Stating the obvious: The GT200 is a fraud | Bangkok Post: tech

OPEN Thought

It's the emperor's new clothes all over again. The GT200 is a fraud, but why are people so scared to say it?

As Nectec begins to test the GT200 dowsing bomb-detector divining rod, spare a thought to what happened back in 2005 when the centres was called in by the Prime Minister to resolve a disagreement between the ICT Ministry, who procured 12 million smart ID cards, and the Interior Ministry, who were to use the unusable cards as delays mounted in building a system around those cards.

In June 2005, the project to issue Smart ID Cards made headlines after the National Electronics and Computer Technology Centre, an agency under the National Science and Technology Development Agency, Ministry of Science and Technology, was called in to conduct a fact-finding study into the project, which at the time lay in tatters.

The ICT Ministry, charged with procuring the cards, and the Ministry of Interior (MoI), who were issuing and using them, were blaming each other for technical problems that had resulted in serious delays in the IT mega project.

The Nectec report found the cards sub-standard and non-compliant with the ToR on at least four key points. However, the ICT Ministry's own 10-person committee conveniently ignored the Nectec report and pronounced the cards compliant in a 5-3 vote. There was one abstention, one resignation and the representatives from the MoI, Nectec and the ICT Ministry's own legal affairs officer all voted the cards as non-compliant, but to no avail.

Democracy prevailed and the cards were compliant because the committee voted them as such, despite over- whelming scientific evidence to the contrary.

The four points identified by Nectec were that the 12 million cards were not Java-compliant; did not have any working PKI (public key infrastructure) encryption; did not have the required 32 KB of available memory; and could not safely add or remove applets without affecting other applets.

The vendor, ST Microelectronics, had supplied a card that had a non-Java, proprietary PKI engine which, while it may have worked, could not be tested, as it required a non-standard programming subroutine to invoke. They argued that the ToR did not explicitly call for official Java PKI, only that a form of PKI be present.

Nectec reasoned that a Java card without a Java encryption engine was not a Java card. Similar arguments ensued for the other points. Memory in particular was clear-cut to many, but not to the polit-bureau.

The card had 66 KB of memory, but only 32 KB was available to the JavaCard applications. However, 4 KB was used for a patch; a bug fix of sorts to help circumvent security to fix the memory management module.

That meant that only 28 KB was left for applications as delivered.

I asked the chairman of the acceptance committee how much 32 minus 4 was. She said: "They are compliant, as the committee voted them as compliant."

More worrying was the terms of the test. In his initial interview in 2005, then-Nectec Director Dr Thaweesak Koanantakool said the ICT Ministry and ST Micro had refused to give his team access to engineering documents which would have shown who signed off the production run, the memory partitioning and, more importantly, which programmes were installed in the native partition. He also said that during the test, the ICT Ministry had given his team only the minimum amount of time to run the tests and quickly took the card back afterwards.

However, Dr Thaweeksak's team did manage to find an EMV module - a Europay Mastercard Visa e-cash module - in the card hidden in the native partition.

Quite why ST Microelectronics provided a card that lacked what was called for in the Terms of Reference and instead provided lots of things that were not called for, such as the e-Money module, no doubt at considerable cost, remains a mystery to this day.

But back to the GT-200. The BBC's Newsnight programme has run an investigation on what it calls "magic wand" bomb detectors that include the AED-651 and the "almost identical" GT-200.

The BBC took the device to university scientists, who took the device and its substance cards apart only to find that the rod-holding device itself had no electronics all and the expensive substance cards were nothing more than pieces of cardboard with an RFID security tag glued to them to make them look a bit technical.

The black box holding the detector card was nothing more than an empty case.

Indeed, the summary was that the GT200 was nothing more than a (15th century) divining rod used by witches to find water.

Later, the UK business secretary slapped an export ban on the GT200 / AED 651 to Afghanistan and Iraq to protect the lives of British servicemen and the managing director of its maker was arrested on charges of fraud.

Makes one wonder why many politicians and specialists, as well as army people in Thailand, seem to be rallying behind the GT200. Should we not focus on the lives of the army personnel and villagers being blown up daily in the South rather than play political brinkmanship?

The device is a fraud. I fully expect my capable friends at Nectec to say it is a fraud, as much as I expect the Nectec report to find its way through committee after committee and a few years later, when dozens more have died from explosions, for a bureaucratic committee somewhere to vote it as being a proper bomb detector.

Of course, democracy is everything in this country and voting for an empty box with a wiggly diving rod attached as a bomb detector device makes it one. Besides, the blown-up soldiers and villagers who would argue otherwise are conveniently dead and thus do not get a say on the voting committee.

Why is society so scared of pointing out the obvious, that the emperor remains naked?