Date: 2018-02-22
US Border Officials Haven't Properly Verified Visitor Passports For More Than a Decade Due To Improper Software (zdnet.com) 85
An anonymous reader quotes a report from ZDNet: U.S. border officials have failed to cryptographically verify the passports of visitors to the U.S. for more than a decade -- because the government didn't have the proper software. The revelation comes from a letter by Sens. Ron Wyden (D-OR) and Claire McCaskill (D-MO), who wrote to U.S. Customs and Border Protection (CBP) acting commissioner Kevin K. McAleenan to demand answers. E-passports have an electronic chip containing cryptographic information and machine-readable text, making it easy to verify a passport's authenticity and integrity. That cryptographic information makes it almost impossible to forge a passport, and it helps to protect against identity theft. Introduced in 2007, all newly issued passports are now e-passports. Citizens of the 38 countries on the visa waiver list must have an e-passport in order to be admitted to the U.S. But according to the senators' letter, sent Thursday, border staff "lacks the technical capabilities to verify e-passport chips." Although border staff have deployed e-passport readers at most ports of entry, "CBP does not have the software necessary to authenticate the information stored on the e-passport chips." "Specifically, CBP cannot verify the digital signatures stored on the e-passport, which means that CBP is unable to determine if the data stored on the smart chips has been tampered with or forged," the letter stated. Wyden and McCaskill said in the letter that Customs and Border Protection has "been aware of this security lapse since at least 2010."
How much do you want to bet that they were able to get a "solution" budgeted every year?
Re:Bet they were able to get it budgeted though (Score:5, Insightful)
Isn't that a bit of a security risk?
E.g. this app requires you enter a bunch of data. And then it scans your passport
https://play.google.com/store/... [google.com]
At which point it knows everything about you. What's to stop it sending the data off to someone who sells it on the internet to identity thieves?
If it was some pure open source thing I might trust it. However even though this library is open source
http://jmrtd.org/ [jmrtd.org]
... The ReadID app is not. So you don't know what they do with the data they collect.
What's to stop it sending the data off to someone who sells it on the internet to identity thieves?
The same thing that's stopping Microsoft from harvesting e-mail passwords via its Outlook iOS/Android app...: Reputation
Yea too bad they couldn't just fucking use Linux.
We all know it's security theatre (Score:5, Insightful)
This episode of security theatre is brought to you by CBP (Customs and Border Patrol) part of the larger circus called the DHS (Department of Homeland Security) which is now the largest federal law enforcement agency. We can't figure out if your passport is legit but take off your shoes and don't even think of taking those nail-clippers or toothpaste on that airplane. Someone should start a Dilbert-like DHS comic strip and make T-Shirts people can wear when going through security.
Re:We all know it's security theatre (Score:5, Interesting)
But but, let's replace the private companies that didn't let anything inappropriate through.
Bush oversaw the largest socialization of private industry in the history of the US, and yet nobody calls him a socialist.
Bush oversaw the largest socialization of private industry in the history of the US, and yet nobody calls him a socialist.
Must ... resist ... oh damn, here I go.
First of all, which Bush?
Second, exactly what "private" (in your view) industry did he "socialize?"
Third, are you seriously claiming that Bush (41 or 43) is a socialist?? Dude, your tinfoil hat is on too tight.
Re: (Score:1)
Bush, 43, did actually, in reality socialize airport security
Before Bush, it was private security meeting standards (that were never missed on record), within his terms it became government that failed to meet standards.
150k or so private jobs became government jobs. The largest socialization in US history. And it happened fast.
Re:We all know it's security theatre (Score:5, Informative)
I recall (living in the DC area at the time of 9/11 and working next to Dulles, so it wasn't exactly a distant concern at the time) that Bush and the Republicans in Congress wanted enhanced private security, but the Democrats would only join them in voting for it if it used government workers, so to get it at all (which I wouldn't have voted for, but that's another discussion) they caved to the Democrats on the issue.
So while Bush was the President at the time, it's not like he was a dictator. To say it was Bush's idea to use government employees for security isn't accurate. At most, he went along with the Democrats on it.
Before Bush, it was private security meeting standards (that were never missed on record), within his terms it became government that failed to meet standards.
How do we know they never missed on record? Is it because they told us they never missed? It seems like this might be similar to the difference between open-source and closed-source code; the former might seem less secure because there are lots of bug reports and patches, but that doesn't really tell us anything about the state of the latter. Similar
We can't figure out if your passport is legit but take off your shoes and don't even think of taking those nail-clippers or toothpaste on that airplane.
The entire DHS airport security checks could be replaced with cocktail wieners.
Just have a tray of them at every airport gate. Passengers wishing to fly would be required to eat a cocktail wiener before boarding the plane. Islamic terrorists would refuse to eat the cocktail wiener, and could thus be filtered out easily and efficiently.
But no, the DHS folks are only interested in building an empire for themselves by wasting mountains of taxpayer money.
Also an effective countermeasure against the scourge of international vegan terrorism. Brilliant!
"Islamic terrorists would refuse to eat the cocktail wiener,"
There is much about Islamic terrorists you do not know or understand. But I know you were engaging in theatre, so I'm not really concerned you are that stupid or naive. At least not about that...
Obama was elected in 2009, one year before the problem became known internally, not when the problem was created.
It was created by George Bush, whose moron employees failed to create the proper software.
So, you want to blame the guy at the top of the food chain, fine. But make sure you blame the shmuck that created the problem, rather than just the guy that failed to fix it. Especially as you have no evidence about what Obama did or did not know or do.
The clear implication is that this rule is specific to nations which don't require a Visa. Countries that don't get the Visa waiver don't necessarily need an e-passport, because the e-passport is used to streamline non-Visa travel. And nations such as Mexico, China and India, e.g. places likely to have illegal immigrants to the USA aren't on the Visa waiver list, therefore the
Forgers have known about this just as long. And even if you get it to work eventually, the encryption on the chips themselves has been proven easy to crack for many years.
You could try reading the article?
It does the obvious thing you would expect from a system using digital signatures that is set to not verify the signature.
It happened during Bush's presidency.
The passport checkers may as well have stayed home (Score:3)
All of those passport checkers may as well have stayed home for the past ten years.
Also easily replicated (Score:5, Informative)
There was an interesting e-passport replication technology reported at the "Black Hat" security conference in 2006. So far as I know, this replication approach has never been disabled
https://www.theregister.co.uk/... [theregister.co.uk]
RFID chips are, by their nature, kept very inexpensive and easy to read. Unless the USA and other nations are prepared to invest in more powerful and secure standards for what is supposed to be a very easily scanned and robust technology, I'm afraid that I don't see how they can be made more secure.
Re: (Score:3)
Unless the USA and other nations are prepared to invest in more powerful and secure standards for what is supposed to be a very easily scanned and robust technology, I'm afraid that I don't see how they can be made more secure.
The point isn’t to make passports truly secure in the eyes of a technically literate person - the point is to make them “secure” within the level of understanding possessed by the average politician.
You know - the men and women who believe we can have “secure” smartphones which are completely and readily accessible to law enforcement personnel but no one else.
Re:Also easily replicated (Score:4, Insightful)
Replicating a passport is far less of an issue than writing a new one whole cloth.
Re: (Score:3)
Cloning is possible. However, in this case, the digital signature of the data is not even being checked. So, right now, you can create complete forgeries without the private key (or certificate) required. If they actually started to check signatures, which let's face it, software should be able to do easily today (I wonder why it's never been implemented), then you would have to match the details on the written passport exactly and you'd have to be a clone of another passport holder. That is a far higher ba
Re: (Score:3)
I know, right? After that, the government will probably want to take over the military, with enough nuclear weapons to destroy humanity. What could possibly go wrong, amirite? And border security. Thank goodness we live in a free country where the government isn't in charge of something as important as border security or national defense.
We need to act n
