SIN and the Law
Dumpshock Forums > Discussion > Shadowrun
Aerospider
One aspect of SR4 that I've been struggling with for months is how identification works, particularly with regard to law enforcement.

1) When in an area that demands the broadcasting of your SIN, does everyone in range get to see it? What about your access ID? Could a hacker simply spot an executive on the other side of the street and immediately be able to spoof the guy's life to hell and back?

2) How much information can a cop/security team get on you from your SIN (assuming you don't have a criminal record)? Address? Biometrics?

3) You've been a smart boy and have had several fake SINs created, each for a different purpose and at least one being the respectable homeowning wageslave disguise you need just to get through life. Then you slip up and the cops find your prints somewhere they shouldn't be and they run a check. Do they rumble ALL your IDs? If so, then as far as I can see the only way to safeguard each ID would be to not repeat any biometric data: one ID gets your fingerprints, one gets your mugshot, one gets your DNA profile, etc. Does that sound right?

I could probably go on for pages, but hopefully answers to these questions will make other niggling issues easier to get my head around.
DireRadiant
Think in terms of Third party authentication.

1) I'm broadcasting my SIN and my name is Fred. Your system checks against a third party system by asking, Does Fred of ARES SIN XXXX exist in your system? You get back yes or no. (This is all they care about at this point, are you a real person that a legitimate system I trust validates you exist.)

2) Hi, my name is Fred, my SIN is XXXX. I want to buy this. The vendor asks ARES, does Fred with SIN XXXX have the nuyen for this? They get back yes. Next step is the Vendor asking Fred to Authorize the transaction. Fred has to enter a SIN PIN to authorize the financial transaction. (For the PIN, you can substitute some other form of authentication, such as retinals, fingerprints, dna scan, secret questions, etc etc to the level you wish.)

3) Which system did they check against? ARES fingerprint database? EVO's? UCAS? CAS? PCC? each one might return a different answer from, Access Denied, to Yes, No, and maybe. All depends. The Cops are likely to have their own data they've collected, but anything outside their own system can be unreliable.
Heath Robinson
QUOTE (Aerospider @ Jan 21 2010, 03:19 PM) *
One aspect of SR4 that I've been struggling with for months is how identification works, particularly with regard to law enforcement.

1) When in an area that demands the broadcasting of your SIN, does everyone in range get to see it? What about your access ID? Could a hacker simply spot an executive on the other side of the street and immediately be able to spoof the guy's life to hell and back?

2) How much information can a cop/security team get on you from your SIN (assuming you don't have a criminal record)? Address? Biometrics?

3) You've been a smart boy and have had several fake SINs created, each for a different purpose and at least one being the respectable homeowning wageslave disguise you need just to get through life. Then you slip up and the cops find your prints somewhere they shouldn't be and they run a check. Do they rumble ALL your IDs? If so, then as far as I can see the only way to safeguard each ID would be to not repeat any biometric data: one ID gets your fingerprints, one gets your mugshot, one gets your DNA profile, etc. Does that sound right?


QUOTE (Page 41 @ Anniversary BBB Printing)
With [your SIN], however, the system can track almost every move you make—what you buy, where you go, what you connect to on the Matrix.


QUOTE (Page 266 @ Anniversary BBB Printing)
In addition, all of a person’s credentials and necessary personal data (licenses, credit history, health insurance, cred accounts, etc.) are stored in encrypted form on her commlink (with a default Encryption rating of 5).


QUOTE (Page 266 @ Anniversary BBB Printing)
These personal details can also be transmitted (again in encrypted format) on an as-needed basis, as authorized by the user. For example, a store may ask for your cred account information (and possibly credit history or even licensing if you’re buying restricted goods), a hospital will ask for your medical records and insurance, while a security checkpoint might demand your SIN, passport, and criminal record.


The answer to question 3 is "insufficient information". I don't know how biometrics are handled in 2070.
Synner667
Well, without looking at any of my SR rulebooks, let's take each q and answer it in plain terms [because I prefer to have things make sense via words, rather than just use numbers]...

1) In order for a wireless system of ID reading to work, it'd have to broadcast your ID to anyone who asks.
Ideally the basic ID ping will just provide something that is OK'd by the asker ["should this person be here?" asks the Corp facility; "ID correlates to authorised person" says the corp facility after getting an ID], but for it to work it has to respond to anyone who asks for ID - unless the ID can be set to only respond to certain pingers.

For example -
Company/government allocates ID/account to user
Details get written to card
System with user details queries card, using allocated ID/account
Card responds with confirmation.
System accepts ID/account, responding or allocating privileges based on details attached to ID/account

2) I'd imagine the answer to be information given based on authority/level/clearance of the asker.
But really all the information should be with the asker, not held on the card - all an ID pinger should be asking is "what's your ID".

3) For the ID to work, there must be a match between your details and the details connected to the ID.
If you do a search using a set of details, you should expect multiple confirmations [it's how US border guards spot immigrants crossing the border - their face pictures and fingerprints are the same, regardless of the name they use. It's also why relying on biometrics to be 100% accurate is such a bad idea].
To split your details amongst multiple IDs would mean each would have incomplete details for you, probably requiring further authentication and probably requiring you to complete the details when noted by someone.


How's that.
DireRadiant
QUOTE (Aerospider @ Jan 21 2010, 11:19 AM) *
1) When in an area that demands the broadcasting of your SIN, does everyone in range get to see it? What about your access ID? Could a hacker simply spot an executive on the other side of the street and immediately be able to spoof the guy's life to hell and back?


I can see you are Aerospider. You are telling everyone on dumpshock you are Aerospider. You have authenticated yourself to DS as an authorized Dumpshock poster. Can I come to dumpshock, see that there is an Aerospider, then post as Aerospider? Not just by knowing your clearly displayed identity. To spoof Aerospider I need far more than your broadcast SIN (Forum Handle). I need your account authorization codes. Can I Hack those? Possibly. If I did, could I then spoof the rest of your life? Possibly, but there would be a lot of extra steps of additional hacking and spoofing and exploiting. It can't be simply done by you displaying your forum handle.
Synner667
QUOTE (DireRadiant @ Jan 21 2010, 04:12 PM) *
I can see you are Aerospider. You are telling everyone on dumpshock you are Aerospider. You have authenticated yourself to DS as an authorized Dumpshock poster. Can I come to dumpshock, see that there is an Aerospider, then post as Aerospider? Not just by knowing your clearly displayed identity. To spoof Aerospider I need far more than your broadcast SIN (Forum Handle). I need your account authorization codes. Can I Hack those? Possibly. If I did, could I then spoof the rest of your life? Possibly, but there would be a lot of extra steps of additional hacking and spoofing and exploiting. It can't be simply done by you displaying your forum handle.

Excellent example !!
Aerospider
QUOTE (DireRadiant @ Jan 21 2010, 03:39 PM) *
Think in terms of Third party authentication.

1) I'm broadcasting my SIN and my name is Fred. Your system checks against a third party system by asking, Does Fred of ARES SIN XXXX exist in your system? You get back yes or no. (This is all they care about at this point, are you a real person that a legitimate system I trust validates you exist.)

2) Hi, my name is Fred, my SIN is XXXX. I want to buy this. The vendor asks ARES, does Fred with SIN XXXX have the nuyen for this? They get back yes. Next step is the Vendor asking Fred to Authorize the transaction. Fred has to enter a SIN PIN to authorize the financial transaction. (For the PIN, you can substitute some other form of authentication, such as retinals, fingerprints, dna scan, secret questions, etc etc to the level you wish.)

3) Which system did they check against? ARES fingerprint database? EVO's? UCAS? CAS? PCC? each one might return a different answer from, Access Denied, to Yes, No, and maybe. All depends. The Cops are likely to have their own data they've collected, but anything outside their own system can be unreliable.

There's some good advice in there, thanks.

I've now found the relevant text for number 3:

"The GSINR (the Global SIN Registry, a fully-funded project of the Corporate Court) is the regulatory body that sets the worldwide standards of how SINs are used and assigned - and also what data is correlated with them ... they keep data confidential, only making it available to law enforcement and other appropriate agencies." SR4A p.266

So the cop sends your prints to the GSINR which searches its database for all matches (not a lengthy process in 2070s if the fluff text is anything to go by) and voila - the fuzz knows everything about you except which of your many addresses is the real one. What have I missed?
Aerospider
QUOTE (DireRadiant @ Jan 21 2010, 04:12 PM) *
I can see you are Aerospider. You are telling everyone on dumpshock you are Aerospider. You have authenticated yourself to DS as an authorized Dumpshock poster. Can I come to dumpshock, see that there is an Aerospider, then post as Aerospider? Not just by knowing your clearly displayed identity. To spoof Aerospider I need far more than your broadcast SIN (Forum Handle). I need your account authorization codes. Can I Hack those? Possibly. If I did, could I then spoof the rest of your life? Possibly, but there would be a lot of extra steps of additional hacking and spoofing and exploiting. It can't be simply done by you displaying your forum handle.

Good example, except a SIN is more than a nickname and does more than differentiate you from the next guy on paper. Can't find the text right now, but somewhere it says how a trained eye can tell a fair bit about you from your SIN (probably age, place of birth, that sort of thing) and anyone who's seen half an episode of a two-bit TV series on con artistry will see possibilities in that.

As for spoofing, that was more about the access ID issue. Don't those have to be broadcast as well? It's my understanding that an access ID and a spoof program is all you need to convince a device you're a valid user. Have I got this wrong?
DireRadiant
QUOTE (Aerospider @ Jan 21 2010, 03:35 PM) *
Good example, except a SIN is more than a nickname and does more than differentiate you from the next guy on paper. Can't find the text right now, but somewhere it says how a trained eye can tell a fair bit about you from your SIN (probably age, place of birth, that sort of thing) and anyone who's seen half an episode of a two-bit TV series on con artistry will see possibilities in that.


So you can tell it's an ARES mid level SIN Issued 30 years ago in Detroit. Is that enough information to pass as that person when you spoof it?

Roll the dice. Sometimes it will, sometimes it won't. If it passes, then it was enough, if it didn't pass, then it wasn't enough.

QUOTE (Aerospider @ Jan 21 2010, 03:35 PM) *
As for spoofing, that was more about the access ID issue. Don't those have to be broadcast as well? It's my understanding that an access ID and a spoof program is all you need to convince a device you're a valid user. Have I got this wrong?


For some devices it will suffice, for others it won't. Roll your spoof test. If the test succeeds, it was enough, if it fails, then it wasn't.


You can also choose not to roll the dice, saying it works most of the time, and only roll whenever you think it's a good time to have a roll.

There's a range of possible outcomes, both in game and in the real world. It doesn't always work one way or the other.

Work it the other way. If the PC fails the roll, it's because the target system was doing X when the Spoof program was doing Y. If the roll was a success, it was because the system was expecting X and the Spoof program was doing X. If you got a glitch, then the system was expecting X, but the Spoof program started with Y, but then switched to X, but now there's going to be some minor issue.
kzt
QUOTE (DireRadiant @ Jan 21 2010, 09:12 AM) *
It can't be simply done by you displaying your forum handle.

Except in the real world encryption works, and none of us are layer 2 adjacent to the server or the user. With wireless you are L2 adjacent and encryption doesn't work. So by RAW it's trivial to spoof and you get all the credentials you need from anyone else querying.
LivingOxymoron
QUOTE (Aerospider @ Jan 21 2010, 11:35 AM) *
Good example, except a SIN is more than a nickname and does more than differentiate you from the next guy on paper. Can't find the text right now, but somewhere it says how a trained eye can tell a fair bit about you from your SIN (probably age, place of birth, that sort of thing) and anyone who's seen half an episode of a two-bit TV series on con artistry will see possibilities in that.

As for spoofing, that was more about the access ID issue. Don't those have to be broadcast as well? It's my understanding that an access ID and a spoof program is all you need to convince a device you're a valid user. Have I got this wrong?


I knew a guy in Marine Corps admin who'd been doing it for so long, he could deduce your state of birth and approximately when you were born just by your SSN.

Your SIN alone, however, is probably not sufficient to spoof yourself as someone else, just as a Social Security Number by itself is not sufficient today. Hell, when opening a bank account, you have to provide a SSN AND 2 forms of ID.

Just because a SIN is a number derived from real data about a person, there are probably lots of other cross checking things going on in the background to keep bad people from doing bad things to your information.

For example, if you spoof Joe Wageslave's SIN to buy a suit from Mortimer's of London, it might check it against other purchases associated with that SIN. If Joe Wageslave isn't in management and has never bought a suit in his life, the system might start more cross checking... such as checking the location of Joe Wageslave's comcodes on record. If it pings Joe Wageslave, and he's at work in the Ares building in Detroit while you're in Seattle, the system will probably call KE on the spot.
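The background cross-checking LivingOxymoron describes is what a risk engine behind the SIN check would do: compare the transaction with what is on record for the holder and decide whether to approve, ask for more proof, or stop and alert. This is an added example and not code from the thread or from any Shadowrun product; Joe Wageslave's purchase history, the cities, the amounts and the scoring thresholds are all constructed sample data, and the three signals scored (unfamiliar category, unusual amount, holder's registered comcode reporting from a different city) are the ones the post names.

```python
from dataclasses import dataclass

# Constructed model of the cross-checks described in the post. A purchase made
# with a SIN is scored against the holder's record: purchase categories seen
# before, the largest amount seen before, and the city the holder's registered
# comcode last reported from. All sample data and thresholds are made up.


@dataclass(frozen=True)
class Purchase:
    sin: str
    merchant: str
    category: str
    amount: int
    city: str


@dataclass
class HolderProfile:
    sin: str
    categories: set[str]   # categories that appear in the holder's history
    typical_max: int       # largest amount in the holder's history
    comcode_city: str      # where the holder's registered comcode last checked in


def build_profile(sin: str, history: list[Purchase], comcode_city: str) -> HolderProfile:
    own = [p for p in history if p.sin == sin]
    return HolderProfile(
        sin=sin,
        categories={p.category for p in own},
        typical_max=max((p.amount for p in own), default=0),
        comcode_city=comcode_city,
    )


def risk_score(p: Purchase, prof: HolderProfile) -> tuple[int, list[str]]:
    """Each signal adds to the score and records a human-readable reason."""
    score, reasons = 0, []
    if p.category not in prof.categories:
        score += 2
        reasons.append("category never bought before")
    if prof.typical_max and p.amount > 3 * prof.typical_max:
        score += 2
        reasons.append("amount far above usual spend")
    if p.city != prof.comcode_city:
        score += 3
        reasons.append("holder's comcode reports from another city")
    return score, reasons


def decide(p: Purchase, prof: HolderProfile) -> tuple[str, list[str]]:
    """Thresholds are arbitrary sample values: 5+ stops the sale and alerts,
    2-4 asks the holder for additional proof, below 2 goes through."""
    score, reasons = risk_score(p, prof)
    if score >= 5:
        return "deny and alert", reasons
    if score >= 2:
        return "step-up authentication", reasons
    return "approve", reasons


def demo() -> dict[str, str]:
    joe = "UCAS-JOE-001"
    # Constructed history: a wageslave buying small everyday items in Detroit.
    history = [
        Purchase(joe, "Stuffer Shack", "groceries", 40, "Detroit"),
        Purchase(joe, "Soykaf Stand", "food", 5, "Detroit"),
        Purchase(joe, "Detroit Transit", "transit", 10, "Detroit"),
    ]
    prof = build_profile(joe, history, comcode_city="Detroit")
    cases = {
        "suit_in_seattle": Purchase(joe, "Mortimer's of London", "clothing", 1500, "Seattle"),
        "groceries_at_home": Purchase(joe, "Stuffer Shack", "groceries", 35, "Detroit"),
        "cheap_shirt_at_home": Purchase(joe, "Bargain Threads", "clothing", 100, "Detroit"),
        "groceries_in_seattle": Purchase(joe, "Stuffer Shack", "groceries", 35, "Seattle"),
    }
    return {name: decide(p, prof)[0] for name, p in cases.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The suit bought in Seattle trips all three signals and is stopped outright, the post's "call KE on the spot" case, while a first clothing purchase at home or a routine purchase from an unexpected city only earns a request for more proof. Keeping the reasons alongside the score is what lets a reviewer see afterwards why a sale was blocked rather than just that it was.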
Dumpshock Forums © 2001-2012