without much oversight or governance

in some cities in Belgium you have to pay to be able do dispose your trash that you can't set out with the dustbin and in others it is free.Sometimes those cities are next to each other which means that some habitants from the costly city want to bring their big trash to the collection points in the free city.

But as this is a costly matter for the cities, they have installed a system to control who may have access.

It uses the EID.

another facet of identity and privacy that is now linked to this EID.

a machine is scanning my EID.

I don't have a clue what it is checking, what is registering and what is keeping.

It is just one of these new machines that take the EID and its whole propaganda  for granted.

With each new use and step the EID is becoming 'too big to fail'. But that doesn't mean that if it will fail, the government will have to step in big time.

If you see more uses of EID that are strange or mind-blowing, inform us.

Unsecure means : it has no public technical norms and procedures, no verification and certification, no
official technical platform, no external security tests.....

and while nobody seems to care, it just get used for more and more functions for which it wasn't meant to be

* traintickets : you can buy tickets online and the EID is used in the process
* fidelity points : some firm thinks you should keep your fidelity points on your EID
* Social security : instead of the seperate card, the EID will now be used in the pharmacy if you need medicine
and if you go to the hospital and so on...

Let's recapitulate.

Your EID is becoming your single identity point of failure.
YOur administrative identity.
Your train travel
Your shopping information.
Your medical information

what is next ?

and this in a technical environment that wouldn't be accepted in any other serious IT process.

This is what probably happened with the European citizens who found their names on the frontpages worldwide as being part of the Israeli hit team.

"

The report by the UK's Serious Organised Crime Agency (Soca) into the use of cloned British passports in the Dubai assassination makes clear their view that this is what happened as Britons travelled through the airport in the months and years before the plot was hatched to kill the Hamas commander Mahmoud al-Mabhouh.

The Soca report concluded that the passports must have been cloned at the airport or at other interfaces with Israeli officialdom, such as airline offices in other countries. There were no other links between the 12 individuals whose identities were stolen.

According to insiders, the language in the Soca report, produced after a four-week investigation, was "direct" and the findings unequivocal: the inquiry showed that the victims' data was taken, stored and passed on when they handed their passports to Israeli officials or those linked to them.

"We cannot pin it on individuals, but the evidence draws us to the conclusion that the only place these passports could have been cloned is when they were inspected at the Israeli border or in other countries, where they were passed to Israelis," said one source."
http://www.guardian.co.uk/world/2010/mar/24/israel-ben-gu...

First you find a website that sells such stuff and eventually downloads drivers or has the possibility to do so

For example this one

Than you hack it (but you don't deface it like they did)

You install the soft with your trojan in (and keylogger) or you place the link to it on the helppage

Do this before long holidays

and if you are really into scenariobased attacks, try to get a hold first of the members- or clientlists so you can send them an email that they have to download a new driver or firmware for their box

never download firmware or drivers from other sites than those that produce them

The only one is a WIKI that is being maintained by professionals

By lack of official technical information they have to ask questions like this one

"

Differences between middleware version 3.5 and 3.5.1...

• Does anybody know the real differences between middleware 3.5 and 3.5.1 ?? -- AnonYmous - 26 Mar 2009, 15:34:33
• The real differences are in the source code but this is what I found on the federal portal: http://eid.belgium.be/nl/Achtergrondinfo/De_eID_technisch...
  In a nutshell: a more user friendly GUI, no picture showing when minimized, OCSP/CRL check by default switched OFF, windows installation via .msi
  Works OK here ! -- AnonYmous - 27 Mar 2009, 15:45:14
• That's why I asked for the real
  Thanks anyway -- AnonYmous - 01 Apr 2009, 14:18:59
• Does anybody know which bugs from 3.5.1 have been fixed in 3.5.2? -- AnonYmous - 10 Mar 2010, 11:56:07

https://securehomes.esat.kuleuven.be/~decockd/wiki/bin/vi...

Just a reminder this is about the Middleware for the Belgian electronic Identitycard that is being used by all Belgians and being introduced in online applications for official and other business

If it would be about an open source freeware game, one could expect this situation but about a software of that kind ?

You remember the worldwide pics of Microsoft guru Gates with a fake Belgian passport. How proud all those people were. We were selected as one of the Microsoft projects. Microsoft would use the EID for MSN (when ?), Microsoft would integrate EID in its basic kernel of their OS and Microsoft would .......

Sorry to say but after Lernaut and Hauspie (Microsoft would also integrate its technology in the kernel untill it learned how the code exactly worked...) I am a bit cynical about those PR declarations.

Now I am reading that Microsoft is putting its full weight under the new German EID project with some interesting technologies

- secure computing from a to z (code security and authentification and certification) 

- forefront security (testing and controlling all the time)

- people themselves chose what data they will share with whom (privacy preservering)

They are not doing this with some never started new working group or with some other institution that yet has to be established and funded, no they are doing it with one of the most advanced computerresearchinstitutes of Germany.

In fact I sam sure that it would be possible in Belgium to start an Interuniversity research and development center around EID that could do the real research and development the professional way.

It is after all the professional integration in professional business tools that will make the difference if the EID will have its breakthrough in the identity management portfolio. And you can't have this breakthrough if the users can't be sure that they have total control over their data and that any system they use will be profoundly secure and is certified as such.

Such an initiative will maybe also be a breakthrough in the debate about the security of the EID code that you may read between the lines of interviews and hear in off the record explanations.

Maybe Microsoft has killed the EID site for Microsoft all together already

First they discovered wireless and forgotten all about security, who needs that anyway, the internet was made without security so why would the wireless protocol need any security.

After a few incidents and questions the industry as they call themselves got together and decided to write some security protocols to have at least some security, but not too much or too heavy.

This WEP was easily broken, so they had to make another WPA that would be much harder to break (meanwhile people are using no security or WEP) and there is even WPA2 now.

But as with any security it can be broken and what can be broken can be sold and what can be sold can become a criminal business.

So one of the new business models from the cloud is that you can ask a collection of servers and databases to break passwords and encryption. THousands of computers do it for you and you just have to pay for the result. Isn't that fantastic, the power of the cloud for the criminals, a criminal cloud. Imagine what the GRID or Internet2 could bring for organised online crime.

Eerst was er geen beveiling toen ze begonnen met wireless. Gewoon vergeten, het moest natuurlijk eerst allemaal zo snel mogelijk gelanceerd worden.

Dan kwamen ze uiteindelijk samen om een aantal veiligheidsnormen op te stellen voor de verschillende soorten draadloze verbindingen (protocollen).

 http://ph33rbot.com/wpa-password-cracker/

http://www.wpacracker.com/

And it even doesn't has to be computers, but due to the enormous computing power for gameboxen are they the favourite tool to set up farms of boxes that will crack passwords and encryption.

What would that mean for an EID attack - to get your national register number, the most unsafe combination of letters even rassembled as an unique identifier.

Here you can read the following comment from the drupal community/maker

Get the facts about Drupal & eID

Drupal.org did not make an eID module. It was made by a third party developer, and the code is hosted on Drupal.org.
From a technical, internal Drupal point of view, the code is probably secure (no obvious runtime bugs, no SQL injections etc) so the code was admitted to drupal.org.
But from a design point of view the code is of course totally wrong and in violation of Belgian privacy law.

Amedee Van gasse

This is totally wrong and it is just because it is totally wrong that such mistakes were made, not only in the drupal module but also in the EID middleware (first and second version).

It is important that you check your code for insecurities and bugs and that processes of your different modules an sich are secure. But when that is done and you have secure code and secure modules who interact in a secure way the work only begins. You have at that time the building blocks of your infrastructure or module.

Than you ask. What is the importance of the data or the transaction that I want to use this code for and which are the implications for my modules and my applications. The more important the data is, the more judicial and new other security mechanisms and monitoring and update mechanisms have to be put into place.

If one had followed this route, than the biggest work would have only started after the 'secure' drupal code was finished. The second phase is to secure the important identity data that it was going to use. This is maybe not only done in this module in Drupal environments but it should be clear that this module should only be used if the securisation of the transactions, storage and monitoring is in place. This should in fact - if the data is so important that it could lead to judicial and financial problems if it were to be compromised - be independently certified and audited on a regular basis.

Because in Belgian law there is the general principle that you didn't work as a good homemaker (traditional family expression) by not taking care from the beginning to limit the risks for the others you are responsable for. (the obligation of caution and professionalism). Can you sue Drupal or the makers of the Drupal module ? Maybe, maybe not...

I know this all seems very odd for some in the open source community but if the open source community is to survive in the business environment than certification, control and automated update mechanisms are the only way to keep the trust.

If I were drupal I would develop a complete secure framework or drop out of the financial/identitycard business alltogether. And give no permission to include any modules that aren't certified and updated this way which is what killed Joomla security. Once you lose the trust it is very difficult and costly to win it back again if you ever do.

To conclude I don't care about the code an sich, I follow the data. And securing the data is the centerpiece of security. Securing the code to protect the data is only the very first step of many and this is a continuous process.

And I understand the frustration of the developers who for the moment don't really know where to go for advise, secure code, testing, norms and all the other stuff that such a serious project like EID should have had from the beginning. There are some initiatives but lets all agree that even with all their enthusiasm, such a big project needs more professionalism and guidance. Not only for Drupal developers.

And hereby I close this debate about open source because I don't care how open or closed a code is when we talk about security and privacy. Frankly my dear, I don't give a damn.

As this video proves, also commercial firms tend to develop EID products that are not really finished, tested or thought through.

At the official demonstration of the EID for football matches there were so many mistakes that even the minister was getting angry (flemish)

http://code.google.com/p/eid-applet

Here is it

let me know if you find something

It is more difficult to do research with your own national material than to link to it internationally.