David Souter, one of the judges who supported the absurd eminent domain decision of the Supreme Court, might now have to swallow his own medicine:
In the small town of Weare in New Hampshire, an investment firm wants to build a hotel at the address 34 Cilley Hill Road. However, there is still a house at this very address. Coincidentally, it belongs to federal judge David Souter. Yes, he is one of the judges who signed the ruling. The "Lost Liberty Hotel" would unfortunately not make sense anywhere else, as it is supposed to contain a museum about civil rights. And finally, the entire citizenry would benefit from the tax revenues and so on.
The ruling was about the fact that eminent domain is also legal when the motivation for the construction is not the greater good of society but pure profit - whoever has money then gets the right to the land, even if it is already inhabited. Let's hope that the building committee of the city has backbone and treats the judge according to his own ruling.
The Danish Government advocates for significant changes to the software patent directive:
The goals expressed by Denmark in [the additional remarks to the EU Council proposal], namely to exclude patents on pure software and business methods as well as to ensure interoperability, are now specified by the Dane in the letter.
However, this does not really seem reliable to me - Denmark has aligned itself with the Council line and has only left an additional remark. Whether they will actually stand by their demands or whether this is all just a show for their own parliament remains to be seen. But at least they are making a show of it - unlike our Minister of Justice, who openly opposes the Bundestag resolution.
Already a bit older, but an interesting report on the dismantling of a thriving company through turbo-capitalism and greed for money.
Interesting about this is not only how the company itself was massively damaged through pure financial exploitation, so that in the end there is actually no good situation left - the effects on the environment, such as the lower business tax revenues of the city, are also interesting. A movement that we can observe in many places at the moment - companies are sold for short-term profit and then go down the drain because the new owners have no interest in the company or the employees, but only in the return on their investment. At the same time, the respective region goes down the drain as well - because the investors also have no interest in the established structures. Locusts simply have no real home.
At the same time, a good example of the fact that this stupid talk about promoting investment in the economy is exactly that - stupid talk. Our problems will not become smaller because of this, the social system will not be saved. The opposite will be the case - because the investors who are getting involved are increasingly hedge funds or private equity funds or other financial investors who just want to make a quick euro - and they are rubbing their hands at the plans of the government and the opposition (if they are to form the next government).
Locusts simply have no interest in vocational training, employee training, minimum wages and domestic production. They also have no interest in our society or our social system.
Error in Internet Explorer with uncertain consequences:
According to Bernhard Müller from SEC Consult, Microsoft can also reproduce the crashes but does not see any risk that foreign code could be executed. Therefore, Microsoft intends to make the handling of COM objects more robust in the future, but will not release a security update.
This is about a crash of the hard kind - in direct machine code. Anyone with even a rudimentary understanding of such things knows that this is a potential gateway for malware - appropriately set data for the crash and you might have a direct path into the system. But Microsoft sees no danger ...
A bit older, but still interesting: Biometrics/BSI Lecture Program at CeBIT 2005. Particularly interesting are the statements about the authorization of the passport chip readers:
The ICAO standard suggests an optional passive authentication mechanism against unauthorized reading (Basic Access Control). Kügler estimated its effectiveness as only minor. However, Basic Access Control would be suitable for the facial image, as this involves only weakly sensitive data.
This is the part currently being discussed regarding the passport - the authentication of the reader by the passport via the data of the machine-readable zone. This method is not protected against copying the key - once it is determined, it can be used to identify a passport. Even from a greater distance.
The contactless chip in the passport according to ISO 14443 will (naturally) be machine-readable and digitally signed as well as contain the biometric data. As the reading distance, Kügler mentioned a few centimeters, but pointed out that with current technology, reading from several meters away is possible. To ensure copy protection, the RFID chip should actively authenticate itself using an individual key pair, which is also signed.
Important here: the copy protection is handled by an active two-way authentication. A passport could therefore only be read with a stored key if it is actively involved. The keys then transmitted are so to speak bound to the respective communication - because both the passport and the reader would have their own key pair. This makes attacks via sniffing of the authentication significantly more complicated, as two key pairs must be cracked to do something with the data. Unfortunately, however, only the basic procedure is currently planned, i.e., only the keys per reader. And it gets worse:
Kügler rated the fingerprint as a highly sensitive feature. Therefore, access protection must be ensured by an active authentication mechanism (Extended Access Control). This was not defined in the ICAO standard and is therefore only usable for national purposes or on a bilateral basis.
Otto Orwell dreams of storing fingerprints - the procedure for how these must be secured is not yet defined and standardized. Such storage would therefore not be usable across the board. It is also important to ensure that only authorized devices are allowed to read. To this end, all readers would receive a key pair, which must be signed by a central authority. Anyone who has ever dealt with a certification authority knows that there must inevitably be a revocation list - a way to withdraw certificates. This is especially important for passport readers if, for example, they are stolen (don't laugh, devices also disappear at border facilities - hey, entire X-ray gates have been stolen from airports). Unfortunately, the experts see it differently:
In the subsequent short discussion, the question was asked whether a mechanism is provided to revoke the keys of the readers. Kügler indicated that this is not the case so far. However, it is currently under discussion to limit the validity of the keys temporally, but this has not yet been decided.
Hello? So there is no way to revoke a device's key. And there is - currently - no expiration of a key. If someone gains access to a reader, they have the key of the device and its technology at their disposal to read every passport in the vicinity. Without the possibility of getting rid of a device used improperly. This is like a computer system where there is no way to change the password and no way to delete a user - even in case of proven misconduct.
And once again, the extended check (and this key technology plus certificate in the reader is probably only intended for this) is only a proposal (which may not even be implemented due to the lack of interest of the Americans in the whole thing):
Kügler then described the BSI's proposal regarding Extended Access Control. According to this, an asymmetric key pair with a corresponding, verifiable certificate is generated for each reader (authorization only per reader). Therefore, the chip must be able to provide computing power for Extended Access Control. [...] Within the EU, access protection by Extended Access Control is currently only to be seen as a proposal, said Kügler. Another (unnamed) BSI colleague agreed with him and added that the Americans do not demand a fingerprint as a biometric feature on the chip at all, but rather the digital facial image would suffice for them. Only within America is a digital recording of the fingerprint planned. For this reason, the technical implementation of Extended Access Control is not urgent.
Only in this proposal is it provided that the devices receive unique key pairs and certificates based on them. Why is all this so critical now? Well, the discussion constantly focuses only on the data and the reading of the data - but these are not even that critical. Because even the stored fingerprints are not the complete fingerprints for reconstruction, but only the relevant characteristics for re-identification (although the discussion is still ongoing as to whether these stored characteristics are really unique - especially in the global context we are talking about - or whether more data does not need to be stored than in a purely national approach).
But what is always possible when we talk about such passports: the authentication and identification of a person. A two-way authentication can alone as authentication already say who is near me. If, for example, I have stored a key of a passport for the simplified procedure, I can then determine at any time without contact whether this passport is nearby - of course only within the framework of the security of the cryptographic algorithms, but that would already be a fairly secure confirmation, because it would be a pretty failure of the whole procedure if two passports with the same key allow an authentication and this has hopefully been excluded by the developers.
I can therefore obtain the keys of persons - for the simplified procedure, the machine-readable line of the passport is sufficient for this - for example, simply through simple mechanical means such as burglary, pickpocketing, social engineering, etc. - and store them. I can then feed a reader with this that, for example, in a defined area simply checks several passport data that interest me when passing through a gate - for example, a revolving door with a predefined speed is very practical for this. Only the passport with the corresponding data in the machine-readable zone will release its data for this, or provide confirmation of the authentication.
I could therefore, for example, determine when a person enters and leaves a building - without the knowledge of that person and fully automatically. With an authentication time of 5 seconds, you can already check several keys while someone walks through the revolving door.
Of course, this is still not the identification of the person - but only of the passport. But especially when the person being monitored does not know about the monitoring, the passport is worn by the person. There is no reason not to have the passport with you. And abroad, it is often a bad idea not to have your passport with you - so it is compulsorily near the person in these cases.
Well, but according to Otto Orwell, all this is just scaremongering and anyway not true and completely wrong. Unfortunately, it is based on statements by employees of the BSI - who are basically his people.
For example, with companies that rant against ALT attributes on IMG tags and then incorrectly refer to them as ALT tags. Well, incompetence is their concept:
Just exactly what text can a person read or see in a 1 x 1 pixel gif? Zippo. Thus, the text or line reader, JAWS, cynthia, etc, should be smart enough to see that the image size of Height="1" and Width="1" and automatically know it's a spacer and then make a if-then condition to NOT PRONOUNCE alt tag in the spacer.gif.
I have edited quite a few table layouts myself - among other things because they were simply there - and I can't remember when the spacers were actually output in 1x1 pixels. Of course, the image itself was only 1x1 pixels in size, but the width and height attributes on the IMG tags were naturally according to the size that was to be spanned. In addition, there were a lot of other layout elements in the source that were candidates for ALT="" - for good reason, layout graphics should be correctly bypassed by screen readers. But according to their idea, the screen reader should first load the graphic element, which is completely useless for it, and look at how big it is. Just because the trolls are too lazy to write ALT="" on IMG tags.
Oh, and they also demand more intelligence from screen readers:
HERE IS SIMPLE SOLUTION so EVERYONE WILL NOT HAVE TO RE-WRITE THEIR PAGES just for you.
READ THE BIG TEXT FIRST, either font tags with say 3 to 7, or CSS styles with the biggest fonts sizes.
Next, read the 2nd largest fonts second, and so on. This is JUST LIKE WHAT HUMAN WOULD DO ANYWAY.....So, look for Font tags with a setting 7 or 6 or 5 or 4 and down and in that order and then start reading it. Same with CSS, PIXELS sizes of say 24px should be read FIRST, NOT LAST!! How hard can this be? This what the browsers do anyway, so why can't you do it?
Exactly. The screen readers should just figure out what they need from the tag soup (including analyzing font tags and such junk), instead of the designer thinking about what he produces and providing a somewhat logical structure for text-only browsers. Hey, what are the h-tags and their friends for since HTML 1? Oh well, it's probably all just imagination ...
But you can find even more gems there, such as the discussion about CSS vs. Table Layouts, where CSS is of course made to look really bad. Because they just don't understand what CSS is all about and why you separate HTML and CSS and what's the good idea about it. Because they probably haven't had a single good idea in their entire sad designer life and therefore wouldn't even recognize a good idea if it hit them on the head with a big stick.
Oh yes, a word of warning to more current designers at the end: don't look at their source code, because it will give you hair loss, curled toenails, and rotten teeth.
