21 Jul 20:37 2009

What are these “Toy Dogs” up to?

I was flipping through some book which I’m not entirely sure how I laid hands on, but this one just speaks for itself.

Toy dogs stealin' our women!

I’m worried.

10:19

Technology scares me, let me stay backwards!

Edit: YHBT ;>

This one came to me via a web2.0 service. It’s not very relevant to my interests usually, no, but here’s something that just made me think twice. Apparently there is someone out there on the blogosphere who’s wrong. Surprising! Wrong information, on MY intertubes?

No, of course, even with Israel’s underdeveloped blogosphere and web services in general – even there, some jerk could come in and pour their verbal manure onto a page. It only takes one. This time, it was about Israel’s (oh no!) revolutionary biometrics act.

Turns out somebody’s quite scared, and has been watching a lot of cheap sci-fi to base their fears on, too. So apparently the government will start a database with the fingerprints and “facial features” of citizens.

But here’s the thing, unless somebody screws up royally, there’s no reason for this to fail too hard at all.

So I’ll go one by one and debunk a few of the post’s misinformed ramblings.

There will still be other records that will be more meaningful.
Do you honestly think that any government will suddenly start relying solely on this system? Now, that would be stupid, wouldn’t it?

I can assure you, even though I haven’t read about this too thoroughly, that there will be other records, which will hold more credibility over this one.

We have one-way hashes (what most people call checksums), and they only work one way
We have this thing called a cryptographic hash function. It takes data of any size and produces a fixed-size digest, and it is one way: given only the digest, there is no shortcut back to the data. The only two ways you can find the original out are:

  1. Brute forcing the data yourself: hash candidate inputs until one produces the same digest
  2. Finding someone who already hashed a lot of candidates and using their precomputed table (rainbow tables)

This is roughly how logging into your bank account works: the bank stores a salted hash of your password rather than the password itself, checks that the hash of what you typed matches, and the per-user salt is what makes precomputed tables useless against it.
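As an added example (mine, not the original post’s), here is that whole idea in Go: a salted, iterated SHA-256 password hash, the login check, and the brute-force path that is all an attacker is left with. The iteration count and the wordlist are constructed for illustration; a real system would use a purpose-built password hash such as bcrypt, scrypt or Argon2 rather than iterated SHA-256.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
)

// Iterations is how many times the hash is re-applied to slow down guessing.
// The count is an illustrative choice; real systems use a purpose-built
// password hash (bcrypt, scrypt, Argon2 or PBKDF2) rather than iterated SHA-256.
const Iterations = 10000

// HashPassword computes a salted, iterated SHA-256 digest of password.
// It is one way: there is no function that maps the digest back to the password.
func HashPassword(password string, salt []byte) string {
	sum := sha256.Sum256(append(append([]byte{}, salt...), password...))
	for i := 1; i < Iterations; i++ {
		sum = sha256.Sum256(append(append([]byte{}, salt...), sum[:]...))
	}
	return hex.EncodeToString(sum[:])
}

// NewSalt returns 16 random bytes, stored next to the digest. A per-user salt
// means the same password gives different digests for different users, so one
// precomputed (rainbow) table cannot cover everybody.
func NewSalt() []byte {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		panic(err)
	}
	return salt
}

// VerifyPassword is the login check: recompute the digest from what the user
// typed and compare in constant time so timing does not leak how much matched.
func VerifyPassword(password string, salt []byte, stored string) bool {
	got := []byte(HashPassword(password, salt))
	return subtle.ConstantTimeCompare(got, []byte(stored)) == 1
}

// BruteForce is the attacker's side. With only the digest and salt, the sole
// way back is to hash candidates until one matches. Returns the matching
// candidate, or "" when none of the candidates is the password.
func BruteForce(stored string, salt []byte, candidates []string) string {
	for _, c := range candidates {
		if HashPassword(c, salt) == stored {
			return c
		}
	}
	return ""
}

func main() {
	// Constructed sample wordlist standing in for a leaked-password dictionary.
	wordlist := []string{"123456", "password", "qwerty", "letmein", "football"}
	salt := NewSalt()

	weak := HashPassword("letmein", salt)
	strong := HashPassword("correct horse battery staple", salt)

	fmt.Println("login with the right password:", VerifyPassword("letmein", salt, weak))
	fmt.Println("login with a wrong password:  ", VerifyPassword("letmeout", salt, weak))
	fmt.Printf("weak password recovered as %q\n", BruteForce(weak, salt, wordlist))
	fmt.Printf("strong password recovered as %q\n", BruteForce(strong, salt, wordlist))
}
```

The salt is what breaks rainbow tables (the table would have to be rebuilt per user), the iteration count is what makes every guess cost the attacker something, and the constant-time compare closes the side channel that a plain string comparison would open on the login path.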

It’s possible to verify the authenticity of data with a public key
We have the technology right here and now, and it too goes one way. This is how it works, roughly. I have a private key and a public key. The private key (usually itself locked with a password) applied to the data produces a signature. Anyone holding the public key can check that signature, but the public key cannot be used to produce one, and changing a single bit of the data makes the signature fail.

Say you have 3 agencies sign the biometric data in that manner and each put it in their respective database. Let’s say the databases are all in separate places in Israel, connected using the government’s internal network (it exists, and it’s not a part of the internet). An attacker who alters one copy now has to alter all three consistently and forge all three signatures, without holding any of the three private keys. How am I supposed to make them all agree for my evil “leet hacker” methods to work?
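The three-agency scenario, as an added illustration in Go (mine, not the original post’s code), using Ed25519 from the standard library. The agency names and the record are made up; a real record would be a biometric template and the keys would be kept in hardware, but the mechanics are the same: each agency signs with its private key, anyone can verify with the published public keys, and a copy that was altered in one database fails its check while the other two still agree.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Agency holds one signing key pair. The private key never leaves the agency;
// the public key is published and is all that anyone else needs.
type Agency struct {
	Name    string
	public  ed25519.PublicKey
	private ed25519.PrivateKey
}

// NewAgency generates a fresh Ed25519 key pair for an agency.
func NewAgency(name string) *Agency {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Agency{Name: name, public: pub, private: priv}
}

// Sign produces this agency's signature over record using its private key.
func (a *Agency) Sign(record []byte) []byte { return ed25519.Sign(a.private, record) }

// Public returns the verification key.
func (a *Agency) Public() ed25519.PublicKey { return a.public }

// SignedCopy is what one agency's database stores: the record plus the
// signature that agency made over it.
type SignedCopy struct {
	Record    []byte
	Signature []byte
}

// Distribute has every agency sign the same record and keep its own copy.
func Distribute(record []byte, agencies []*Agency) []SignedCopy {
	copies := make([]SignedCopy, len(agencies))
	for i, a := range agencies {
		copies[i] = SignedCopy{Record: append([]byte(nil), record...), Signature: a.Sign(record)}
	}
	return copies
}

// Check verifies each copy under its own agency's public key and returns the
// names of the agencies whose copy fails. A valid signature means "this agency
// vouched for exactly these bytes"; an altered copy fails because nobody without
// the agency's private key can produce a signature that its public key accepts.
func Check(copies []SignedCopy, agencies []*Agency) []string {
	var bad []string
	for i, c := range copies {
		if !ed25519.Verify(agencies[i].Public(), c.Record, c.Signature) {
			bad = append(bad, agencies[i].Name)
		}
	}
	return bad
}

// Consensus returns the record that a majority of validly signed copies agree
// on, or nil when there is no such majority. This is the "make them all agree"
// problem from the post: changing one database does not change the answer.
func Consensus(copies []SignedCopy, agencies []*Agency) []byte {
	votes := map[string]int{}
	for i, c := range copies {
		if ed25519.Verify(agencies[i].Public(), c.Record, c.Signature) {
			votes[string(c.Record)]++
		}
	}
	for rec, n := range votes {
		if 2*n > len(copies) {
			return []byte(rec)
		}
	}
	return nil
}

func main() {
	// Constructed sample record and agency names (hypothetical, not real data).
	record := []byte(`{"person":"citizen-0001","fingerprint":"<template>","face":"<template>"}`)
	agencies := []*Agency{NewAgency("registry"), NewAgency("police"), NewAgency("border")}
	copies := Distribute(record, agencies)
	fmt.Println("failing copies before tampering:", Check(copies, agencies))

	// An attacker who got into one database rewrites its copy of the record.
	copies[1].Record = []byte(`{"person":"citizen-0001","fingerprint":"<attacker>","face":"<template>"}`)
	fmt.Println("failing copies after tampering:", Check(copies, agencies))

	// Re-signing with a key the attacker generated does not help either: the
	// verifier uses the agency's published public key, not the attacker's.
	copies[1].Signature = NewAgency("impostor").Sign(copies[1].Record)
	fmt.Println("failing copies after re-signing with an impostor key:", Check(copies, agencies))
	fmt.Printf("record the agencies still agree on: %s\n", Consensus(copies, agencies))
}
```

The point the verifier has to get right is which public key it trusts: the signature is checked against the key each agency published beforehand, so an attacker who can rewrite a record and attach a signature from a key of their own still fails. The majority rule in Consensus is the simplest way to turn three independent copies into one answer; with two of three copies compromised it returns nil rather than a forged record, which is the honest result.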

It’s not impossible to crack most systems, but it’s far easier to abuse others’ stupidity.
So-called identity theft can be done using the following method.

  1. Call unsuspecting victim, pretend to be calling from one of the following: the bank, their cell phone carrier, landlines carrier, some charity organization
  2. Ask for unsuspecting victim’s personal information. For instance: credit card number, phone number, some ID number (its local variant), bank account number.
  3. Wait a few days
  4. Call again as someone else! (Go back to 1)

This is real. These things actually happen. And you want to tell me that the weakest link is… an electronic system? Them evil machines! It’s humans, with their utmost intelligence, that provide a system of ultimate fortitude! Well, turns out that’s not the case.

I’ll go a step further and say that, no, physical storage of data is not all that safe either. Houses are broken into on a daily basis. As are shops. No matter how difficult it’s supposed to be to get into or out of some place, it happens all the time.

I have a lot more to say, but maybe I’ll just quit. It’s been fun, but it has to end. So there, I presented strong arguments for why the fact that it’s a computerized database doesn’t honestly matter.

16 Jul 18:20 2009

Noob at scams

Still looking for a job, though I haven’t blogged about it much. I at least email my résumé for the most part, except for the really awful ones. The really, really awful ones.

I’ve been mostly unsuccessful and had few followups, even fewer interviews. That much isn’t unusual.

Recently I did in fact receive a reply to one of my emails.

Date: July 11, 2009 19:27:38 GMT+03:00
From: XXX.casinomarketingneeds@gmail.com
Subject: graphic design

Hello Adi,
Would you be able to meet up for an interview Sunday at 4:00pm?
I really am interested in your work.

Best
XXX

I was pretty convinced it was actually spam but had my doubts. For one thing, it’s from a gmail account, and I rarely receive spam from those. Secondly, it seemed to at least be targeted at me. I took a chance and replied, said that, yes, I can meet her Sunday (which is actually a work day in Israel, too). I mentioned in my email that I would like to speak to her on the phone as well.

Fun fact: I got the email Saturday evening. The email didn’t say where other than what city, which isn’t really saying much at all.

The call came Sunday afternoon. After the meeting was “supposed” to happen. Not very professional maybe? She spoke “good” English, with traces of something else in her accent. This time she said we should meet at a café somewhere along Dizengoff, which is slightly more specific. Slightly. Very slightly.

The company, she said, was “the first of its kind.” Some sketchy outsourcing business for casinos. Like that’s supposed to make me feel comfortable. A casino isn’t really where honest men and women decide to make their living – be it as a player or as the owner.

But what bothered me more was that it seemed like an attempt, and a very poor one at that (extremely poor, in fact), to get me to do the work and then just disappear with it, without me getting a cent back.

You know, if she at least, say, used the company’s domain name to send me email, stuck to the actual times and just overall didn’t make this sketchy – I would have probably gone for it. But guess what.

Makes me wonder: are there people who actually fall for these types of “traps”? Would you have taken that (freelance, if I may add) job even at the risk of not getting paid?