Monday, 23 March 2009

Save the children? ICANN opens debate on CyberSafety charter


The group behind the campaign to take porn off of port 80 is now lobbying ICANN to create a new "Cybersafety Constituency" to assist in the formulation of domain name system policy.

ICANN has been soliciting a lot of comments on its governance and future of late, including one petition to form a CyberSafety Constituency (CSC) within the Non-Commercial Stakeholders Group (NCSG). The petition (PDF) as filed with ICANN is fairly innocuous and harmless-sounding, but the woman doing the filing—Professor Cheryl B. Preston, of Brigham Young University—has ties to other nonprofit organizations that should have been disclosed at some point within the application procedure.

Preston is general counsel for the nonprofit group CP80, which advocates for the creation of an Internet filtration system that would supposedly seek to keep porn and other adult content sandboxed away from the family-friendly tubes. The organization deserves credit for proposing a system that wouldn't automatically cripple Internet access speeds nationwide, force deep packet inspection, or turn ISPs into de facto Internet police. That said, failing to qualify as prima facie terrible does not automatically qualify CP80's legislative baby, the Internet Community Portals Act (ICPA) as a good idea.
Filtering at the port level

CP80's solution to the seemingly intractable problem of Internet filtering is to segregate traffic by port. All "normal" traffic (have fun defining that) would continue to flow over Port 80 or whatever port it's currently assigned to. Adult content, however, would be shifted away from Port 80 (hence the group's name, "Clean Port 80") and on to a new port—let's call it Port XXX. Were CP80's legislation to pass, the Internet would look something like this:


The system as illustrated would allow an ISP to sell access plans to both the filtered and unfiltered Internet, consumers could choose which they want, freedoms are preserved, and everyone goes home happy...at least in theory. CP80's proposal might deserve a small bit of credit for avoiding some of the obvious issues that sank the concept of an adult-content .XXX domain name—except for the massive technical flaws and political challenges inherent to the ICPA's design. If you're already wondering about international governance and enforcement, don't worry—CP80 has anticipated your concerns:

Got that?
The ICANN connection

Professor Preston describes the CSC as a group that would focus on Internet safety issues and cites her personal concern that "as Internet policies are developed at ICANN, the interests of families, children, consumers, victims of cybercrime, religions, and cultures become better represented...we need to carefully craft mechanisms involving law and industry that balance unfettered free speech and anonymity with some protections against exploitation of the most vulnerable, the ability to address and reduce criminal activity, and the right of Internet users to have choices in the nature of their access."

As proposed, the CSC would also function as a global outreach initiative and would attempt to coordinate international responses to what the paper posits are common cross-border, cross-cultural concerns. Again, as written, all of this is very kosher: everyone wants to balance rights and responsibilities, protect the "most vulnerable" from exploitation, and give users freedom of choice. Preston's letter advocating the creation of the CSC is consistent with her work for CP80, but some mention of the latter should occur in any discussion of the former, especially since CP80 makes it clear that they've considered the role ICANN might hypothetically play in the creation and international adoption of ICPA-equivalent legislation.

Preston's omission is made potentially more serious by the fact that CP80 itself isn't exactly a digital city on a hill. The organization is headed by Ralph Yarro III, CEO and largest shareholder of the SCO Group. He's also the Founder/CEO of ThinkAtomic; if you visit that company's website you'll note (for now, at least) that the "Featured Company" of the day is CP80. ThinkAtomic is a prominent backer of CP80, and is listed as providing the group with legal, strategic, medical, and technology contributions. Run down the page, and you'll note a common last name—Ralph, Justin, and Matthew Yarro are all listed as technology contributors.

If the BYU professor is serious about establishing the CSC, she'd do well to distance herself from either CP80 or the CSC petition before ICANN. There's nothing within the CSC's stated mission objective that would automatically create conflict with other actors interested in maintaining free speech and online anonymity. The best way to disperse accusations that she or the organization she currently represents has a hidden agenda is to cut ties with one or the other. Whether people agree or disagree with any particular position a hypothetical CSC might advocate, they won't respect the body as legitimate if it's viewed as nothing more than the puppet of a US group.

As for CP80's ICPA proposal, it's a bad idea; there's no way to feasibly address the political and technical challenges of the project. Even if all such barriers vanished, there would still remain the age-old question of censorship—who does the censoring and writes the standards? Pretending that these issues are irrelevant because we all agree that protecting children is important is whitewashing the topic at its finest. ICANN is accepting public comment on the issue.

By Joel Hruska

Tuesday, 17 March 2009

Forensics Tool for Firefox 3.X - F3e

An interesting article I stumbled upon while surfing.
Apparently Firefox uses SQLite databases to store all sorts of interesting stuff, like Internet browsing history, bookmarks, settings, downloads, cookies, form history, etc.

Mr. Chris Cohen has written a very useful freeware tool that extracts data from these databases. The tool is called Firefox 3 Extractor, or F3e, and you can download it from here.

The location of these databases differs among operating systems; they can be found at these locations:

Windows XP

C:\Documents and Settings\{user id}\Application Data\Mozilla\Firefox\Profiles\{profile folder}\

Windows Vista

C:\Documents and Settings\{user id}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile folder}\

Linux/Solaris

{User dir - See /etc/passwd for the location}/.mozilla/firefox/{profile folder}/



Apparently F3e has lately started to extract *experimentally* the same information from the Chrome browser, even though I haven't quite tested it yet.


If you would like to see a tutorial on how to use it, you can click Keven Murphy.
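As an added illustration of what a tool like F3e does with these databases (this is example code written for this post, not F3e itself or Chris Cohen's code), the script below locates Firefox profiles at the paths listed above and pulls the browsing history out of places.sqlite. It assumes the Firefox 3 tables moz_places and moz_historyvisits (real schema, only a subset of columns used) and PRTime timestamps in microseconds since the Unix epoch; the sample database is constructed inline so it runs without a real profile.

```python
import os
import glob
import sqlite3
from datetime import datetime, timezone

# Profile roots from the post, plus the %APPDATA% form that Vista and later
# actually use (a certain fact, not from the post).  Adjust for mounted images.
def profile_globs():
    home = os.path.expanduser("~")
    appdata = os.environ.get("APPDATA", "")
    return [
        os.path.join(home, "Application Data", "Mozilla", "Firefox", "Profiles", "*"),  # XP
        os.path.join(appdata, "Mozilla", "Firefox", "Profiles", "*"),                   # Vista+
        os.path.join(home, ".mozilla", "firefox", "*"),                                  # Linux/Solaris
    ]

def find_profiles(patterns=None):
    """Return directories that look like Firefox profiles (contain places.sqlite)."""
    found = []
    for pat in patterns or profile_globs():
        for d in glob.glob(pat):
            if os.path.isfile(os.path.join(d, "places.sqlite")):
                found.append(d)
    return found

def prtime_to_iso(prtime):
    """Firefox stores PRTime: microseconds since the Unix epoch, in UTC."""
    if prtime is None:
        return None
    return datetime.fromtimestamp(prtime / 1_000_000, tz=timezone.utc).isoformat()

# One row per visit, joined back to the page it belongs to, oldest first.
HISTORY_SQL = """
SELECT p.url, p.title, p.visit_count, v.visit_date
FROM moz_historyvisits AS v
JOIN moz_places AS p ON p.id = v.place_id
ORDER BY v.visit_date
"""

def extract_history(conn):
    """Return (url, title, visit_count, iso_utc_timestamp) tuples in visit order."""
    return [(url, title, count, prtime_to_iso(ts))
            for url, title, count, ts in conn.execute(HISTORY_SQL)]

def open_readonly_copy(path):
    """Copy the database into memory so a live or locked profile is never modified."""
    src = sqlite3.connect(f"file:{path}?mode=ro", uri=True)
    mem = sqlite3.connect(":memory:")
    src.backup(mem)
    src.close()
    return mem

def build_sample_db():
    """Constructed stand-in for places.sqlite using a subset of the real schema."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT, title TEXT,
                                 visit_count INTEGER, last_visit_date INTEGER);
        CREATE TABLE moz_historyvisits (id INTEGER PRIMARY KEY, place_id INTEGER,
                                        visit_date INTEGER, visit_type INTEGER);
        INSERT INTO moz_places VALUES (1, 'http://example.com/', 'Example', 2, 1237334400000000);
        INSERT INTO moz_places VALUES (2, 'http://example.org/login', 'Login', 1, 1237248000000000);
        INSERT INTO moz_historyvisits VALUES (1, 1, 1237161600000000, 1);
        INSERT INTO moz_historyvisits VALUES (2, 2, 1237248000000000, 1);
        INSERT INTO moz_historyvisits VALUES (3, 1, 1237334400000000, 2);
    """)
    return conn

if __name__ == "__main__":
    for row in extract_history(build_sample_db()):
        print(row)
```

On a real profile, pass a directory from find_profiles() to open_readonly_copy() and feed the result to extract_history().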

Monday, 16 March 2009

12 changes that would give US cybersecurity a much needed kick in the pants

Potential cyber attacks against federal and private-sector networks loom larger every day, and while the Department of Homeland Security (DHS) has made some important efforts, it has yet to fulfill many of the myriad responsibilities placed on it by the national cybersecurity plan.

Those were the main conclusions of a Government Accountability Office report out today on the status of US national cybersecurity efforts. The GAO report included input from a panel of cybersecurity experts including representatives from the Internet Corporation for Assigned Names and Numbers, Juniper, Verizon, the US Department of Justice and the Electronic Frontier Foundation.

The group came up with 12 cybersecurity improvements that DHS and others involved in the protection of national networked assets should employ. According to the GAO report, these recommendations are as follows:

1. Develop a national strategy that clearly articulates strategic objectives, goals, and priorities.

2. Establish White House responsibility and accountability for leading and overseeing national cybersecurity policy: Currently the DHS is the focal point for cybersecurity; however, according to panel members, DHS has not met expectations and has not provided the high-level leadership needed to raise cybersecurity to a national focus. Accordingly, panelists stated that to be successful and to send the message to the nation and cyber critical infrastructure owners that cybersecurity is a priority, this leadership role needs to be elevated to the White House. In addition, to be effective, the office must have, among other things, corresponding authority (for example, over budgets and resources) to implement and employ appropriate incentives to encourage action.

3. Establish a governance structure for strategy implementation. The strategy establishes a public/private partnership governance structure that includes 18 critical infrastructure sectors, corresponding government and sector coordinating councils, and cross-sector councils. However, according to panelists, this structure is government-centric and largely relies on personal relationships to instill trust to share information and take action.

4. Publicize and raise awareness about the seriousness of the cybersecurity problem. Experts suggested that an aggressive awareness campaign is needed to raise the level of knowledge of leaders and the general populace that our nation is constantly under cyber attack.

5. Create an accountable, operational cybersecurity organization. DHS established the National Cyber Security Division (within the Office of Cybersecurity and Communications) to be responsible for leading national day-to-day cybersecurity efforts; however, according to panelists, this has not enabled DHS to become the national focal point as envisioned. Panel members stated that currently, DOD and other organizations within the intelligence community that have significant resources and capabilities have come to dominate federal efforts. The group told the GAO there also needs to be an independent cybersecurity organization that leverages and integrates the capabilities of the private sector, civilian government, law enforcement, military, intelligence community, and the nation's international allies to address incidents against the nation's critical cyber systems and functions. However, there was not consensus among the panel regarding where this organization should reside.

6. Focus more actions on prioritizing assets, assessing vulnerabilities, and reducing vulnerabilities than on developing additional plans.

7. Bolster public/private partnerships through an improved value proposition and use of incentives. Panelists stated that the federal government should provide valued services (such as offering useful threat or analysis and warning information) or incentives (such as grants or tax reductions) to encourage action by and effective partnerships with the private sector.

8. Focus greater attention on addressing the global aspects of cyberspace. Panel members stated that the US should pursue a more coordinated, aggressive approach so that there is a level playing field globally for US corporations and enhanced cooperation among government agencies, including law enforcement. In addition, a panelist stated that the US should work towards building consensus on a global cyber strategy.

9. Improve law enforcement efforts to address malicious activities in cyberspace. Panel members stated that current domestic and international law enforcement efforts, including activities, procedures, methods, and laws are too outdated and outmoded to adequately address the speed, sophistication, and techniques of individuals and groups, such as criminals, terrorists, and adversarial foreign nations with malicious intent.

10. Place greater emphasis on cybersecurity research and development, including consideration of how to better coordinate government and private sector efforts. Experts stated that the US is not adequately focusing and funding research and development efforts to address cybersecurity or to develop the next generation of cyberspace to include effective security capabilities. In addition, the research and development efforts currently underway are not being well coordinated between government and the private sector.

11. Increase the cadre of cybersecurity professionals. Experts stated that actions to increase the number of professionals with adequate cybersecurity skills should include (1) enhancing existing scholarships and (2) making the cybersecurity discipline a profession through testing and licensing.

12. Make the federal government a model for cybersecurity. Although the federal government has taken steps to improve the cybersecurity of agencies, panelists stated that it still is not a model for cybersecurity. Further, they said the federal government has not made changes in its acquisition function and the training of government officials in a manner that effectively improves the cybersecurity capabilities of products and services purchased and used by federal agencies.

Fingerprinting Blank Paper Using Commodity Scanners

Today Will Clarkson, Tim Weyrich, Adam Finkelstein, Nadia Heninger, Alex Halderman and I released a paper, Fingerprinting Blank Paper Using Commodity Scanners. The paper will appear in the Proceedings of the IEEE Symposium on Security and Privacy, in May 2009.

Here's the paper's abstract:

This paper presents a novel technique for authenticating physical documents based on random, naturally occurring imperfections in paper texture. We introduce a new method for measuring the three-dimensional surface of a page using only a commodity scanner and without modifying the document in any way. From this physical feature, we generate a concise fingerprint that uniquely identifies the document. Our technique is secure against counterfeiting and robust to harsh handling; it can be used even before any content is printed on a page. It has a wide range of applications, including detecting forged currency and tickets, authenticating passports, and halting counterfeit goods. Document identification could also be applied maliciously to de-anonymize printed surveys and to compromise the secrecy of paper ballots.

Viewed under a microscope, an ordinary piece of paper looks like this:


The microscope clearly shows individual wood fibers, laid down in a pattern that is unique to this piece of paper.

If you scan a piece of paper on an ordinary desktop scanner, it just looks white. But pick a small area of the paper, digitally enhance the contrast and expand the image, and you see something like this:


The light and dark areas you see are due to two factors: inherent color variation in the surface, and partial shadows cast by fibers in the paper surface. If you rotate the paper and scan again, the inherent color at each point will be the same, but the shadows will be different because the scanner's light source will strike the paper from a different angle. These differences allow us to map out the tiny hills and valleys on the surface of the paper.
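The two-factor picture above (a reflectance that stays the same under rotation, and shading that changes because the lamp's angle changes) can be made concrete with a small photometric-stereo model. The Python below is an added example written for this post, not the paper's code; it assumes a Lambertian surface, a lamp at a fixed 60-degree elevation whose azimuth changes with page rotation, noise-free scans, and no self-shadowing.

```python
import math
import random

# Lamp direction as seen by the paper when the page is rotated by azimuth_deg
# on the glass.  The lamp's elevation above the paper plane is assumed fixed.
def lamp_direction(azimuth_deg, elevation_deg=60.0):
    a, e = math.radians(azimuth_deg), math.radians(elevation_deg)
    return (math.cos(a) * math.cos(e), math.sin(a) * math.cos(e), math.sin(e))

def dot(u, v):
    return sum(x * y for x, y in zip(u, v))

def normalize(v):
    n = math.sqrt(dot(v, v))
    return tuple(x / n for x in v)

# Forward model of one scan: recorded brightness = inherent reflectance (albedo,
# the rotation-invariant "color") times the cosine between normal and lamp
# (the rotation-dependent shading).  Lambertian, no self-shadowing assumed.
def scan_intensity(albedo, normal, lamp):
    return albedo * max(0.0, dot(normal, lamp))

def scans_at_point(albedo, normal, azimuths=(0, 90, 180, 270)):
    """Brightness of one surface point in each of the four rotated scans."""
    return [scan_intensity(albedo, normal, lamp_direction(a)) for a in azimuths]

def solve3(A, b):
    """Solve a 3x3 linear system by Gauss-Jordan elimination with pivoting."""
    M = [row[:] + [b[i]] for i, row in enumerate(A)]
    for c in range(3):
        p = max(range(c, 3), key=lambda r: abs(M[r][c]))
        M[c], M[p] = M[p], M[c]
        for r in range(3):
            if r != c:
                f = M[r][c] / M[c][c]
                M[r] = [x - f * y for x, y in zip(M[r], M[c])]
    return [M[i][3] / M[i][i] for i in range(3)]

def recover_albedo_and_normal(intensities, azimuths=(0, 90, 180, 270)):
    """Least-squares photometric stereo: solve L g = I for g = albedo * normal."""
    lamps = [lamp_direction(a) for a in azimuths]
    LtL = [[sum(l[i] * l[j] for l in lamps) for j in range(3)] for i in range(3)]
    LtI = [sum(l[i] * I for l, I in zip(lamps, intensities)) for i in range(3)]
    g = solve3(LtL, LtI)
    albedo = math.sqrt(dot(g, g))
    return albedo, tuple(x / albedo for x in g)

def demo(seed=1, points=50):
    """Random 'fiber' tilts: recover albedo and normal from four rotated scans."""
    rng = random.Random(seed)
    worst = 0.0
    for _ in range(points):
        true_albedo = rng.uniform(0.6, 1.0)
        # gentle tilts (about 23 deg or less) keep every point lit at 60 deg elevation
        true_normal = normalize((rng.uniform(-0.3, 0.3), rng.uniform(-0.3, 0.3), 1.0))
        albedo, normal = recover_albedo_and_normal(scans_at_point(true_albedo, true_normal))
        worst = max(worst, abs(albedo - true_albedo), 1.0 - dot(normal, true_normal))
    return worst  # largest albedo error / normal misalignment over all points

if __name__ == "__main__":
    print("flat point, four scans  :", scans_at_point(0.8, (0.0, 0.0, 1.0)))
    print("tilted point, four scans:", scans_at_point(0.8, normalize((0.2, 0.0, 1.0))))
    print("worst recovery error    :", demo())
```

A flat point reads the same brightness in all four scans, while a tilted fiber reads differently in each, and the solver separates the constant albedo from the orientation that produced the differences; the real paper additionally has to cope with scanner noise and alignment between scans.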

Here is a visualization of surface shape from one of our experiments:


This part of the paper had the word "sum" printed on it. You can clearly see the raised areas where toner was applied to the paper to make the letters. Around the letters you can see the background texture of the paper.

Computing the surface texture is only one part of the job. From the texture, you want to compute a concise, secure "fingerprint" which can survive ordinary wear and tear on the paper, such as crumpling, scribbling or printing, and moisture. You also want to understand how secure the technology will be in various applications. Our full paper addresses these issues too. The bottom-line result is a sort of unique fingerprint for each piece of paper, which can be determined using an ordinary desktop scanner.

For more information, see the project website or the research paper.

By Ed Felten

Thursday, 12 March 2009

New Side to Face-Recognition Technology: Identifying Victims

Since Sept. 11, discussion of the disputed technology of face recognition has focused on its potential for identifying criminals and terrorists -- and for invading citizens' privacy. But in England, the police are pursuing a different path: they want to use facial recognition software to identify crime victims.

Using software developed by a Canadian company, Britain's National Crime Squad is creating a database of nearly three million pictures seized in raids of child pornography rings. By matching the images against pictures of missing children, investigators hope to find them, or at least generate clues -- an unusual car or distinctive scenery -- that can help identify the people making the photos and films.

Facial recognition has been in development for decades, but recent advances in computer power and software have made the systems less expensive and more accurate -- though just how accurate remains a subject of debate.

Most systems work by taking pictures of faces, comparing them to a template and making dozens of measurements of each one, including factors like the distance between the eyes. In the case of Imagis Technologies -- the company in Vancouver, British Columbia, that created the software out of earlier work on recognizing patterns in satellite photographs -- the program detects hundreds of ''light source positions.'' It also measures factors like the angle of the head and facial shape, said Andy Amanovich, the company's chief technology officer.

The mathematical description of those features is stored in a database, to be compared with other strings of numbers that have been derived from faces -- and also jewelry, clothes, scars and background objects like furniture or vehicles.

No facial recognition system is perfect, or even close: all make mismatches and overly broad matches. Many can be confounded by simple subterfuges like wigs or glasses. Civil liberties and other groups say they cast too wide a net, invading privacy and extending the reach of surveillance too far.

And the technology's credibility has not been helped, many experts agree, by exaggerated claims for its effectiveness. ''These software companies have popped off numbers that they can't really substantiate,'' said Ron Cadle, a vice president of Pellco Inc., which is adapting facial recognition systems for use in Fresno Yosemite International Airport. ''It's kind of given them a black eye.''

Mr. Amanovich agreed. ''There's a lot of false claims out there and a lot of specious claims to what all technologies can do,'' he said.

Nevertheless, Mr. Cadle, who uses recognition programs from Visionics Inc. and Viisage, said his company had boosted the reliability of his partners' software so that it can make a match 80 percent of the time and falsely claim a match with just 1 of every 500 passengers. Mr. Amanovich, however, said such figures are so malleable at this early stage that claims are not useful.

The British project had its origins in a 1997 sweep in which 101 members of a child pornography trading ring called Wonderland were arrested in raids around the world.

Aficionados of child pornography tend to be obsessive collectors of pictures and films, and that and other raids led to a police database of some three million images -- too many for humans to sort through effectively. (Efforts to create books or CD's by hand had yielded 1,200 identifiable faces, leading to the identification of just 18 children, one of whom had been murdered.) So in December 2000, the squad signed an agreement with a contractor, Serco Group, to automate the rest of the process. Serco turned to Imagis.

Peter Spindler, a detective superintendent with the National Crime Squad, says he has been impressed with early results. The software was able to identify images from a test database -- not just images of children, but also of siblings. The feature could help identify families participating in the porn trade.

But one expert in child pornography said the British effort was ''not going to do much.''

Dr. John Philip Jenkins, a professor of history at Penn State and author of ''Beyond Tolerance: Child Pornography on the Internet,'' said child pornography photos were unlikely to lead investigators to the children involved. A child victim's identity, he said, ''is only likely to come to light if the child comes up in an abuse case.''

Many of the images, he added, now flow from the former Soviet Union, where lax enforcement allowed the trade to flourish. There, he said ''police corruption is going to limit the effectiveness of any attempt to use this technology'' successfully.

He called for international efforts to crush online image trading.

But Detective Spindler said the police had to try to do more than restrict the traffic in illicit images. ''It's not simply about identifying people who are abusing the Internet, people who are trading child pornography,'' he said. ''This is about people abusing children.''

Photo: A detective in London, Peter Spindler, left, says image identification from a test database was impressive. Dave Lutes, chief engineer of Imagis Technologies, demonstrates the program in Victoria with a mock photo. (Jeff Vinick for The New York Times; Johnathan Player for The New York Times)

Chart: ''How Face-Recognition Technology Works''

Face-recognition technology is increasingly being used in security systems and law-enforcement investigations. Here is one approach, the basis of systems made by several companies in the field.

FIRST LOOK -- The system must decide whether the image before it is a human face. It looks for a pair of eyes and the borders of the face.

RESIZING -- The computer adjusts the contrast and size of the image to make it similar in format to the other faces in its database.

MATH -- The image is now a grid of pixels, each with a "gray scale" value between 0 for black and 255 for white. These can be expressed as numbers and used to process the image mathematically.

COMPARISON -- The face is compared with 128 archetypal faces, or eigenfaces, made from thousands of faces in a database. The new face is described as being similar, by percentages, to the eigenfaces.

RESULT -- The system compares the new face's eigenface against the eigenfaces of all the real people in its database, then displays all the people the new face resembles, in order of similarity.

(Source: ''Face Recognition for Smart Environments,'' Alex Pentland and Tanzeem Choudhury, in the IEEE publication Computer; Jim Wayman, San Jose State University)

By JOHN SCHWARTZ

Thursday, 5 March 2009

Self-encrypting drive standard gains momentum

I've long been a big proponent of self-encrypting drives as the best way to encrypt data-at-rest on PCs and storage systems.

This belief became a lot more real in January when the Trusted Computing Group published three storage encryption standards for laptops, enterprise storage, and software interoperability. Fujitsu, Hitachi, Seagate, and Toshiba support these standards and are already shipping self-encrypting drives.

In February, IBM joined the fray, further validating the self-encrypting drive standard. IBM announced that its massive DS8000 storage system will now offer self-encrypting drives to protect the confidentiality and integrity of data-at-rest. LSI, another leading storage system vendor, is also on board.

I have to believe that Fujitsu and Hitachi will soon follow this trend. Both companies currently offer encrypting storage systems that use a cryptographic processor resident in their storage controllers. Since both companies supply self-encrypting drives, it is likely that they will replace encrypting controllers with self-encrypting drives in future product revisions.

It seems to me that the dominoes are falling at an accelerating pace and that within two to three years, every device that ships with a hard drive or solid-state disk will offer self-encrypting drives. Chief information security officers, purchasing managers, management software vendors, and government agencies should plan for this inevitability.

By Jon Oltsik