Monday, May 23, 2022

What could you do with an Australian driver’s license?

https://www.schneier.com/blog/archives/2022/05/forging-australian-drivers.html

Forging Australian Driver’s Licenses

The New South Wales digital driver’s license has multiple implementation flaws that allow for easy forgeries.

This file is encrypted using AES-256-CBC encryption combined with Base64 encoding.
A 4-digit application PIN (which gets set during the initial onboarding when a user first instals the application) is the encryption password used to protect or encrypt the licence data.
The problem here is that an attacker who has access to the encrypted licence data (whether that be through accessing a phone backup, direct access to the device or remote compromise) could easily brute-force this 4-digit PIN by using a script that would try all 10,000 combinations….
[…]
The second design flaw that is favourable for attackers is that the Digital Driver Licence data is never validated against the back-end authority which is the Service NSW API/database.
This means that the application has no native method to validate the Digital Driver Licence data that exists on the phone and thus cannot perform further actions such as warn users when this data has been modified.
As the Digital Licence is stored on the client’s device, validation should take place to ensure the local copy of the data actually matches the Digital Driver’s Licence data that was originally downloaded from the Service NSW API.
As this verification does not take place, an attacker is able to display the edited data on the Service NSW application without any preventative factors.

There’s a lot more in the blog post.
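
An added example, not code from the quoted post or from Service NSW: a sketch of the back-end validation the excerpt says is missing, plus a measurement of why key stretching cannot rescue a 4-digit PIN. The server key, record fields and function names are assumptions made for illustration.

```python
import hashlib, hmac, json, secrets, time

# Assumption: a secret held only by the issuing back end (never shipped to the phone).
SERVER_KEY = secrets.token_bytes(32)

def canonical(record: dict) -> bytes:
    """Stable byte encoding so the same fields always produce the same tag."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()

def issue(record: dict) -> dict:
    """Back end: hand the client the record plus a tag over its exact contents."""
    tag = hmac.new(SERVER_KEY, canonical(record), hashlib.sha256).hexdigest()
    return {"record": record, "tag": tag}

def backend_validate(local_copy: dict) -> bool:
    """Back end: recompute the tag for the copy presented, compare in constant time."""
    record = local_copy.get("record")
    if not isinstance(record, dict):
        return False
    expected = hmac.new(SERVER_KEY, canonical(record), hashlib.sha256).hexdigest()
    presented = str(local_copy.get("tag", ""))
    return hmac.compare_digest(expected.encode(), presented.encode())

def pin_space_seconds(iterations: int, pins: int = 10_000) -> float:
    """Time one PBKDF2 derivation and scale it to the whole 4-digit PIN space."""
    start = time.perf_counter()
    hashlib.pbkdf2_hmac("sha256", b"0000", b"constructed-salt", iterations)
    return (time.perf_counter() - start) * pins

if __name__ == "__main__":
    # Constructed sample record; field names are illustrative only.
    issued = issue({"name": "Sample Person", "dob": "1990-01-01", "class": "C"})
    edited = json.loads(json.dumps(issued))   # deep copy of the local file
    edited["record"]["dob"] = "1980-01-01"    # local modification
    print("original accepted:", backend_validate(issued))
    print("edited accepted:  ", backend_validate(edited))
    for n in (1_000, 600_000):
        secs = pin_space_seconds(n)
        print(f"{n} PBKDF2 iterations: whole PIN space in ~{secs:.0f}s on one core")
```

A signature made with the issuer's private key and checked on the verifier's device gives the same tamper detection without a round trip; HMAC is used here only to keep the example within the standard library.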





I saw this as inevitable, even though I have been waiting over 40 years for it.

https://www.cpomagazine.com/cyber-security/personal-liability-for-directors-who-disregard-cybersecurity/

Personal Liability for Directors Who Disregard Cybersecurity

In recent months, a trend has begun to emerge among plaintiffs’ lawyers seeking to file cybersecurity incident-related shareholder derivative lawsuits – attorneys are increasingly now filing claims specifically based on failures surrounding duty of oversight. In November of 2021, a shareholder derivative lawsuit was filed against T-Mobile USA’s board of directors, pointing to a lack of monitoring and acting upon obvious red flags. Kevin M. Lacroix excellently outlines this trend in The D&O Diary. Directors should take notice.





I can see by your face that you live in the UK...

https://www.theverge.com/2022/5/23/23137603/clearview-ai-ordered-delete-data-uk-residents-ico-fine

Clearview AI ordered to delete facial recognition data belonging to UK residents

Controversial facial recognition company Clearview AI has been ordered to delete all data belonging to UK residents by the country’s privacy watchdog, the Information Commissioner’s Office (ICO). The ICO also fined Clearview £7.5 million ($9.4 million) for failing to follow the UK’s data protection laws.

It’s the fourth time Clearview has been ordered to delete national data in this way, following similar orders and fines issued in Australia, France, and Italy.

However, although ICO has issued a fine against Clearview and ordered the company to delete UK data, it’s unclear how this might be enforced if Clearview has no business or customers in the country to sanction. In response to a similar deletion order and fine issued in Italy under EU law earlier this year, Clearview’s CEO Hoan Ton-That responded that the US-based company was simply not subject to EU legislation. We’ve reached out to both the ICO and Clearview for further clarity on these points.





More intrusive than I had imagined, but I guess even a simple license plate reader wants to offer more and better technology.

https://www.stltoday.com/news/local/crime-and-courts/meet-the-falcon-ai-powered-license-readers-multiply-as-police-tool-in-st-louis-suburbs/article_25ee76f8-836a-5610-9d0e-613be652c55c.html

Meet the Falcon: AI-powered license readers multiply as police tool in St. Louis suburbs

In the hours after Metro bus driver Jonathan Cobb was shot on Dec. 3, detectives started with a broad lead: The shooter drove a red or maroon PT Cruiser.

Cobb was shot and critically injured seemingly at random that night while ferrying a bus full of passengers in the Normandy area.

… Falcon cameras from Atlanta-based startup Flock Safety have over the past three years proliferated on area roadways. They record license plates, but also use artificial intelligence to collect what the company calls a “vehicle fingerprint” — the make, model, color and identifying features from each passing car.

In the Metro shooting case, Flock allowed police to search for every PT Cruiser matching the description that passed a growing network of Falcon cameras in the St. Louis suburbs

… Martin is among the law enforcement officials pushing for more Flock cameras in the region. He said license plate readers have been used in 75% of homicide arrests in the cooperative’s jurisdiction since 2018.

Critics worry the databases Falcon cameras create of each passing car are invasive and ripe for abuse by police and private entities with access.

“Law enforcement will always cite stories where the tool saves the day, but I think that as citizens we have to go beyond the question: Will this ever solve crimes?” said Jay Stanley, a senior policy analyst with the American Civil Liberties Union who wrote a paper published in March on the spread of Flock Safety. “There’s no question that if you record everyone all the time you could solve more crimes. We could solve crimes if you let the government put cameras in everybody’s bedrooms, but we’re not willing to go there. Are we willing to let cameras change the nature of our public spaces?”

Last month, Flock introduced the Raven, a gunshot audio detection tool that competes with ShotSpotter, which is already used to cover miles of areas with high crime rates in St. Louis and St. Louis County.

Flock says the Raven can use artificial intelligence to identify “sounds that indicate crimes in progress,” including screeching tires, the sawing of catalytic converters or the breaking of glass.





This raises another question: What other “crimes” might attract similar increases in surveillance? Entering a mosque? Registering to vote? Eating a vegan diet?

https://www.csoonline.com/article/3661689/data-protection-concerns-spike-as-states-get-ready-to-outlaw-abortion.html#tk.rss_all

Data protection concerns spike as states get ready to outlaw abortion

The use of personal data from brokers, apps, smartphones, and browsers to identify those seeking an abortion raises new data protection and privacy risks.

… Enforcement of the law will likely hinge on increased digital surveillance by authorities to more efficiently identify, arrest, and prosecute pregnant people who contemplate or seek abortions.





Resource. (I hope to improve all the way up to “Not too bad!”)

https://www.makeuseof.com/reedsy-poetry-next-level/

How Reedsy Can Help You Take Your Poetry to the Next Level

Reedsy can guide you in three key areas: understanding poetry formats, practicing the creative process, and publishing your work.


