* Posts by Lockstep Technologies

7 publicly visible posts • joined 29 Oct 2009

It's an important ID, so why isn't the Medicare card chipped?

Lockstep Technologies

Re: Card is gateway fraud

You describe the status quo where the information on the card can be replayed by ID thieves without anyone knowing. My proposal is different and uses Chip-and-PIN principles to safeguard the presentation of personal data. The idea is to digitally sign data in the chip card before it is presented, so that the receiver can tell freshly presented data from replayed stolen data. This is how Chip-and-PIN cards prove the provenance of cardholder details between card and merchant terminal. We should do the same thing with all critical personal data. Governments could provide citizens with identity-protecting infrastructure, by 'chipping' Medicare cards, driver licenses and other identifiers, and also opening up these devices as Personal Data Stores to hold other personal details. The form factor can be plastic card or smart phone.

Note carefully the proposal is not a new identity system let alone a national ID, but to use technology to preserve and safeguard the various IDs and relationships we have today.

Japan begins mega-rollout of 100 million+ national IDs

Lockstep Technologies

Friends of the people not agents of the state

There's a fabulous opportunity here to leverage national scale smartcard technology to head off the sorts of exposures of citizen identities suffered in Korea and the USA.

See "Safeguarding the pedigree of personal attributes" at http://lockstep.com.au/blog/2014/09/01/pedigree-of-ids

The root cause of much identity theft and fraud today is the sad fact that IDs, customer reference numbers and attributes generally are so easy to copy and replay without permission and without detection. Simple numerical attributes like social security numbers, bank account numbers and health IDs can be stolen from many different sources, and replayed with impunity in bogus transactions.

Our personal data nowadays is leaking more or less constantly, through breached databases, websites, online forms, call centres and so on, to such an extent that customer reference numbers on their own are no longer reliable. Privacy consequently suffers because customers are required to assert their identity through circumstantial evidence, like name and address, birth date, mother's maiden name and other pseudo secrets. All this data in turn is liable to be stolen and used against us, leading to spiraling identity fraud.

To restore the reliability of personal attribute data, we need to know their pedigree. We need to know that a presented data item is genuine, that it originated from a trusted authority, it’s been stored safely by its owner, and it’s been presented with the owner’s consent. If confidence in single attributes can be restored then we can step back from all the auxiliary proof-of-identity needed for routine transactions, and thus curb identity theft.
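The signed-presentation scheme sketched in the Medicare card comment above and the "pedigree" checks listed in this one (genuine, from a trusted authority, presented with the owner's consent) can be shown concretely; the following Go program is an added illustration, not Lockstep's code or any real card implementation. It assumes an issuer key, a per-card key, and a verifier-chosen nonce per transaction, so that a copied presentation fails the freshness check and a tampered value fails the issuer's signature.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
)

// Attribute: one personal data item (e.g. a health ID) signed by its issuing authority
// together with the public key of the holder's card, which fixes its pedigree.
type Attribute struct {
	Name, Value string
	HolderPub   ed25519.PublicKey
	IssuerSig   []byte
}

// Presentation: what the card emits for one transaction, signed over attribute||nonce.
type Presentation struct {
	Attr      Attribute
	Nonce     []byte
	HolderSig []byte
}

func attrBytes(a Attribute) []byte { return []byte(a.Name + "|" + a.Value + "|" + string(a.HolderPub)) }
func presBytes(a Attribute, nonce []byte) []byte { return append(attrBytes(a), nonce...) }

// NewNonce is generated by the relying party per transaction; it is what makes a presentation fresh.
func NewNonce() []byte { n := make([]byte, 16); if _, err := rand.Read(n); err != nil { panic(err) }; return n }

// Issue: the authority binds the attribute value to this card's key (hypothetical issuer API).
func Issue(issuerPriv ed25519.PrivateKey, name, value string, holderPub ed25519.PublicKey) Attribute {
	a := Attribute{Name: name, Value: value, HolderPub: holderPub}
	a.IssuerSig = ed25519.Sign(issuerPriv, attrBytes(a))
	return a
}

// Present: the card signs the attribute with the verifier's nonce, proving possession and consent now.
func Present(holderPriv ed25519.PrivateKey, a Attribute, nonce []byte) Presentation {
	return Presentation{Attr: a, Nonce: nonce, HolderSig: ed25519.Sign(holderPriv, presBytes(a, nonce))}
}

// Verify checks freshness, issuer pedigree and card possession. A copied earlier presentation
// fails on the nonce; a tampered value fails the issuer signature; a wrong card key fails the holder signature.
func Verify(issuerPub ed25519.PublicKey, p Presentation, expected []byte) error {
	if string(p.Nonce) != string(expected) {
		return errors.New("nonce mismatch: replayed or foreign presentation")
	}
	if !ed25519.Verify(issuerPub, attrBytes(p.Attr), p.Attr.IssuerSig) {
		return errors.New("attribute not signed by trusted issuer for this card")
	}
	if !ed25519.Verify(p.Attr.HolderPub, presBytes(p.Attr, p.Nonce), p.HolderSig) {
		return errors.New("presentation not signed by the card holding the attribute")
	}
	return nil
}
```

The same replayed record that passes a plain "is this number on file" check is rejected here because the verifier's nonce was never signed by the card.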

Bruce Schneier's Data and Goliath – solution or part of the problem?

Lockstep Technologies

You think data protection regulation is complex?

The idea that privacy should be regulated by market forces seems not very far away from this critique of Schneier. The author says privacy has to be based on data ownership. If regulatory complexity - especially exceptions and special cases - is thought to be a problem with principles-based privacy, just think about consumer protection in retail and financial services. There is no way known that market forces can be left to shape reasonable privacy outcomes without massive regulatory oversight. The ability for consumers to tell what's going on in the weird and wonderful and oh-so-wild digital world, sufficient to make informed choices about competing products and models, is simply zero. No, Schneier is right. Privacy is about fundamental rights and even in the USA, all sorts of difficult intangible human rights are enshrined in law and reasonably well managed.

Major London rail station reveals system passwords during TV documentary

Lockstep Technologies

Security isn't secure

May I suggest the real question is this: how on earth do such organisations pass their infosec audits?? Do none of the auditors at any of these companies ever notice the passwords in plain view? Or do the operators do a quick clean up before the auditors arrive? Either way, here's yet more proof that security audit is a sick joke. And that security practices aren't worth the paper they're printed on. Security isn't what people think it is. Instead of meticulous processes and hawk-eyed inspections, it's just mediocrity and theatrics. Security isn't secure.

Google KNEW Street View cars were slurping Wi-Fi

Lockstep Technologies

Classic technologist's privacy error

At the time the story broke, blogs were full of geeks espousing their view that unsecured data in the public domain is up for grabs, and that Google did nothing wrong. I bet that was the predominant view in Google engineering and Google management. And it's wrong, at least in those many parts of the world where OECD privacy principles hold. No organisation can collect Personally Identifiable Information beyond what is required to do their job, and even then, they are obligated to be transparent about it. Thus Google's StreetView wifi exercise broke the privacy law of many jurisdictions. There is no strong privacy law in the US to be broken and the FTC investigation obviously went down a different track.

http://lockstep.com.au/library/privacy/public-yet-still-private.html

Google knew what was going on but they didn't see surreptitiously harvesting PII as being wrong. Why would they? It's their BUSINESS MODEL.

Fukushima fearmongers are stealing our Jetsons future

Lockstep Technologies

April Fool?

If this article is not an April Fools joke, then it is another example of fighting scaremongering with nuclear anaesthesia. How on earth is the Fukushima situation 'slowly winding down'? Radiation levels climb by the day, and the exposure of the source appears to be worsening as the core melts. Richard Lahey, ex director of boiling water reactor safety at GE, predicts that the fuel will start to come out "like lava". Nobody knows what's happening inside the broken structures. There is real pressure to extend the exclusion zone. And the government has no idea what to do next. I am no hysteric but this situation is farcical, and for some people to sit back and say soothingly, well, nobody is actually dead yet, is utterly incredible.

Security boss calls for end to net anonymity

Lockstep Technologies

We need MORE anonymity not less

Kaspersky's call for Internet Passports is madness. The social repercussions are surely obvious, and it's not clear what problem it might solve.

Most cybercrime is actually linked to an EXCESS of arbitrary identification, with inadequate safeguards. For the average user, anonymity in reality has become a luxury. The simplest credit card purchase requires an inordinate amount of identifying information to be divulged, to total strangers, who then pass it all onto third party processors no one has ever heard of. Hundreds of millions of personal records are compromised every year, fuelling a rampant black market in illegitimate IDs.

I say to Kaspersky, anonymity would be a blessing! To solve cybercrime, we don't need any new passport, rather we need to protect the identities we already have against theft and abuse.

Stephen Wilson, Lockstep Technologies.