Who Are You? Mobile ID Devices Find Out Using NIST Guidelines

Devices that gather, process and transmit an individual’s biometric data—fingerprints, facial and iris images—for identification are proliferating. Previous work on standards for these biometric devices has focused primarily on getting different stationary and desktop systems with hardwired processing pathways to work together in an interoperable manner. But a new generation of small, portable and versatile biometric devices are raising new issues for interoperability.

“The proliferation of smaller devices including advanced personal digital assistants (PDAs), ultra-portable personal computers and high-speed cellular networks has made portable biometric systems a reality,” computer scientist Shahram Orandi says. “While the portable systems have made leaps and bounds in terms of capability, there are still intrinsic limitations that must be factored into the big picture to ensure interoperability with the larger, more established environments such as desktop or large server-based systems.”

The new mobile biometric devices allow first responders, police, the military and criminal justice organizations to collect biometric data with a handheld device on a street corner or in a remote area and then wirelessly send it to be compared to other samples on watch lists and databases in near real-time. Identities can be determined quickly without having to take a subject to a central facility to collect his or her biometrics, which is not always possible.

Soldiers are beginning to use these devices to control access to secured areas, and first responders can use them to ensure that only approved workers are on-site during an incident or investigation.

Special Publication 500-280: Mobile ID Device Best Practice Recommendation Version 1 offers guidelines to help ensure that, if followed, mobile and stationary systems will work together. It was developed by NIST researchers working with first responders, criminal justice agencies, the military, industry and academia.

For example, most current law enforcement applications require capturing all 10 fingerprints from an individual. Desktop fingerprint scanners provide a large scanning area—a platen—that can capture all 10 fingers in a fast, three-step process. Most portable devices, however, have platens that are a fraction of the size of a desktop scanner. The Mobile ID best practices publication provides guidelines that allow for the capture of all 10 fingerprints on a scanner with a smaller platen using a two-fingers-at-a-time approach.

Hacking GSM

Security expert Karsten Nohl plans to hack the GSM encryption standard using distrubuted computing strategies. With this project he wants to force operators to fix a security issue that exists for 15 years now.

Cnet reports that the project to hack the GSM A5/1 encryption standard shall be realized as open source distributed computing project. The project has been announced at the Hacking at Random 2009 conference, which took place in the Netherlands in August.

A software shall be able to calculate the secret keys. Nohl plans to afterwards release the codebook, which will make it possible to decrypt short messages as well as phone calls and other data. 80 state-of-the-art computers would require about three months for a brute force attack but 160 super computers could do the job within one month to calculate the  Rainbow Tables. Nohl’s software therefore uses state-of-the-art techniques that allow to use the CPU as well as the GPU  to calculate the keys.

According to Nohl new security issues won’t be created. It would be all about making a security issue public that now exists for 15 years. This security issue should be used actively, therefore commercial tools exist, says Nohl.

Nohl recommends operators to change the entire encryption scheme or to switch entirely to UMTS that uses a better encryption standard. As long as the operators have not fixed this problem, customers should use a proper encryption software. Nohl mentions that organizations like Amnesty International and Greenpeace already would already make use of third party security software. Since security is a bi-directional functionality, this only works if both clients involved in a communication process share the same software and keys.

Diablo 3: 4th Class Revealed on BlizzCon 2009

Because of a screenshot provided by a Korean website rumours were afloat about another character class in Diablo 3. On BlizzCon 2009 Chris Metzen and Mike Morhaime confirmed what many of you may have thought before: The Monk will be the fourth character class playable in Diablo 3. It is not surprising since the Witch Doctor, the Barbarian and the Mage just lead to this conclusion. Following details have been published for the Combat Monk so far:

• The monk uses staffs as main weapons
• He has a holy shield to reflect magic attacks
• He is a skilled martial arts monk
• He has attacks that involve whole areas
• In the trailer he is shown in a dessert
• He has got a shield
• Speed is a main criterium for the monk
• A spell allows the monk to jump from enemy to enemy in a fight
• The monk is part of a theocratic society

• According to Blizzard the monk shall rely on some kind of dirty oriental influences.
• A special skill forces enemies to bleed. When the enemy dies because of this spell, it explodes in a fountain of blood.

Future Vision Featuring Deus Ex 3 and Virtual Reality

VirtuaSphere should be a power up for all Wii Fit users with long pockets. VirtuSphere, a rotating, 200 kilograms heavy and 3 meters high sphere that has been developed by a Russion team, opens users with a little help of loads of sensors a new way of virtual reality. Whether you are jumping or crouching the system recognizes every single movement and reflects them on a display in front of your head. How VirtuSphere works is demonstrated by the following movie.

Does anybody remember the first artwork of Deus Ex 3? This artwork shows the facility where the hero of the game (Adam Jensen) works. Designer Scott Butler reconstructed the area shown on the concept art and produced a 3D picture of the room. Besides the clone Scott did a second scene showing the room from a different point of view. However, Scott is neither involved in the developing process for Deus Ex 3 nor is he a member of Eidos Montreal.

VirtuaSphere

First Deus Ex 3 Concept Art

Rendered 3D Scenary

Facility – Different Point of View

Toward Making Smart Phone Touch-screens More Glare And Smudge Resistant

Scientists have discovered the secret to easing one of the great frustrations of the millions who use smart phones, portable media players and other devices with touch- screens: Reducing their tendency to smudge and cutting glare from sunlight.

In a report at the 238th National Meeting of the American Chemical Society, they describe development of a test for performance of such smudge- and reflection-resistant coatings and its use to determine how to improve that performance.

Steven R. Carlo, Ph.D., and colleagues note in the new study that consumer electronics companies value the appearance of their flagship devices just as much as their functionality. As a result, smudge, scratch and reflective resistant coatings have become standard on high-end touch-screen cell phones and MP3 players. These coatings are effective. However, their structure and mechanisms are poorly understood, so Carlo and colleagues developed a test to determine the chemical composition and effectiveness of smudge and reflective resistant materials. The test could also lead to a better understanding of the chemistry of these coatings and allow improved formulations and performance, Carlo says.

“Surfaces are particularly important in consumer products. This work investigates how products can be modified to reduce smudging and reflections. These modifications can offer improved resistance to fingerprints, anti-reflection properties or enhanced physical resistance,” Carlo explains.

The basis of anti-smudge coatings is a compound called perfluoro alkyl ether, a derivative of Teflon with added ether groups to enhance its repellent effects. Anti-reflective materials use alternating layers of material, including silica and aluminum layers, to bend and diffuse light to reduce glare.

Since traditional chemical techniques could not be used on these super-thin coatings, Carlo and his team used depth profile X-ray photoelectron spectroscopy (XPS). That’s a tool for comparing the chemistry of these coatings to predict their performance. The data allowed them to compare chain length, degree of branching and the hydrocarbon and fluoroether content of various samples. The fluoroether content has a key effect in enhancing efficacy. Anti-reflective coatings need alternating layers, which have differences in their refractive index (RI), a measure of how fast light travels through a material. Fluorocarbons in general have low RI and they offer anti-smudge properties. XPS allowed the scientists to visualize the multi-layer structure and the chemical species present in each layer. In general, the greater the number of layers there are in a coating, the greater the anti-reflective properties. Carlo and his team also discovered that more silica and aluminum layers led to better glare reduction.

Graphic Card for 1k €

The Asus Mars GTX 295, which is limited to 1000 copies, is now available for 1000€ at the cheapest provider. The price is insane but so is the performance: The Asus Mars GTX, available for 1000€, broke acording to pcgameshardware.de loads of benchmark world records. On the site, a user presents an exemplar and provides the first pictures of a Mars GTX 295 Retail Version.

ASUS Mars GTX 295 retail

Super Mario Bros: Artificial Intelligence takes over control

Computer are superior humans. Therefore, they should also control your video games – no more game over. No time or ambition to play a computer game on your own? It seems that the British student  Robin Baumgarten is confronted with this problem. Therefore, he developed an Artificial Intelligence based on the so called A* (pronounced “A star”) algorithm that controls Super Mario in his world. In computer science, A* is a best-first graph search algorithm that finds the least-cost path from a given initial node to one goal node (out of one or more possible goals). It uses a distance-plus-cost heuristic function (usually denoted f(x)) to determine the order in which the search visits nodes in the tree. The distance-plus-cost heuristic is a sum of two functions: the path-cost function (usually denoted g(x), which may or may not be a heuristic) and an admissible “heuristic estimate” of the distance to the goal (usually denoted h(x)). The path-cost function g(x) is the cost from the starting node to the current node. The h(x) part of the f(x) function must be an admissible heuristic; that is, it must not overestimate the distance to the goal. Thus for an application like routing, h(x) might represent the straight-line distance to the goal, since that is physically the smallest possible distance between any two points (or nodes for that matter).

As a suitable reason or excuse for the development of this algorithm served the Mario AI Competition 2009. All competitives have to create source code that leads the super plumber through the universe of Infinite Mario Bros, which is a modified JAVA version of Super Mario Bros. To prove that Robin’s algorithm works he provided a video on youtube that shows the result.

HTC Leo: Windows Mobile Smartphone exceeds GHz border

HTC are planning to launch at least one  Qualcomm Snapdragon-based mobile device in Q2 2009, according to market sources in Taiwan.  The devices are expected hit the market one quarter later than Toshiba’s own Snapdragon-based handset, the TG01, which was announced earlier this week.

As can often be the case with Digitimes reports, there’s a little confusion with the dates.  At the Toshiba TG01 launch earlier this week, we were told that the smartphone would launch sometime during the Summer; the way we’re interpreting the Digitimes article, although HTC will announce their own Snapdragon devices in Q2 they won’t actually go on sale until after the TG01 does, in either Q3 or Q4 2009.

There’s no word on exact specifications for the upcoming HTC devices, but comparing what we know about Snapdragon and looking back at the January leak of HTC’s 2009 line-up, the two most obvious candidates are the Whitestone and the Thoth.  Each is a slate-style tablet, with the Thoth (that’s believed to be the Athena 2) having a clip-on QWERTY keyboard.

Windows 7 RTM is available

Since Monday, the English Version of Windows 7 RTM is available for MSDN customers on the Microsoft Developer Network and for users of the MSDN Academic Alliance(http://msdn.microsoft.com/de-de/default.aspx). The German version will be available by August, 14th.

Microsoft Rushes to Fix IE Kill-bit Bypass Attack

Microsoft has been forced to issue emergency patches for its Windows operating system after researchers discovered a way to bypass a critical security mechanism in the Internet Explorer browser.

During a video demonstration posted by Smith shows how the researchers were able to bypass the mechanism, which checks for ActiveX controls that are not allowed to run on Windows. They were able to then exploit a buggy ActiveX control in order to run an unauthorized program on a victim’s computer.

Although the researchers have not revealed the technical details behind their work, this bug could be a big deal, giving hackers a way of exploiting ActiveX problems that were previously thought to have been mitigated via kill-bits.

“It’s huge because then you can execute controls on the box that weren’t intended to be executed,” said Eric Schultze, chief technology officer with Shavlik Technologies. “So by visiting an evil Web site [criminals] can do anything they want even though I’ve applied the patch. “

Microsoft commonly issues these kill-bit instructions as a quick way of securing Internet Explorer from attacks that exploit buggy ActiveX software. The Windows Registry assigns ActiveX controls unique numbers, called GUIDs (globally unique identifiers). The kill-bit mechanism blacklists certain GUIDs in the Windows registry so that the components cannot be run.

According to sources familiar with the matter, Microsoft is taking the unusual step of releasing an emergency patch for the bug on Tuesday. Microsoft typically only releases these “out-of-cycle” patches when hackers are exploiting the flaw in real-world attacks. But in this case the details of the flaw are still secret and Microsoft said that the attack is not being used in attacks.

“This must have really scared Microsoft,” said Schultze said, speculating on why Microsoft might have issued the out-of-cycle patches.

It may also reflect an awkward public relations problem for Microsoft, which has been working more closely with security researchers in recent years. If Microsoft had asked the researchers to hold off on their talk until the company’s next set of regularly scheduled patches — due August 11 — the company might have faced backlash for having suppressed the Black Hat research.

Microsoft itself has provided few details on the emergency patches, which are set to be released on Tuesday at 10:00 a.m. West coast time.

Late last Friday, the company said it planned to release a critical fix for Internet Explorer as well as a related Visual Studio patch rated “moderate.”

However, the problem that lets the researchers bypass the kill-bit mechanism may lie in a widely used Windows component called the Active Template Library (ATL). According to security researcher Halvar Flake, this flaw is also to blame for an ActiveX bug that Microsoft identified earlier this month. Microsoft issued a kill-bit patch for the problem on July 14, but after looking into the bug, Flake determined that the patch didn’t fix the underlying vulnerability.

One of the researchers presenting at Black Hat, Ryan Smith, reported this flaw to Microsoft more than a year ago and this flaw will be discussed during the Black Hat talk, sources confirmed Monday.

A Microsoft spokesman declined to say how many ActiveX controls are secured via the kill-bit mechanism explaining that the company “doesn’t have additional information to share about this issue,” until the patches are released. But Schutze said that there are enough that the Tuesday patch should be applied as soon as possible. “If you don’t apply this, it’s like you’ve uninstalled 30 earlier patches,” he said.

Smith declined to comment for this story, saying he was not allowed to discuss the matter ahead of his Black Hat talk. The other two researchers involved in the presentation work for IBM. And while IBM declined to make them available for comment Monday, company spokeswoman Jennifer Knecht confirmed that the Wednesday Black Hat talk is related to Microsoft’s Tuesday patches.