Comments

Clive Robinson May 1, 2024 8:28 AM

@ Bruce, ALL,

In a world that is moving rapidly to a “man in the middle” paradigm where “Face to Face” (F2F) no longer happens, there are

Two important points,

1, How do we prove we are who we say we are?
2, How do you verify someone is who they say they are?

As far as I’m aware there is no easy or even realistically workable solution to this.

In the past the likes of the head of MI5 Stella Rimington pointed out it was actually not possible. And many “National ID Card” systems have failed because those involved did not take it onboard.

But more than a quarter of a century ago I fell foul of a couple of simple things,

“Authenticating the channel is not authenticating the transaction”.

“Anything an individual can do another individual or system can impersonate.”

Reading Ross Anderson’s comments on the difference in “trust” should be mandatory reading.

Winter May 1, 2024 9:13 AM

Plus ça change, plus c’est la même chose

A similar ruse was described in the Count of Monte Cristo, but then using a telegraph.

I am not the first to mention this on this blog. Six years ago this also came up:
https://www.schneier.com/blog/archives/2018/05/1834_the_first_.html/#comment-321505

Direct link into the story:
https://www.gutenberg.org/files/1184/1184-h/1184-h.htm#linkC2HCH0061

Winter May 1, 2024 10:32 AM

@Clive

Re : Plus ça change, plus c’est la même chose

Great minds think alike?

Or, maybe, everyone uses that phrase because it is true.

JonKnowsNothing May 1, 2024 10:46 AM

@Clive, All

re: Modern phone etiquette

In old movies which depict the new telephones being used, the butler answers the phone

  • (dialog) The XYZ Residence.

Later businesses with human operators answered

  • XYZ Company. How may I direct your call?

Now, there are no more humans in the call routing software and you can punch at any variety of numbers or shout a variety of “trigger” words to try to get to a human. How much of this gets recorded as part of their “All calls are recorded…” statement would certainly yield new levels of “profanity laden curses”.

At home we used to answer

  • You have reached XYZ PhoneNumber

Which later turned into a simpler

  • Hello?

Many people no longer identify their phone number as Caller ID does it for them. Many people do not identify the name(s) of the answering destination since it’s available from reverse phone number look up. Many people have learned not to say “Hello?” because they do not know who is on the other end, even if Caller Id shows a name.

Now it’s best not to say anything at all. Even breathing near the phone might not be wise. Who ever is calling is Not Your Friend.

  • Friends send you Direct Messages and know your DID number

This is a bit of defensive self-preservation shielding.

Like when an Insurance Company calls you to discuss your health insurance claim and starts the conversation with

  • Hi, this is ABC from XYZ Health Company calling. How are you doing?

People auto-answer with

  • Fine.

Which returns the following

  • Oh, since you are “fine” we will close your application and case.

After that, you might not Have A Nice Day.

Social Engineering is used by Big Businesses, not just scammers. Well… it is a form of scam.

mark May 1, 2024 12:44 PM

Bruce, can you, or anyone here, explain to me why an Artificial Idiot service should be legal to fake voices?

JonKnowsNothing May 1, 2024 1:15 PM

@mark, All

re: legal to fake voices?

Are these voices fake? I don’t think so.

There is a class of comedians who specialized in voice mimicry. (1) They have great ability to make a voice “sound” like that of another famous person. Sometimes they included mannerisms or hand gestures that the famous person used.

These are “fake voices”: they sound OK to our hearing, but technically they are not the same.

AI and Recordings use actual snippets of real voices. They do not need much, Hello will do. They take the real voice and rearrange it so that it says something else. Like movie, music and voice editors can rearrange word order.

AI can do something more specific. It can take a sample of a word and reconstruct how the sound of the word is produced. The way the word is vocalized. (2) AI can then create any sentence or word order it wants.

  • It’s not fake, because it is your voice.
    • It is fake, because you did not say it.

===

1)

https://en.wikipedia.org/wiki/Impressionist_(entertainment)

  • An impressionist or a mimic is a performer whose act consists of imitating sounds, voices and mannerisms of celebrities and cartoon characters. The word usually refers to a professional comedian/entertainer who specializes in such performances and has developed a wide repertoire of impressions, including adding to them, often to keep pace with current events.
  • Impressionists are a major part of animation; many film and television cartoons (especially adaptations of franchises) used impressions of famous celebrities of the era. Voice actors are known for their celebrity impressions.

2)

In telephony the voice is divided in 256 samples.

vas pup May 1, 2024 3:59 PM

@JonKnowsNothing related to post: https://www.schneier.com/blog/archives/2024/05/ai-voice-scam.html/#comment-436089

Some thoughts:
https://cyberguy.com/news/can-a-i-help-someone-stage-a-fake-kidnapping-scam-against-your-family/

https://cyberguy.com/security/are-you-ready-for-ai-voice-cloning-on-your-phone/

https://cyberguy.com/security/beware-of-the-say-yes-phone-scam/

https://cyberguy.com/security/how-scammers-use-google-voice-verification-codes-to-steal-your-identity-and-money/

My nickel:
1. All those BS messages from the private or government regarding recording your call. You as caller should be granted by Law the same right, i.e. record this conversation for any including legal purpose for balance of power and rights.
Company or government should accept all liability of using your voice for cloning and any its future usage and your possible losses occurred.
2. Option ‘0’ to switch to the real person should be mandatory remains to avoid those jumping through the hoops.
3. Caller ID service and name service in particular in US is currently miserable.
All our alphabetic soup of LEAs do have almost instant access to this information but you, customer, paying fees for this service monthly does not. Access should be universal in real time. Like C-SPAN created by many cable providers, such comprehensive DB should be created by all phone service providers and maintained by kind of pool of them.
Government calls should (except with Court authorization) specify general name information ‘Federal Gov Call’, ‘State NY Gov Call’, ‘Lake Count Gov’, ‘City Gov of LA’, etc.
4.All caller id #/name spoofing applications should be banned: and punished as felony except when LEAs use it with Court Authorization.
5. Data Base of ALL Toll Free numbers should be maintained by FTC DB and available for search.

But as I have stated many times on this respected blog – until a top-ranking legislator, or a close relative of theirs, personally becomes a victim, they will not listen to the customer’s needs but to what lobbyists tell them. Bitter but true observation.

vas pup May 1, 2024 4:11 PM

How AI is testing the boundaries of human intelligence

https://www.bbc.com/future/article/20240501-how-ai-is-testing-the-boundaries-of-human-intelligence

https://www.bbc.com/reel/video/p0hv591s/ai-v-the-mind-who-has-the-edge-

“It can spot signs of cancer that doctors often miss, appear to wax lyrical about how it “feels”, decipher ancient texts that have flummoxed researchers, predict the weather and even help us unravel animal communication. In many respects, artificial intelligence (AI) has become so advanced it’s more interesting to examine the things it can’t do.

Despite AI’s world-bending abilities, machines still pale in comparison to the human mind on a host of tasks. Even algorithms built to replicate the function of the human brain – known as neural networks – are relatively unsophisticated compared to the inner workings of our minds.

“A grand mystery in the study of intelligence is what gives us such big advantages over AI systems,” says Xaq Pitkow, an associate professor at Carnegie Mellon University who studies the intersection of AI and neuroscience.

“The brain has a lot of deep neurological structures related to different functions and tasks, like memory, values, movement patterns, sensory perception and more.” These structures let our minds dip into different kinds of thinking to solve different kinds of problems. It’s what gives humanity the edge over the robots, for now.

The AI algorithms that dominate the market are essentially prediction machines. They crunch massive amounts of data and analyse patterns, which allows them to identify the most likely answer to a given question. On a fundamental level, much of human cognition centres around prediction, too, Pitkow says, but the mind is built for levels of reasoning, flexibility, creativity and abstract thinking that AI still hasn’t replicated.

Think about social problems, such as having to apologize to someone you have offended. Is AI ready to take the job of a talented musician? What about telling a joke, or coming up with a creative recipe? Chefs and comedians spend years honing their skills in these areas through practice, instinct and trial and error. How would a machine measure up, and why?

This series will aim to explore just where the limits of cutting-edge AI lie, and learn a little about how our own brains work along the way.

Look out for the first article coming on 15 May.”

bnw May 1, 2024 4:43 PM

“Scammers tricked a company into believing they were dealing with a BBC presenter. They faked her voice, and accepted money intended for her.”

Reads more like: “Company tricked a BBC presenter into believing they had been scammed.”

brave
new
world

JonKnowsNothing May 1, 2024 8:24 PM

@vas pup, All

re: All those BS messages from the private or government regarding recording your call

In USA, undisclosed recording of someone’s conversation without express agreement is a violation of Wire Tap Laws. You need a warrant for undisclosed recording.

There have been many exposés that became exposés themselves when it was revealed that the recording was made without permission. Mostly in the whistleblower category, where someone wanted to expose a questionable practice (illegal dumping) or where someone was concerned they themselves would be legally culpable for a questionable practice (conspiracy). They often use a small recorder or a smartphone hidden in a pocket.

Sometimes they still get into trouble even if they expose something much more significant.

(USA) Publicly recording someone is allowable unless otherwise stated it’s prohibited (museums, government offices, health care clinics).

echo May 1, 2024 10:27 PM

In USA, undisclosed recording of someone’s conversation without express agreement is a violation of Wire Tap Laws. You need a warrant for undisclosed recording.

I sometimes make covert recordings without consent which are never shared with anyone other than for legal purposes and are stored on access controlled encrypted media.

In the UK, recording by organisations requires consent. Private individuals do not need to obtain consent, whether overt or covert. However… if you retain the recording for anything other than evidence for presenting to the courts, they take a dim view of you releasing it, and if you did release it, other law might kick in if someone made a complaint, unless you had a good public interest defence; but if you did that in relation to legal action, a court would likely throw the case out if there was the slightest whiff of frivolity. Journalistic media has more latitude.

Who? May 2, 2024 4:13 AM

@ Clive Robinson

As far as I’m aware there is no easy or even realistically workable solution to this.

As far as I know, cryptography is our only friend in this scenario. Anything should be digitally signed to authenticate the sender. Obviously this opens another problem: these digital certificates should not be issued by a central (i.e. “government”) authority; they should be local certificates issued by our own organizations, teams or businesses, to preserve some degree of privacy.

We should provide simple ways to revoke these certificates too.

Winter May 2, 2024 6:29 AM

@Clive Robinson

As far as I’m aware there is no easy or even realistically workable solution to this.

@Who?

As far as I know, cryptography is our only friend on this scenario.

But then, how to check the original certificates? It boils down to the key distribution problem of verifying you did get your certified key from the right person.

If you go this route, you end at Descartes’ only certainty: Cogito ergo sum, which is utterly useless in this context.

In the end, everything can be falsified and you will have to trust some biometric identity, e.g., meeting in person and taking fingerprints/iris scans and comparing them to some earlier, trusted, set of biometrics.

But this is all overkill for common situations. In the original case of the BBC presenter, a simple phone call or email to the BBC to check the details would have worked.
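The two comments above, Who?’s “anything should be digitally signed” and Winter’s reply that it all comes back to whether you got the right key in the first place, can be shown in a few dozen lines. The following is an added example written for this thread, not code from any commenter or from the blog: a constructed organisation-local key directory in Go using the standard library’s Ed25519. Names, the `Directory` type, the pinned “presenter” key and the payment message are all assumptions made for the demonstration. It shows that a signature checked against a key supplied with the message always verifies (the impostor signed with their own key), that the same forged message fails against a key pinned out of band, and that a local revocation list lets the organisation withdraw a key without a central authority.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// Directory is a constructed stand-in for an organisation's own key registry:
// public keys are pinned after out-of-band verification (a call to a known
// number, a meeting in person) and can be revoked locally. No central CA.
type Directory struct {
	pinned  map[string]ed25519.PublicKey // name -> key learned out of band
	revoked map[string]bool              // hex(key) -> true once withdrawn
}

func NewDirectory() *Directory {
	return &Directory{pinned: map[string]ed25519.PublicKey{}, revoked: map[string]bool{}}
}

// Pin records the key for name. Everything downstream rests on this one step
// having been done against the right person (Winter's key distribution point).
func (d *Directory) Pin(name string, pub ed25519.PublicKey) { d.pinned[name] = pub }

// Revoke withdraws a key; later Verify calls against it fail.
func (d *Directory) Revoke(pub ed25519.PublicKey) { d.revoked[hex.EncodeToString(pub)] = true }

// Verify accepts msg as coming from name only if it verifies under the pinned,
// unrevoked key. Any key that arrives alongside the message is ignored.
func (d *Directory) Verify(name string, msg, sig []byte) error {
	pub, ok := d.pinned[name]
	if !ok {
		return errors.New("no pinned key for " + name)
	}
	if d.revoked[hex.EncodeToString(pub)] {
		return errors.New("key for " + name + " is revoked")
	}
	if !ed25519.Verify(pub, msg, sig) {
		return errors.New("signature does not verify under pinned key")
	}
	return nil
}

// VerifySuppliedKey is the trap: checking a signature against whatever public
// key was sent with it proves only that the sender owns some key, not that the
// sender is who the message claims to be.
func VerifySuppliedKey(pub ed25519.PublicKey, msg, sig []byte) bool {
	return ed25519.Verify(pub, msg, sig)
}

// Outcome collects the results of the constructed scenario.
type Outcome struct {
	SuppliedKeyAccepted bool  // forged message checked with the impostor's own key
	ImpostorPinnedErr   error // forged message checked against the pinned key
	GenuinePinnedErr    error // presenter's own message against the pinned key
	AfterRevokeErr      error // presenter's message after her key is revoked
}

// Scenario plays out the case from the thread: a payment instruction that
// claims to come from a presenter, once forged and once genuine.
func Scenario() (Outcome, error) {
	presenterPub, presenterPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Outcome{}, err
	}
	impostorPub, impostorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Outcome{}, err
	}

	dir := NewDirectory()
	dir.Pin("presenter", presenterPub) // assumed to have been verified out of band

	// Constructed message; the account number is a placeholder.
	msg := []byte("Please pay my fee to account 00000000")
	var out Outcome

	forged := ed25519.Sign(impostorPriv, msg)
	out.SuppliedKeyAccepted = VerifySuppliedKey(impostorPub, msg, forged) // true
	out.ImpostorPinnedErr = dir.Verify("presenter", msg, forged)          // error

	genuine := ed25519.Sign(presenterPriv, msg)
	out.GenuinePinnedErr = dir.Verify("presenter", msg, genuine) // nil

	dir.Revoke(presenterPub)
	out.AfterRevokeErr = dir.Verify("presenter", msg, genuine) // error
	return out, nil
}

func main() {
	out, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("supplied-key check accepted forged message: %v\n", out.SuppliedKeyAccepted)
	fmt.Printf("pinned-key check on forged message: %v\n", out.ImpostorPinnedErr)
	fmt.Printf("pinned-key check on genuine message: %v\n", out.GenuinePinnedErr)
	fmt.Printf("after revocation: %v\n", out.AfterRevokeErr)
}
```

The only security in this design lives in `Pin`: the maths in `Verify` cannot tell a presenter from an impostor, it can only tell whether a message matches a key you already decided to trust. That is Winter’s point restated in code, and it is also why the cheap check Winter suggests (ring the BBC on a number you already have) is the same operation as pinning a key.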

Who? May 2, 2024 11:15 AM

@ Winter, Clive Robinson

Matters were easier in the nineties; at that time OpenPGP just worked, but the world was more pleasant too.

Clive Robinson May 2, 2024 1:20 PM

@ Who?, Winter, ALL,

Re : You are not information and information is not you.

“Anything should be digitally signed to authenticate the sender.”

Only it can not.

One of the failings of bio-metrics is,

“A measurement is of an object at a single point in time, it most certainly is not the object nor is it valid at any other point in time.”

But worse,

“Any measurement is not unique to the object.”

That is there will be other objects for which the measurement is valid.

As an overly simplistic example, let’s say you weigh 75 kg ±5%; for how many other people will that be valid?

Thus you can only conclude that whilst the measurement is of an object, it is in no way the object. Thus you can further conclude,

“Information is not in any way a physical object.”

And that is the fundamental problem there is no way of reliably linking information objects and physical objects.

From there on out the issues just cascade into complete insecurity thus lack of any kind of privacy or trust.

It’s why I really do not like the idea of the three authentication factors of,

1, Something you are (biometric).
2, Something you have (token).
3, Something you know (pass phrase).

I’ve shown above that the first is not at all reliable, and hey, look at all the fuss kicking off about facial recognition in recent times to see just a fraction of the reality on the failure of biometrics.

As for the second, some kind of physical token, they don’t work; credit cards demonstrated lots of ways tokens fail back in the 1960s and we still are not learning the lesson.

Also you might notice that actually most biometrics and tokens are logically the same so what fails with one will also similarly fail with the other.

Quite a few times in the past I’ve detailed on this blog why the third, “something you know”, is a failure with most humans. The two most obvious are demonstrated with credit card PINs. Many people can not remember a four digit number unless it has an easily guessable connection to them, like their birthday, so it is in effect “public knowledge”. But as the PIN remains constant from use to use, if it’s observed in some way it has zero security value.

I could go on to say that things like Private Keys suffer from the same issues, but actually it’s worse. Humans can not use Private Keys; apart from a very few, they lack the ability to do the maths in a secure way. So they use a “token” to do it for them…

So the three standard authentication factors that in reality are information based, are realistically a complete nonsense as there is no way to securely tie them to a physical individual.

echo May 2, 2024 3:15 PM

Anything MI5/MI6 chiefs say is either obvious known stuff or to be read for entertainment purposes only. Neville-Jones is technically correct but context, history, and proportionality deal with some of the overthinking going on in here as do degrees of assurance, threat profiles, and usability. If you want to get really picky with anything physical quality of data package, quality, and reliability. Also note all of the above may cross reference with all of the above.

You can complain forever about some rabbit warren of theoretical loopholes but by the gods who has the time. You can get tail chasing in some hierarchical rote learned professions as they go up their own ivory tower. They forget there’s this thing called applied and timeliness and achievable.

A genius who does an end run of everything may get away with it but then only get away with it so many times or only to a certain degree and, maybe, that was good enough because if it was perfect it would be unusable and if it’s not usable then it’s useless.

JonKnowsNothing May 2, 2024 3:36 PM

@Clive, @ Who?, Winter, ALL

re: how to check the original certificates?

The kick-off to the Windrush Scandal in the UK (ongoing) was Theresa May’s decision to shred and destroy the original and only copies of the manifests (lists of passengers) under her 2018 Hostile Environment Policy. (1)

An MSM report (2) covers an ongoing fight over the Chagos Islands, where the huge USA Diego Garcia base is located, leased on land claimed by the UK (BIOT), and from where the Chagossians were forcibly removed to the UK or Mauritius.

The Government of Mauritius is re-stating the birth certificates of people born in the Chagos Islands.

  • In Mauritius, during any administrative procedure, such as opening a bank account, citizens must present a birth certificate reissued within the previous three months.
  • “The passport officer told me my homeland doesn’t exist…”
  • To qualify for UK citizenship, people must prove they were born on the Chagos Islands or are a descendant of somebody who was.

The problems of birth certificates are legion. There are all sorts of Official Fakes, often for Stolen Children programs. Such programs exist globally. USA has its own version of Stolen Children programs; all of them quite active. When you add in Religious Based Stolen Children, that’s a significant increase in trafficking. No one is going to arrest the Pope over child trafficking by Catholic Organizations and Church Officials. Not then and not now.

Then there are the changes in boundaries or the complete wiping out of countries. Countries that were consolidated and then fractured along ethnic lines. People that were born in colonial countries which no longer exist have multiple problems proving who they are and where they were born. (Some names you can no longer say.)

===

1)

https://en.wikipedia.org/wiki/Windrush_scandal

  • The Windrush scandal was a British political scandal that began in 2018 concerning people who were wrongly detained, denied legal rights, threatened with deportation, and in at least 83 cases wrongly deported from the UK by the Home Office.
  • As well as those who were deported, an unknown number were detained, lost their jobs or homes, had their passports confiscated, or were denied benefits or medical care to which they were entitled. A number of long-term UK residents were refused re-entry to the UK; a larger number were threatened with immediate deportation by the Home Office.

2)
HAIL Warning

https://www.theguardian.com/global-development/article/2024/may/02/chagos-islanders-fear-loss-of-identity-as-birth-certificates-altered-to-remove-disputed-homeland

  • Chagos Islanders fear loss of identity as birth certificates altered to remove disputed homeland
  • Birthplace and parents’ names are being removed from passports and birth certificates as Mauritius stakes claim to the island

Winter May 3, 2024 1:19 AM

@Clive

“Information is not in any way a physical object.”

Re: biometrics

Take a fingerprint or iris scan at two different time points, and you can be pretty sure they were or were not from the same person.

It is up to you whether you trust the two recordings of the biometrics.

Now, if you go the Descartes’ route of not trusting anyone, you simply have to give up. If you trust no one, you cannot do anything. Period.

Robin May 5, 2024 4:00 AM

@JonKnowsNothing, All

re: Modern phone etiquette

We, and many of our friends, adopt the habit of only answering calls from people on our contact list, knowing that that is not a perfect filter for well prepared scammers, but it gets rid of the random crap that is a royal pain in the nether regions.

Our logic is that anyone who really wants to contact us will leave a message. We also try to tell organisations (important but transient contacts) that we prefer written (SMS, email) comms rather than voice comms. But our logic is defeated regularly because they quite simply prefer to call and talk in real time: obviously cheaper for them. Result: we refuse their business if at all possible. They probably don’t give a cuss.

We’ve started to get a lot of spam emails purporting to come from one family member and I am trying to train them to adopt a “keyword” system in the subject line, but it’s an uphill struggle.

Escaped the Moderator May 6, 2024 4:11 AM

Using digital certificates issued by a single central authority for identification/authentication is obviously a bad idea.

As Clive points out reasonably often, what is most interesting about people’s communications are their metadata, which are a multiplicity of data points. It takes very little such metadata to identify/deanonymise a person.

It therefore follows that from a large population of certificate issuers that are independent, a reasonably small multiplicity of certificate issuers independently associated with you are sufficient to identify you.

Historically, this was done in the UK – identity was authenticated by querying your relationship with banks, utility providers, local government, health service and driving records, and people who are members of accredited occupations.

As a result, a model of identification can be built that does not rely on a single central authority, but rather your footprint of interactions.

Advertisers do this already.
