this solution gets pushed.
Biting the hand that feeds IT © 1998–2021