Last of the old or first of the new?
#1
James Bond or Ghost in the Shell?
I say it's the latter. Considering how easy it is to hijack someone's ID nowadays, I'd say the Mossad took a couple of true IDs for their hit teams and then changed them back to their true identities or gave them new ones after the operation. No one had ever accused the Mossad of institutional bungling. Dubai's showing them on TV may have null value. What is the use of all this biometric equipment if you can swap identities like trading cards?
On a related note...Peter Graves aka Jim Phelps died.
__________________
Into terror!,  Into valour!
Charge ahead! No! Never turn
Yes, it's into the fire we fly
And the devil will burn!
- Scarlett Pimpernell
 
#2
I'm going to vote on the ghost in the shell side of things.

When you are no longer able to insert a fake into the system it becomes necessary to steal a valid ID from someone else.

The fact that IDs are getting more complex is not a significant impediment to any modern intelligence organization that can devote the needed resources to reverse engineering it.
-Terry
-----
"so listen up boy, or pornography starring your mother will be the second worst thing to happen to you today"
TF2: Spy
 
#3
sweno Wrote: The fact that IDs are getting more complex is not a significant impediment to any modern intelligence organization that can devote the needed resources to reverse engineering it.
Don't forget that most of our Identification systems are a result of R&D in the Intel Community.  We just get the stuff they deem as being 'obsolete'.
  
 
#4
...this article will self-destruct in 5 seconds. Good Luck, Jim.
_____
DEATH is Certain. The hour, Uncertain...
 
#5
Meh, if you've got access to the computers doing the passport checking, who's to say that you can't insert a fake ID which will pass that test? Not to mention passing the low-tech tests too.

Actually, with the rise of chip-embedded ID, what are the odds that a backdoor has been built in to the chip and/or reader which will return a valid ID regardless of what's been inputted or exists in a database?

--Rod.H
 
#6
Oh certainly, if an American agency wants to fake an American passport, that's not even a problem. It might not even be a *fake* depending on how you define it. But that also leaves a nice big arrow pointing back at America.

I have no firsthand knowledge of spy craft. But I would think that if you are going to perform clandestine operations in another country, keeping those arrows from pointing back at you is something you want to avoid.

So you need to fake/hijack someone else's passport. And I doubt that any country would have a back door in their system that could be abused by third parties. If you have control of the backend database it is much easier to insert a few new records than it is to design a system with a backdoor and hope that no one else discovers it. If you are thinking that *someone else* inserted a backdoor into a government system of this import? I highly doubt that. All of these things are home grown. Sure the US (and other countries) will look and see what others have done as a way to improve their own systems. But when it comes to the design and manufacture, I would bet good money that it is produced 100% locally.
-Terry
-----
"so listen up boy, or pornography starring your mother will be the second worst thing to happen to you today"
TF2: Spy
 
#7
Um. The link above doesn't go to a specific article any more... can someone provide a gloss?

Also, note Kurisu's comment. Different article, oddly related in a strange coincidental way.
-- Bob
---------
Then the horns kicked in...
...and my shoes began to squeak.
 
#8
http://www.msnbc.msn.com/id/35710411/?GT1=43001
__________________
Into terror!,  Into valour!
Charge ahead! No! Never turn
Yes, it's into the fire we fly
And the devil will burn!
- Scarlett Pimpernell
 
#9
sweno Wrote: And I doubt that any country would have a back door in their system that could be abused by third parties.

Most people are idiots and most programmers are people. Add on to that that most systems are made by the lowest bidder (or made by the one who greases the wheels the best) and most of the people doing programming work barely know how to turn on a computer and then you start getting an idea of why that is a silly idea. A very silly idea.

Add to that budget and time pressures and the sheer complexity of most IT systems and one can understand why even competent programmers often leave security holes all over the place. And even if system security is nearly perfect, admins can get up to all kinds of naughty stuff given the proper incentive. And most admins are overworked and underpaid, and if all of that isn't enough they tend to have connections to the outside world, so a kidnapping or two can break even the most scrupulous admin, but given that there are usually hundreds of people who have access to the system, finding one bad apple is usually not too hard. Many of these systems are also geographically dispersed (like say the passport system, where every embassy has some access to the system) so it's often not too daunting of a challenge to insert yourself into the loop somewhere.

But I am far more worried about criminal access to the data than anything else; for instance, the proposed national ID database in Britain would be worth more on the black market than the US defense budget, assuming the glut of supply wouldn't drive down the price. As a practical matter no one has any idea on how to secure such large databases against attack. Many security companies say they do but none of them have ever been successful in stopping attacks.

The most advanced security model that is widespread in normal people's hands at the moment is the Unix security model, which is used on Mac OS and most Linux boxes among other places, and that dates back to the early 1970's or so. The threat profile has changed a little since then but there is comparatively little work done on better security models. Windows' security model is actually more reminiscent of even earlier security models; one of the reasons Vista was so hated is because they brought it closer to the Unix security model and it broke lots of things, even though they left backdoors in for old programs.

There are some ideas for better security models, but most of them require pretty much all current software to be scrapped. Not likely to happen. The best around is something like SELinux as designed by the NSA but even that has shortcomings.
E: "Did they... did they just endorse the combination of the JSDF and US Army by showing them as two lesbian lolicons moving in together and holding hands and talking about how 'intimate' they were?"
B: "Have you forgotten so soon? They're phasing out Don't Ask, Don't Tell."
 
#10
OK, perhaps I should have been more specific.

I doubt that any country would purposefully insert a back door into their systems.

I have no problem believing that a flaw could be exploited to produce a false positive when it comes to allowing access.
-Terry
-----
"so listen up boy, or pornography starring your mother will be the second worst thing to happen to you today"
TF2: Spy
 
#11
CattyNebulart Wrote: And most admins are overworked and underpaid
You've never worked as a government sysadmin, have you?

In Canada, the entry-level pay for a federal government sysadmin is $50,140 Canadian per year, according to the current collective contract (http://www3.pipsc.ca/portal/page/portal ... e09.en.pdf), and new hires only stay at that level for a year. (And one has to pass a security check to get the job.) I can't see any other Commonwealth or G8 country paying their sysadmins any less than that.
--
Rob Kelk
"Governments have no right to question the loyalty of those who oppose
them. Adversaries remain citizens of the same state, common subjects of
the same sovereign, servants of the same law."

- Michael Ignatieff, addressing Stanford University in 2012
 
#12
The question is then suborning a sysadmin into doing the deed, then, no? God knows, someone tried to offer a bribe to me once. He said he was joking, but I had my doubts. I told him I'm not considering doing anything for him unless it's 10 years' salary in cash.
__________________
Into terror!,  Into valour!
Charge ahead! No! Never turn
Yes, it's into the fire we fly
And the devil will burn!
- Scarlett Pimpernell
 
#13
Quote:CattyNebulart wrote:

Most people are idiots and most programmers are people. Add on to that that most systems are made by the lowest bidder (or made by the one who greases the wheels the best) and most of the people doing programming work barely know how to turn on a computer and then you start getting an idea of why that is a silly idea. A very silly idea.  
While I'll agree that there are idiots in the programming field, saying that most of them barely know how to turn on a computer is a bit much.  And more than a little insulting.
 
#14
That depends on what's meant by "a computer" - government databases don't reside on PCs, after all.

(It takes at least 20 minutes to turn on a mainframe, and that assumes you know what you're doing. Power up the mainframe's processor before the SAN, and you'll have to start over... unless it's the model where you reverse those steps.)
--
Rob Kelk
"Governments have no right to question the loyalty of those who oppose
them. Adversaries remain citizens of the same state, common subjects of
the same sovereign, servants of the same law."

- Michael Ignatieff, addressing Stanford University in 2012
 
#15
robkelk Wrote: That depends on what's meant by "a computer" - government databases don't reside on PCs, after all.
(It takes at least 20 minutes to turn on a mainframe, and that assumes you know what you're doing. Power up the mainframe's processor before the SAN, and you'll have to start over... unless it's the model where you reverse those steps.)
If Catty meant a mainframe, then I'll concede the point and redact my previous statement. If Catty meant a PC... Well, I'm one of those supposed idiots. Besides, even if the systems are made by the lowest bidder, the contractor still has to abide by the Government's requirements. And if the Government wants it done a certain way, that's the way it gets done if you want your paycheck.
  
 
#16
Quote: If Catty meant a mainframe, then I'll concede the point and redact my previous statement. If Catty meant a PC... Well, I'm one of those supposed idiots.

I was exaggerating just a little, and I'm one of your fellow idiots too. Most is not all, but given that most people assume they are above average it seems safer to assume that any notion of great competence is just a delusion.

But do you understand how to turn on a PC? I don't mean just pressing the button but what happens on power on, where it looks on the hard drive, what and why it loads stuff (first sector aka MBR) from the hard drive into RAM, how chainloading works, etc? Most people don't; however, most people probably understand what happens when you flip a light switch. A programmer not understanding bootstrapping is like an electrician not understanding what happens in a light switch, just knowing which cable connects to where. Not understanding is fine as long as you don't have to work with it, but understanding is valuable when you encounter something odd (like say non-IBM architecture computers).
E: "Did they... did they just endorse the combination of the JSDF and US Army by showing them as two lesbian lolicons moving in together and holding hands and talking about how 'intimate' they were?"
B: "Have you forgotten so soon? They're phasing out Don't Ask, Don't Tell."
 
#17
I would argue that not understanding bootstrapping as a programmer is akin to not understanding how a hydroelectric dam works as an electrician. Light switches are something the average electrician deals with on a normal basis. I don't think the same can be said for programmers and bootloaders.

I program for a living (Perl), but I don't write to the bare metal. And I have no immediate need to understand bootstrapping. I know what the concept means, and can describe it in vague terms.

Could I build a bootloader, or diagnose where one went wrong? No.
Could a standard electrical engineer build or diagnose a hydroelectric dam? No.

But honestly, I don't want to know. I would rather fill my head with more pertinent information to my job (designing a lexical parser for re2c given the constraints of x). And I'm sure my employer feels the same way.

But to drag my post back onto a more general topic that is more constructive to this conversation:
Every one of us is probably an expert at the slim niche of stuff we deal with every day. We don't have to understand the process behind the modern combustion engine, how characters appear on screen when we hit the letters on our keyboards, or a thousand other things that enable us to do our jobs and live our lives.

Most people are idiots about things outside of their areas of experience. I would quickly be out of a job if I was an idiot at programming Perl. But I can very easily live my life while being an idiot about hunting, sub-orbital physics, biochemistry, and a hundred other things.

If someone has a job that deals with X, I expect them to not be an idiot at X. If your job is securely working with a mainframe, I expect you to not be an idiot at security and mainframes. If your job is a technical writer on how to use an application that interfaces with a mainframe, I expect you to know how to properly start up the application. I do not expect you to know how to properly start up said mainframe.
-Terry
-----
"so listen up boy, or pornography starring your mother will be the second worst thing to happen to you today"
TF2: Spy
 
#18
You don't need to branch/subvert the American passport agency.

You only have to suborn/blackmail the sysadmin of the LOCAL entry point. Customs camera tapes? So sorry, they all got erased.

That this didn't happen makes me tend to think this was a spur of the moment thing.

Either that or simply plan on the agents involved retiring or undergoing cosmetic surgery afterward.

Either way, the covert agents probably outnumber the people who really need to die for-sure-and-certain enough that the latter option is entirely feasible.
 
#19
Eh. More or less what sweno said, only I'm in web apps on ASP.NET.