Archive for August, 2007

But Who’s Telling Them What To Do–And How Are They Communicating?

The website of Popular Mechanics has cool robots to look at. Look here, here, here and here. And here.

Robots are cool, no question about it. And we’re going to be using more of them, especially in the military (which means they will end up in law enforcement a few years later…) and in healthcare (Clean robot, clean. Now clean some more.)

What are we going to do when robots first get stolen and pumped dry of their information? Think blueprints, rules of engagement, patient records… And what are we going to do when robots first get hijacked and hacked, and they start doing (first) funny things we didn’t want them to do and (later) malicious, criminal or terrorist acts…

Don’t get me wrong–I want robots–lots of them. I want robots to do everything it is possible for a robot to do. Human beings are too important to waste on robotic work.

But I don’t see any evidence of information assurance being built into these things. Do you?

NGN wiki page

Posted by wendyg in Uncategorized at August 11th, 2007

Finally posted this. Would appreciate review of the maturity/impact assessment numbers, also I suspect we can do better on quotes and experts.

Meantime, Tom and I began a discussion by email we thought would be better opened up to those assembled here: what will the impact of NGNs be on the Internet?

Tom wrote that he thinks NGNs will either kill or cure the Internet: either it will force the network to grow up and become more mature and reliable (more disciplined) or it will I guess slice stuff up and destroy it. (To me, the first of those options is also a kind of destruction, as having the phone companies control the Internet would turn it into a controlled network like the old telephone networks and unlike the Internet we’ve known so far).

If Tom gives permission, I’ll copy and paste his email in here; there were more thoughts.

I think I’ve been living in the hope that the telephone companies wouldn’t gain total control; I do wonder, though, about the reliability of these NGNs. I remember Matt Blaze saying at a CFP years ago that no computer anywhere was ever engineered to the standard of the old telephone networks. Will we be able to make up for that with massive redundancy?

wg

When Rights Conflict

Posted by Tom Fuller in AnonymitY, Blindside project, Humanity nature and activity, psychology at August 8th, 2007

Welcome to those few of you who are not adorning a beach somewhere, and I offer my commiseration. Let’s try to entertain you by persuading you to resolve a dilemma involving rights to information and privacy. My challenge to you is, not only do you have to decide who has the right, but to devise more real world scenarios that bring these new issues and old rights together in conflict. Attend:

You are an individual of mixed race, both races minority (for convenience think Asian and African). You can pass as full-blooded in either race and often do. You have a child or children from a previous relationship. And you are ill.

As part of your treatment you need genetic analysis of predisposition towards several disease pathways. You are frightened that exposure of the results will a) reveal your mixed race heritage and b) prejudice your employability, insurability and sociability. So you agree with your consultant to test under an alias. And your treatment proceeds and you get on with your life.

Unbeknownst to you (does Beyonce have an evil twin called UnBeyonce?), your consultant also treats your child/children from a previous relationship, and recognizes that your genetic results are relevant to them. Your consultant knows that you would refuse to release your information, but their continued good health is dependent on having this information available. Just for the sake of preserving the moral dilemma, getting the genetic information from the children is not adequate, sufficient or practical (they live now in a foreign country, or something like that).

1. Is your right to control of information regarding your genetic history absolute?
2. Does your consultant have ethical responsibilities to act despite your desire for secrecy?
3. If sperm donors are required to disclose identity to their children, is a precedent established for requiring you to yield your genetic information?
4. Who should make the final decision?

Extra points for better dilemmas in the comments.

Facial Recognition in Germany

Posted by Tom Fuller in Blindside project, e-ID, people and passwords at August 6th, 2007

Via Bruce Schneier, this story about a test of facial recognition systems in Germany.

“Face Recognition Test Results
For a few months, German police tested a face recognition system. Two hundred frequent travellers volunteered to have their faces recorded and three different systems tried to recognize the faces in the crowds of a train station. Results (in German): 60% recognition at best, 30% on average (depending on light and other factors).”

Perhaps this comment summarizes it best:

“Yawn. Automatic face recognition again. It just doesn’t work except in highly controlled conditions, and as this test shows, not well enough even then: with a self-selecting group of people who wanted to be recognised (or didn’t mind if they were recognised) it could only manage 60% at best.
The face isn’t even a reliable way to identify people, as personal experience shows. On the one hand, people look like each other; on the other hand, people’s appearances change, deliberately or fortuitously, enough to confuse a computer program.
Face recognition is one of the things humans can do better than computers, and even we aren’t 100%.”

Computers cannot judge the Turing Test

Posted by wendyg in People and IT, fraud at August 4th, 2007

I’m in a session on Google click fraud, and the ultimate problem, Broward Horne is saying, is that TCP/IP and the Web were never designed to uniquely identify individual people or enforce identity - but that is what Google’s business is based on (when it charges and pays based on clicks on advertising links). So far, this fundamental mismatch has not hurt Google’s business or its stock price, but eventually…

…a link that turned up to a Wired article by Bruce Schneier points out that this problem is endemic online and turns up all over the place, hence so many systems (captchas, etc.) to ensure that a real human is at the keyboard. We can fool computers better than they can fool us.

wg

More on satellites…

Posted by wendyg in Uncategorized at August 4th, 2007

And then there’s just plain getting the underlying database wrong.

(I note that my own street was placed wrong - and differently wrong - in several older A-Zs, and taxi drivers even now sometimes still go to the wrong place. Contrary to popular belief, I do not live *in* Syon Park.)

wg

Hacking satellite navigation…

Posted by wendyg in cracking stuff, threats at August 2nd, 2007

Tom raised the possibility of satellite failures a couple of days ago; turns out that as usual the worries were too modest. This Black Hat session features Andrea Barisani and Daniele Bianco explaining their project to hack satellite navigation systems via RDS-TMC to make them give the “victim” false information using off-the-shelf components and cheap electronics. Their presentation is beyond my technical ability to follow - a lot of detailed explanations and coding - but the point is clear enough: drivers trust the information they get from their in-car satellite navigation systems including the real-time traffic information RDS sends. Capture an hour of traffic messages, plot on Google Maps…(“Getting laid drives our research,” they say. “Your experience may differ.”)…sniff the RDS packets. Using a commercially available RDS encoder…FM transmitter…TX antenna (which got them a TSA tag for inspection on their way into the US)…AFAICT you find a channel that provides RDS-TMC and obscure it, then fake a broadcast (either use an existing channel or find an unused frequency and use that). It’s pretty involved and complicated, but you know the way these things go: it’s hard today and involves a lot of custom stuff, but the next generation just needs to download a software pack and buy a few pieces of electronics.

The overall message from Black Hat is pretty clear: over and over again people build things with little thought to security (in the case of satnav, it probably never occurred to them anyone could hijack it DESPITE Captain Midnight and HBO way back in 1980)…yet we go right on basing massive corporate/government/commerce systems on top of these things. The Web being the most notorious example, of course.

In this case, they can create accidents, weather, traffic jams…

wg

Black Hat: users…

Posted by wendyg in Uncategorized at August 1st, 2007

I’ll be writing a daily blog from Black Hat and Defcon for the next five days for the Register (Dan Goodin is also writing security news pieces, so I’m not sure what else there’ll be.) This morning I talked to a guy from the Firefox security team. He made the (I thought interesting) point that what concerns the team most (ensuring that updates don’t break anything, so that users don’t turn them off) is not the biggest problem users have, which he says is typically old copies of Java lying around on their machines that they don’t know where they got them. JREs are often installed by software or OEMs; often you have no idea how old they are. Users don’t think to clean them out and you don’t update what you don’t know is there. And they pose significant security risks.

wg

Vulnerability of Satellite Communications

Posted by Tom Fuller in Blindside project, Cyberwar, security services, threats at August 1st, 2007

Hi, all. Good to be back. One of the things I was thinking about on the train back from lovely Winchester was the vulnerability of satellite communications. How many government services are (or soon will be) dependent on satellites? Anybody have a list?

Satellites are quite vulnerable. Two GPS satellites failed (in 1995 and 1997), launches have been known to go quite wrong, they are susceptible to jamming (both intentional and un) and as China demonstrated earlier this year, a missile explosion in a satellite’s orbital path is easy to do, if you have a few extra missiles lying about (and who doesn’t, these days?).

Quick question: How many vulnerable services could be backed up? HMG let a £15m contract for Loran back-up for navigation… How far off is equivalent functionality from mobile telephony services?

Anybody else thinking about this kind of stuff, or is it just the train ride that produces this effect?