More good stuff, including how to make a gummy finger, at
Six leading academics have written to a Parliamentary committee to express their dismay at the way biometrics has been used as a magic wand which would have supposedly stopped Darling's great data giveaway. The six said of claims by the Prime Minister and his Chancellor: "These assertions are based on a fairy-tale view of the …
More good stuff, including how to make a gummy finger, at
I suppose it is a lot more practical than my usual rants to el-Reg (and anyone else).
I do however question whether any politician with an ID card agenda will
a) Read it
b) Understand it
c) Care about it
They'll probably just spew the usual rubbish; mention the words Terrorist/Peadophile/Organized Criminals and just expect everyone to forgive and forget for the "sake of the children".
Isn't it wonderful how politicians never bother to answer any questions (even in Parliment) and just stick to their briefs/agenda/agreed position/party-line irrespective of the points raised.
Biometric technology has a long way to go. My former workplace didn't bother using the biometric logins on their laptops on the basis that removing the hard drive of a stolen laptop would gain access to the data anyway, so other (less irritating to the staff) encryption methods would have to be used on the data itself. Seriously, this is just a push to enroll everyone in a scheme where misuse and theft would become commonplace. Sigh.
a neat idea from a uk company fingerpin http://www.fingerpin.co.uk - they use a sequence of fingerprints so the user can change their sequence whenever... interesting one for british inventiveness.
It dismays me that the blatantly obvious seems to need to be pointed out all the time. What does that say about my fellow citizens, or those elected to high office on the basis of their own interest, who they know, and good social/people skills?
What seriously? You mean the bad guys can change the biometric details and still use the ID, and yet the ID is more trusted than ever before? Who'd have thought it? Well that's it then, everyone on the database, and police and shopkeepers and Uncle Tom Cobbley make spot checks of everyone's card data, say 5 times a day, on their hand held radio connections to the database? Just so long as the initial data load is ok, don't worry, just do as you're told. Trust me, I'm an authority figure, I don't go around tasing anyone.
It's about time these idiots stepped down. They are clueless about the technology, think the public are idiots and seem to think saying sorry and ordering a review will fix it.
Why not review all practices and examine the workings before anything goes wrong?
Have they not heard of the term "audit"?
The first thing any minister should do when they take the reigns of a department is discover how it works
"Once lost, it would be impossible to issue a person with new fingerprints."
Really? Maybe I watch too many movies, but can't you burn off your fingertips with acid? I would have thought you could at least alter them with a quick exposure.
If I'm right about this, the government will probably make regular fingerprint changes mandatory for security, like companies make employees change their work passwords regularly. It would at least be satisfying to watch El Reg's local IngSoc comment trolls go through it. "Yep, time to change my fingerprints. I don't mind, after all we do need to defeat terrorism and keep out those filthy ni^H^H^H^H secure Britain's borders. And I have nothing to hide, so I have nothing to OH GOD IT BURNS MAKE IT STOP OH GOD PLEASE PLEASE STOP IT BURNS PLEASE so anyway like I was saying it's a small price to pay for security, don't talk to me about human rights, what about our right not to be killed by terrorists, and if you don't like Britain, why don't you leave?"
It's interesting to see journalists in the mainstream media waking up to the shortfalls of biometric technology (The Register excluded of course). The movies have covered this many times; latex fingerprints, realistic face masks, severed digits or someone else's eyeballs. Biometrics are not a foolproof security mechanism - they are not secret (in particular facial biometrics!), can therefore be spoofed (depending on the level of countermeasures in the biometric system) and are really difficult to revoke once compromised (so-called cancellable biometrics have been researched but have somewhat limited applicability).
However - this does not make biometrics irrelevant as a means of adding security in relation to identity. After all, biometrics are used in this way by humans everyday - whether facial recognition, voice recognition or gait recognition. It is the appropriateness of the application that is important. Being able to access valuable services in an unsupervised environment using a total internal reflection fingerprint scanner based on a single factor only (i.e. the finger) is indeed foolish. It is relatively straightforward to overcome this security and once your biometric has been compromised you can't do much about it until the system is changed. Do the same thing with 2 factors however and the security is increased. The fraudster has to first get hold of your token or pin, which you can cancel like a credit card. This level of security is adequate for many applications.
In terms of "spoofability" - everyone agrees that faking fingerprints is relatively straightforward. This is partially true, though scanners by some manufacturers are much much more difficult to overcome, such as 3d systems (e.g. touchless biometric systems) and multispectral scanners (e.g. lumidgim) - something not covered by the somewhat poorly researched bad science article linked to by Neil. Others biometric modes such as fingervein are much more difficult to fake. Combine different modes together and the difficulty present to the fraudster is extremely high (imagine trying to present a fake 3d face biometric and fake hand biometric at the same time).
It’s also an exaggeration to say that a biometric "is lost for life" once compromised. We have a face photo on our passport to prove it is ours. If someone manages to create a Mission Impossible style mask so they can look like you is your facial biometric lost for life? Or a more realistic example - before chip & pin, if someone was able to forge your signature did that mean you could never use that signature again?
Anyway, the point is that while biometrics are not a panacea, and only form part of a security system anyway, they can in many circumstances add to that security (and here's the usual bleedin obvious ending) provided they're used appropriately.
Re "if you don't like Britain, why don't you leave?"
Lets go, then see them try to build a database. Anyone got any suggestions as to where? Should be lots of work in outsourced projects available, after all doesn't the fatherland need an ID card system? We could probably make a billion or two profit.
"Really? Maybe I watch too many movies, but can't you burn off your fingertips with acid? I would have thought you could at least alter them with a quick exposure."
Yes, you can use acid to remove your prints, but the problem is they re-appear as your body heals and come back the same as before.
well Sir David Varney may help with his plans "to create a giant centralised government database containing information about everybody in the country" might be enough to push it
I used to think HMG incompetence would be on our side with ID card scheme - i.e. they wouldn't be able to get it to work, but now it appears they can make it worse than paying a bit more tax - free data to fraudsters
Can't you cut out two or three equal-sized areas of skin (just a few mills across) and interchange them? After the initial agony, and the few weeks letting the grafts grow, you'd get new, semi-permanent patterns!
What's all this tosh about theft of biometrics ? There doesn't need to be any thievery involved, since the British Government has amply demonstrated that it is perfectly capable of releasing data into the wild on its own !
What's protecting the biometric data? What happens when someone gets the hashes/pictures/etc of the fingerprints, matched up to owners, then uses that data? There's still data to be lost/misappropriated/stolen/faked.
What I would like to know, is if they make the readers accurate, would that argument I once had with a blunt pen knife render me unrecognisable for a week?
What biometrics are they planning on using for people with no hands? There would have to be more than one biometric system in place to cater for that, but most biometric things I've seen either concentrate on finger prints or iris scans.
AC, "some perspective on biometrics", thank you for your +5 insightful post.
As is suggested, one of the traditional biometrics (the signature) is being phased out as it is too simple to defeat - not helped by the fact that the two security factors (the card and the signature) were kept together, and the signature was visible. For a number of years before Chip'n'Pin I had a cheque/debit card which had an additional biometric factor - my photo was etched into the reverse of the card. This works both ways - as this was genuine it would prevent the casual misuse of by card by an opportunistic villain, but if it had been falsified it would have presented a false verification.
The prevalence of identity fraud today is partly due to the security factors in many cases being *only* ones protected by obscurity. "What is your mother's maiden name" isn't much help if, like me, all your family details are published in Debrett. And so many systems today have a genuine security factor (a password) which can be defeated using a less secure factor. As long as agencies use obscurity protected security factors, sources like the NIR will be the ultimate honeypot, with or without the biometric silver bullet.
The thing is, villains don't need to defeat the tightest security, they only need to defeat the weakest bit. If your datacentre has a three factor security controlled front door, they only need to jemmy the yale on the back door (assuming it isn't on the latch). They don't need to guess your password, they only need enough information to reset it. They don't need to dive through your used teabags for your old bank statements, they just need to find a lost mailbag - you see, for most fraud they don't need to target a specific victim, anyone will do. That is why the HMRC discs are so valuable - if good fortune provides them with one security factor for *anybody*, the discs will provide other obscurity protected ones with a 50% likelihood of success.
Well I was going to do this but then I realized it was easier to just kidnap the target's family and make him do what I wanted. He was quite well off before he sold his house.
Your fingerprints may (indeed offen do) reappear after being burned off, depending upon how much scarring you leave behind, they are no good if they are compromised by scar tissue. What noone seems to have a solution to (or even be discussing) is what about the 5%ish of people who have jobs that constantly wear down their fingertips:
Brickies / builders
I'm sure there is more, but that would seem a significant portion of the population, enough to trash the whole biometrics aspect of the ID cards (if not the whole thing) anyway.
the current government have such a hard-on for biometrics.
It could have been just wishful thinking and a load of flannel from putative sellers of equipment but there have been so many people showing them how it can go wrong, so little saying how that could be fixed and so many adamant statements that it WILL go ahead that it cannot be just that.
But even if it were so that the current stock of MPs can go (like Blunkett did) to biometrics firms for a job when the MP job falls through, that would
a) be too obvious
b) not enough to override other venues of feather-bedding
so I'm left wondering what the clucking bell is happening to make them so blind to the problems with the NIR.
For Tony and GWB I could see that it could be religiously led: the rapture will be preceeded by several signs, including a hidden mark on each person without which they cannot live work and buy (oooh! NIR!!!) and then all the good people will be taken to heaven to watch the bad people being fried for all eternity.
But it can't be all that widespread.
So what's going on?
I think there is a general misunderstanding of how they propose to use biometrics to link individuals to an electronic identity/identity card. As far as I understand it the proposal is to use a biometric to unlock a digital certificate stored on a smartcard which may have other identifiers on it also, such as photo, name, mag stripe, 3D barcode etc. The biometric replaces the PIN normally used to release such information from a card (such as a credit card etc). I don't think anyone is proposing to have a single biometric identifier system since that would be pretty unworkable (the computing power needs to identify 'who am I' rather than 'am I who I say I am').
The biometric is just used to create a very large number when hashed through an algorothim; you can't steal it since it is just a number, and most secure systems will reject exact matches anyway, while encrypting and timestamping traffic between reader and card.
It does all work, but very expensive, and you need to be very sure who people are at registration. Only took 3 months to do paper ID cards though last time
It is sufficient to bind the issuing of the ID to biometrics.
From there on simple PKI will do which does not need any connection to the central database. That can be implemented using currently existing mass produced tech. Smart card readers have been around for ages. Most smart cards can carry 32-64K data which is enough for your certificate and a signed photo.
1. Forgery becomes practically impossible. You cannot forge a PKI signed ID.
2. It is trivial to hook up the reader to a display to show the data of the person.
3. It does not need verification versus a centralised database.
So the ID can work and it does not need an access to centralised database on every verification.
I know there are other biometric systems but I don't really expect my local branch to have a 3d body scanner outside the local hole in the wall. I don't really expect it to have an iris scanner. It will be a simple fingerprint reader on the card or on the machine itself followed by insertion of the card to read the chip (validated as being held by me) and then the PIN (which validates the chip).
I really don't see how this stops the criminal from mugging me as I extract the money from the machine. Tell you what would tho.. simple CCTV.
"Was this you taking the money out of this machine?" "Yes"
"And is this the guy mugging you?" "Yes"
"I'm sorry sir but he doesn't appear to have a National ID card on him, we therefore can't prosecute him".
I wonder how many Nulabour freaks watched Diamonds are Forever the other week where Q fashions a fake fingerprint Bond could stick on his fingers.
Extreme scifi you would think, I wonder if they saw the Mythbusters episode where the same thing was done for real, and fooled their vast array of security devices - even the airport style readers.
Now, would you want anybody downloading the data to do that to you!
Drill and sandpaper may be the only way of escaping fraid - thats if the meat cleaver is unavailable.
"Combine different modes together and the difficulty present to the fraudster is extremely high (imagine trying to present a fake 3d face biometric and fake hand biometric at the same time)."
Imagine also the cost of providing a hand and face biometric scanner at every EPOS in the country. Or even every benefit office. Imagine *another* zero on the end of the bill for implementing it. For no increase in the return.
Biometric ID will do nothing to protect the identities of members of the public in ways that are meaningful. Greedy loan companies will still allow postal applications in your name. Stuff can still be bought across websites from overseas using your details. How do you validate a biometric ID token from so far away?
FYI - based on what's happening in Japan I wouldn't expect simple fingerprint scanners to be used at cash machines. in Japan many cash machines already incorporate finger vein scanners, which are used by customers in conjuction with PIN and cash card. Simple fingerprint scanners weren't seen as appropriate by the Japanese Banks. Also worth adding that in Japan cash dispensers are rarely if ever outside "hole in the walls", and are instead located within shops, offices, stations etc.
While it's true that some of the bio systems you mention are hard to compromise, you can bet your boots that our governement will buy the cheapest, shittest hardware / software systems they can lay their hands on.
Then they'll 'protect' it by making sure anybody can access it ('admin' and 'password' are tried and tested favourites) - this should save on costs a bit (especially if somebody forgets their password)
Then they'll give every public servant you can think of access whilst selling as much of the information as they can to companies (and remember, the NIR has been enabled with statutory instruments that will allow the home secretary to increase the amount of data collated about you with NO recourse to parliament).
Well come on - how else are you going to raise revenue when we've got no industry and are massively in debt?
It beggars belief that this government don't understand that, by *losing* 25 million citizens' personal information, they have forfeited any rights they might conceivably have had to even consider thinking about collecting and storing even more personal information. Which is to say: Gordon, get f**ked.
"so-called cancellable biometrics have been researched but have somewhat limited applicability" - Forgive me, but I wondered how one might go about cancelling someone's biometrics - and then immediately thought of a large leather-clad bloke with a shotgun - "Your biomedric dada has been turminaded!" *BANG*
The only thing that biometrics would have achieved in this case would have been even more detail included in the data lost by Civil "Service" incompetence.
So as well as being able to obtain known accurate NI numbers, names, addresses, dates of birth, and bank details, they'd have had all the biometric data as well.
So, would Brown or Darling care to explain, in great detail, how the hell that's supposed to be better than what happened? Of course not, because they're a couple of stinking liars, just like everyone else who thinks ID cards are a great idea and will do anything to convince the general population, who sadly are unquestioning enough to fall for their crap. Bloody sheep.
Agreed regarding the cost issue (at present day prices anyway) but that's all part of the cost benefit argument - i.e. is the solution appropriate to the problem, funding etc. Some multibiometric systems can be achieved in theory at relatively low cost, e.g. 2d face + voice, face + finger etc. Then there are other issues around usability, ergonomics and the like. Anyway, stating the obvious I guess.
Regarding chopped off fingers, there's at least one biometric scanning mouse (!) available now that scans for vein action in the palm - it needs a living sample to do this by some process involving blood flow through the veins. That's one step in the right direction.
Regarding partial fingerprints, forget all your spy nonsense about acid and skin grafts. I have eczema which is worst on my fingers, and although it's not always present, when it gets bad, basically my outer layer of skin (= my fingerprints) dies and peels off. For a while I have no fingerprints, and depending how well I treat it or how badly I treat it, I may have blank or scarred fingertips for quite some time. This does not bode well for fingerprint logons.
Just some thoughts...
"1. Forgery becomes practically impossible. " - lol.
Following the theme the T1000 would have no problem cancelling its biometrics.
Joking aside, if you want to find out more on "cancellable biometrics" see this (not written by myself I hasten to add)
The trouble is, Anton, that, as you admit, biometric forgery is only 'practically' impossible. In other words it IS possible given enough time and effort.
And unlike when someone gets hold of your pin, once someone has forged your biometrics, you are totally f*cked!
Even if you manage to convince the powers-that-be that your ID has been forged (and you were lucky that it was just someone cleaning out your bank account and not buying bomb making gear using it) then the only option is to blacklist your ID so nobody can do that again. Trouble is, you are stuck with it, so YOU are, in effect, blacklisted yourself.
Imagine living with 'blacklisted' biometrics. Try to open a bank account, get a loan, rent a car, travel by air, etc, etc, etc.
"there's at least one biometric scanning mouse (!) available now that scans for vein action in the palm - it needs a living sample to do this"
And how many fingers will be chopped until all of the criminals realise it ain't working?
Will *every* machine have this feature, and a big sign telling the world and their dog, in multiple languages (for the foreign criminals...) that it needs a *living* finger to work?
You need to affect to key points (deltas/loops/whorls) to change/destroy your prints. It doesn't heal back the same if you use a chemical like lye:
This is (sort of) common knowledge. If you use a scalpel to cut the core, delta, and any other really bold characteristics (epidermis only, not deep into the dermis), making a 2-3mm incision and then use tweezers to insert a small grain of lye (yes, this will really really really hurt, and the chemical burn will take about a minute to complete) there will be a nice dark cavity burnt into the dermis with not too much outer damage. Clip away epidirmis to leave the cavity completely open, apply healing salve, bandage finger and move on to the next finger.
The traumatised dermis will heal, but it will do so unevenly and although the ridges in the epidermis will heal to an extent, the ridges will be misaligned, and your cores and deltas will be destroyed.
I've never tried this but I'm confident that it would work. I do have one missing print due to a sustained 240V shock that burnt a very deep hole into the end of my right index finger. This happened 14 years ago and theres still no ridge detail at all there.
I'm slightly confused and disappointed by the academics response and, to some extent, by the other comments on the piece. Either I'm missing the point or they are.
The real significance of the political comment of the form "Biometrics would have helped prevent" the datastrophe is that it reveals that politicians have no idea about the role of biometrics or data security.
The disaster happened because 25 million records were copied, insecurely, to CDs and then posted, insecurely to the Audit office.
At what point in this chain would they expect biometrics to be invoked? Personally, I would quite like it if only the person whose biometric matched the data being requested could access that data, but that is certainly not what government has in mind for large scale data sharing. (It would imply the need for 25 million people to log on, perform biometric authentication and agree to the data transfer)
The only role I can see for biometrics within that kind of data sharing transaction is in confirming the identity of those requesting the data and those transmitting it. How the hell would either of those prevented the leak of the actual sensitive data?
Given that they already know the identity of the guilty parties and those identities are not - so far as I know - being disputed, the biometrics would have added no value whatsoever to the process.
The world has changed. No longer do we live in small communities where everyone knows everyone. In the physical world we are anonymous, and in the online world even more so. So if we need to strongly prove or protect our identity, e.g. to open a bank account or perform and online transaction how do we do it? We can point to our biographic footprint and provide a whole range of credentials - passport, birth certificate, bank statements etc. But this is fairly weak in itself (see confidentialaccess.com as a scary example of how vulnerable many of these documents are) and many of these credentials give away a lot of other information about ourselves - e.g. where you've travelled to recently, your parent's middle names, and how good you are with your finances. Instead we can cryptographically tie a difficult to copy electronic measure of our personal biology (that says nothing about us as a person) to a credential that can be revoked. Am I the only one that thinks this is a technically reasonable solution? It might be expensive (though cost is a separate argument), and there may be flaws (there's always a security "arms race" to contend with, and not all biometrics are suitable for all people), but in principle it seems to me a good way forward.
Principle and practice can be very different, and cost-benefit debates depend a lot on your personal circumstances. What I want to understand is whether people here are against biometric credentials in principle, as a technical solution - or whether it's about implementation incompetence, lack of trust in government and/or cost?
The royal mail must be laughing at getting a nice christmas bonus
25,000,000 letters @24p = £6,000,000 of tax payers money wasted
Not much point in saying that the government has no "right" to do this. The government can do whatever it likes. That's what makes it the government. We lost /our/ right to question what rights the government had when we decided that having an entity periodically take over half our earnings away at swordpoint (now gunpoint) was not only bearable, but somehow right and proper.
Some require blood in the "finger" but don't use proper scanning techniques, so you can take a photocopy of someone's fingerprint (paper) and hold it there with... your LIVE finger.
Alternatively, jusr replay the data of a valid biometric validation and it doesn't matter what the *sensor* says. This is known as code injection.
So as long as this sort of identification can be done in private (or with a few people who you can buy off or include in the deal) you can bypass ANY security. As long as the payoff is enough.
"Code injection", or rather replay attacks, applies just as much to passwords etc as toit does to biometrics. You just have to handle the biometric data in a way that prevents code injection from the sensor to the recipient code.
As for the photocopied fingerprints - the attack works on *some* optical devices only. This is unlikely to work on capacitive sensors, and no fake finger attack that I'm aware of (including gummis) works on mutlispectral scanners (which use the subdermal layer to build a fingerprint image).
"...don't use proper scanning techniques" - what does that mean technically? In fairness though, most *fingerprint* biometric systems are poor at liveness detection (as opposed to fake finegr detection). Ones that check blood flow or pulse don't work well on those with poor circulation and even if they did this extra check introduces significant errors that increase the number of "false rejects" from a system. An interesting question here is what is "liveness"? I've seen demos of tech that can potentially detect the live activity of sweat glands in the skin but this too is likely to be prone to error.
You've hit the nail on the head in terms of ID in private. It's about payoff versus effort. If for example you design your biometric to use palm vein, then it's going to be expensive (assuming replay attacks are prevented) to overcome. If the payoff is enough though then you might want to kidnap the person with the biometric to get past the security, or construct an elaborate 3d vein model that can fool the system. I think many criminals would opt for the former - just as they have as a reaction to modern car security (many more car jackings now, and burglaries to get keys, than in the past - fewer overall car thefts though!).
I think that what Darling and Brown meant was that even though the criminals may have your bank account, NI, address, and childrens details, said criminals could not use it because they would not be able to do anything without your physical biometrics.
This assumes that all future credit applications will require a biometricly verified ID before it is granted. This may also close down the 'loans over the phone' service, unless someone sets up biometric actuaries to allow you to identify yourself remotely from the loan company (at the moment, it just requires signatures). Also, how are we to set up Direct Debits
What they appeared to say was that the data could not be seen without the biometrics. Imagine that.....
"Ring Ring... Good afternoon. This is the National Audit Office. We've been sent your child benefit details by Revenue and Customs, but we can't see it unless you come down and let us scan your fingerprints"
Repeat 17 million times.
No, biometrics will not PROTECT the data (which is what they said) but it may prevent it being USED. Or not. I'm sure you could scam your local Blockbuster, and get a few DVD's with the info. They will not check biometrics.
Biometric data cannot be confidential - anyone can capture someone else's fingerprints or iris or facial image. Biometric data could only be of value on the assumption that risk-holders will rely on unsupervised capture of biometric data - which would be thoroughly unsound. If that is what the scheme is proposing then it is flawed, however well protected the data in the register itself may be.
For remote or unsupervised access, other means - e.g. dedicated devices not unlike those some banks are issuing - could be used to provide two-factor authentication. This may not be quite as strong in theory as biometric verification (especially with match on chip) but it will cover most day-to-day risks. The larger risks will probably need additional measures anyway.
Sensitive data should at least use two-factor authentication. Truly critical data should use all three factors.
Something I know (password)
Something I have (security card)
Something I am (biometric)
Only the correct combination of all three factors should unlock sensitive data.
..are a bunch of f**kups trying to protect their own arses. The only people who will profit from this, at our expense of course, are EDS...go figure
Up the revolution
Well we already chip our pets these days...So why not the population as well!
We could use that to verify whats on the ID cards ... errr wait .. was that phase 2 of the national ID card scheme?
Well we already chip our pets these days...So why not the population as well!
We could use that to verify whats on the ID cards ... errr wait .. was that phase 2 of the national ID card scheme?
Ben Goldacre wrote a piece on the fallibility of biometrics in last Saturday's Guardian (http://www.badscience.net/2007/11/make-your-own-id/), and for his trouble, he was subjected to a bizarre rant by Andrew Orlowski on 27 November in El Reg (http://www.theregister.co.uk/2007/11/27/guardian_use_me_as_a_mouthpiece/).
Can someone please explain to me exactly how the points which Goldacre made are substantially different from those highlighted by the six academics, and reported in this article in El Reg?
And why did Orlowski's piece not have a link to enable readers to add their comments?
a) I'm over the age at which most other countries accept immigrants, and
b) all the other countries are on the same population control freak juice anyway.
Long live the revolution!
As the intrepid Miffbusting team proved, fingerprint scanners can be fooled. They set the lock to accept *only* Mr. Imahara's fingerprints, so his robot collection would be safe.
But then, Kari Byron used her Feminine Wiles on the poor defenseless robo-geek, flashed her big brown eyes at him and asked him: "Oh Grant, would you copy these CDs for me?" Grant, of course, was helpless. They then proceeded to lift his fingerprints off the nice smooth CD case, photo-copied them, cleaned up the thumb print and transferred it to a latex model. They were then able to open the door.
The main problem when dealing with fingerprints in a criminal context is *not* leaving them all over the place. Obtaining fingerprints that were inadvertently left somewhere incriminating, then identifying the miscreant, is one of the greatest blows against Crime.
fscked by SHA-1 collision? Not so fast, says Linus Torvalds