07/16/2010

the extending role of the Belgian EID

without much oversight or governance

In some cities in Belgium you have to pay to dispose of the trash that you can't put out with the dustbin, and in others it is free. Sometimes those cities are next to each other, which means that some inhabitants of the costly city want to bring their bulky trash to the collection points in the free city.

But as this is a costly matter for the cities, they have installed a system to control who may have access.

It uses the EID.

Another facet of identity and privacy that is now linked to this EID.

A machine is scanning my EID.

I don't have a clue what it is checking, what it is registering and what it is keeping.

It is just one of these new machines that take the EID and its whole propaganda for granted.

With each new use and step the EID is becoming 'too big to fail'. But that doesn't mean that if it fails, the government will have to step in big time.

If you see more uses of EID that are strange or mind-blowing, inform us.


07/15/2010

The continuing expansion of the unsecure EID card


Insecure means: it has no public technical norms and procedures, no verification and certification, no official technical platform, no external security tests...

And while nobody seems to care, it just gets used for more and more functions for which it wasn't meant:

* train tickets: you can buy tickets online and the EID is used in the process
* loyalty points: some firm thinks you should keep your loyalty points on your EID
* social security: instead of the separate card, the EID will now be used in the pharmacy if you need medicine, and if you go to the hospital, and so on...

Let's recapitulate.

Your EID is becoming your single identity point of failure.
Your administrative identity.
Your train travel.
Your shopping information.
Your medical information.

What is next?

And this in a technical environment that wouldn't be accepted in any other serious IT process.


04/14/2010

why giving your EID or passport out of hand and sight may make you a terrorist

This is what probably happened with the European citizens who found their names on front pages worldwide as being part of the Israeli hit team.

"

The report by the UK's Serious Organised Crime Agency (Soca) into the use of cloned British passports in the Dubai assassination makes clear their view that this is what happened as Britons travelled through the airport in the months and years before the plot was hatched to kill the Hamas commander Mahmoud al-Mabhouh.

The Soca report concluded that the passports must have been cloned at the airport or at other interfaces with Israeli officialdom, such as airline offices in other countries. There were no other links between the 12 individuals whose identities were stolen.

According to insiders, the language in the Soca report, produced after a four-week investigation, was "direct" and the findings unequivocal: the inquiry showed that the victims' data was taken, stored and passed on when they handed their passports to Israeli officials or those linked to them.

"We cannot pin it on individuals, but the evidence draws us to the conclusion that the only place these passports could have been cloned is when they were inspected at the Israeli border or in other countries, where they were passed to Israelis," said one source."
http://www.guardian.co.uk/world/2010/mar/24/israel-ben-gu...


03/19/2010

how to infect drivers for smartcardreaders (or IED ?)

First you find a website that sells such stuff and possibly offers drivers for download or has the possibility to do so.

For example this one

Then you hack it (but you don't deface it like they did).

You install the software with your trojan (and keylogger) in it, or you place the link to it on the help page.

Do this before long holidays.

And if you are really into scenario-based attacks, first try to get hold of the member or client lists so you can send them an email that they have to download a new driver or firmware for their box.

Never download firmware or drivers from sites other than those of the firms that produce them.


03/16/2010

why we need a real EID official technical forum

The only one is a wiki that is being maintained by professionals.

For lack of official technical information they have to ask questions like this one:

"

Differences between middleware version 3.5 and 3.5.1...

  • Does anybody know the real differences between middleware 3.5 and 3.5.1 ?? -- AnonYmous - 26 Mar 2009, 15:34:33
  • The real differences are in the source code but this is what I found on the federal portal: http://eid.belgium.be/nl/Achtergrondinfo/De_eID_technisch...
    In a nutshell: a more user friendly GUI, no picture showing when minimized, OCSP/CRL check by default switched OFF, windows installation via .msi
    Works OK here ! -- AnonYmous - 27 Mar 2009, 15:45:14
  • That's why I asked for the real smile
    Thanks anyway -- AnonYmous - 01 Apr 2009, 14:18:59
  • Does anybody know which bugs from 3.5.1 have been fixed in 3.5.2? -- AnonYmous - 10 Mar 2010, 11:56:07


https://securehomes.esat.kuleuven.be/~decockd/wiki/bin/vi...

Just a reminder: this is about the middleware for the Belgian electronic identity card that is being used by all Belgians and is being introduced in online applications for official and other business.

If it were about an open source freeware game, one could expect this situation, but for software of this kind?


03/08/2010

Microsoft and the Belgian and German EID

You remember the worldwide pics of Microsoft guru Gates with a fake Belgian passport. How proud all those people were. We were selected as one of the Microsoft projects. Microsoft would use the EID for MSN (when ?), Microsoft would integrate EID in its basic kernel of their OS and Microsoft would .......

Sorry to say, but after Lernout & Hauspie (Microsoft would also integrate its technology in the kernel until it learned how the code exactly worked...) I am a bit cynical about those PR declarations.

Now I am reading that Microsoft is putting its full weight behind the new German EID project with some interesting technologies:

- secure computing from A to Z (code security, authentication and certification)

- forefront security (testing and controlling all the time)

- people themselves choose what data they will share with whom (privacy-preserving)

They are not doing this with some new working group that never started or with some other institution that has yet to be established and funded. No, they are doing it with one of the most advanced computer research institutes of Germany.

In fact I am sure that it would be possible in Belgium to start an interuniversity research and development center around EID that could do the real research and development the professional way.

It is after all the professional integration in professional business tools that will make the difference in whether the EID has its breakthrough in the identity management portfolio. And you can't have this breakthrough if the users can't be sure that they have total control over their data and that any system they use will be profoundly secure and is certified as such.

Such an initiative may also be a breakthrough in the debate about the security of the EID code that you may read between the lines of interviews and hear in off-the-record explanations.

Maybe Microsoft has already killed the EID site for Microsoft altogether.


03/05/2010

online cracking of your wireless WPA connection

First they discovered wireless and forgot all about security. Who needs that anyway? The internet was made without security, so why would the wireless protocol need any security?

After a few incidents and questions the industry, as they call themselves, got together and decided to write some security protocols to have at least some security, but not too much or too heavy.

This WEP was easily broken, so they had to make another one, WPA, that would be much harder to break (meanwhile people are using no security or WEP), and there is even WPA2 now.

But as with any security it can be broken, and what can be broken can be sold, and what can be sold can become a criminal business.

So one of the new business models from the cloud is that you can ask a collection of servers and databases to break passwords and encryption. Thousands of computers do it for you and you just have to pay for the result. Isn't that fantastic, the power of the cloud for the criminals, a criminal cloud. Imagine what the GRID or Internet2 could bring for organised online crime.

 

At first there was no security when they started with wireless. Simply forgotten; of course it all had to be launched as quickly as possible first.

Then they finally got together to draw up a number of security standards for the different kinds of wireless connections (protocols).

 http://ph33rbot.com/wpa-password-cracker/

http://www.wpacracker.com/

And it doesn't even have to be computers: because of their enormous computing power, game consoles are the favourite tool for setting up farms of boxes that will crack passwords and encryption.

What would that mean for an EID attack to get your national register number, the most unsafe combination of letters ever assembled as a unique identifier?


03/03/2010

Drupal EID insecurity discussion : what is important here

Here you can read the following comment from the drupal community/maker

Get the facts about Drupal & eID


Drupal.org did not make an eID module. It was made by a third party developer, and the code is hosted on Drupal.org.
From a technical, internal Drupal point of view, the code is probably secure (no obvious runtime bugs, no SQL injections etc) so the code was admitted to drupal.org.
But from a design point of view the code is of course totally wrong and in violation of Belgian privacy law.

Amedee Van gasse
amedee@vangasse.eu http://amedee.be

This is totally wrong and it is just because it is totally wrong that such mistakes were made, not only in the drupal module but also in the EID middleware (first and second version).

It is important that you check your code for insecurities and bugs and that the processes of your different modules an sich are secure. But when that is done and you have secure code and secure modules that interact in a secure way, the work only begins. At that point you have the building blocks of your infrastructure or module.

Then you ask: what is the importance of the data or the transaction that I want to use this code for, and what are the implications for my modules and my applications? The more important the data is, the more judicial and other new security mechanisms, monitoring and update mechanisms have to be put into place.

If one had followed this route, then the biggest work would only have started after the 'secure' Drupal code was finished. The second phase is to secure the important identity data that it was going to use. This is maybe not only done in this module in Drupal environments, but it should be clear that this module should only be used if the securing of the transactions, storage and monitoring is in place. This should in fact, if the data is so important that it could lead to judicial and financial problems if it were to be compromised, be independently certified and audited on a regular basis.

Because in Belgian law there is the general principle that you didn't act as a good homemaker (traditional family expression) if you didn't take care from the beginning to limit the risks for the others you are responsible for (the obligation of caution and professionalism). Can you sue Drupal or the makers of the Drupal module? Maybe, maybe not...

I know this all seems very odd to some in the open source community, but if the open source community is to survive in the business environment, then certification, control and automated update mechanisms are the only way to keep the trust.

If I were Drupal I would develop a complete secure framework or drop out of the financial/identity card business altogether. And I would give no permission to include any modules that aren't certified and updated this way, which is what killed Joomla security. Once you lose the trust it is very difficult and costly to win it back again, if you ever do.

To conclude, I don't care about the code an sich, I follow the data. And securing the data is the centerpiece of security. Securing the code to protect the data is only the very first step of many, and this is a continuous process.

And I understand the frustration of the developers who for the moment don't really know where to go for advice, secure code, testing, norms and all the other stuff that such a serious project as EID should have had from the beginning. There are some initiatives, but let's all agree that even with all their enthusiasm, such a big project needs more professionalism and guidance. Not only for Drupal developers.

And hereby I close this debate about open source because I don't care how open or closed a code is when we talk about security and privacy. Frankly my dear, I don't give a damn.


03/02/2010

Belgian EID : not only open source initiatives make mistakes

As this video proves, also commercial firms tend to develop EID products that are not really finished, tested or thought through.

At the official demonstration of the EID for football matches there were so many mistakes that even the minister was getting angry (Flemish).

 


If you want to test the Belgian EID software

http://code.google.com/p/eid-applet

Here it is.

Let me know if you find something.

It is more difficult to do research with your own national material than to link to it internationally.


University Researcher fears for more EID insecurity to come

As the debate starts once again, people who were working in universities and other industries or centers are coming out of the bushes with their thoughts and proposals to advance the discussion and maybe to get the real Marshall Plan that EID needs going or started.

http://www.pieter.verhaeghe.be/ is such a researcher who has already added some comments to the discussion about the Drupal EID module.

If you read the earlier post about EID and security, then you will better appreciate the following comment by him.

Free quick translation: as developers will use more and more local application authentification (sic) instead of https tunneling, the government (without any security process or certification for the EID environment) will lose control, and over time so will the users, as they won't be sure which EID environment is safe and which isn't.

He also has some very interesting papers on his website, some of which are famous.

 


Belgian EID security storm rises again (and it is not my fault)

If you think that your security is important and you think that the data that is digitised is important and should be secured and private,

if you think that the identities and transactions of people online or on computers should be secure and private,

then you have to define what secure and private mean and you have to compare what you are prepared to do or accept with what should be done to keep that data and those transactions private. There is no other way to measure this if you want to build an infrastructure that is going to use people's personal EID for public or professional transactions. You have to be sure that you can guarantee them the best standards in security.

I don't know about you but what do you think when

* there is no public platform with open standards and norms that are debated publicly and adapted over time (NIST example)

* the audit reports about the EID seem to be secret

* there are no audits by totally independent auditors not linked to any commercial or public stakeholder

* the code for the software is public without any controls (security and quality) and without any certification

* there is discussion about the security mistakes that are being made in the first and last versions of the middleware

I don't think that this corresponds to security guarantees.

And this problem will become even greater when real security researchers do real security research on those modules and publish their comments and research. You can try to suppress some of them for some time, but not all of them all the time.

This is the case for the totally insecure way Drupal has made an EID module all by itself that seems totally public and insecure. By the way, today several other Drupal exploits were published for those sites that use this Obama tool.

 the Zionsecurity research about EID

If you want to read all the other research that has been published around here about EID the last years, click here

And if you ask me, I am only looking at EID card readers that are US-certified smart card readers adapted for EID without any middleware from anywhere else. This doesn't make the use of EID on websites with insecure modules like Drupal secure, but for internal use it is already the best available commercial solution on the market today if you think that you should guarantee your users the best privacy and security for their EID card.

This is not about open source and closed source, this is about security and even a good Open Source project can have a very bad security just as the most closed source in the world (apple) or the closed source that invests so much in security (windows). Security is all about controls, audits, procedures and prevention and having an adequate response and communication strategy. Nothing less. Open source or closed source frankly, my dear I don't give a damn because if you don't have that your security and trust will be gone with the wind....


07/13/2009

45.000 Belgian EID cards broken

This has already cost the firm nearly 500.000 euros, but some of these Belgian citizens have been unable to pursue their holiday or to board a plane. It was impossible to check the EID as the chip wasn't on the EID anymore (interesting news for crooks, now they only have to find out how to get another chip on the card without any automatic reader seeing something - it is not who is on the card but who is on the chip that may be of importance (unless you are passing real guarded borders)).

But there is something else that is very interesting. It doesn't seem to worry anyone. It is normal. No protest from consumer advocates or parliamentarians. No checks of the production process (they say they are ISO something...).

It is only half a million euros that are wasted without any problem by the production firm Zetes. In my thoughts there is something more: if a firm pays out so much money without any revision or without any protests, then they must be making a lot of money on these cards...

But who cares about audits and checks ? We don't have any reviewed public 'standards' for these cards and the developers who want to integrate it into their applications.....


06/05/2009

Be sure you have updated your EID middleware

There is a big spoofing hole in version 2.6. The middleware is now at version 3.5. There are other issues with version 3.5, but version 2.6 is so easy to spoof that it is too risky to still use it for authentication and identification.

I am not sure that the bugs that were in version 2.6 are resolved in version 3.5 because I can't find a list of resolved issues and the release document is just a bunch of propaganda crap, not a technical file that inspires trust.

The spoofing vulnerability with openssl that can be found in the old EID readers is described here and here and here. By the way, openssl is a can of bugs that you have to update every so many days or weeks. So I don't understand how this kind of open free stuff, which hasn't got enough maturity to be used without the fear of fundamental bugs that go to the heart of its function, found its way into an Electronic Identity Card that is not only being given to all citizens in a country (and to all inhabitants very soon) but is also being used on an ever-increasing scale for authentication and identification (for example to fill in your taxes online...).

Not one of the vulnerability reports states that by upgrading the bug has been solved. Either it is not solved, or a big worldwide company like Zetes - leader in EID and all that kind of publicity - doesn't follow up on even those official reports.

Because those reports say "The vulnerability is reported in version 2.6.0. Other versions may also be affected." and "Do not rely on the middleware for verification."

Maybe this is why some in Microsoft are still off the record having doubts about this Middleware .....

Meanwhile the propaganda caravan is going through Belgium promoting this tool. Come to see. Come to see.

For international security researchers: Belgians can't try to crack or spoof or attack the code because the Belgian computer crime law has no responsible disclosure. We have asked for that for a long time, but aside from promises there is nothing. And as there is no real Belgian security attack research, we don't have a clue about the security of the code and the product. And as there is no real open (free) best-practices and independent code-audit review, there is nobody else who can give us some green card. But you can download the code here (French/Flemish) and let us know something... Maybe there is a reason there is no official information in English... but in English the researcher can also read this.

Yeah, they say "norms and standards", but how in the hell did this happen then?

* a remotely spoofable bug without authentication since February 2009, and since then no official news or reaction or mention

* the first bug that makes it possible to use malicious servers with specially crafted SSL packets (that people have been pressured to treat as always safe...) to bypass authentication, which makes attack schemes on Belgians with vulnerable EID software on their computers easy and interesting for the first time

* no campaign to upgrade your EID software (if you don't use it, the vulnerable software client stays on the machine)

Just trust is not enough.

 


our social security number on our traintickets ?

If you are living in the US you would be falling off your chair by now or would just think that this is a joke. No, this is EID land Belgium and they didn't learn anything from what has happened to the social security number in the US and all the problems that arise from its universal use as a unique identifier.

So on the site of our national railway company they are so proud to have found the Egg of Columbus. They in fact had to find a way to link your electronic ticket to your identity and have some real proof that you are the same person sitting before the ticket inspector.

They have decided to use the National Register Number (which is the same). How the privacy commission could agree to something like that is a big question, because normally the privacy commission is very reluctant about the use of that number, just because it is a unique identifier. But as the privacy commission is an institution without enough money, resources and political clout, and one in which you can find as advisers the same people who have to decide about their own projects (ehealth for example), you shouldn't be surprised that you can do whatever you want with our national register number. source

And so your national ID unique identifier is becoming, without any legal basis or protection or oversight, a unique identifier for a lot of things and applications. This way identity theft is coming nearer at an increasing speed.

For privacy advocates it is also worrying that electronic train tickets can be identified and linked to a person. If you have problems with that, don't use electronic tickets. Less electronic is better privacy.
