Traffic cameras, legal rules, and accusers

A few days ago, I watched Gone Girl on TV, a story about mounting evidence against an innocent person. And then, I looked at an article about challenging a traffic camera citation (in the US). The link between the two stories is evidence, of course.

Traffic camera evidence incriminates a car, not a driver. The paper, written by a law professor, is interesting because it shows that the current processes around such evidence are not well covered by law (at least by U.S. law). When reading this paper, it becomes obvious that a “normal” citizen (i.e., not a law professor) would have great difficulties challenging the traffic camera evidence.

Of course, this becomes scary when we add to the mix the gazillions devices that are currently spying or reporting on us. Google Maps tells us that Bob’s phone was around here at 10:33, Bob’s alarm system tells us that his phone or his badge was used to turn off the alarm at 10:36 exactly, Bob’s security camera recorded something at 10:39 exactly, Bob’s fitness sensor tells us he ran between 10:43 and 10:47. I am not sure that police would be able to get all this data, but I am quite certain that they will be able to get some in the very near future.

And I am also quite certain that most of these devices are hackable, clonable, or that cybercriminals could misuse them to plant digital evidence against many people (especially someone sleeping alone at home). Not sure that this will get anywhere, because there are ways to make a lot of money misusing connected stuff without doing anything that sophisticated.

Yet, the Gone Girl story reminds us that some people are highly motivated to do such things, and most likely ready to pay good money for it. I am really wondering how the legal system will deal with the flow of cyberevidence and other IoT data, and how they will combine it with the possibility that most systems collecting this data are fully automated (no real witnesses), and subject to many hacks. It will be interesting to follow how this evidence will be trusted in courts, compared to traditional forensic evidence like fingerprints, DNA, and other things who can also be planted.

We are moving into a post-truth world, not only in politics, and this lack of certitude will deeply impact our society.


The lowest hanging card

The latest news on six second card hacking is very entertaining, and frankly, not reassuring. This thing is just as simple that it is stupid. The CVV2/CVC2 is a secret number computed by banks using a secret key, so they are validated by the issuing bank. Apparently, most (all?) of them have chosen not to […]


Resilience for Connected Objects

Attacks occur, especially on IoT. While it is very hard to avoid an attack altogether, we can minimize its consequences. The first factor to consider is the impact of an attack; there are many ways to analyze such impact, for instance from a financial or technical point of view. In a very simple analysis, we […]


IoT Security as Externality: Cluelessness, Denial, and more

Not my problem. That’s the 3-word definition of an externality: something that you don’t need to deal with, because the adverse consequences are not affecting you directly. This has been an issue for cybersecurity forever (Schneier, 2007), and it is widely known that the issue is particularly pressing with IoT (Schneier again, 2016). I have […]


Logical Attacks in the Java Card security landscape

Logical attacks on Java Card have been known for a long time, and they have also been a focus of a lot of academic research, which still continues today. Earlier this week at Cardis 2016, there have been two presentations on logical attacks. I will not discuss the details of the attacks that are being […]


SMS-based 2-factor: Good or Bad?

Wired published recently an article about how SMS-based 2-factor authentication is not good. This article is making a buzz, and an article appeared on that topic in Fortune. The basis for these articles is that SMS-based authentication is not associated to something you have (your phone), but with something you are loosely associated to (your […]


Java Card software attacks

There have been two papers at SSTIC’16 that outline the limits of bytecode verification in the context of Java Card. One of the papers, by Guillaume Bouffard and Julien Lancia, describes a bug found in Oracle’s bytecode verifier through fuzzing (yes, it’s been fixed). The second one, by Jean Dubreuil, outlines several logical and combined […]


Beyond Java Card

When Java Card was created, the market for smart cards was quite simple: chip vendors would design specific chips, chip vendors would develop an operating system for the chips and produce cards embedding the chip. Since then, this market has become much more complicated. For traditional payment and ID, changes are minimal, as card vendors […]


Java Card LinkedIn stats

I was looking for updated statistics on Java Card, so I turned to LinkedIn to look at the Java Card skill. The information available is declining a bit (for instance, there is no trend or relationship to age any more, or at least I couldn’t find it). Yet, it reveals interesting information. Over 3000 people […]


Inside Java Card: From APDUs to CAP File and Interoperability

As promised in the previous post, here are a few Java Card stories. Over the almost 20 years of Java Card history, many design decisions have been taken on the product: some successful, some less successful. Here are a few stories of these discussions/decisions. API vs. APDU Before Java Card, a smart card specification consisted […]