Archive for the ‘biometrics’ Category

So, if you wanted really informed commentary on the Theresa May/Brodie Clark upfuck (now there’s some slash), where would you go? Wouldn’t you want to ask a distinguished civil servant? I bet you would. Specifically, a career immigration officer with 39 years in the service. Who’s just retired, and is therefore allowed to be snarky.

Now you can! Because my dad has a blog.

I’ll always remember the day he brought home the video briefcase. I think it’s safe to tell the story now.


The creation of a database containing all 9 million Israelis’ demographic, family, and medical information plus identifying biometrics has not necessarily developed to their advantage. Bonus points for use of the phrase “Hasidic criminal underworld”. They’ll make you an offer it takes years of painstaking theological scholarship to understand.

Read this now

A classic piece at The Register on biometrics and stupidity: read David Moss and you’ll be more competent than anyone in government on this issue. It’s the false positives, of course; but the truly shocking thing is that despite everything, the ID scheme still depends on the n=10,000 trial from 2004 that they deny is a trial.

Go, read.

A lot of The Accidental Guerrilla concerns ideas of terrain, space, and time. In fact, quite a bit of it could be considered an architectural approach to counter-insurgency. This is not surprising; a major theme is the idea that the conflict environment – the state of being at war or potentially at war, the disrupted social and political structure, the faltering infrastructure, the global black market – is the enemy. After all, it is one of the reasons people seek survival through certainty by calling on the deliberate guerrillas to influence their other political relationships.

One example of this is the one I’ve already written up – the armoured patrol vehicle as urban submarine, a self-defeating machine that itself divides the counter-insurgents from the people in an ironic reversal of their own thinking.

Kilcullen goes almost New Urbanist on this; discussing the Iraq experience, he argues that a huge flaw in the US strategy was that they had to commute to the battle, travelling in monster armoured vehicles, without contact with the civilian population, but still vulnerable to IEDs and ambushes on the over-predictable road routes between their camps and their areas of operation. The answer was to redeploy into the cities and move into positions that let them walk to work; I tell you, Richard Florida got nothing on him.

Similarly, a major aim of his campaign plan was to control access to Baghdad, counterattacking the NOIA encirclement strategy and preventing insurgent “commuters” from the Sunni semi-urban belt getting into the city. You could almost call it a critique of suburban warfare.

This concern with space is also a major theme of the case study on Kunar and road building. The construction of a road was intended to get access and control of the narrow flood plain at the bottom of the valley, which is where everyone lives, rather than up on the mountains. Nothing much grows on the tops and it’s tough to get up there or back down, so the only important places up there are a few tactically important hilltops.

Road access meant that it was easier to force the Taliban to go quiet, either by climbing into the mountains or by going underground. More importantly, it made it possible to keep them there, and to deliver economic benefits. But perhaps the biggest changes it provided were as follows:

Firstly, it changed the topography so that the government side were in the villages, looking out, and the Taliban were outside, looking in. The US or Afghan government fire was outgoing; the Taliban’s, incoming.

Second, it made it worth arguing where different groups’ authority ended; without the road, it was bounded by the difficulty of travel. Once they had to argue about it, the government or the traditional authorities could be called in to arbitrate the dispute, boosting their authority and making them useful. In a sense, the Kunar case study is all about creating a demand for government, or at least competing with the Taliban to supply it.

An interesting question, though; the whole paradigm of The Accidental Guerrilla is based on experience in places where the state is absent, illegitimate, or never established. But many of the same phenomena happen in places where the state, or the structure of traditional authority, once existed but has broken down.

Further, the international jihadis are trying to move (as Kilcullen says) from expeditionary terrorism, where their operations are set up in the home base and carried out remotely, to a guerrilla model where they are set up by sympathisers recruited in the target state. This implies that the process will have to take place in an environment where the state exists here and now.

I’m less convinced by his arguments regarding this; obviously, the naked city has as many possible base-areas as it has people, but as Daniel Davies pointed out, the current European takfiris seem to have less access to firearms than a typical criminal gang, and one of the most worrying possibilities in this line is indeed that they cross-fertilise with ordinary decent criminals. Kilcullen’s practical recommendations in this line are mostly commonsensical, although he is very keen on Cold War analogies with efforts to start non-communist unions and the like, and the other activities of the Blearsministerium.

However, despite the technological implications of auto-immune warfare, he also believes that “biometric reconnaissance” is a strategically important capability. I rather suspect that we’ve already been seeing the effects of this advocacy without knowing what was behind it.

OK, so yer lie detector. It’s been something of a blogosphere hit. And in the comments, we have Nigel, who appears to know something about acoustic signal processing – in the sense of “makes speech recognition systems for Eurofighters”.

It seems that rather than being a signal at a frequency between 8 and 12Hz, the signal you’re interested in is a signal, of that frequency, modulated onto the main signal. So in fact, you could theoretically detect it through a telephone call. I was wrong.

However, that isn’t what Nemesysco’s patent claims, and they vigorously deny that what they are doing is voice stress analysis. It’s not the pitch of any such signal that is discussed in the patent, either; it’s the change in the numbers of thorns and plateaus.

Our acoustic expert says that this could be a way of measuring the signals required for classical VSA, just not a very good one; and anyway, he argues that VSA itself is useless, even if it was VSA they were promising to conduct. And, of course, they deny that this is their methodology. Further, VSA gives only one measurement, one of vaguely-defined stress – not the nine or so Nemesysco claim to get out of this.

Meanwhile, someone who makes the same spelling mistakes as Amir Liberman does showed up in comments to claim there was more, secret technology involved that they hadn’t actually patented. Interestingly, he showed up from the same network as Nemesysco’s Web site. The same network was also the source of a Wikipedia article which got deleted for advertising, in which Nemesysco claimed that their method uses 129 different measurements and isn’t anything like VSA. No, sir. And there weren’t 129 different metrics in their patent…

OK, so what about those identity cards for (some kinds of) foreign nationals? You’ll recall that the Government promised, back in the spring, to have them out and operational in 300 days. As late as July, there were no actual contracts for the job, but they did actually manage to bring in Thales to start work. So how’s it going?

Well, despite the vast cutback in scope and scale, the decision to base it on crappy existing records, and just to forget about the National ID Register for now (thus obviating the whole point)…it’s already over budget by 29% and it’s sliding right, from March 2009 to August 2010. Cracking; the element of the project they specially rushed forward in order to get something, anything working on time has now slid so badly that it’s caught up with the rest of the project.

Meanwhile, the Home Office is issuing 5,400 fraudulent passports a year, among some 200,000 dodgy docs in circulation. Apparently “automated facial recognition” will solve it; this doesn’t make very much sense, as surely the main problem is people submitting genuine photographs of themselves and falsifying the biographical section of the form.

Further, face recognition systems are poor enough (remember the one in Newham that never actually caught anyone?) at positive identification; checking the face provided against the one on file. The failure rate in the Home Office 2004 trials was about 30 per cent. But the IPS and DVLA seem to think they can rely on it to guarantee that the same person isn’t already registered, and do this by matching faces to a database containing tens of millions of faces, taken under all kinds of different circumstances. What kind of false-positive rate can you expect from that?

In fact, it’s worse; if they’re trying to detect multiple applications or applications under false names, the evidence of an honest application will be the absence of a match. So the most common failure mode will result in the document being issued anyway, and there is no way to detect this. And you won’t be able to assume that a match is proof of fraud either, because of the inevitable false positives; so the chance of successfully getting a passport or driving licence in someone else’s name might actually be better.
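To put numbers on the question above, here is an added worked example (not part of the original post) of how a per-comparison false match rate compounds when every applicant is searched against the whole database, and of what a "match" is then worth as evidence. The gallery size, application volume and false match rates are assumptions; the 5,400 and 30 per cent figures are the post's, reused here as the fraud volume and the miss rate.

```python
# Added illustration, not from the original post. FMR, gallery size and
# application volume are assumptions; 5,400 and 30% are the post's figures.
import math

def fpir(fmr: float, gallery: int) -> float:
    """Chance an honest applicant falsely matches at least one of
    `gallery` enrolled faces: 1 - (1 - fmr)**gallery, computed stably."""
    return -math.expm1(gallery * math.log1p(-fmr))

def required_fmr(target_fpir: float, gallery: int) -> float:
    """Per-comparison false match rate needed to hold the 1:N
    false-alarm rate at `target_fpir` (inverse of fpir)."""
    return -math.expm1(math.log1p(-target_fpir) / gallery)

def screen(honest: int, fraud: int, fmr: float, fnmr: float, gallery: int) -> dict:
    """Expected yearly outcomes of duplicate-enrolment screening.
    Simplification: a fraudulent applicant is 'caught' only if the
    system matches their earlier enrolment (probability 1 - fnmr)."""
    false_alarms = honest * fpir(fmr, gallery)
    caught = fraud * (1.0 - fnmr)
    return {
        "false_alarms": round(false_alarms),
        "caught": round(caught),
        "issued_to_fraud": round(fraud * fnmr),  # no match, so no alert at all
        "p_fraud_given_match": caught / (caught + false_alarms),
    }

GALLERY = 40_000_000   # assumed stand-in for "tens of millions of faces"
HONEST = 5_000_000     # assumed honest applications per year
FRAUD = 5_400          # post's figure, used here as fraudulent applications
FNMR = 0.30            # post's ~30% trial failure rate, taken as the miss rate

if __name__ == "__main__":
    for fmr in (1e-6, 1e-8, 1e-10):  # assumed per-comparison false match rates
        r = screen(HONEST, FRAUD, fmr, FNMR, GALLERY)
        print(f"FMR={fmr:g} FPIR={fpir(fmr, GALLERY):.4f} {r}")
    print(f"FMR for 0.1% false alarms: {required_fmr(0.001, GALLERY):.3g}")
```

Under these assumptions, even a one-in-a-hundred-million false match rate flags about a third of honest applicants, so a match is fraud well under one time in a hundred, while the missed duplicates are issued with no alert raised.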

Late to the party, I know. But is this the worst example of biometrics as a religion yet? So the Shia-led, pro-Iranian government of Iraq we’re desperately propping up doesn’t like the Sunni, Iraqi chauvinist countergangs we organised to prop them up much. So the plan to reintegrate them, as they say, into society as law-abiding citizens ain’t going so well. (Ah, Sergeant Hussein? You know how we invaded your country, overthrew the dictator, then dissolved the army you spent the last 15 years in and left you to rot on the dole while we conspired with your despised religious and class enemies? And we finally agreed to enrol you and your old mates as an auxiliary police force because we couldn’t catch you? Well, thanks, we’re doing it again. Yes, the first bit. Have you considered becoming a plumber? Please don’t use any metalworking skills you may acquire to make EFPs, that’s all we ask.)

Worse, yer man is now trying to pick a fight with the Kurds, in which case they will no doubt retaliate by grabbing Sgt Hussein’s home town and telling the government in Baghdad it can’t have any more oil. As a lot of the army Maliki counts on for this is actually the Kurdish army, there’s a lot more that can go wrong here. So what’s the plan B?

Apparently it’s biometrics. All those ex-insurgents from the NOIA who signed up on our side were iris-scanned, and the information something or other with Saddam’s old secret police files. Hey, I remember that the secret police files got torched. Except for the bits involving George Galloway and various other people who all by coincidence opposed the war. And the ones the Chalabi Boys nicked and the US Army had to nick back; there’s a lot of different data sets wandering about, no? Of course, there’s absolutely no point in looking for Sunni Arab nationalist ex-army insurgents in Saddam’s old files; it was Sunni Arab nationalist army officers who compiled Saddam’s old files in the first place. Perhaps they mean the Republican Guard payroll, but who knows, eh.

Anyway, the biometrics. How is this meant to help? Specifically, the iris scans. Now, if you make a bomb, your irises don’t leave any traces on it. Iris-scanning implies you’ve caught the guy already and you want to check if he’s on the list. And the point of guerrilla warfare is that the enemy doesn’t know who to lock up, or else they can’t catch up with them, or the people they are after hide out somewhere they’ll need to stage a huge multidivisional onslaught and probably build a railway to get into. I mean, it’s got to be better than having absolutely no information, but it’s no solution, especially if the data is mashed up with the wrong kind of intelligence files. (Ah, Sergeant Al-Hakim. You must be proud of your years of heroic resistance to Baathist tyranny…)

It’s as if they believe that having an MD5 hash of someone’s iris means you can double-click on their photo and they’re delivered to your desk like a package; or that the camera will take your soul. But then, every government thinks this, at least some of the time. Which reminds me:

The immigration minister, Liam Byrne, promised yesterday to start issuing ID cards to foreign nationals within 300 days – by November 2008. The first required to apply will be students and those married to British citizens or involved in civil partnerships or long-term relationships.

Seven weeks to go. No contracts. No requirements document. No specs. No code. Someone’s in for an epic binge-coding session, aren’t they? Or is “Teh Stupid! It’s Byrne’s!” hoping we’ve all forgotten? Maybe NO2ID should put in a bid itself…

So I took my stupid damn idea off to the stupid ideas club. When we got there, guess who? Spyblog was waiting at the rendezvous with some Dutchmen and an Argentine documentarist and half the No2ID members not currently in hospital. And after we made our way through Jock McZanu’s EU Maddie monsoon (GOOD HERE ISN’T IT???) to the pub, who shows up but Rat; carrying a total of 30GB of mass storage on his person in an array of USB drives, a fob GPS, and God knows what in his piercings.

Anyway, we talked over the thing, and many other things besides; what should happen if secret police become members? wouldn’t it be easier to do an open-source clone of a BMC helpdesk ticketing app? (why? why? I thought my brain would concrete) how would you sterilise an airport fingerprint reader in less than 10 seconds? So I promised to revise the proposals, and well, here they are.

Or would be, but nobody likes a 2,000 word blog post. So instead it’s here on Google Documents, which probably means something badological. Read. Mark. Learn. Inwardly digest. Comment. Here at first, but if you want to take part just tell me and I’ll give you write privileges. If anyone cares very much I’ll get it set up on Sourceforge and set about preparing a list of functions and tables. I still think Django is the way to go, in which case the mapping of the org model into Python classes into db tables should be as straightforward as these things ever are.

So, those Oystercard outages. I wrote a sizable post on this immediately before going on holiday, but something odd happened with WordPress’s clever ajaxy bits and it vanished. Computers…anyway, we can work out various things about the problem from the few details supplied.

In the first incident, around 1% of the cards somehow became nonfunctional. We don’t know how; we do know, however, that it was indeed the cards, because the fix was to bring them in and issue new ones. This raises an interesting question; why did new physical cards have to be issued? The process of issuing a card involves writing the data TfL holds on you to the blank card; there isn’t much difference between this and overwriting whatever is on the card with the details held in the database. This suggests either that the affected cards suffered actual physical damage – unlikely, unless someone’s running about with a really powerful RF source and a bad sense of humour – or else that TfL can’t trust the information on file, and therefore needs to erase the affected records and set up new user accounts.

So, how could it happen? Card systems can work in various ways; you can do a pure online authorisation system, like debit or credit cards, where information on the card is read off and presented to a remote computer, which matches it against a look-up table and sends back a response, or you can do a pure card system, where your credit balance is recorded on the card and debited when you use it, then credited when you pay up. Or you can have a hybrid of the two. Oyster is such a hybrid. TfL obviously maintains a database of Oyster user accounts, because it’s possible to restore lost cards from backup, to top-up through their Web site without needing a card reader, and to top-up automatically. But it’s also clear that the card is more than just a token; you can top up at shops off-line, and the transaction between the card and the ticket barrier is quick enough that you don’t need to break stride (consider how long it takes to interact with a Web site or use a bank card terminal).

Clearly, the actual authorisation is local (the barrier talks to the card), as is offline top-up, but the state of the card is backed up to the database asynchronously, and changes to your record in the database are reflected on the card, presumably as soon as it passes through a card reader. To achieve this without stopping the flow of passengers, I assume that when a card is read, the barrier also keeps the information from it in a cache and periodically updates the database. Similarly, in order to get online top-ups credited to the cards, the stations probably receive and cache recent updates from the database; if the card number is in the list, it gets an “increment £x” command.

We can probably rule out, then, that 1% of the Oyster card fleet were somehow dodgy when they started to flow through the gatelines that morning, and that the uploaded data from them caused the matching records to become untrustworthy. It’s possible – just – that some shops somehow sporked them. It’s also vaguely possible that bad data from some subgroup of cards propagated to the others. But I think these are unlikely. It’s more likely that the batch process that primes the station system with the last lot of online and automatic top-ups went wrong, and the barriers dutifully wrote the dodgy data to the cards.

This is also what TfL says:

We believe that this problem, like the last one resulted from incorrect data tables being sent out by our contractor, Transys.

People of course think this was somehow connected with the NXP MiFare class break, but it’s not necessary.

In this scenario, some sort of check incorporated in the database was intended to detect people using the MiFare exploit (probably looking for multiple instances of the same card, cards that didn’t appear in the database, or an excess of credit over the cash coming in), but a catastrophic false positive occurred. This is a serious lesson about the MiFare hack, and about this sort of public-space system in general; the effects of the security response may well be worse than those of the attack. Someone using a cloned, or fraudulently refilled, card could at best steal a few pounds in free rides. But the security response, if that was what it was, first threatened a massive denial-of-service attack on the whole public transport system, and then caused TfL to lose a whole day’s revenue.
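The hybrid design this post infers (local authorisation at the barrier, a cached command table pushed out from the database, reads queued for later upload) can be sketched as a toy model. This is an added example, not TfL's or Transys's code: the class names, the "block" command and the sanity threshold on incoming tables are all hypothetical.

```python
# Added illustration of the hybrid design the post infers. Names, the
# "block" command and the sanity threshold are hypothetical, not TfL's.
from dataclasses import dataclass, field

@dataclass
class Card:
    card_id: int
    balance_pence: int
    blocked: bool = False

@dataclass
class Barrier:
    fare_pence: int
    table: dict = field(default_factory=dict)         # card_id -> (op, pence)
    upload_queue: list = field(default_factory=list)  # cached for the database

    def load_table(self, table: dict, fleet_size: int,
                   max_block_fraction: float = 0.001) -> bool:
        """Assumed safeguard: refuse a pushed table that would block an
        implausible share of the fleet, and keep the previous table."""
        blocks = sum(1 for op, _ in table.values() if op == "block")
        if blocks > fleet_size * max_block_fraction:
            return False
        self.table = dict(table)
        return True

    def tap(self, card: Card) -> bool:
        """Local authorisation: apply any pending command for this card,
        then debit the fare. No round trip to the database."""
        op, pence = self.table.pop(card.card_id, (None, 0))
        if op == "credit":
            card.balance_pence += pence   # the "increment £x" command
        elif op == "block":
            card.blocked = True           # written to the card itself
        ok = not card.blocked and card.balance_pence >= self.fare_pence
        if ok:
            card.balance_pence -= self.fare_pence
        self.upload_queue.append((card.card_id, card.balance_pence, ok))
        return ok

def run_morning(validate: bool, fleet_size: int = 1000) -> tuple:
    """Return (cards blocked, passengers let through) for one faulty batch."""
    cards = [Card(i, 500) for i in range(fleet_size)]
    # Constructed faulty table: 5 genuine top-ups, 1% of the fleet wrongly flagged.
    table = {i: ("credit", 1000) for i in range(5)}
    table.update({i: ("block", 0) for i in range(100, 100 + fleet_size // 100)})
    barrier = Barrier(fare_pence=150)
    if validate:
        barrier.load_table(table, fleet_size)
    else:
        barrier.table = dict(table)       # barrier trusts whatever it is sent
    passed = sum(barrier.tap(c) for c in cards)
    return sum(c.blocked for c in cards), passed

if __name__ == "__main__":
    print("unchecked:", run_morning(validate=False))
    print("checked:  ", run_morning(validate=True))
```

Rejecting the whole table also holds back the genuine top-ups in it, which is the cheaper failure: a delayed credit can be retried, whereas a block written to the card persists after the table entry has been consumed.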

Genius. Not only can the Chaos Computer Club tell you how to fool a fingerprint reader, but they’ve got Wolfgang Schauble’s dabs.