This is a man that needs no introduction.

Guess I'm on, then. Okay, so you guys are here because you're curious about what the hell US-VISIT is. How about now? Okay. US-VISIT is Homeland Security's system for tracking visitors to the United States. Why should you care about it? Why is any of this worthy of a DEF CON presentation? Well, let me start with a quick show of hands here. How many people in this room do not have American passports? Raise your hand if you don't have an American passport. Okay, keep your hand up if, when you enter the United States, you filled out the green visa waiver form. Okay, keep your hand up if that lower portion of that green visa waiver form is either in or with your passport. Okay, everyone with their hands in the air: you have RFID tags in your passports. At least, if you don't, Homeland Security has stated that they will be deploying RFID into your passports as soon as they've got the money to actually buy the chips. That's why you need to care.

In addition to RFID tags, there is massive biometric data harvesting, massive distribution of this data. I'll be getting on to exactly how Homeland Security appears to be using cryptographic algorithms that are not NIST approved, so in addition to collecting all of this data, they're not actually handling it properly. And has anyone ever seen one of these before? This is the receipt that you get when you're on the US-VISIT program and you leave the United States. This is an entirely new biometric form of ID that Homeland Security have introduced.

Now, that's how it affects foreigners. How does US-VISIT affect US nationals? Well, the first thing is a lot of these technologies have already been tried to be deployed in American passports, against American citizens, RFID tags in passports in particular. There was a big uproar not so long ago when Homeland Security announced that they would be adding RFID tags to US passports, such a big uproar that they eventually changed the system so that the covers of the passports now
include foil to supposedly shield the RFID tags, so that you can't read it unless the passport's open. Unfortunately, Homeland Security can quite honestly currently turn around and say, well, we've been deploying all of this technology to foreigners for a couple years now, we've not had any problems, why should we not deploy it to everyone else in the world? So foreigners should care because you're directly being affected by this. US nationals should care because Homeland Security is setting a precedent here. You are going to be hit with this technology sooner or later unless we can convince Homeland Security that it's actually a bad idea.

So let me establish some credibility here. I married my lovely wife a couple years ago. She's an American citizen, and it's taken me three years to obtain my green card. I know a fair amount about the US immigration system. Combined with 20 or more trips to the USA coming under this US-VISIT system, and the fact that, hell, I'm a geek, I'm curious, means that I've been able to find out some stuff about it. The only public documentation that I've been able to locate has been one document from Homeland Security with a privacy statement. It's very vague, it's very woolly. There's a whole lot of stuff that's missing from it that should be, but you can combine that with a whole lot of stuff that you can gain from interacting with the system and interacting with these barcodes, and you can figure out quite a lot about it. So that's where a lot of my information comes from. Anyway, you can visit this on the website if it's at all interesting to you. It's a fascinating read. It's about a 40 page document, of which over half is just references. Not a whole lot of information there.

So what is it? Well, from this privacy document from Homeland Security, this is what Homeland Security claims US-VISIT is supposed to do. Personally, I don't see how it actually achieves any of those goals. I don't see how adding an RFID tag to someone's passport enhances their privacy. Is it
just me, or is it actually doing completely the opposite, if you can spot a foreigner from ten meters away? In reality, what happens: large scale data harvesting, data mining, tracking of foreigners. If anyone's ever come through the Canadian border, you may have seen there's large white sensors in all of the various lanes for the cars. Those are RFID tag readers. There's like seven or eight in each lane, and they're just harvesting data as you're going through the border. The upshot of it all is that your personal privacy gets screwed over.

So this is US-VISIT. I'm not going to explain the architecture of it in detail, because you don't need to know it. What you do need to know is that there are a colossal number of databases involved, there's a colossal number of systems. US-VISIT is a system of systems. Many of these are not actually owned by Homeland Security, so a lot of the links between the different components, you have no idea whether or not they're secure. You have no idea how data is being transmitted between them. You have no idea what protections have been put in place to protect your data as it flows around these systems. It's very big, it's very complex, and as far as I'm aware no one has ever done any security assessment of it. Probably internally in the government, but hey, how good are they?

So how does US-VISIT work? Well, you come in on the plane, you fill out your I-94 form. This is the long green visa waiver form. When you sign that form, if you've ever read the back of the form, you're actually signing away your right to appeal. So if you disagree with any of the things that your data will be used for, if you disagree with any decisions that are made based on your data, you have no right of appeal. The guy at the desk of the immigration line that takes your fingerprints, he is the authority. You don't even have the right to ask to see a supervisor. His decision goes, and you have signed away all rights that you have. If you do not accept each and every one of the terms of the
I-94, you do not get into the United States. It's as simple as that. So you get to the immigration line. The guy takes two fingerprints and a digital photo. The information is stored in the IDENT system for later use. This is a component of US-VISIT. In parallel to this, your finger scans are actually sent to IAFIS as well, so you're automatically compared against the FBI's IAFIS database to see if, you know, you have a criminal record or anything. Finally, assuming that you've passed the criminal check, the guy should normally staple part of the I-94 form into your passport, and nowhere does it actually mention that there's an RFID tag in it. So informed consent just simply does not exist in this situation.

So when you leave the United States, you check in at the airport. The check-in agent should remove the remainder of the I-94 from your passport. They're then legally obligated to notify Homeland Security that you've left the country, so that's your departure record. Fortunately, it means there's no RFID tag left in your passport anymore. This is a good thing. You clear security and you end up at a number of machines that look like ATMs, but you swipe your passport through them, they take a digital photo, two more finger scans, and they print out one of these receipts. Now, at no point during that check do they actually validate that the person who is getting scanned by the system is the person that actually owns the passport. So there is no correlation between this receipt and me. There's no guarantee that, you know, I haven't faked a fingerprint or whatever. There's no security guards around a lot of the time. So as a form of ID it's kind of useless. I'll get into more detail about the barcodes later, but suffice it to say that this is the only form of ID that will actually get you on to a plane. Homeland Security is absolutely entitled to conduct secondary screening at the gate just before you get on to the plane, and they will check your fingerprints as
they are scanned right there and then against this receipt. If they don't match, you don't get on the plane. It's as simple as that.

So what's with these RFID tags, then? Well, the text in italics here comes directly from Homeland Security's privacy statement. They will provide the capability to automatically, passively and remotely record the entry and exit of covered individuals using RFID, and they're not encrypted, and they could be subject to interception. Homeland Security admits it, accepts it, doesn't care. When the subject of RFID and passports was discussed not so long ago, this is what Bruce Schneier had to say about it, and I completely agree with them: it is a clear threat to privacy, personal safety, and it's a bad idea. Doesn't stop Homeland Security from doing it, though. As foreigners in the United States, you have very few rights, in this situation at least.

So the biometrics: two fingerprints, digital photo. Fingerprints are relatively easy to fake. It's been known for a while that you can melt down some gummy bears, you can take someone's fingerprint printed onto a transparency, etch it into a PCB, and use that as a mold for a section of gelatin which you can then just paste over your finger. They can be faked really easily. Considering how easy it is to get hold of someone's fingerprints, and I'll show you some more examples in a few minutes, it's pretty bad. Now, the way that the fingerprints are actually stored, they're not stored as pictures, so you can't just decode one of these things and recover someone's fingerprint directly. It's stored as minutiae. Now, minutiae: if you examine the ridges on your finger, a minutia is where a ridge either splits, stops or breaks. There's a few other classes, but those are the main ones. So your actual fingerprint is stored as a series of XY coordinates with the type of minutiae and the direction of the minutiae, such as the direction that the ridge continues on. Now, from that information it's possible to reconstruct the
fingerprint. It may not necessarily be the same fingerprint, but as long as it has the same minutiae in the same places, it counts as the same fingerprint. You don't need very many points of correlation, and it's fairly easy to do it. It can absolutely be done.

Now, I mentioned that when you get your fingerprints taken, it's automatically compared against IAFIS. I'm not a lawyer here, but over here you have the Fourth Amendment, which says that you can't search someone without due process. I'm not aware of walking through immigration as, you know, sufficient justification to be able to do a criminal background check on me. But because you've signed the I-94, you've consented to it. Fourth Amendment doesn't really apply, because you've explicitly signed for consent.

The digital photo that's taken, it's in the form of a low resolution photograph, according to Homeland Security. In the days of 10, 12 megapixel digital cameras, who knows what Homeland Security classes low resolution. I have no idea. I have no idea what the specifications are of that picture. I don't know if we can ever find out.

So all of this information is printed onto these receipts. So what is it? Well, it's a high resolution two-dimensional barcode. It's roughly 200 pixels by 100 pixels, so there's about 20 kilobits of data on it. About 25% of the data on this is error correction information, so it's entirely possible to lose large chunks of the barcode if it gets folded or torn or whatever and still scan it. It's very robust, it's very reliable. The actual symbology used is called Aztec Code. The barcode standard is Aztec. It's an open standard. It's not very common, but you can pick up readers on eBay. I got this with change from 100 bucks. There is also absolutely the possibility of using a smartphone to recognize these barcodes. I have software on my smartphone that will recognize other two-dimensional symbologies of similar data density. It's very easy to do. So you could gather these things in a lot of different ways. The
information on the barcode consists of both of your fingerprints, all of the information on your passport, there's a little bit more information printed at the top, your digital photo, the whole lot. All of it is on this barcode, ready to be retrieved. Supposedly it's encrypted. I'll show you a plot of the data in a second that supports the theory that it at least looks random. But you can deduce some information about the encryption algorithm used if you look at the block size. Cryptographic algorithms work on fixed size blocks of data, so if you've got a series of chunks of data that align on 64-bit boundaries, you can use that information to take a guess at what algorithm is in use. With these, I actually have a couple of these, and the block size appears to be 16 bit, which is inconsistent with DES, AES, any of the really good algorithms. It's possible that it could just be a direct RSA cipher. I doubt it. It's possible that it could be a stream cipher such as RC4. If it is a stream cipher such as RC4, RC4 is not NIST approved, so Homeland Security should absolutely not be using it. Quite what the algorithm is, I've no idea, but it's certainly not AES.

So if you actually take a few of these, this is a plot of four of these barcodes. So you scan these into a PC and you just get a binary blob of data. If you count how many times each byte appears, it's a good way to take a guess as to whether or not something is actually random. So at the bottom here you've got four individual barcodes and the frequency of each byte on each barcode, and then at the top you've got the total. There are some mild inconsistencies. There's a spike around 50. I investigated it and it's nothing. There's no particular byte sequences in it. There's an unusually high occurrence of 0D0A, but it's not consistent across all of the barcodes, so again you can't really deduce anything from it. It looks random, it looks encrypted, but looks can be deceiving. It may not be encrypted at all.

So to scan the image, you
grab your barcode scanner. It's that quick, and I've now got all of the information on this barcode. There is actually two barcodes on here, right next to each other, so it looks like one, but you can scan the second one just as quickly.

Homeland Security reckons that the encryption codes used for these are changed daily. Now, if they are changing the codes daily, then it means that they have to have some kind of key distribution system, and something that people are doing every day for years at a time, there's going to be mistakes made. There's going to be weaknesses in the key distribution systems. There's going to be ways to retrieve the keys directly from the system. I believe that at the moment they're transmitted over Wi-Fi networks, so you can sniff the keys out of the air. They're probably encrypted over some kind of communications channel, but again, who knows. I don't really want to be caught by security sitting in an airport sniffing traffic off the US-VISIT network.

So the other thing about them is that even if they are changing the codes daily, it doesn't really matter, because you can legitimately take a flight through an airport and you can just harvest some of these codes. If you break the encryption key on one, if you particularly target one barcode and you retrieve the key, then you retrieve the key for all of the barcodes for that day. So you can just spend a day in the airport harvesting codes and decrypt it all once you break a single key. It's trivial to harvest these things. Walking around an airport with a barcode scanner hooked into a laptop in your backpack, kind of a little bit suspicious. Certainly taking pictures of people with camera phones isn't as suspicious. Dumpster diving for these receipts, who's honestly gonna care? People don't know what information is on these. So you get situations like this: some guy published one of these on Google Images. Now, this looks like a fairly low quality image, but the fact is there is so much error correction data in these that that
barcode could probably be recognized. With a little bit of image cleanup, with a little bit of processing and edge detection, you could probably scan that barcode and you could probably retrieve that guy's fingerprints, digital photo, passport information, name, date of birth, flight information, the whole lot. Now, if he had known what was on this, do you honestly think he would have put it on Google Images? I don't think so.

So the upshot of all of this is that these things constitute an entirely new form of ID. It's biometric information. It can be compared at any point during your flight; on entry, on exit, it can be checked. People don't actually understand that it's a form of ID, though, so people don't treat it with the respect that it deserves as a form of ID that contains a copy of my fingerprints. It's ridiculous that there is no information telling people what these things are. The first time I retrieved one of these from the machine, I didn't know what it was. I saw it was a big 2D barcode and thought, hey, it'd be great to get a scanner for that and see what's in it, but then never thought about it again. People don't know, so they don't understand the precautions that you have to take to protect this information.

The other thing is, yes, it is a form of ID, but all it does is it verifies that the individual boarding at the gate is the same individual who completed the exit process at the kiosk. So all it proves is that the person who scanned their fingerprints at the machine, at the ATM box, is the same individual that's in front of them now. It does not guarantee that it's the same person who owns the passport. It does not guarantee that you're supposed to be there. As a form of ID it is utterly, utterly useless, but at the same time it's the only thing that will get you on to a plane.

So let's look at data retention policies and who can access this. This is a section from Homeland Security's privacy assessment, where there's some very interesting things in here. The data that they
retrieved can be subpoenaed. File a civil lawsuit against someone, you can apply to Homeland Security to retrieve all of their US-VISIT data, because they explicitly state that it will be made available in civil lawsuits. Foreign agencies, law enforcement or otherwise: I don't know, you know, which countries they'd share this with, which ones they wouldn't, which classes of law enforcement they would share it with. As far as this statement indicates, they'll share it with anyone who is lawfully engaged in collecting law enforcement information. Now, to me this strikes me as deliberately vague. This seems like Homeland Security just saying, hey, we'll give it to anyone; if you can at least make a decent case that you're lawfully engaged in collecting this information, yeah, we'll give you as much as you like. I'm not happy with my data being given out in that manner. I don't think many people in this room would be.

Along similar lines to this is the green cards. I recently obtained my own green card, and on the back is a rather nice shiny surface. This is actually a CD. What a CD does in a circle, this does in a straight line. Fortunately, along the very bottom of the data section they print the patent numbers. Got to love the USPTO, because it's all open, it's all completely public. You can just retrieve the patents, you can track down the manufacturer, you can obtain readers, you can obtain more cards, you can do whatever you like. And according to the patent, the absolute minimum amount of data that you can fit on one of these is 250 kilobits. According to the manufacturer's website, this card contains 2.8 megabytes of data. I have no idea what is on this. I suspect that it is a complete copy of every form that I filled out in order to receive my green card. I would not be surprised if that's the case. 2.8 megs, we're certainly in the right ballpark. Unfortunately, the readers for it are rather pricey. You can't really pick them up on eBay. It's heavily patented, it's heavily
controlled, it's very, very pricey. I've seen estimates of fifty thousand dollars for the readers, so I'm not going to be getting my hands on one anytime soon, and I doubt I'll be able to build one, so who knows.

So what's the big deal with all of this? Why is this an issue? The whole point is that US-VISIT is setting precedents. Homeland Security is using this to establish these technologies, to deploy these technologies in real-world scenarios, so that they can then go back to the lawmakers and they can say, hey, we've been putting RFID tags in passports for years, we've had forms of ID that include biometrics, that include large quantities of data, that include fingerprints on the front of the card. So whenever anyone takes a copy of this, as is fairly standard practice when you use it as a form of ID, that person then has my fingerprint. Homeland Security can quite legitimately turn around and say, we've been doing this for years, we've never had a problem, why should we care about deploying it to everyone else in the United States?

US driving licenses already have large barcodes on the back, large two-dimensional barcodes. These are a different symbology. The symbology that they use is PDF417, which is an absolutely common symbology. You can pick up readers absolutely anywhere for these barcodes. There's two different types of barcodes on the back of the US driving license that I've seen. There's a small barcode, about half an inch thick, that just contains a machine readable version of the front of the driving license. There is a much larger version that's about three times the size. I have no idea what's on it, because none of my American friends will let me scan it, so it could be anything. I suspect it's a digital photo, but if any volunteers would like me to scan their driving licenses and find out, come talk to me.

Where's it all going to end? Where is all of this going? You can already spot a foreign passport from 10 meters away with an RFID
tag reader. You can pick out bars where foreigners like to hang out. Foreigners generally tend to carry their passports with them in the United States in a lot of situations. Probably DEF CON is the exception to that, but certainly it's a very easy form of ID for a foreigner in the United States. A lot of, you know, bouncers at clubs don't actually know how to understand a foreign driving license or a foreign ID card, so a passport is the easiest form of ID, and you can spot them from a reasonable distance away using a high gain RFID antenna.

The major point about this, though, is that there is no informed consent. People are forced to sign up for this not knowing what is involved, not knowing what is going to happen with their data, not really understanding what is going on with this system, not having any clue, you know, where their data is going to go, who it's going to be shared with, where it's going to end up, how it's going to be destroyed. None of these questions are answered, and the simple fact is, unless you agree to everything that Homeland Security ever wants to do with your data, you don't get into the United States. It is as simple as that. And I don't know about you, but I think that's wrong. I think that Homeland Security needs to address this. They need to figure out exactly which bits of the US-VISIT system are actually worthwhile, because certainly these things aren't. These receipts present an unacceptable risk to personal privacy and they don't actually serve any purpose. So why is it being deployed? The only answer can be to set a precedent for American deployment.

Now, I know I've got a fair amount of time left, deliberately so, because I wanted to get some questions going. Anyone? Question over here.

I believe they are. I believe IDENT matches them. It matches it against your passport number, so every time you enter the United States it automatically compares it against the previous visits. So if you turn up in the United States on a completely new passport with
a completely new set of fingerprints, they've got nothing to match it against, but it should be compared against previous versions.

Yes, I have considered microwaving my green card. The gentleman was asking if I've ever considered microwaving my green card. Yes, I have, but I'm not sure how useful it would be afterwards. It's just a piece of plastic, so I wouldn't want to melt it. So much effort to get hold of the thing. It's also a federal offense for me to not have it with me at all times. If I'm ever stopped by a police officer and I don't have my green card with me, that is a felony. It's great. I'm sorry? Is that really the case? Okay, I was actually advised that it was, at any time I was stopped by a police officer. I shall look into that and find out the proper answer. Yep?

The European court a few weeks ago decided that the agreement under which the EU supplies passenger information data to the US DHS is actually illegal under EU data protection law. How do you think that one's going to play out?

The actual illegal component of it is, I believe, the Americans' demand for it. If the individual states elect to submit that information to Homeland Security, I believe it's still legal. Obviously, if you also get the consent of the passengers involved, again it becomes legal. So it's all a question of whether you actually sign away your rights to this. So it may well be the case that the actual process is illegal on its own, but once you obtain the consent of the people involved in the process, it stops becoming illegal. So as far as I'm aware, Homeland Security has not been affected by this in any way. They're going to carry on doing exactly what they have been doing. Any more? Oh, in the red.

I'm sorry, no, I'm absolutely not aware of any US-VISIT success stories. US-VISIT was introduced in full stealth. There was no real warning of its deployment. It just appeared at airports one day. It's been very much taken under the radar. There's been no real numbers published about success or failure of the system. There's
been no information about AFIS hits, nothing at all. As far as I'm aware there has been no successes, so no is the simple answer. Yeah?

Okay, um, on the success thing, I have actually read a bit. They do have some numbers where they claim to have identified, you know, X number of criminals leaving the country. There are a bunch of GAO reports talking about US-VISIT, auditing it, and basically in those reports they also say that the program is horribly mismanaged and pretty much inept, and I'm wondering what you think about that. Beyond the nefarious, you know, aims that the government might have, what about the fact that it's just really inept?

Well, as I mentioned, if you go back to the architecture diagram, a system this large and this complicated, it's extremely difficult to manage. It's not like a large banking back end where everything has been designed from the ground up. The system has very much been a case of Homeland Security setting some goals and then just pulling in components from completely different agencies in order to build a system that kind of works. So as far as the ineptness goes, I think it's just inherent in the way that the system was designed and constructed. It was just kind of thrown together to solve a problem, which is why it's such a failure. I'm sorry, front corner. Into what? Yes, absolutely, absolutely. Some of these systems are owned by CIA, some are owned by FBI. NSA is distinctly missing from this, conspicuously so. So I would not be surprised at all if this architecture diagram was missing a couple nodes that are managed by NSA. Who knows. We may never find out. I certainly don't have the resources to fight a Freedom of Information Act case, so we may never find out.

As far as screening the RFID tags goes, yes, absolutely. The problem is that at the moment that will work, because Homeland Security is still deploying the RFID tags into the I-94 forms. Some do have them, some don't have them. Certainly if you come, if you
enter the United States by land or by sea, it should have an RFID tag in it, and they're deploying it to air passengers at the moment. So at the moment, if you get an I-94 without the RFID tag in, then yes, it will still be recognized. In the longer term, they're going to be basing the I-94 system off the RFID tag directly, so you'll have the choice of either queuing up in a very long line for manual processing, or just walking through the gate, getting your RFID scanned and then just clearing security. Yes?

To answer the question about success stories, it's interesting, there's one real big one actually. They picked up a guy in Afghanistan, I think his name was com see, this is in the New York Times a couple years ago, but he was picked up, he wasn't talking, he was taken off to Gitmo or something like that, and they finally ran his fingerprints against the IDENT database, and it turns out that he showed up at the Florida airport, didn't have any good information on where he was staying or who he was staying with, so they kicked him out of the country, but they took his fingerprints. And so they went back to their records when they ran his fingerprints, they identified him as this guy, and they looked at the security camera videos, and sure enough, rental car registered to Mohamed Atta drove through the airport to pick him up that day. He was the 20th hijacker. It wasn't, you know, we saw you or anything like that. But granted, that's the one good success story they've had, you know, to counter terrorism. I also had a question: what's the source on them running the fingerprint data against IAFIS, the FBI database?

It's in their privacy statement. It's not directly listed, but they do say that they will compare against federal and state fingerprint databases, and later on in the document they have a section on acronyms, and they mention IAFIS in the acronym section. So I believe what they did is they originally mentioned that in the document but then later
redacted it and left the acronym in there. So they do mention that they compare against federal and state fingerprint databases; IAFIS is in the acronyms.

Because I imagine, computationally, that's extraordinarily hard, to take all the visitors and compare them against all the people on IAFIS.

Well, the whole point about fingerprint matching based on minutiae is that it stops being about image recognition and it starts being about geometry, because with the fingerprint reduced to a set of minutiae you've just got a set of coordinates, and you just need to figure out whether the points that you have and the points that you're comparing against have the same coordinate space and the same angles between them and all this kind of stuff. So all you need to do is a simple set of trigonometric lookup tables, so that you don't have to compute sines and cosines every time, and then just pattern match. It's very, very fast. It used to be the case that it would take approximately 24 hours for an IAFIS check. It can now be done in seconds.

For a single search?

For a single search, yes.

Thank you.

Yes?

I understand that the UK is developing a similar system known as UK Borders. Do you know anything about that?

I'm not familiar with the UK system at the moment. My focus on UK identity systems is on the UK ID card, which has just entered law and is being deployed now. I'm actually quite glad that I've got my green card and I'm not going to come under it, because from what I understand it's considerably larger scale than the green card systems, considerably more invasive. From what I understand it also somehow hooks into the license plate recognition system that is currently being deployed into the United Kingdom, where they're collating data from every CCTV camera that they can possibly get their hands on, feeding it into a number plate recognition system, and tracking. Their goal is to track every single car journey that occurs anywhere in the United Kingdom
at any time. Given that, and given the overwhelming opposition to ID cards and the fact that the UK government is deploying them anyway, it would not surprise me in the slightest to hear that there is a UK equivalent of US-VISIT.

Thank you.

Yes, is there a question? Okay. Yes, where can we get hold of them? Give us a URL. Give us a URL, where can we buy them? Gentleman from Germany pointing out that CCC is now selling RFID screens for German passports with RFID tags in them. I'd rather like to know where to get hold of one. Yeah, I'll put it up on the screen. be you do. Okay, apparently that might be dot org. But RFID tag screeners, they're wonderful things. I didn't even know that they, well, I suspected that they existed. People have been wrapping their passports in tinfoil for a large amount of time. It's nice to know that there is actually a commercial effort to sell them. It is, anything is good. Yes?

I have a question. There are studies which suggest that the incidence of false positives in large populations where you collect fingerprints is very high. There was a study done in the UK which estimated that on 60 million people the false positive rate of matching will be in excess of 40 percent. Now, if you look at the numbers on US-VISIT, if they estimate 60 million visitors a year to the United States, that means 40% of the fingerprints are not going to match. So the more people that visit the United States, the less valuable this is, or it means that the people who are unfortunate enough to get hit get stopped.

Absolutely. Another thing that can be done with US-VISIT is, if the fingerprint does generate a match in AFIS or any other databases, they can stop you at the border. They already have your digital photo, and they will make you wait at the border while they find the relevant law enforcement officer and get them to actually look at your picture. So if you're ever trying to clear US-VISIT on entry to the United States and you're stopped for 20 minutes staring at the camera,
that's what's going on. I can say from personal experience that if you're unfortunate enough to have flat fingerprints, or fingerprints that do not image properly, the scanners in the airports don't work. Another very good bookcase for redeploying US-VISIT under a different persona, should we say.

Well, as a German coming over here for the first time about three months ago, I thought about the same problem, because we don't like to give out a fingerprint, and have a fingerprint scanner at home, done some testing. And on the flight I just realized that I had some very super-sized Americans left on the right side from me sitting, so I put the fingers under my angled, and this came out that when you come to the fingerprint scanner and you have your hands all the time very wet, they are swollen up, and this gets you to the point also that it cannot be read correctly. They had problems reading them the first times. I then tried this with my fingerprint at home, and after about 30 minutes of fingers under your arms my fingerprint scanner at home was not able to let me access my computer anymore.

So yes, fingerprint recognition is a very unreliable technology. There's a lot of ways to defeat it, there's a lot of ways to confuse it. Even something as simple as putting up drywall can etch off your fingerprints, at least temporarily. It's really not a reliable biometric identifier, and more importantly, if this information does get leaked, if someone does figure out a way to decrypt one of these barcodes and retrieve your fingerprints, it's not like a password. You can't change it. You only have 10 fingers and they have two of them on the barcode, so, you know, what are you gonna do? Surgery?

Yeah, interesting thing that might be to just try to let them not scan your fingers on the first entrance, because I've never had scanned my fingers after that while I was in the USA, so just at the borders that being scanned of they don't get a good picture from that, I think that will

Well, they do make exceptions for
physical and mental limitations, so if you're physically unable to get your fingerprints scanned, or you're so crazy that you're incapable of keeping your finger on the scanner for long enough for it to recognize it, you may well get away with that. But expect a couple of hours in a small room with a man with a rubber glove just to verify that you are crazy. But yes, they do make exceptions for physical and mental abnormalities. Right. No, no, the visa waiver form states that you've never been ruled, what is it, mentally incapable by a judge, something like that, but you can still be slightly not right in the head. I think it's, if there's ever been a legal ruling that you are mentally incompetent then you may have issues, but I don't actually know what kind of circumstances they would classify mental deficiency as unable to scan your fingerprints. Who knows. If someone braver than me can try it at US immigration. Yes?

Earlier on you mentioned your concerns about the ability to appeal the information that's on the initial card that you fill out. The data repositories within the US-VISIT system should constitute a system of records, and per US code you're able to appeal anything that's contained within a system of records maintained by the federal government.

Potentially, yes. I believe you can get access to it, but the right of appeal is less about how your data is used, it's intended more towards giving ultimate authority of the decision to the immigration officer at the desk when you actually cross the border. Yeah, it's not a timely thing, unfortunately. Yes, so as far as Homeland Security is concerned, they're giving authority to the desk officers and as a byproduct removing all of your rights from the rest of the system. Given that you sign away those rights, it would be an interesting court case at best. Well, at a minimum, I should say. Any more questions? Oh, yes.

Hello. First of all, I think this is a very important issue, so I'd really like to thank
you for bringing that to the forefront for us. I'm someone who, my domestic partner, she's also a foreign national, and so as an American I'd like to apologize to foreign nationals everywhere. This is a complete travesty and a representation of the worst kind of xenophobia that we've experienced in a long time. Back to my question. Actually, my first question is, has any work been done, or do we know of any projects, to decode or decrypt the information in the barcodes on the receipts?

I've put in a reasonable amount of time on my own. I don't know if anyone here saw Dan Kaminsky's blackout presentation, he's presenting it again tomorrow, I believe, about figuring out protocols using nothing but captures of the protocols. He and I worked together for a fair amount of time on this, and, well, we didn't actually get anything productive out of it. At the moment all I'm left with is inconsistent block sizes that mean it's not any commonly used encryption algorithm, certainly, that's NIST approved, and it looks random. Unfortunately I don't actually come under US-VISIT anymore, so I can't collect any more of these barcodes, and given the amount of information that I've just told everyone is on them, I doubt there's very many people that would give me any. If there are any volunteers in the audience, I would absolutely love to get any of these receipts that you have. You have my assurance, if that's worth anything, that I won't do anything bad with it, but given that I'm currently on stage at DEF CON you may not believe me.

I have a second question, that is, what's the prognosis or the direction that you're going down the road for more research on US-VISIT or more activities regarding that?

Well, the most productive avenue would probably be a Freedom of Information Act request. FOIA with Homeland Security historically is not very successful, so I don't know if there's any lawyers out there that would be interested in filing any
lawsuits to try and get more information about the system. In the absence of legal recourse, I'll be focusing on the barcodes. As soon as I can get my hands on some more samples I can do a bit more in-depth statistical analysis of them, possibly get some more data. I don't really know, it's very much up in the air. We're pretty much stonewalled at this point. Yes?

Okay, I read a couple weeks ago in the Federal Register and on CNN that if US-VISIT has their way, as a green card holder you actually will be part of US-VISIT again.

Yes, so I would expect so. They are moving toward doing that. Well, it's like I say, it's a land grab from Homeland Security. They've had such success, or rather lack of problems, deploying US-VISIT as widely as it has been so far, it would not surprise me at all to hear that they're planning to deploy it to green card holders and eventually to US citizens as well. Wouldn't surprise me in the slightest. Any more questions? Yes.

You are legally required to use the system if it is present. Alternatively, the way that they would find out that you haven't used the system is when you try and get on the plane you don't have the receipt and you'll be denied boarding. What you've just described is how the system was deployed at first. It was deployed at a few key airports around the United States, Seattle, San Francisco, couple of others. They were used as test beds for, you know, validating the technology, making sure that it worked, and it's in the process of being deployed everywhere, so expect to see it at every airport pretty soon. Any more questions? Fabulous, let's get beer then.