I just watched a German video about total control through the BKA (a German organisation comparable to the FBI).

The attempt to control everything and everybody rests on the common misconception that more security technology means more security. Often the opposite is true.

I don't even want to talk about the 'Bundestrojaner', the malware the BKA uses to spy on our computers, but about the ordinary 'security' features that give a feeling of security while failing to provide real security.

1. Biometric data in passports. It is said that this makes the documents, passports or others, more secure. But it comes at a substantial risk for the owner of the passport. Fingerprints can be stolen, either the friendly way described by the Chaos Computer Club (lifting a print and moulding a copy) or the less friendly way, by cutting off the finger. Even the friendly version of fingerprint theft is dangerous for the owner of the real finger. Assume you want to commit a robbery. A couple of years ago, an important item on your to-do list would have been: get gloves. Today you might want to add: attach fake fingerprints of Mr Niceguy. That way you leave 'proof' that Mr Niceguy is the bad guy. The police will find the fingerprints you left and will find that they match those of Mr Niceguy. They know this only because Mr Niceguy has a biometric ID. Good luck to Mr Niceguy proving that he is innocent, and unlike a password, he cannot change his fingerprints afterwards. A couple of years ago somebody sold non-existent lawn mowers on eBay and used my name for the account. Thank God he had no fingerprints of mine. By the way, the fundamental flaw in the whole biometric scheme is this: biometric data is an identifier, equivalent to a user id. It is public (you leave it on every glass you touch) and unique. It is not a password, which must always be private, replaceable, and need not be unique at all. Imagine the error message at Google Mail: "You can't use that password, it is already used by user LOLCAT23."

2. PKI, or Public Key Infrastructure, has a similar problem. In a PKI every participant gets a certificate that proves the identity of its owner. It is exactly what a web server does when you use https: the server proves its identity through its certificate. Now the idea is that everybody gets a certificate, similar to an ID card. Problem: have you ever lost anything important? A photo ID? Not too big a problem, there is a photo on it. A key? Not too big a problem either: replace the locks that match the key, and with a little luck you are done for a few hundred bucks. Lost your certificate, together with the private key that belongs to it, in a world where PKI matters? You might as well clone yourself and kill the original. The certificate itself is public; what the password protects is the private key file that usually sits next to it. Whoever finds that file and cracks the password can impersonate you perfectly: buy books, buy cars, close your bank accounts, and so on. Certificates can be revoked, but only once you notice the loss, and only with relying parties that actually check the revocation list.

3. You think this is all paranoia? Maybe it is, but maybe the stories told about ec-cards (the German debit card) are true. The fact is that banks claim the PIN of an ec-card (similar to a credit card where you pay by entering a PIN at a terminal) is stored in a way that makes it impossible to extract it from a stolen card. But there is a rumour that this is not true. Problem: since the judges believe the banks, you as the customer have to prove them wrong when your card gets stolen and used immediately afterwards. The bank will argue that you must have kept the PIN next to the card. Good luck convincing your friends at the Russian mafia to testify for you.
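To make point 2 concrete, here is an added example (not code from the original post) in Go, using only the standard library. It builds a hypothetical self-signed certificate for "Alice", signs a challenge to prove possession of the private key, and lets a relying party verify the signature against the certificate while honouring a revocation list. The names, serial numbers and the challenge string are constructed for the demo; a real PKI would have a CA sign the certificate and publish a CRL instead of the in-memory map used here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// Identity bundles what a PKI participant actually holds: the public
// certificate (safe to hand out) and the private key (the real secret).
type Identity struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

// NewIdentity creates a hypothetical self-signed certificate for subject.
// A real PKI would have a CA sign it; self-signing keeps the demo offline.
func NewIdentity(subject string, serial int64) (*Identity, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: subject},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &Identity{Cert: cert, Key: key}, nil
}

// CertPEM is the public half: publishing it costs no security at all.
func (id *Identity) CertPEM() string {
	return string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: id.Cert.Raw}))
}

// Sign proves possession of the private key over a challenge.
func Sign(key *ecdsa.PrivateKey, challenge []byte) ([]byte, error) {
	digest := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, key, digest[:])
}

// Verify is what a relying party does: check the signature against the public
// key in the presented certificate, and refuse serial numbers it knows are revoked.
func Verify(cert *x509.Certificate, revoked map[string]bool, challenge, sig []byte) bool {
	if revoked[cert.SerialNumber.String()] {
		return false
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return false
	}
	digest := sha256.Sum256(challenge)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

func main() {
	alice, _ := NewIdentity("Alice", 1)
	thief, _ := NewIdentity("Thief", 2)
	revoked := map[string]bool{}
	challenge := []byte("login nonce 4711") // constructed sample challenge

	// Holding Alice's certificate alone does not let the thief act as Alice...
	sig, _ := Sign(thief.Key, challenge)
	fmt.Println("thief with Alice's cert only:", Verify(alice.Cert, revoked, challenge, sig))

	// ...but Alice's private key does, and the relying party cannot tell the difference.
	sig, _ = Sign(alice.Key, challenge)
	fmt.Println("thief with Alice's private key:", Verify(alice.Cert, revoked, challenge, sig))

	// The only remedy is revocation, which works only after Alice notices the loss
	// and only with relying parties that consult the list.
	revoked[alice.Cert.SerialNumber.String()] = true
	fmt.Println("after revocation:", Verify(alice.Cert, revoked, challenge, sig))
	fmt.Print(alice.CertPEM())
}
```

The three checks in main mirror the argument above: the certificate is the "photo ID" anyone may copy, the private key is the thing that can be lost, and revocation is the equivalent of changing the locks, effective only for those who look at the list.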

So the next time a software vendor or a politician tries to sell you some security, think about how it could backfire, and act accordingly.

Talks

Want to meet me in person to tell me how stupid I am? You can find me at the following events: