ID card security

ID card security

Post by Dave Barne » Thu, 20 Oct 2005 18:04:46


If Muckysoft's UK National Technology Officer, Jerry Fisherman, is
warning that the UK ID card scheme will not be secure, he obviously
knows something (a lot) about the weaknesses of the OS that .gov.uk is
so in love with.
www.theregister.co.uk/2005/10/18/ms_fishenden_idcard_ *** / (See also
www.theregister.co.uk/2005/10/18/dame_pauline_id/ )

I am generally agnostic about the scheme, apart from cost, but these
revelations and probably more to come could turn me to the NO camp.
Alternatively, a better OS (anything, including a beefed-up RISC OS?)
would seem to be essential if I am to be convinced.

Better project management, than that .gov.uk has recently demonstrated,
must be top priority. Hopefully, this will lead to the adoption of an OS
that does not have the oversight of the CIA and the backdoors that the
hackers rely on and that appear to be mandatory in US sourced systems.

--
Dave
 
 
 

ID card security

Post by John M War » Thu, 20 Oct 2005 18:36:29

In article < XXXX@XXXXX.COM >,



If even MS execs (whose company produces systems that are hardly classed
as "secure" themselves) are this concerned, then the whole thing has to
be very worrying indeed.

Imagine if, in the early days of MFI, they looked at someone else's
furniture line and stated that it didn't seem very solid, and -- well,
you must have got the picture!


That would be a *part* of a possible solution, and at least it would
mean building on a more solid foundation. Without that firm base,
nothing built on top of it -- however clever and sophisticated -- can
hope to stand securely, just like a house built on sand.


Oh, I doubt that we as a nation would be permitted by our Merkin
"bosses" to have anything that didn't give /them/ complete access to all
our information. If hackers and suchlike then gain easier access as a
result, well, it's the old breaking eggs to make an omelette scenario.
The USA's agenda will of course be self-serving first and foremost, as
always, and we -- as their minions -- will be easy enough to keep in
line in this respect.

I fully expect to see an XP logo on every ID card...

--
John M Ward : RISC OS computing since 1987, now Iyonix-powered!
Acorn/RISC OS web page: www.john-ward.org.uk/personal/john/computers

 
 
 

ID card security

Post by Steven Pam » Fri, 21 Oct 2005 03:23:18

In article < XXXX@XXXXX.COM >,




The next stage would be to explain how the work their company had recently
done was a much better solution.

Or is that too cynical.

--
Steve Pampling
 
 
 

ID card security

Post by Paul F. Jo » Fri, 21 Oct 2005 08:20:04


I don't actually care - I will never get an ID card - even if it means
jail time as I honestly don't (a) see the need for them and (b) can't
see what they will achieve other than lining both MS's and the
government's pockets.

They will not stop terrorism, fraud or anything like that - it is just
another excuse to make a buck off the hard working people of this
country.
--
"Writing for a penny a word is ridiculous. If a man really wants to make
a million dollars, the best way would be to start his own religion" - L.
Ron Hubbard, an awful Sci-Fi author, WW2 fraud and founder of one of the
world's most evil and insidious cults, Scientology.
 
 
 

ID card security

Post by greg » Fri, 21 Oct 2005 08:47:24

In article <1129764004.24822.26.camel@localhost>, paul@all-the-
johnsons.co.uk says...


Has the managing OS been announced yet?
I was pleasantly surprised to see Tux on the OS for the new computerized
MOTs, not sure what flavour yet though.


Gravy Train springs to mind.

--
Greg Harris (Norwich)
 
 
 

ID card security

Post by Dave Barne » Fri, 21 Oct 2005 16:37:47

In a recent message



[.....]

Or built out of sticks as so many are in the US. Katrina and other
storms regularly expose these weaknesses. Just as hackers regularly
expose the weaknesses in an OS.
[....]

Have you been (re-)reading the works of Eric Blair by any chance?

It is going to need some hefty sponsorship if the cost over-runs are to
be met.

Won't it be the OS after Vista by that time? ;-)

--
Dave
 
 
 

ID card security

Post by Dave Barne » Fri, 21 Oct 2005 17:24:33

In a recent message



[....]


If you have any doubts that the CIA (or SIS for that matter) are
insisting on keeping backdoors open: www.theinquirer.net/?article=27027

--
Dave
 
 
 

ID card security

Post by John M War » Fri, 21 Oct 2005 17:48:33

In article < XXXX@XXXXX.COM >,






I have never had any doubts about this myself, but your message and link
will be useful to others reading this who are not (yet) convinced.

Reading the Inquirer article was at first a little confusing as it
mentioned EFF and printed dots. I momentarily wondered what the good Dr
Detyna had got himself caught up in... ;->

--
John M Ward : RISC OS computing since 1987, now Iyonix-powered!
Acorn/RISC OS web page: www.john-ward.org.uk/personal/john/computers
 
 
 

ID card security

Post by Theo Marke » Tue, 25 Oct 2005 01:21:21


Those are all quite reasonable concerns that the security community has
voiced. But I don't really see what they have to do with Windows. It just
happens that a Microsoft person has voiced them, and it just illustrates
that Microsoft employ some people who know something about security. I'm
sure Microsoft aren't stupid and know all about the security holes in their
OS (even if management has decided they aren't priorities to fix).

The ID card scheme is nowhere near a specification yet (there is still a
huge argument about exactly what the card is going to do, not even the first
step to specification) so it's a little premature to make assumptions about
what technologies the reader and database backend are going to use. Since
RISC OS is much more insecure than Windows I think it is unlikely to be
chosen though.

Theo
 
 
 

ID card security

Post by Chik » Tue, 25 Oct 2005 05:12:06

In article <vKF* XXXX@XXXXX.COM >, Theo Markettos




I wonder how they got in?


That makes one of you. No, seriously, I could take that in one of two
ways; first, they actually do know about all their own holes, in which
case one has to wonder why they persist in leaving them open. An ulterior
motive, mayhap? Second, they actually don't know and that statement is
awfully naive. Not sure which one to pick.


I'm not totally sure whether it would make a difference anyway. Even
Microsoft can only control so much when it comes to a government project,
and government agencies are experts in *** ing things up. They will either
specify something that is so improbably unworkable that it will leak like
a sieve, or they will actually produce a good specification, then
implement it in the cheapest, shoddiest, most inappropriate way possible.


Oh, that old saw again. IMHO both OS's have serious security bugs in them.
One of the biggest is called a "user". It's probably the only
cross-platform bug, affecting RISC OS, Windows (all versions), *nix and
Apple OS's, not to mention any other OS you care to mention. You can make
a system as secure as you like, but a user will work around the security
because it's "too much bother" or something like that.

A cynic? Me? Naaah... :)

--
//\ // Chika < XXXX@XXXXX.COM . - ROT13>
// \// Hitting Googlespammers with hyper-hammers!

... Can I stop typing in taglines now please?
 
 
 

ID card security

Post by druc » Tue, 25 Oct 2005 06:01:35


RISC OS has never been designed to have any security whatsoever. Anything
that can run on RISC OS, can do whatever it likes, gaining complete control
over the machine. A lack of security is not the same thing as a
vulnerability which allows an attacker to introduce rogue code on to a
machine, via say a bug in a network service, web browser or email program.
RISC OS may have no security, but through well written applications and OS
components it also has almost no vulnerabilities either.

Windows on the other hand started out like RISC OS, as a desktop OS with
completely no security, the difference being now it is sold as enterprise
quality server and client OS, with strong security features. Windows'
fundamental design does not allow this - none of the products my current
company makes would work if the OS had the sort of security it claims, and
other OS's such as Unix actually deliver. Also due to the chaotic and poor
quality of Windows development and the vast size of the OS code and enormous
number of bundled components, it also has a seemingly infinite number of
vulnerabilities, which allow attackers to exploit the ineffective security.

---druck

--
The ARM Club Free Software - http://www.yqcomputer.com/
The 32bit Conversions Page - http://www.yqcomputer.com/
 
 
 

ID card security

Post by Steven Pam » Tue, 25 Oct 2005 06:53:47

In article < XXXX@XXXXX.COM >,


That's what Post-It notes are made for - posting on the side of the screen
with the password written on them.
Show me someone who says they have never seen this in a large organisation
and I will show you a liar/idiot.

--
Steve Pampling
 
 
 

ID card security

Post by Chik » Tue, 25 Oct 2005 07:18:51

In article < XXXX@XXXXX.COM >, druck
< XXXX@XXXXX.COM > wrote:



That doesn't change what I said one iota.


I'd qualify that statement, if only to note that the original Windows
platform had, if anything, less security than RISC OS, but that version of
Windows was a dead end ultimately once NT was developed and became a
stable product. The thing was that the original Windows, like RISC OS, was
developed in an age where networking was far less commonplace than it is
now. I doubt that Acorn would have designed RISC OS to be as it is if they
were in the position to start from scratch at this point, any more than
Microsoft would have produced Windows 1, 2, 3, 95, 98 or Me.


I agree that Windows has improved, but, as I said, it is still far too
easy to get around such things, purely because it is too much of a bother
to keep the security up. RISC OS may have no security, and there are
certainly reasons for that, but when Microsoft put in specific measures to
provide for a secure environment, you'd expect a user to use them,
wouldn't you? "Oh, I switched off my firewall because it stopped some
application from working" "I wanted to install something and forgot to
restart my anti-virus" "Why should I bother logging out of an admin user?
It all seems a bit of a bother". And don't, for one moment, think I'm only
considering Windows here. Linux might have a smaller following as far as
the desktop is concerned, but it still happens.

However, your comment about the infinite amount of vulnerabilities would
seem to back up what I said about Microsoft not really knowing all the
bugs in their code. In fact, each fix has the potential to add more bugs,
and has done on a number of occasions. I shudder to think what they have
done in Vista, but as I always say when new Microsoft stuff comes out,
leave it for at least a year to iron the worst of it out. Mind you, these
days, I'm not so sure that a year covers it anymore, especially when the
press starts getting suspicious when a set of security updates *isn't*
released for a particular month.

As one programmer had it; there is no such thing as a finished product.
Just one in a high state of debug. :)

--
//\ // Chika < XXXX@XXXXX.COM . - ROT13>
// \// Hitting Googlespammers with hyper-hammers!

... A closed mouth gathers no feet