• the extending role of the Belgian EID

    without much oversight or governance

    In some cities in Belgium you have to pay to be able to dispose of the trash that you can't set out with the dustbin, and in others it is free. Sometimes those cities are next to each other, which means that some inhabitants of the costly city want to bring their big trash to the collection points in the free city.

    But as this is a costly matter for the cities, they have installed a system to control who may have access.

    It uses the EID.

    Another facet of identity and privacy that is now linked to this EID.

    A machine is scanning my EID.

    I don't have a clue what it is checking, what it is registering and what it is keeping.

    It is just one of these new machines that take the EID and its whole propaganda for granted.

    With each new use and step the EID is becoming 'too big to fail'. But that doesn't mean that if it fails, the government will have to step in big time.

    If you see more uses of EID that are strange or mind-blowing, inform us.

  • The continuing expansion of the unsecure EID card

    Unsecure means: it has no public technical norms and procedures, no verification and certification, no official technical platform, no external security tests.....

    And while nobody seems to care, it just gets used for more and more functions for which it wasn't meant.

    * train tickets: you can buy tickets online and the EID is used in the process
    * fidelity points: some firm thinks you should keep your fidelity points on your EID
    * social security: instead of the separate card, the EID will now be used in the pharmacy if you need medicine, and if you go to the hospital and so on...

    Let's recapitulate.

    Your EID is becoming your single identity point of failure.
    Your administrative identity.
    Your train travel.
    Your shopping information.
    Your medical information.

    What is next?

    And this in a technical environment that wouldn't be accepted in any other serious IT process.

  • why giving your EID or passport out of hand and sight may make you a terrorist

    This is what probably happened with the European citizens who found their names on the frontpages worldwide as being part of the Israeli hit team.


    The report by the UK's Serious Organised Crime Agency (Soca) into the use of cloned British passports in the Dubai assassination makes clear their view that this is what happened as Britons travelled through the airport in the months and years before the plot was hatched to kill the Hamas commander Mahmoud al-Mabhouh.

    The Soca report concluded that the passports must have been cloned at the airport or at other interfaces with Israeli officialdom, such as airline offices in other countries. There were no other links between the 12 individuals whose identities were stolen.

    According to insiders, the language in the Soca report, produced after a four-week investigation, was "direct" and the findings unequivocal: the inquiry showed that the victims' data was taken, stored and passed on when they handed their passports to Israeli officials or those linked to them.

    "We cannot pin it on individuals, but the evidence draws us to the conclusion that the only place these passports could have been cloned is when they were inspected at the Israeli border or in other countries, where they were passed to Israelis," said one source."

  • how to infect drivers for smartcardreaders (or IED ?)

    First you find a website that sells such stuff and eventually downloads drivers or has the possibility to do so

    For example this one

    Then you hack it (but you don't deface it like they did)

    You install the soft with your trojan in (and keylogger) or you place the link to it on the helppage

    Do this before long holidays

    and if you are really into scenariobased attacks, try to get a hold first of the members- or clientlists so you can send them an email that they have to download a new driver or firmware for their box

    Never download firmware or drivers from sites other than those that produce them.




  • why we need a real EID official technical forum

    The only one is a wiki that is being maintained by professionals.

    For lack of official technical information they have to ask questions like this one:


    Differences between middleware version 3.5 and 3.5.1...

    • Does anybody know the real differences between middleware 3.5 and 3.5.1 ?? -- AnonYmous - 26 Mar 2009, 15:34:33
    • The real differences are in the source code but this is what I found on the federal portal: http://eid.belgium.be/nl/Achtergrondinfo/De_eID_technisch/index.jsp
      In a nutshell: a more user friendly GUI, no picture showing when minimized, OCSP/CRL check by default switched OFF, windows installation via .msi
      Works OK here ! -- AnonYmous - 27 Mar 2009, 15:45:14
    • That's why I asked for the real smile
      Thanks anyway -- AnonYmous - 01 Apr 2009, 14:18:59
    • Does anybody know which bugs from 3.5.1 have been fixed in 3.5.2? -- AnonYmous - 10 Mar 2010, 11:56:07


    Just a reminder: this is about the middleware for the Belgian electronic identity card that is being used by all Belgians and is being introduced in online applications for official and other business.

    If it were about an open source freeware game, one could expect this situation, but about software of that kind?

  • Microsoft and the Belgian and German EID

    You remember the worldwide pics of Microsoft guru Gates with a fake Belgian passport. How proud all those people were. We were selected as one of the Microsoft projects. Microsoft would use the EID for MSN (when ?), Microsoft would integrate EID in its basic kernel of their OS and Microsoft would .......

    Sorry to say, but after Lernout and Hauspie (Microsoft would also integrate its technology in the kernel until it learned how the code exactly worked...) I am a bit cynical about those PR declarations.

    Now I am reading that Microsoft is putting its full weight behind the new German EID project with some interesting technologies:

    - secure computing from a to z (code security and authentication and certification)

    - forefront security (testing and controlling all the time)

    - people themselves choose what data they will share with whom (privacy preserving)

    They are not doing this with some never started new working group or with some other institution that has yet to be established and funded; no, they are doing it with one of the most advanced computer research institutes of Germany.

    In fact I am sure that it would be possible in Belgium to start an interuniversity research and development center around EID that could do the real research and development the professional way.

    It is after all the professional integration in professional business tools that will make the difference if the EID will have its breakthrough in the identity management portfolio. And you can't have this breakthrough if the users can't be sure that they have total control over their data and that any system they use will be profoundly secure and is certified as such.

    Such an initiative will maybe also be a breakthrough in the debate about the security of the EID code that you may read between the lines of interviews and hear in off the record explanations.

    Maybe Microsoft has killed the EID site for Microsoft altogether already.


  • online cracking of your wireless WPA connection

    First they discovered wireless and forgot all about security: who needs that anyway, the internet was made without security, so why would the wireless protocol need any security?

    After a few incidents and questions the industry as they call themselves got together and decided to write some security protocols to have at least some security, but not too much or too heavy.

    This WEP was easily broken, so they had to make another WPA that would be much harder to break (meanwhile people are using no security or WEP) and there is even WPA2 now.

    But as with any security it can be broken and what can be broken can be sold and what can be sold can become a criminal business.

    So one of the new business models from the cloud is that you can ask a collection of servers and databases to break passwords and encryption. Thousands of computers do it for you and you just have to pay for the result. Isn't that fantastic, the power of the cloud for the criminals, a criminal cloud. Imagine what the GRID or Internet2 could bring for organised online crime.


    At first there was no security when they started with wireless. Simply forgotten; of course everything first had to be launched as quickly as possible.

    Then they eventually got together to draw up a number of security standards for the different kinds of wireless connections (protocols).



    And it doesn't even have to be computers: because of their enormous computing power, game consoles are the favourite tool to set up farms of boxes that will crack passwords and encryption.

    What would that mean for an EID attack - to get your national register number, the most unsafe combination of letters ever assembled as a unique identifier.

  • Drupal EID insecurity discussion : what is important here

    Here you can read the following comment from the drupal community/maker

    Get the facts about Drupal & eID

    Drupal.org did not make an eID module. It was made by a third party developer, and the code is hosted on Drupal.org.
    From a technical, internal Drupal point of view, the code is probably secure (no obvious runtime bugs, no SQL injections etc) so the code was admitted to drupal.org.
    But from a design point of view the code is of course totally wrong and in violation of Belgian privacy law.

    Amedee Van gasse
    amedee@vangasse.eu http://amedee.be

    This is totally wrong and it is just because it is totally wrong that such mistakes were made, not only in the drupal module but also in the EID middleware (first and second version).

    It is important that you check your code for insecurities and bugs and that the processes of your different modules an sich are secure. But when that is done and you have secure code and secure modules that interact in a secure way, the work only begins. At that time you have the building blocks of your infrastructure or module.

    Then you ask: what is the importance of the data or the transaction that I want to use this code for, and what are the implications for my modules and my applications? The more important the data is, the more judicial and other new security mechanisms and monitoring and update mechanisms have to be put into place.

    If one had followed this route, then the biggest work would have only started after the 'secure' drupal code was finished. The second phase is to secure the important identity data that it was going to use. This is maybe not only done in this module in Drupal environments, but it should be clear that this module should only be used if the securing of the transactions, storage and monitoring is in place. This should in fact - if the data is so important that it could lead to judicial and financial problems if it were to be compromised - be independently certified and audited on a regular basis.

    Because in Belgian law there is the general principle that you didn't act as a good homemaker (traditional family expression) if you didn't take care from the beginning to limit the risks for the others you are responsible for (the obligation of caution and professionalism). Can you sue Drupal or the makers of the Drupal module? Maybe, maybe not...

    I know this all seems very odd for some in the open source community, but if the open source community is to survive in the business environment then certification, control and automated update mechanisms are the only way to keep the trust.

    If I were drupal I would develop a complete secure framework or drop out of the financial/identity card business altogether. And give no permission to include any modules that aren't certified and updated this way which is what killed Joomla security. Once you lose the trust it is very difficult and costly to win it back again if you ever do.

    To conclude I don't care about the code an sich, I follow the data. And securing the data is the centerpiece of security. Securing the code to protect the data is only the very first step of many and this is a continuous process.

    And I understand the frustration of the developers who for the moment don't really know where to go for advice, secure code, testing, norms and all the other stuff that such a serious project like EID should have had from the beginning. There are some initiatives but let's all agree that even with all their enthusiasm, such a big project needs more professionalism and guidance. Not only for Drupal developers.

    And hereby I close this debate about open source because I don't care how open or closed a code is when we talk about security and privacy. Frankly my dear, I don't give a damn.

  • Belgian EID : not only open source initiatives make mistakes

    As this video proves, also commercial firms tend to develop EID products that are not really finished, tested or thought through.

    At the official demonstration of the EID for football matches there were so many mistakes that even the minister was getting angry (Flemish)


  • If you want to test the Belgian EID software


    Here it is

    let me know if you find something

    It is more difficult to do research with your own national material than to link to it internationally.

  • University Researcher fears for more EID insecurity to come

    As the debate starts another time, people that were working in universities and other industries or centers are coming out of the bushes with their thoughts and proposals to advance the discussion and maybe to get the real Marshall plan one needs for EID going or started.

    http://www.pieter.verhaeghe.be/ is such a researcher who has already added some comments to the discussion about the drupal EID module.

    If you read the earlier post about EID and security then you will better appreciate the following comment by him

    free quick translation : as developers will use more and more local application authentification (sic) instead of https tunneling and that government (without any security process or certification for the EID environment) will lose control and so will over time also the users as they won't be sure which EID environment is safe and which isn't

    He has also some very interesting papers on his website, of which some are famous


  • Belgian EID security storm rises again (and it is not my fault)

    If you think that your security is important and you think that the data that is digitalised is important and should be secured and private.

    If you think that the identities and transactions of people online or on computers should be secure and private.

    Then you have to define what secure and private mean and you have to compare what you are prepared to do or accept with what should be done to keep that data and those transactions private. There is no other way to measure this if you want to build an infrastructure that is going to use the personal EID from people for public or professional transactions. You have to be sure that you can guarantee them the best standards in security.

    I don't know about you but what do you think when

    * there is no public platform with open standards and norms that are debated publicly and adapted over time (NIST example)

    * the audit reports about the EID seem to be secret

    * there are no audits by totally independent auditors not linked to any commercial or public stakeholder

    * the code for the software is public without any controls (security and quality) and without any certification

    * there is discussion about the security mistakes that are being made in the first and last versions of the middleware

    I don't think that this corresponds to security guarantees.

    And this problem will become even greater when real security researchers do real security research on those modules and publish their comments and research. You can try to suppress some of them during some time, but not all of them all the time.

    This is the case for the totally insecure way Drupal has made an EID module all by itself that seems totally public and unsecure. By the way, today there were several other drupal exploits published for those sites that use this Obama tool.

     the Zionsecurity research about EID

    If you want to read all the other research that has been published around here about EID the last years, click here

    And if you ask me, I am only looking at EID card readers that are US certified smart card readers that are adapted for EID without any middleware from anywhere else. This doesn't make the use of EID on websites with insecure modules like Drupal secure, but for internal use it is already the best available commercial solution on the market today if you think that you should guarantee your users the best privacy and security for their EID card.

    This is not about open source and closed source, this is about security and even a good Open Source project can have a very bad security just as the most closed source in the world (apple) or the closed source that invests so much in security (windows). Security is all about controls, audits, procedures and prevention and having an adequate response and communication strategy. Nothing less. Open source or closed source frankly, my dear I don't give a damn because if you don't have that your security and trust will be gone with the wind....

  • 45.000 belgian EID cards broken

    This has cost the firm already nearly 500.000 euros but some of these Belgian citizens have been unable to pursue their holiday or to board a plane. It was impossible to control the EID as the chip wasn't on the EID anymore (interesting news for crooks, now they only have to find out how to get another chip on the card without any automatic reader seeing something - it is not who is on the card but who is on the chip that may be of importance (unless you are passing real guarded borders)).

    But there is something else that is very interesting. It doesn't seem to worry anyone. It is normal. No protest from consumerists or parliamentarians. No checks of the production process (they say they are ISO something...).

    It is only half a million euros that are wasted without any problem by the production firm Zetes. In my thoughts there is something more: if a firm pays out so much money without any revision or without any protests, then they must be making a lot of money on these cards.....

    But who cares about audits and checks ? We don't have any reviewed public 'standards' for these cards and the developers who want to integrate it into their applications.....

  • Be sure you have updated your EID middleware

    There is a big spoofing hole in version 2.6. The middleware is now in version 3.5. There are other issues with version 3.5 but version 2.6 is so easy to spoof that it is too risky to still use it for authentication and identification.

    I am not sure that the bugs that were in version 2.6 are resolved in version 3.5 because I can't find a list of resolved issues and the release document is just a bunch of propaganda crap, not a technical file that inspires trust.

    The spoofing vulnerability with openssl that can be found in the old EID readers is described here and here and here. By the way, openssl is a can of bugs that you have to update every so many days or weeks. So I don't understand how this kind of open free stuff, which doesn't have enough maturity to be used without the fear of fundamental bugs that go to the heart of its function, found its way into an Electronic Identity Card that is not only being given to all citizens in a country (and all inhabitants very soon) but is also being used on an ever increasing scale for authentication and identification (for example to fill in your taxes online....).

    Not one of the vulnerability reports states that by upgrading the bug has been solved. Either it is not solved, or a big worldwide company like Zetes - leader in EID and all that kind of publicity - doesn't follow up on even those official reports.

    Because those reports say "The vulnerability is reported in version 2.6.0. Other versions may also be affected." and "Do not rely on the middleware for verification."

    Maybe this is why some in Microsoft are still off the record having doubts about this Middleware .....

    Meanwhile the propaganda caravan is going through Belgium promoting this tool. Come to see. Come to see.

    For international security researchers: Belgians can't try to crack or spoof or attack the code because the Belgian computer criminality law has no responsible disclosure. We have asked for that for a long time, but aside from promises there is nothing. And as there is no real Belgian security attack research, we don't have a clue about the security of the code and the product. And as there is no real open (free) best practices and independent code-audit review, there is nobody else that can give us a green light. But you can download the code here (French/Flemish) and let us know something .... Maybe there is a reason there is no official information in English.... but in English the researcher can also read this

    Yeah, they say "norms and standards", but how in the hell did this happen then?

    * a remote spoofable bug without authentication since February 2009, and since then no official news or reaction or mention

    * the first bug that makes it possible to use malicious servers with specially crafted SSL packets (that people have been pressured to treat as always safe...) to bypass authentication, which makes attack schemes on Belgians with vulnerable EID software on their computers for the first time easy and interesting.

    * no campaign to upgrade your EID software (if you don't use it the vulnerable software client stays on the machine)

    Just trust is not enough.
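
    The upgrade problem described in this post (a version 2.6 client that stays on the machine when nobody replaces it), as an added example that is not part of the original post or of any official eID tooling: a small audit over a software inventory export. The inventory format, host names and status labels are assumptions constructed for the illustration; only the version numbers 2.6 and 3.5 come from the post.

```python
import re

# Version facts taken from the post: the advisories name 2.6.0 as vulnerable
# ("other versions may also be affected") and 3.5 is the release to be on.
REPORTED_VULNERABLE = (2, 6)
RECOMMENDED_MINIMUM = (3, 5)

# Constructed sample data: tab-separated "host, product, version" lines.
# The export format and the host names are assumptions, not a real tool's output.
SAMPLE_INVENTORY = (
    "pc-frontdesk\tBelgian eID middleware\t2.6.0\n"
    "pc-hr-01\tBelgian eID middleware\t3.5.1\n"
    "laptop-17\tBelgian eID middleware\t2.5.9\n"
    "kiosk-02\tBelgian eID middleware\t3.0\n"
    "pc-lab\tBelgian eID middleware\tunknown\n"
    "pc-dev\tSome other product\t1.0\n"
)


def parse_version(text):
    """Return (major, minor, patch), or None if the string is not a plain version."""
    match = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if match is None:
        return None
    return tuple(int(part) if part else 0 for part in match.groups())


def classify(version):
    """Map a parsed version to a status label (labels are this example's own)."""
    if version is None:
        return "UNKNOWN"        # cannot be judged, so it needs a manual look
    if version[:2] == REPORTED_VULNERABLE:
        return "VULNERABLE"     # the release line named in the advisories
    if version[:2] < RECOMMENDED_MINIMUM:
        return "UPGRADE"        # older than 3.5: "may also be affected"
    # CURRENT means "on the 3.5 line or later", not "proven fixed": the post
    # could not find a list of resolved issues for 3.5.
    return "CURRENT"


def audit(inventory_text, product="Belgian eID middleware"):
    """Return (host, version_text, status) for every line about the product."""
    findings = []
    for line in inventory_text.splitlines():
        fields = line.split("\t")
        if len(fields) != 3 or fields[1].strip() != product:
            continue            # malformed line or a different product
        host, version_text = fields[0].strip(), fields[2].strip()
        findings.append((host, version_text, classify(parse_version(version_text))))
    return findings


def hosts_needing_action(findings):
    """Hosts that are not on the recommended release line, sorted by name."""
    return sorted(host for host, _, status in findings if status != "CURRENT")


if __name__ == "__main__":
    for host, version_text, status in audit(SAMPLE_INVENTORY):
        print(f"{status:<10} {host:<14} {version_text}")
```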


  • our social security number on our traintickets ?

    If you are living in the US you would be falling from your chair by now or just think that this is a joke. No, this is EID land Belgium and they didn't learn anything from what has happened to the social security number in the US and all the problems that arise from that universal use as a unique identifier.

    So on the site of our national railway company they are so proud to have found the egg of Columbus. They have in fact to find a way to link your electronic ticket to your identity and have some real proof that you are the same person sitting before the controller.

    They have decided to use the National Register Number (which is the same). How the privacy commission could agree to something like that is a big question because normally the privacy commission is very reluctant about the use of that number - just because it is a unique identifier. But as the privacy commission is an institution without enough money, resources and political clout, and in which you can find as advisers the same people that have to decide about their own projects (ehealth for example), you shouldn't be surprised that you can do whatever you want with our national register number. source

    And so your national ID unique identifier is becoming, without any legal basis or protection or overview, a unique identifier for a lot of things and applications. This way identity theft is coming closer at an increasing speed.

    For privacy advocates it is also worrying that electronic train tickets can be identified and linked to a person. If you have problems with that, don't use electronic tickets. Less electronic is better privacy.

  • some interesting presentations about the EID (Dutch)

    But some of them (including the one from the Belgian official Privacycommission who points out that the readers that are used have NO legal basis for the moment) are quite interesting. The details are what it is all about.

  • EID : opensource against assured inspection discussion

    When we published last week the news that we found some good alternatives for the open source middleware for the EID if you didn't want to take any chances and wanted to invest in a secure smartcard environment, one of the programmers posted the following reaction.

    " If you have the money, you don't have to use the opensource solution from FEDICT if you want to be absolutely sure.

    I always wonder how long such FUD campaigns will last and what drives it? Of course I for one welcome other eID solutions since it increases diversity. This definitely has a positive impact on both probability that a system is being hacked and payoff once a system has been hacked. The probability for security weaknesses being exploited decreases once more eID solutions are available as the competition among these eID solutions will definitely have a positive impact on the code quality. As for the payoff once a system has been hacked we can also state that diversity reduces the number of systems that are vulnerable to a certain security attack on an eID solution. As security can be roughly defined by probability times payoff, diversity will have a positive impact on the security property of eID solutions. But to state that commercial eID middleware solutions are more secure is somewhat far-fetched. The reason why I open sourced the new eID Applet is because I don't believe in 'Security through obscurity' and I want to invite security researchers into constructing alternative viable eID solutions.

    Kind Regards,
    Frank.
    Frank Cornelis info@frankcornelis.be "

    So we have to respond to some things in it

    * First, it is NOT a FUD thing. It is based on the experience with only one aspect of the code - the so-called firewall - and on the study from the professors that made some remarks about the so-called quality of the code and some of the mechanisms (attention was drawn to those remarks only here - as usual).

    * There is no drive behind it, no dark forces or commercial interests, just trying to keep the discussion going and wanting to drive the security and the discussion even further - because if we stop it, who will continue it? And if we look at the way people are handled here when they try to show mistakes and other conceptual dangers with the middleware, then you can't speak about an open and professional discussion. And what is open source if the security of the source can't be discussed in an open process? And in which the upgrade to the last version is even worse than the one before?

    * so we think by talking with a lot of other people that a lot of people are looking for other solutions and want some middleware that is secret, but that can withstand all the security tests, also those from Microsoft .........

    Because what is the security of a system in which the middleware or the hardware reader isn't secure enough? Open source or not, that is not important because that is an ideological question, not an operational one. An operational one is how you check the code with different attack and analysis tools and how you permanently revise, upgrade and patch the software as efficiently as possible. And I am not saying that all commercial secretive code is good code. It all depends on the security operations that are used before the code is used for real products.

    And yes, we want more commercial adaptations for the EID cards from worldwide known companies who follow standards and have internal check processes and external community programs and so on. There is an enormous market over here for such products. So let them come and let the FEDICT middleware be a proof of concept that it is possible, but I am sure there are other firms that can deliver other ways to integrate the EID in a secure way in a secure process.

  • EID there is other middleware that is compliant

    If you don't trust an open source middleware or just want to be compliant in your infrastructure from end to end, there are products (middleware) that incorporate or use the EID but just as a card and use it in a secured and compliant environment.

    These are commercial products, but as they are used in highly secure environments they have to protect the authentication and the data on the EID in a more secure way.

    Some security products and installations that let you use EID also use these commercial middleware installations instead of the FEDICT software.

    one example is this

    If anyone has a list of commercial security compliant EID reader middleware, this may be interesting

    If you have the money, you don't have to use the opensource solution from FEDICT if you want to be absolutely sure.

  • a technical but very interesting presentation about EID (link added)

    The presentation in 63 slides shows in a detailed but very complete and comprehensive way (for security and IDM people) how the encryption (PKI) of the EID in Belgium is organised. It doesn't talk about any weaknesses or other conceptual or political questions one may have, but on the basis of this you can already have a theoretical idea about how it should work in theory.

    It is very interesting to read in the last slides that he talks about the requirements for it to work securely, but as nobody is responsible for certification one can ask who will do the monitoring and testing.

    But it is a document one should have read if you are interested in the future of our EID. Any remarks are welcome of course.

    Introduction to Belgian eID cards, presented at K.U.Leuven, 27 April, 2009

  • EID, omerta and propaganda (no security)

    First let us agree about something. Security means that something is certified, controlled and can be adapted and secured afterwards, and that this is done and rechecked by a transparent, frequently updated and outsourced process run by professionals and independent security researchers.

    Secondly, there is nobody that says that the EID an sich has to be abolished. The problem is that the card - because of its increasing importance - needs to have that public and transparent security process. This is not the same as making your source open source. It is not because your source is open source that 'automatically' your code and process (e.g. incident handling and patching) are secure an sich. It doesn't even mean that your code has been reviewed to the most stringent standards by the community. In Belgium this last thing is absolutely NOT the case because the community has been blackmailed into silence by the very vague and dangerous cybercriminality law (and a total lack of other independent places where you can deposit this information safely without risk for your career or name in this small country of ours). For the record, we have already shown that we know how to protect our informers and how to get information to the right persons in the right places without publicizing it immediately.

    Thirdly you don't have to shoot the pianist but you have to listen to the music and forget the pianist even if he or the band has no name. Discussions should be about the facts not the persons who are posing the questions.

    Some facts

    * Since the vulnerability that was published last year, a patch was published 6 months later, but it shows some conceptual errors that can pose problems for the security of your data on that card. Meanwhile a browser version of the EID middleware has been published - even though the banks are going from browser-based authentication to application/card reader based double authentication. Security researchers and hackers can download the code and test or adapt it at will. There is no certification of your code and of how secure your implementation is.....

    * We published last year that taxonweb (the online tax service that has been used by over a million people) can easily be phished. Forgive us if we are wrong, but we don't see much difference since then.

    * There are no public norms or standards; there is a private book with some best practices from some years ago, but if you are looking for how to implement this securely and how to have it certified as safe, you are looking in the wrong place.

    * There is no security certification of the readers that could be used. Some of those failed some security tests that were done last year by some amateurs. I am holding my breath for when real security research is done against them.

    * And so I can go on and on.... and on and on...

    And yesterday I was between astonishment and anger when I saw on television that they want to use it for .... safe shopping. This card can't be used for safe shopping. In fact this card can't be used for anything web-based if you want to implement normal security standards for banking, shopping or real authentication.

    The card IS safe at the present time if you use it within a secured network or on internally secured machines (like machines to print administrative forms). This changes totally if you use it on the web for anything more than stupid things (except if you use VPN links or highly secured specified connections).

    My astonishment with using this card for shopping is that now the card becomes really interesting for ID theft. As long as it was only an administrative authentication for administrative procedures, intercepting the information was only useful for espionage and blackmail and for getting more information to bypass anti social engineering questions (for example where do you live etc...). Once you can use it for financial transactions and payments, the card itself and the digital information on that card become more than interesting. And even more so as its security is like that of the bank and credit cards (and even those are broken or intercepted on an unprecedented scale).

    It is even more astonishing as our greatest fear in the beginning of last year was that hackers or digital mobsters would build crime databases in which they would regroup the stolen financial information, the email passwords, the passwords for ebay or online shopping portals and so on. Separately this information is only worth pennies, but if you could reorganize it by person and profile it, it is worth much more. Some first examples of such databases (although primitive) were found online last year. It shows that ecrime is beginning to look more and more like a normal IT process (done by professional IT people) and is handled like normal commercial data sale processes.

    For those databases EID information has now become worth much more.

    Before you attack the wild wild west with a new secure solution you should be sure that your castle is secure. Otherwise you will be out on the wild wild west with no secure castle to return to because it has been broken into and taken over.