We have been reading strange things in the comments about the articles that mention the video, so let's make some things clear:
* We are not part of any FUD campaign by any firm that wants to get money from Fedict for whatever reason. The only reason for these postings is to have an open discussion about the procedures, security and democratic control, just as we have about thousands of other subjects in everyday life and politics. So why is any discussion about an aspect of IT dangerous or suspect? And why should citizens, politicians and other stakeholders have no active say in what we do with the IT infrastructure and our privacy in it?
We even volunteered to get together with FEDICT without any pay to exchange ideas, but we aren't sure how to organize this and guarantee our privacy and relative anonymity (and the freedom of speech that results from it), and also our legal status under the cybercriminality law.
* We are not a "bunch of open-source geeks" that try to get the EID project broken or whatever obscure manipulative scheme is being imagined. We are all professionals working in professional environments following professional rules and books in a professional way. This is our freedom of speech, however amateurish it may look. As we are professionals and read and work a lot, we have too little time to do everything the way we would like it to be done, but within that timeframe we try to do our best.
* We are not agents of the prime minister trying to destroy the federal IT infrastructure, as some French-speaking commenter thought. We will work with any active democratic politician who has the honest and responsible belief that our IT infrastructure in Belgium needs more resources and policies to be defended. We will work with any democratic politician of any region to do the same thing there. If you read the postings you will see that no one in the .be atmosphere is being ruled out. It also depends a bit on time.
* We are not hackers but professional security researchers, of which some have chosen to be public, others to publish some things under their own name and other stuff under the 'mixed' belsec name, and still others who just want or need to be somewhat anonymous. It is not who says it, but what is being said that is important. The brightest minds can sometimes say the most stupid things.
Hackers just destroy or manipulate things. The stuff in the video was given to the parliaments some months ago. It is only because the subject in the video was being mentioned in the parliament that we deemed it necessary to make it public so everybody knows what we are talking about.
We always try to be responsible: not everything we receive is published, not everything we know is tested, and not everything we find is published immediately. We haven't published that there was, some time ago, a serious programming error on a xxxxxx linked to a nuclear facility in Belgium. We informed our backchannels about it and waited three months to get it fixed.
This is why we want, first and foremost, a general responsible disclosure policy in Belgium.
You know, the big problem with the Belgian EID card is that almost everybody has forgotten their PIN code anyway. So for an EID-enabled application of the first hour to become deployable, you're actually forced to use the Belgian EID card without ever invoking any operation (like the compute digital signature APDU 0x00, 0x2A, 0x9E, 0x9A) that requires a PIN code. Even the security pop-up of the EID middleware about some application that will read out your private data from the card might freak out end users so much that they will flood your help desk in no time. Getting the big audience to use the Belgian EID will take some time and will require us (security developers, architects, whatever it is you're doing with this freaking card) to lower the security constraints in a controlled way.
Or is it a Titanic?
They say that they were together the persons responsible for the development and management of the EID program of the Belgian government:
"The eID Company was launched in 2007. As founders and shareholders we were initially responsible for the development and management of the eID programme of the Belgian federal government. We were at the origin of the development of new cards (for example the kids-ID...), the evolution of existing cards, the engineering of systems with PKI certificates and the design of software applications for eID.
Among other things, we developed the eID-based access control of a large number of official services: Tax-on-Web for the online tax return, the federal portal http://www.belgium.be, the electronic counter Police-on-Web, ...."
Let's await an external professional audit report about EID before deciding if this is good or bad for the future development of EID.
To the comment: we know that there are still people available, but you can't deny that this doesn't send a good image; some even ask how it is possible that people in whom the government has invested that much can leave with this knowledge and start their own business using it. It is not me, it is the comments around me when we hear about this, and so as always (it is my bad character) I am throwing the stone in the water and watching the reactions.
We appreciate the fact that some people stay available and do the hard work, and we respect that.
It has been confirmed by different sources that did some tests themselves, but because of our Cybercriminality Law we can't show it, and I think I have total amnesia about who these sources are, but I have dreamt that those voices in my head are real (sic). Oh yes, there are no written or telephone records of these conversations either....
The voices tell me that it is possible to intercept the PIN code of at least some of the keypads for E-ID with a keylogger.
I ask myself if it would be possible to intercept the password and login with a keylogger or with a screenscraper (that takes a screenshot).
Maybe FEDICT should do some tests and retire those keypads that aren't safe enough for any use. If they can't scramble the PIN code well enough, even if it is only 4 digits, then they aren't worth a cent even if you give them away for free.
I really hope you can prove them wrong.
Online it seems so.
We read in an online press article that ex-Minister Van Velthoven and L-Sec proposed the DIS institute that was to certify which firms complied with their standard. The presentations of the event in March 2006 can be found here. The purpose was to introduce the DIS-Eid standard and to audit compliance with it. The members are big names like Microsoft, Ernst & Young, Deloitte and some other big names. But it all seems very dead.
It now seems that L-Sec stopped working on the project long ago but forgot to change the website, and that some auditors had problems with setting up a norm that they would have to audit afterwards (which seems logical, but why didn't they think about that before putting their names on that paper?).
Next week we will report more on the people that are trying to continue the work on this standard. The main question is why the work on the standard is being done behind closed doors and why the community can't participate a bit. It has now been nearly two years since the launch and we haven't seen any proposal yet. Or was it just part of the propaganda machine that E-ID had become?
Let's cut the crap and the propaganda and get on with the real work.
In many ways, the Belgian eID card is the worst nightmare come true of the smartcard's original inventor, Roland Moreno. Moreno came up with the card in 1974 as a means of replacing low-value cheques, and repeatedly warned of the slippery-slope dangers of the card when used for other purposes. In one famous statement, Moreno warned about the potential of smartcards to become "Big Brother's little helper".
Each eID chip contains two X.509v3 identity certificates (each specifying the citizen’s name and RRN number, one for authentication and one for digital signing), as well as a basic signature key to authenticate the card with respect to the RRN. The certificates and public keys, which are assigned by the central issuing authority, by themselves serve as “omni-directional” identifiers that are globally unique. For a detailed account on the various privacy problems caused by this use of PKI, see, for instance, here.
Apadid is a project that should be finished in 2009 and is funded by the Flemish government. It is being coordinated and researched by COSIC from Leuven together with a Canadian authority on digital identities. The purpose is to analyse the security and privacy problems of the present E-ID and to propose solutions so the cards can be used for many more purposes without endangering the privacy of the users. But when you read the requirements report (2006, 140 pages, pdf) it is just astonishing how much personal information (medical information, for example) they want to store on that card. More published information is here.
A reaction to the comment. I am not so sure what is more manageable and secure: having millions of people walk around with all their data on a card, or having it in some databases that only need the investment and willpower to defend them correctly. It is a strategic choice, maybe even an ideological one.
According to the participating Canadian professor there is even an unpublished report.
COSIC has in fact been consulted by the Belgian government regarding the security design of the current eID card. During the consultation, the COSIC experts expressed their concerns about privacy and mentioned that a variety of privacy technologies are available to build a privacy-protecting eID card. At the time, the Belgian government chose not to follow up on these recommendations, primarily due to short-term objectives and its desire to buy off-the-shelf commercial products instead of considering new solutions.
The report (which is non-public) describes the privacy and security problems of the current eID card and proposes a four-year industry-academia research project aimed at redesigning the card in order to address the problems.
Nearly every Belgian has a National Register Number, a kind of unique identification number. It is one of the most important identifiers one has, next to the number of the E-ID itself and one's Social Security number, but that will be on the same cards if the mad plans go through.
So what is this number all about?
It is a total of 11 digits, of which the first 6 are your birthdate JJMMDD (year, month, day), followed by three digits to distinguish the people that were born on the same day (even for men, odd for women), and the last two digits are a control number. So if you know the birthdate and the sex of the person, you only miss two digits to reconstruct his national register number.
Some people find that it is time to abolish such numbers that identify the person too easily.
Reaction to comments: First it should be clear that it is not evident for everybody to use the present RRN number as a unique identifier across systems that would replace other identification systems. Discussions about that exist. If we take or have a unique identifier, then we should be sure that it is solid. There are doubts that this number is. If one says it is, let's prove it. We are legally not capable of proving the contrary (surely not under the truce).
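The structure described above can be checked mechanically, and doing so makes the "solidity" question concrete. The following is an added example, not code from the blog or from any Belgian government project. It assumes the publicly documented check-digit rule (the last two digits are 97 minus the remainder of the first nine digits modulo 97; for people born in or after 2000 a leading '2' is prepended before taking the remainder), and it assumes the sequence number runs from 001 to 998 with its parity encoding sex, as the text explains. The sample numbers are constructed and belong to nobody.

```python
"""Structural validator for the Belgian National Register Number (RRN).

Added example (not the blog's code).  It applies the publicly documented
check-digit rule to show the point made in the text: once birth date and sex
are known, only the three-digit sequence number is unknown, because the two
control digits are derived and add no information of their own.
"""
from datetime import date
from typing import Optional
import math

MOD = 97
# Assumed range of the sequence number; its parity encodes sex.
SEQ_MIN, SEQ_MAX = 1, 998


def _check_digits(first_nine: str, born_after_1999: bool) -> int:
    """Derive the two control digits from the first nine digits."""
    base = ("2" + first_nine) if born_after_1999 else first_nine
    return MOD - (int(base) % MOD)


def normalize(rrn: str) -> str:
    """Strip the usual YY.MM.DD-SSS.CC punctuation, leaving 11 digits."""
    digits = "".join(ch for ch in rrn if ch.isdigit())
    if len(digits) != 11:
        raise ValueError("an RRN has exactly 11 digits")
    return digits


def validate(rrn: str) -> Optional[dict]:
    """Return the fields of a structurally valid RRN, or None.

    The century is not stored in the number, so both readings are tried.
    """
    digits = normalize(rrn)
    first_nine, check = digits[:9], int(digits[9:])
    for after_1999 in (False, True):
        if _check_digits(first_nine, after_1999) != check:
            continue
        yy, mm, dd = int(digits[0:2]), int(digits[2:4]), int(digits[4:6])
        try:
            birth = date(yy + (2000 if after_1999 else 1900), mm, dd)
        except ValueError:
            continue  # control digits fit, but the date does not exist
        return {"birth": birth, "sequence": int(digits[6:9]), "check": check}
    return None


def candidate_count(birth: date, sequence_parity: int) -> int:
    """Number of structurally valid RRNs left once the birth date and the
    parity of the sequence number (i.e. the sex) are known.

    Each candidate carries its own derived control digits, so validation
    rules none of them out: the control digits contribute no secrecy.
    """
    first_six = birth.strftime("%y%m%d")
    after_1999 = birth.year >= 2000
    count = 0
    for seq in range(SEQ_MIN, SEQ_MAX + 1):
        if seq % 2 != sequence_parity:
            continue
        first_nine = f"{first_six}{seq:03d}"
        candidate = f"{first_nine}{_check_digits(first_nine, after_1999):02d}"
        if validate(candidate) is not None:
            count += 1
    return count


def entropy_bits(n_candidates: int) -> float:
    """Uncertainty, in bits, of a uniformly chosen candidate."""
    return math.log2(n_candidates)


if __name__ == "__main__":
    # Constructed samples, not real persons.  The third has a wrong check.
    for sample in ("85.07.30-033.28", "05.02.14-118.95", "85.07.30-033.29"):
        print(sample, "->", validate(sample))
    n = candidate_count(date(1985, 7, 30), sequence_parity=1)
    print(f"{n} candidates, about {entropy_bits(n):.1f} bits of uncertainty")
```

The validator is what a relying system should run before trusting a typed-in RRN, and `candidate_count` quantifies the text's argument: with the birth date and sex known, fewer than 500 numbers remain, roughly nine bits, which is why the number cannot serve as a secret or an authenticator, only as an identifier.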
If you have read a lot about phishing, then you will remember that security people are sometimes astonished that banks and other financial institutions send customers emails with links to websites to change information. For real. This while everybody tells them not to click on links in emails so as not to be fooled.
What does the E-ID do? Well, once you receive your E-ID, you must request a token at a website. They will send you an email with a link in it that you have to click. But the SSL process is faulty, so your browser alerts you that you have a certificate that isn't recognized and can't be trusted. The email states that you shouldn't worry and just go ahead.
Maybe they would do the same if I would send them an email with a link to my website in Russia telling them that their tokens are revoked and that they need to re-enter their information to get new ones. They shouldn't worry about my certificate either..... The programs to set up the server are all downloadable for free. Thanx for that.
There is an alternative to the E-ID that lets everybody read whatever they want without you having any control over it: the ethical-EID. It empowers the individual E-ID user to choose which information on the smartcard E-ID should be visible.
More information in French and Dutch can be found here.
It has been developed by a Belgian official IT institution. Some people ask themselves why Zetes hasn't built this possibility into the E-ID itself.
eID and Identity Management technologies have been developing at a strong pace in the course of 2006 and 2007. Especially the development of eID in itself is no longer a hype in Belgium. It is becoming ever more integrated into the mainstream of Identity Management solutions.
Moreover, major Identity Management and Access Management solutions have been implemented in the course of 2007.
For that reason, LSEC organizes a conference on the current developments of eID and Identity Management during the afternoon of Thursday February 28, focused on the practical implementations and lessons learned from other installations. The conference intends to provide a status of the present situation with lessons learned, best practices and experiences from the eID market in Belgium. See the site for the extensive program and the formalities.
Well, we were as proud as when Bill Gates went to Lernout & Hauspie to see their new software (remember that) when he came to Belgium and said that our Belgian EID card was a new wonder.
Microsoft would use that technology for MSN and for plenty of other services. Microsoft would do this and that, Bill Gates received a fake Belgian identity card, and Minister Van Velthoven was happy with all the press that it got.
We are now 2 years further on and since 2005 the Microsoft website hasn't been updated about EID. Have they forgotten about it? MSN doesn't use it.
But there seems also to be an integration with Office 2003 that lets you sign documents.
So you have stolen or got your hands on a number of Belgian E-IDs and you need the information on them for whatever reason I don't wanna know? Well, this is what you need.
You need to buy an E-ID reader, which costs peanuts, and you need to install the software you can download freely. Then you insert the cards and the software reads the information. Even the unique identifier. Easy as that.
No, you don't need the PIN code or a password or to identify yourself or whatever. There is no security on that level. This is a card that is easy to use for anyone, ID thieves included.
The answer will be that that information was public before and so on. Yes, but you couldn't transfer or copy it electronically. And even so, it is just a level of security that could have been included without much work and that could have strengthened the privacy and use of the E-ID.
The problem is that they want to include much more information on that card.
Privacy International is a respected international organisation that tries to keep a watch on the privacy regulations and defenses in most countries around the world. It publishes a yearly report. The general status for Belgium is yellow, meaning "some safeguards but weakened protections".
Belgium is the first country in Europe to embed a digital signature in an ID card and to massively roll out ID smart cards at a national level. The "e-ID" (which stands for "electronic ID") embeds a digital certificate that will, according to the government, allow Belgians to communicate online and conduct secure transactions with government agencies, access e-government applications, and perform e-banking, or other future private applications. Under the plan, every Belgian citizen (as young as 6 years old) gets an identification card with his or her name and other identifiers, photograph and two digital certificates. One is to be used for authentication, the other as a digital signature to sign documents such as declarations or application forms, which will have the same legal value as documents signed by hand.
The e-ID project, which was originally called "BELPIC" (or Belgian Personal Identity Card) started in July 2001, when the Council of Ministers (Conseil des ministres) approved the idea of introducing an electronic identity card for all Belgians. In February 2003, the Parliament approved the introduction of BELPIC and the new chipcards were tested in 11 municipalities (communes) until September 2003. After the government considered the test satisfactory, it decided to roll out the cards to the rest of the Belgian population – about nine million individuals – on a schedule that would end in late 2009. By Royal Decree, the government began issuing Kids-ID for Belgian children between the ages of 6 and 12. The Kids-ID card replaces paper identity certificates and shows the child’s name and an emergency contact number. All other information, such as home address, is contained on the chip. Six pilot projects are currently being conducted.
The Commission and civil liberties organizations criticized the new ID card as presenting a serious threat to individuals' privacy. The data protection authority noted that it was still unclear how the government answers several important privacy concerns due to the uncertainty of many aspects of the project, and the information that the Commission has so far been provided with from the government. Other critics say that the e-commerce identity of Internet users should not be linked to day-to-day authentication, that integration of data damages the integrity and rights of users, and that the fact that the Belgian government handed the project to a private company (security firm Ubizen) jeopardizes citizens' privacy rights. While it does not appear such concerns have been thus far addressed, both the public and private sectors have already developed several new applications and services compatible with e-ID, including online tax returns, certified e-mail, online request of official documents, Internet banking services and electronic library services. The Commissioner expressed serious reservations regarding the inclusion on the e-card of such information as organ donation choices, or medical files. The Commissioner states that the inclusion of information extraneous to identification and authentication sets a dangerous precedent.
Belgium began a test program in May 2004 that made it the second country in the world (after Malaysia) to issue passports with an embedded computer chip for personal information. The government began producing the RFID passports in November 2004, and issuing them to the public on January 30, 2005, in full compliance with the current European, US and ICAO standards and deadlines for biometric based e-passports. Initially, the chip will be used only for basic information, such as name, date and place of birth, passport number, issuing date and place, digital photo and signature. However, it has the ability to store fingerprints, an iris scan and other biometrics. Although the Belgian passport received "the world's most secure passport" award from Interpol in 2003, now that it is equipped with an RFID chip, it may present new privacy and security risks, including the unauthorized reading of its data.
to be continued.....
I said they were not digitally signed; they are, but in such a way that it is not done the right way, that is to say, beyond any doubt. As the code is not digitally signed as it should be for confidential smartcards like these, it is quite possible, with a bit of spoofing and phishing, to make people download bogus software (updates). For Windows users it will make no difference.
If you have any research or thoughts or experiments with the Belgian E-ID project, please let us know or mail it to us. We'll publish it - except for blackhat and real exploit-stuff that will have to be backchannelled first.
There is for the moment no discussion about the E-ID, and everything is presented as if it were the most beautiful and perfect solution there is. We prefer to advance by discussion and testing, not by discovering afterwards, when it is too late.
Keep it coming. If you are feeling Omerta, we know how to deal with that.
By the way, any idea for February?