kickingtyres

Just as France cut card fraud by 80% by implementing Chip and Pin around 10 years before the rest of Europe, Air France is adopting the use of 3 cutting edge technologies in a new boarding pass.

The new boarding cards, which are being trialled with their “frequent fliers” between Paris CDG and Amsterdam Schipol until the end of the year, use RFID, Thermal printing and Biometrics to bring a reusable card that the passenger can keep.  The system allows online check-in, with the card being printed with the flight details by a machine at the airport.  The card holds the passenger’s thumb and fore-finger print and flight details, as well as having the flight information printed on the back in the same way as a traditional paper boarding card. Passengers using the card will board through a special gate which scans the fingerprints, and compares them to those on the card.

Air France also rolled out Mobile check-in earlier this month, such that passengers can check in using SMS or Email from their phone.  In using this system, all they need to board is their ID or passport.

Air France Smartboarding Press Release

This was brought to my attention from The Magistrate’s Blog

Police set to step up hacking of home PCs – Times Online.

I’d be very interested to see how they intend carrying this out.  Both from the legal and technical perspectives.

THE Home Office has quietly adopted a new plan to allow police across Britain routinely to hack into people’s personal computers without a warrant.

…

The hacking is known as “remote searching”. It allows police or MI5 officers who may be hundreds of miles away to examine covertly the hard drive of someone’s PC at his home, office or hotel room.

While the new powers might well enable them to do the searching “without a warrant”, I’d like to know how they intend to actually DO the searching.

He said the authorities could break into a suspect’s home or office and insert a “key-logging” device into an individual’s computer. This would collect and, if necessary, transmit details of all the suspect’s keystrokes. “It’s just like putting a secret camera in someone’s living room,” he said.

Police might also send an e-mail to a suspect’s computer. The message would include an attachment that contained a virus or “malware”. If the attachment was opened, the remote search facility would be covertly activated. Alternatively, police could park outside a suspect’s home and hack into his or her hard drive using the wireless network.

Okay, let’s address the three possible vectors they suggest.

1. Breaking into a property: While the ‘hacking’ might be done without a warrant, I doubt very much that breaking and entering could be.  Not to mention that coming home to find your door smashed in is hardly “covert”.  Where do they intend installing a key-logger on my macbook Air, or my work laptop? Am I going to ignore some anonymous USB item, or dongle that’s suddenly appeared on my machines?
2. Sending a ‘virus’ or malware: Most email systems are designed to quarantine and protect from viruses, so it’s unlikely that a significant proportion of the population would ever see this email, never mind actually open it, or it’s attachments.  In my case, even if the email somehow got through my mail-server’s spam and virus checking, as well as the local, client based virus and spam, checking, and then I was stupid enough to open it, AND run the attachment, can someone tell me how much damage this single attachment is going to do to either my Macbook or my work laptop running Ubuntu?  Are they intending sending three attachments  (or more), with one for each OS the suspect might be running?
3. Scanning via a wireless network:Most wireless networks are running WEP or WPA.  Yes, WEP can be cracked, but it takes a while and requires a significant number of packets to be sniffed to gain enough information to crack the key.  On a domestic network, I doubt that enough traffic would be sent to make this a quick or trivial task.  WPA is much mroe secure, and is unlikely it would ever be breached in a practical timescale.  Even if they managed to get onto the local wireless network, they then need to activate the aforementioned software to allow them access to the drive, or hope that someone’s shared their entire drive contents on the local network. Again, those of us running Linux or OSX would have to do something rather silly to enable this level of access to a guest user.  even moreseo, in my case, they’d have to access one of the laptops via SSH locally, and with my own username and password as both the drives and user partitions are encrypted.

On top of that, all these steps require the machine in question to be turned on and connected to the network in the firstplace, and that the information they seek is stored on the machine they are accessing, and not on another machine on the network which doesn’t use email or have outside access.

Police say that such methods are necessary to investigate suspects who use cyberspace to carry out crimes. These include paedophiles, internet fraudsters, identity thieves and terrorists.

Now bear in mind that the 3 points I address above are for me, with my standard setup.  The individuals they are targeting,  especially the latter 3 types, are likely to be running a far more secure system than my relatively simple setup.  I think the police and the home office are under the rather dated impression that everyone is running unpatched versions of Windows, on unsecured wireless networks with no virus or spam checking.  Now this might well be true for a fair proportion of the population, but I doubt that those being targetted would be as naive or illeducated in IT security.  This is potentially a massive project, both in terms of cost and it’s potential for infringing human rights, that will offer VERY little return in terms of convictions.