Slashdot Mirror
Gillette Buys Half a Billion RFID Tags
prostoalex writes "Gillette announced its intent to purchase 500,000,000 RFID tags from startup Alien Technology. The company expects to introduce RFID tags into its pallets and cases, according to the article. Alien Technology was the first company to introduce an RFID tag with price lower than 10 cents, even though some people claimed it could not be done."
Was to get first time working silicon ... not what you suggested.
I have to wear my tinfoil hat while shaving too??
"I would say that 99 per cent of what my father has written about his own life is false." - L. Ron Hubbard Jr.
But when posting an acronym that is not that common / RFID? why not put up the translation for those not in the know?
And why do they have a "journal?" I guess I just don't get it. I was expecting a news story, but instead there was a press-release about how cool it was that Gillette was doing this.
Quote from the article:[snip] "People couldn't stop talking about it over lunch," says one person present, who didn't want to be identified. [/snip]
he was later scanned, and identified as RFT number 167434343
According to the article, the larges prior order was for 30 million tags. It doesn't give a time frame other than delivery starts in March, so I wonder how well the company can absorb such an order. One assumes this order is not a complete suprise to the upper management. People may think huge orders are always great but if production capacity is exceeded, it can be a serious curse in disguise.
that it bears out everything Slashdot, the Million Book Project, Kahle and so on have been saying about the benefits of freeing IP, how this does *not* hurt large companies, and how it lets everybody do more.
The Auto-ID Centre, who developed the standard and technology are 'a not-for-profit group established by MIT to develop a system for using the Internet to identify goods anywhere in the world...It is funded by large companies who want to use RFID to track goods and who believe an open standard is critical..just as the world uses one network to share information -- the Internet -- it may be possible to use that same network to share information stored initially on an RFID tag...Strictly speaking, the intellectual property belongs to the universities where the research is being conducted. However, the intellectual property will be freely available to any company that wants to use it...the Auto-ID Center may be the first time in history that companies from different industries and different regions of the world have come together to develop technology they feel would benefit their businesses - and their competitors' businesses.' (quotes from http://www.rfidjournal.com/FAQ2.html)
These guys get it, and as they've convinced companies of the size of Gillette, Cocoa-Cola, Pepsi, P&G, Johnson & Johnson, Unilever, Wal-Mart and others to sponsor this, maybe that's a sign that these companies are, or will, getting it too. There's hope yet.
The article read like a company press release and doesn't really cater to the uninitiated so, to those of you in the "know":
What exactly is an RFID tag and why would Gillette want so many of them?
RFID = Read the Fucking Identification?
http://www.rfid.org/
yes, I am karma whoring!
09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
Now they'll be able to tell if I'm shaving in the car, by tracking me with the RFID tags! Er... wait, oh, they're putting them in the shipping palettes. You had me worried there. Uh... wait, why is this on the front page then? I'm confused, better go get my tinfoil hat.
using namespace slashdot;
troll::post();
...an average product label, say on the back of a TV or computer monitor, costs approx. 10 cents right now.
I can see RFID taking off, but I can also see issues, such as Japan not allowing this technology at this time, and later, some countries charging a fee to dump this little ditty into a land fill, as part of the original product.
If they can BlueTooth the output, and the cost of read/write comes down, I've got a ton of uses for these things today...
They plant these things in the scalps of newborns? Talk about big brother!
...that the name of the company is ALIEN technology. Oh my god it's starting! Quick! somebody get Mel Gibson and a glass of water.
Yes, this is a tad redundant since quite a few people have given links to FAQs which thoroughly give this information. Mod kindly.
That said, RFID = Radio Frequency IDentification. Narrowing our vision to current practical uses, RFID tags are embeded in something one wishes to scan, identify, or track. The idea with low cost RFID tags like Gillette is buying is that they are passive. Readers for the chips emit a signal which actually supplies the power for the chip. For those who haven't had physics, this is akin to how a crystal radio works (with no battery at all). Low-cost, passive chips like this have a range of only about 10 ft, however, so don't go too 1984.
You like splinters in your crotch? -Jon Caldara
posted as AC for karma rasonZ
What Is Automatic Identification?
Automatic identification, or auto ID for short, is the broad term given to a host of technologies that are used to help machines identify objects. Auto identification is often coupled with automatic data capture. That is, companies want to identify items, capture information about them and somehow get the data into a computer without having employees type it in. The aim of most auto-ID systems is to increase efficiency, reduce data entry errors, and free up staff to perform more value-added functions. There are a host of technologies that fall under the auto-ID umbrella. These include bar codes, smart cards, voice recognition, some biometric technologies (retinal scans, for instance), optical character recognition, radio frequency identification (RFID) and others. Back to Top
What is RFID?
Radio frequency identification, or RFID, is a generic term for technologies that use radio waves to automatically identify individual items. There are several methods of identifying objects using RFID, but the most common is to store a serial number that identifies a product, and perhaps other information, on a microchip that is attached to an antenna (the chip and the antenna together are called an RFID transponder or an RFID tag). The antenna enables the chip to transmit the identification information to a reader. The reader converts the radio waves returned from the RFID tag into a form that can then be passed on to computers that can make use of it. Back to Top
How does an RFID system work?
The system consists of a tag, which is made up of a microchip with a coiled antenna, and an interrogator or reader with an antenna. The reader sends out electromagnetic waves that form a magnetic field when they "couple" with the antenna on the RFID tag. A passive RFID tag draws power from this magnetic field and uses it to power the microchip's circuits. The chip then modulates the waves that the tag sends back to the reader and the reader converts the new waves into digital data. Back to Top
Is there any health risks associated with RFID and radio waves?
RFID uses the low-end of the electromagnetic spectrum. The waves coming from readers are no more dangerous than the waves coming to your car radio. Back to Top
Why is RFID better than using bar codes?
RFID is not necessarily "better" than bar codes. The two are different technologies and have different applications, which sometimes overlap. The big difference between the two is bar codes are line-of-sight technology. That is, a scanner has to "see" the bar code to read it, which means people usually have to orient the bar code towards a scanner for it to be read. Radio frequency identification, by contrast, doesn't require line of sight. RFID tags can be read as long as they are within range of a reader. Bar codes have other shortcomings as well. If a label is ripped, soiled or falls off, there is no way to scan the item. And standard bar codes identify only the manufacturer and product, not the unique item. The bar code on one milk carton is the same as every other, making it impossible to identify which one might pass its expiration date first. Back to Top
Will RFID replace bar codes?
Probably not. Bar codes are inexpensive and effective for certain tasks. It is likely that RFID and bar codes will coexist for many years. Back to Top
Is RFID new?
RFID is a proven technology that's been around since the Second World War. Up to now, it's been too expensive and too limited to be practical for many commercial applications. But if tags can be made cheaply enough, they can solve many of the problems associated with bar codes. Radio waves travel through most non-metallic materials, so they can be embedded in packaging or encased in protective plastic for weather-proofing and greater durability. And tags have microchips that can store a unique serial number for every product manufactured around the world. Back to Top
If RFID has been around so long and is so great, why aren't all companies using it?
Many companies have invested in RFID systems to get the advantages they offer. These investments are usually made in closed-loop systems - that is, when a company is tracking goods that never leave its own control. That's because all existing RFID systems use proprietary technology, which means that if company A puts an RFID tag on a product, it can't be read by Company B unless they both use the same RFID system from the same vendor. But most companies don't have closed-loop systems, and many of the benefits of tracking items come from tracking them as they move from one company to another and even one country to another. Back to Top
Is the lack of standards the only thing that has prevented RFID from being more widely used?
Another problem is cost. RFID readers typically cost $1,000 or more. Companies would need thousands of readers to cover all their factories, warehouses and stores. RFID tags are also fairly expensive - 50 cents or more - which makes them impractical for identifying millions of items that cost only a few dollars (see below). Back to Top
How much do RFID tags costs?
They can cost as little as 30 cents or as much as $50 depending on the type of tag and the application. Generally speaking, finished smart labels that can be applied top products typically cost 50 cents or more. Active tags - those with a battery - can cost far more. And if you bundle in a sophisticated sensor, the cost can rise to more than $100. Back to Top
What is the difference between low-, high-, and ultra-high frequencies?
Just as your radio tunes in to different frequency to hear different channels, RFID tags and readers have to be tuned to the same frequency to communicate. RFID systems use many different frequencies, but generally the most common are low- (around 125 KHz), high- (13.56 MHz) and ultra-high frequency, or UHF (850-900 MHz). Microwave (2.45 GHz) is also used in some applications. Radio waves behave differently at different frequency, so you have to choose the right frequency for the right application. Back to Top
How do I know which frequency is right for my application?
Different frequencies have different characteristics that make them more useful for different applications. For instance, low-frequency tags are cheaper than ultra high frequency (UHF) tags, use less power and are better able to penetrate non-metallic substances. They are ideal for scanning objects with high-water content, such as fruit, at close range. UHF frequencies typically offer better range and can transfer data faster. But they use more power and are less likely to pass through materials. And because they tend to be more "directed," they require a clear path between the tag and reader. UHF tags might be better for scanning boxes of goods as they pass through a bay door into a warehouse. It is probably best to work with a consultant, integrator or vendor that can help you choose the right frequency for your application. Back to Top
Do all countries use the same frequencies?
No. Europe uses 868 MHz for UHF and the U.S. uses 915 MHz. Japan currently does not allow any use of the UHF spectrum for RFID. Government's also regulate the power of the readers to limit interference with other devices. Some groups, such as the Global Commerce Initiative, are trying to encourage governments to agree on frequencies and output. Tag and reader makers are also trying to develop systems that can work at more than one frequency, to get around the problem. Back to Top
I've heard that RFID doesn't work around metal and water. Does that mean I can't use it to track cans or liquid products?
No. Radio waves bounce off metal and are absorbed by water at higher frequencies. That makes tracking metal products or those with high water content problematic, but good system design and engineering can overcome this shortcoming. In fact, there are applications in which RFID tags are actually embedded in metal auto parts to track them. Back to Top
What's the difference between passive and active tags?
Active RFID tags have a battery, which is used to run the microchip's circuitry and to broadcast a signal to a reader (the way a cell phone transmits signals to a base station). Passive tags have no battery. Instead, they draw power from the reader, which sends out electromagnetic waves that induce a current in the tag's antenna. Semi-passive tags use a battery to run the chip's circuitry, but communicate by drawing power from the reader. Active and semi-passive tags are useful for tracking high-value goods that need to be scanned over long ranges, such as railway cars on a track, but they cost a dollar or more, making them too expensive to put on low-cost items. The Auto-ID Center is focusing on passive tags, which cost under a dollar today. Their read range isn't as far - less than ten feet vs. 100 feet or more for active tags - but they are far less expensive than active tags and require no maintenance. Back to Top
How much information can the tag store?
It depends on the vendor and the application, but typically a tag would carry no more than 2KB of data - enough to store some basic information about the item it is on. Back to Top
What's the difference between read-only and read/write tags?
Chips in RF tags can be read-write or read-only. With read-write chips, you can add information to the tag or write over existing information when the tag is within range of a reader, or interrogator. Read-write tags are useful in some specialized applications, but since they are more expensive than read-only chips, they are impractical for tracking inexpensive items. Some read-only microchips have information stored on them during the manufacturing process. The information on such chips can never been changed. A more flexible option is to use something called electrically erasable programmable read-only memory, or EEPROM. With EEPROM, the data can be overwritten using a special electronic process. Back to Top
What is reader collision?
One problem encountered with RFID is the signal from one reader can interfere with the signal from another where coverage overlaps. This is called reader collision. One way to avoid the problem is to use a technique called time division multiple access, or TDMA. In simple terms, the readers are instructed to read at different times, rather than both trying to read at the same time. This ensures that they don't interfere with each other. But it means any RFID tag in an area where two readers overlap will be read twice. So the system has to be set up so that if one reader reads a tag another reader does not read it again. Back to Top
What is tag collision?
Another problem readers have is reading a lot of chips in the same field. Tag collision occurs when more than one chip reflects back a signal at the same time, confusing the reader. Different vendors have developed different systems for having the tags respond to the reader one at a time. Since they can be read in milliseconds, it appears that all the tags are being read simultaneously. Back to Top
What is the read range for a typical RFID tag?
The read range of passive tags depends on many factors: the frequency of operation, the power of the reader, interference from metal objects or other RF devices. In general, low-frequency tags are read from a foot or less. High frequency tags are read from about three feet and UHF tags are read from 10 to 20 feet. Where longer ranges are needed, such as for tracking railway cars, active tags use batteries to boost read ranges to 300 feet or more. Back to Top
Are there any standards for RFID?
Yes. International standards have been adopted for some very specific applications, such as tracking animals. Many other standards initiatives are under way. To see a list of standards initiatives prepared by AMR Research, click here. The most interesting efforts involve GTag, which is promoted by EAN and UCC as a way to communicate with UHF tags; ISO 18000-6, which is an international effort that forms the foundation for the GTag standard; and the Auto-ID Center's electronic product code. The EPC and the technology surrounding it is not a standard in any formal way, but the Auto-ID Center hopes that it will be widely adopted and become the de facto standard. Back to Top
Who are the leading RFID vendors?
There are many different RFID vendors with different areas of expertise. We have compiled a director of vendors around the world. Click here to locate the type of vendor you are looking for. Back to Top
What are some of the most common applications for RFID?
RFID is used for everything from tracking cows and pets to triggering equipment down oil wells. It may sound trite, but the applications are limited only by people's imagination. The most common applications are tracking goods in the supply chain, tracking assets, tracking parts moving to a manufacturing facility, security and paymant systems that let customers pay for items without using cash. Back to Top
I've heard RFID can be used with sensors. Is that true?
Yes. Some companies are combining RFID tags with radiation sensors. One day, the same tags used to track items moving through the supply chain may also alert staff if they are not stored at the right temperature, if meat has gone bad, or even if someone has injected a biological agent into food. To learn more, read Low-Cost RFID Sensors: From Battlefield Intelligence To Consumer Protection. Back to Top
What are intelligent software agents and how do they fit into RFID?
Software agents are basically autonomous applications that automate decision making by establishing a set of rules. For instance, if X happens, do Y. They are important to RFID because humans will be overwhelmed by the amount of data coming from RFID tags and the speed at which it comes (real-time in many cases). So agents will likely be used to automate routine decisions and alert employees when a situation requires their attention. SAP and a company called BiosGroup are working on an automated replenishment system in which software agents would make decisions when trends indicate a product will be out of stock. See BiosGroup's Intelligent Agents Could Hold the Key to RFID-Driven Supply Chains. Back to Top
What is "energy harvesting"?
Most passive RFID tags simply reflect back waves from the reader. Energy harvesting is a technique in which energy from the reader is gathered by the tagged, stored momentarily and transmitted back at a different frequency. This method may improve the performance of passive RFID tags dramatically. See Is Energy Harvesting the Breakthrough that Jumpstarts RFID Adoption?. Back to Top
Where can I learn more about the Auto-ID Center and its technology?
We have created a separate page of Frequently Asked Questions about the Center and how its
You might want to read the article. Or even the paragraph that was submitted with the story.
They're using them to identify pallets and shipping cases. Presumably, so they can be most efficient mofos that ever shipped anything anywhere. Imagine shipping inventory that tells *you* where it is, where it was last, what's on it, where it was seen last, tied directly into the ERP system, so you know where it was manufactured, the product numbers, what the TCO is involved...
Suddenly, FedEx becomes nothing more than a transport company (one of hundreds), and Gillete can manage thier own JIT inventory, track "spoilage" (theft), do on-the-spot inventory recounts without tying up personnel...
Interesting. I just started doing some preliminary research on the security of RFID badge readers, based off of hazy memories that somebody had shown they were absolutely trivial to capture and replay.
:-)
Haven't been able to find that paper yet, but I can tell you what I've seen ain't great. Here's the story:
RFID stands for Radio Frequency Identification, and is essentially a Tesla-esque hack to allow contactless, bidirectional storage of small amounts of data on trivial circuits powered by the reader infrastructure itself. It's most commonly deployed nowadays as a replacement for magnetic-swipe oriented systems, as the lack of an exposed data surface and the absence of contact during scanning make RFID astonishingly reliable. The functionality is quite compelling, as Gilette's mass purchase shows -- what if you never needed to do inventory? What if you could just have a few sensors throughout your warehouse do a "mass ping" and acquire from the mass of replies precisely what needs to be restocked?
And it would only take a few sensors, too. Badge readers may only provide a few inches range, but there was a pretty big fuss a while back about RFID becoming functional at nine meters. At that point, you're quite a bit beyond the forklift knowing precisely what it's carrying. It's pretty clear that Gilette will make its $50M back within a year.
Oddly enough, Inventory Tracking is much, much better use of RFID than as a badging technology, even though the latter remains much more common than the former. Badging, like all trust management systems, attempts to differentiate the few who are trusted from the many that aren't.
The problem is, the many that aren't trusted aren't trusted for a reason -- they'll spy, they'll steal, they'll break stuff. Against that backdrop, mounting an attack against the security system isn't particularly unimaginable -- and here's where things get problematic.
You see, RFID tags make 802.11 look like Alcatraz.
Passive RFID systems are powered by the outside world -- the evil demon of Cartesian yore is handing over the battery. Given a cooperative RF field, the chip spews the same bits, over and over and over again.
When an employee is standing in front of the legitimate badge reader, this is a good thing. When an employee is sitting on the subway on his way to work and some guy walks by with a power source and 13.56Mhz sniffer in his briefcase...well, I guarantee you that briefcase ain't going to beep "Thank you for your access credentials, I'll be you now." All the attacker needs to do is forge a standard plastic badge and covertly trigger a transmitter when approaching the door -- there's no way for anyone to know the badge wasn't the source of the RFID transmissions!
Just because your badge reader only works from a few inches away doesn't mean anyone's reader will. If all I need to do to get access to your entire corporate infrastructure is sit in the lobby "waiting for someone" as your CEO strolls by, you don't actually have a security system. You just have doors
Now, I've got my suspicions of whether magnetic strips can be read at a distance, but to be honest, I'm more than willing to concede that it's a longshot at best (and a hilariously laughable descent into paranoia at worst). But RFID is not the kind of technology people should be carrying around with them at all times, assuming that as long as they still have their card, they still have the value the card represents.
To be fair, it's an extraordinarily difficult problem for TI et al to solve: The chips are necessarily trivial -- they're *powered* by the sensors, for crying out loud. Not only is it nearly impossible to build any kind of cryptosystem into a chip that small and weak, but the system itself would remain utterly defenseless against electrical skullduggery: Manipulating a chip's power source is one of the definitive ways of divining its cryptographic secrets, as Satellite TV hackers have been pointing out for quite some time.
Security hasn't been left completely unaddressed by the RFID industry; they're well aware of the problems and have attempted some manuevers to compensate. As mentioned, some RFID systems can be both read and written to. This would be perfect for creating a "universal badge" that could spoof any identity without even a separate transmission system that could be examined and recognized. So what some companies have done is create a 64 bit region that cannot be modified and remains unique to the badge itself. So you use those 64 bits as a badge identifier that authenticates the rest of the data, and trust that your vendor will never release a badge that either a) repeats identifiers (unlikely, 2^64 is a very large number) or b) can have its identifier changed.
Of course, they can't do anything about c) somebody hacks together their own badge that doesn't play by the same arbitrary restrictions.
Now, I could get up and say "Oh my god! You just can't do this, it's horrifyingly insecure, just use IPSec/SSH er wait wrong wireless technology..."
But that wouldn't be useful. Maybe this might be:
There are some techniques that can minimize the exposure from insecure RFID badge authentication systems. Exploiting the Read/Write capacity is moderately elegant and requires only a badging infrastructure that supports RW. Essentially, every time somebody attempts to enter the secure facility and provides a valid bitstream from their badge, upload a new unique bitstream and verify the badge accepted it. This reduces the window of opportunity for an attacker and significantly increases their risk of discovery, since now the bits they steal today will stop working the moment the legitimate employee uses their badge next. Furthermore, if the attacker does manage to get to a badge reader before the employee returns for another update cycle, he has two major problems: First, his equipment must be minorly more complex, because it must inform the system that it has completed updating its internal RAM with the new (possibly cryptographically signed) bitstream. This is only a minor deterrent; having the equipment to spoof the badge reader means you likely have the equipment to read from one too. Second, and more importantly, because the interloper cannot control the bitstream submitted by the reader and expected upon next examination, the legitimate card will possess an out-of-date bitstream, allowing Security to discover the unauthorized entry.
That works OK. Not great -- especially if badge access translates into an ability to hack the central authentication server to accept whatever bits the legitimate card originally had -- but OK. Really, once the attacker gets access to the card's bitstream, it's game over.
So, lets prevent that. RFID may be contactless but that doesn't mean the badges themselves are -- they're attached to a living, breathing, thinking human being. One with fingers. Fingers that, for the last hundred thousand years or so, have had the ability to pinch two things together, like contacts inside a card. "Pinch here to activate badge", if you will. Just embed a cheap "squeeze sensor" into the card such that two contacts need to be forced together for the card to respond to the RF power source. It's cheap, it's easy, and it can be designed to fail towards functionality or security (i.e. the contacts either can't be separated or can't be attached).
I did see some mention of work to embed cryptographic constructs into Passive RFID systems; one paper pointed out that hash algorithms can be made using very little silicon, so having the card read some value from the badge reader and return a that value hashed with a shared secret can be a valid solution. As I pointed out earlier, these things are *so* vulnerable to power assult that any shared secret inside of them wouldn't last for long. (It's the kind of thing where you run some data through and you look at which gates are glowing -- thus you see which memory blocks are 1 and which are 0.) But this type of analysis usually requires physical access to the security card much greater than simply walking past the mark, so there's a definite win. Plus the system is inherently immune to replay attack because the output of the card is dependant upon the particular input of a given badge reading. Excellent -- if it works(and the hash is cryptographically secure, not CRC-32!).
Of course, this is all mildly off topic. Gilette's security posture is vastly different; they're more worried about five finger discounts and overly optimistic projections than they are about a rogue batch of razor blades sneaking in the back door! But since we're only a precious little amount of time away from the definitive displays of RFID remote compromise, I thought it worthwhile to go into some depth about the security concerns of RFID.
Yours Truly,
Dan Kaminsky
DoxPara Research
http://www.doxpara.com
You put your loot in the cart. You walk up to the scanner. You swipe your credit card. You leave. No cashier to deal with. No lines. No need to even remove the items from the cart.
I love technology.
Small update.
Alien is using 915mhz/2.45ghz. I assumed they were using the tech described here:
13.56 MHz Frequently Asked Questions
There's no shortage of equipment that can capture and transmit on these frequencies; cordless phones do analog work in this domain all the time. But, again -- Alien is not trying to do badging, they're trying to do inventory control.
Very, very different problems. Worst case scenario is that a competitor drives by your facility and gets the same realtime updates of your inventory that you do.
Yours Truly,
Dan Kaminsky
DoxPara Research
http://www.doxpara.com
This works very well for high value items, but it is interesting seeing the concept trickle down the chain to low price items, and providing tracking all the way down the delivery chain.
See my journal, I write things there
I shave with a straight razor. My annual shaving costs are $3, for a new bar of shaving soap.
Find an old barber to teach you how to use it. Once you get the hang of it, it's no harder than a safety razor, and it shaves just as well.
Another interesting one is hand guns. If a hand gun can be tagged and the owner recorded on the tag, then it becomes very easy to verify firearms ownership, i.e., that AK47 has a tag claiming it is a small smith and wesson revolver with the owner named Mr. Bin Laden. I guess that will go down like a lead balloon with the NRA.
See my journal, I write things there
Hmmm...How much data can the tag store?
Why not put the data on the chip encrypted?
- James
Gilette are using this technology, presumably to make tracking their shipments much easier and automated better. (the article is a bit light on details).
I wonder how long until they'll be able to get a RFID that will hold enough data to be able to store a Public or Private encryption key on it. RFIDs are used in some credit card sized swipe-cards, maybe one day we'll have our public keys embedded in our business cards? That'd be handy, especially once we need to have 2048 byte keys! :)
Insert-standard-comments-here about this not being News That Matters, but I think this is a relevant article because we'll be seeing lots of this sort of technology in the future.
Reading the Auto-ID Centre website, they show a soda can with an RF tag attached. It seems the ultimate plan is to track individual items. Presumably everyday items such a clothes will be carrying RFID tags, which will be so small the consumer may not be aware of their presence? Does this leave the possibility open for tracking individuals without their knowledge? Surely a large antenna array, with high performance receivers, could track an RFID tag from much further away that its designed distance? Perhaps as far away as low earth orbit?
While I can't match the parent for length and information, I can provide an example of a real-world application of security that is so insecure as to be ridiculous. Unfortunately, it's at the company I work for.
Somebody went and told our clients that "security" for information systems was a problem. The clients demanded "security", so we obligingly delivered. On the software side, it meant making the login process onerous, ensuring that multiple passwords will be written on paper and taped to every client's monitor. Wow, how secure! But the suits like it.
But the clients wanted physical security for the servers, too, and that's where the RFID badges came in. For after-hours access, we already had a system where the badge was placed on a plate (I think it read a metallic signature on the card), so they replaced that with an RFID "wave the card" receiver with a keypad. Now, we were required to wave the card *and* enter a 5-digit number -- which we all immediately wrote on the card. A message came down from data (in)security: "Don't write your number on your card!" The message was universally ignored.
But the "security" gets even better. To promote the idea that we've implemented a real security system, the company installed "optical turnstiles" at the public entrances. When you walk in the lobby, you pass between hip-high black boxes with an RFID/keypad unit. If you don't wave your card *and* enter the PIN (which you wrote on the card), you'll trip an infrared beam and the unit will sound an alarm. The purpose of this alarm is to wake up the receptionist so that she can make you pick up a visitor badge. No, that's not fair... she's not always asleep; sometimes she's on the phone gossiping. Or playing Solitaire.
The first day the unit was installed, I just jumped over the IR beams. This resulted in a well-deserved nastygram from (in)Security. After that, I just made sure to enter the wrong PIN several times... and found out that the last digit can be any one of three values! Hmmm...
And one more tidbit: a co-worker's badge quit working, and when she got a new one, she had to learn a new PIN. It looks like the badge readers aren't cross-referencing the data at all... any bozo who types in the number that his badge transmitted can probably defeat the system... though surely they've done something better for the after-hours system. (Please let me believe that...)
Stressed? Me? Of course not. Stress is what a rubber band feels before it breaks, silly.
I don't think identification of eg persons are the intended goal of RFID. But the vulnerabilities are interesting none the less.
If it replaces bar codes in stores then attacks could be "useful" if you want to shoplift. (I.e. just hide the item from the scanner.) Or if you want to see who bought a porno mag. But barcodes have zero security, and they seem to work quite fine.
Everything doesn't have to be cryptographic as long as you don't try to use one tech for all applications.
I think this is just an attempt at getting all those Mach 3 razor packs back out in front of shoppers. It must make it hard to sell them when they are locked up with the cigarettes all the time.
This way, they can promote impulse shopping and avoid getting those damn things lifted by nimble-fingered, course-bearded hoodlums like me. I mean, c'mon! Who wants to pay $12 for four damn razors? Gimme a break! Now I'll have to line my pockets with aluminum foil or something...
I've got a bad attitude and karma to burn. Go ahead. Mod me down.
Good questions.
The Auto-ID system that Alien Technology is implementing supports 96 bits of data, apparently read only. They are attempting to deploy the next generation of UPC Barcodes, something they're calling ePC. Some good information about the tech can be found here:
Introduction to Auto-ID.
The 13.56mhz spec that appears to be used for badge reading supports 2048 bits, with 64 being read-only. It's irrelevant to encrypt this data, not because the space is small (encryption does not necessarily expand the size of your data) but because you don't need to understand what you're replaying in order to replay it.
I walk next to you on a train, spit out power, sniff some bits, and spit out the bits when I'm nearby your badge reader. Poof. I win.
Again, I need to emphasize that while this use of RFID -- inventory control -- does have some creepy personal and corporate privacy issues, it's nothing at all like the situation with badges.
There is the Legitimate Counterfeit issue, though. Large US currency now contains a magnetic strip to authenticate its validity. People were talking about using that strip to detect whether or not a bill was real. Well, there's a problem -- the strip is almost invisible to the naked eye, but can be easily removed without rendering the actual bill in any way, shape, or form visibly molested. So you've got this disturbing corner case where an attacker can strip the value from a twenty, attach it to a counterfeit bill, and still have a completely legitimate looking original on his hands. So, end result has been that as far as I know nobody uses the strip as a final arbiter of whether currency is real or not.
The equivalent problem with ePC is that you can tell when a UPC has been rendered inoperable, because it's just a visual series of stripes on paper. We're good at seeing stripes -- we're *not* good, however, at seeing RF bitstreams. At the end of the day, people are buying goods, not codes -- but the issue of the two being separated can be problematic.
Yours Truly,
Dan Kaminsky
DoxPara Research
http://www.doxpara.com
Please, people, define your terms when you submit an article.
Patrick Doyle
I mod down every jackass who puts his moderation policy in his sig. Oh, wait a sec....
I happened to be operating the AV for the meeting of the Australian Packaging Organisation, and they were discussing RFID's, and their applications, and the interest from razor manufacturers.
Basically, razors are regarded as the most expensive small item avaliable in a store. Closed research showed that on average for one location, about 2 packs of razors per hour were sold. By introducing RFID's, the the base station notices that morethan the average of razors are removed, then there is the possiblity of theft.
Apparently, investment in this tech. would significantly reduce the costs of theft.
Hast--
As the rule goes, "Bad security is worse than no security, because with bad security, you think you're secure -- with no security, you know you're not."
It's not entirely true, of course, since there is no perfect security and thus everything posesses some degree of badness. But in the barcode case, people have responded to the triviality of shoplifting by attacking hard-to-remove ink and radio attachments to devices before sale. RFID systems are being sold as a replacement for this; everything will have a tag -- even after you buy it -- so the door will be able to sense you walking out of it with anything you might try to shoplift.
And yes, you yourself will have an RFID tag on your "Safeway Club Card" or whatnot; they'll cross reference who you are vs. what you purchased and alert if there's something expensive extra. Turns out it doesn't even need to be the club card from that store -- any ol' one will do, as they can silently interrogate your wallet while you're standing in line. (This is yet another reason for the squeeze tech.)
What's funny is that there's a decent cost to throwing on these security measures that'll be removed anyway, better to just make the authenticators ship with the goods and disposable. But you see, once it's convenient to keep after purchase, look what suddenly gets much more powerful...
Your statement about cryptography is quite accurate. But barcodes do have some major security to them, compared to radio systes -- line of sight.
Yours Truly,
Dan Kaminsky
DoxPara Research
http://www.doxpara.com
You need to get a bit more cynical, Mr. Pony. Ever actually *deployed* a security system?
:-)
Broken policies create noncompliance. Only two ways to define a broken policy -- a) the trusted refuse to participate, or b) the untrusted don't need to. You have to understand, it's not the job of your authorized users to spend all their time dealing with your security system. Since that's not their job, don't be surprised if they're not particularly willing to go along with arbitrary rules.
All security creates a cost for the legitimate user; the goal is to keep the cost heavily asymmetrical. In other words, those you trust are hurt a little, whereas those you distrust are utterly wiped out. A locked door still requires the legitimate user to wait while he pulls out a key, after all. Lock or not, that guy should be able to walk on in.
Turns out the best way to get people to use a security system is to install a new door -- some new functionality they've never seen -- but, oh yeah, it has this security limitation, but look! New door! New functionality!
I enjoyed your comment about security having reasons you don't grasp -- you don't seem to grasp how quantifiable noncompliance really is with various degrees of onerousness. Don't believe the hype
Yours Truly,
Dan Kaminsky
DoxPara Research
http://www.doxpara.com
RAM -- able to Read and Write -- as opposed to ROM (Read Only Memory).
--Dan
yeh, i guess it's pretty easy to read bar-codes from far away too. anyone using bar codes for security of course would be an IIIDIOT.
world was created 5 seconds before this post as it is.
In the short term, they will, as other people have said, be attached to palettes and be used for warehouse and back-of-store inventory control. But the proponents hope that soon *everything* in your supermarket trolley will have one of these babies (good term, in view of its size) attached to it. At that point, you don't have to unpack your trolley at the checkout and have it scanned by some bored hosewife. You just wheel it past a checkout point which scans the whole trolley, works out the total and prints your bill. Swipe your credit card, maybe input a PIN or some form of biometric ID, and walk out. Saving for you - the checkout queue and the whole nauseating checkout routine. Saving for the store - all the checkout operators; one problem solver can supervise three or four checkout queues, each of which can probably handle two to three shoppers a minute. Its a *big* store that needs more than one such. Cost - perhaps 3-5% on the gross bill, but you have already saved some money in the warehouse, now more at the checkout. Better security - the goods you shoved in your pocket or under your hat get billed as if they were in the trolley.
Consciousness is an illusion caused by an excess of self consciousness.
What is being discussed here is the slow acceptance of mass tracking.
It's simply one more step towards tracking ALL goods and people. 24/7.
Share that on the internet.. what you bought, what you wore, when you got on the bus, and whom you saw when you got to your destination, and what you ate...
Scares the hell out of me.. Not tracking pallets, but the slow progression/acceptance towards its ultimate conclusion.
---- Booth was a patriot ----
Half a billion tags is probably close to the total number of RFID tags in use today. "People couldn't stop talking about it over lunch," says one person present, who didn't want to be identified.
Do those two sentences right next to each other strike anyone as unbelievably funny?
A bit of background information on why Gillette specifically might be interested in implementing this quickly. I worked in retail security until just recently and one the trade magazines had an article on the Mach3 razors and how, worldwide, they are one of the most stolen items; Gillette didn't officially give an estimate, but I think the theft was placed at upwards of 20%. At most flea markets you can find at least one stall selling Mach3's at ridiculously low prices, and suprisingly enough they don't like questions about where their stock comes from.
Point being, a great big portion of the stolen razors are taken before the razors make it to the stores, obviously with this new level of tracking available they can find out where the bleeding is.
Ideally, this would mean you (the smooth faced consumer) will get a price break with less theft, but let's be realistic, it just means more profit for the companies.
When Gilette pushed hard for Mach 3 in advertising, many supermarket chains actually made a loss on selling Gilette due to large amount of theft. So on top af having Gilette re-imbursing them, Gilette also started putting RFID tags on most of their products priced at at $3-$4 and up.
SO now that they have experience, they are pushing it towards the US as well.
awesome link - inspired me to search google for a home-made alternative to "protect" my RFID badge.
"Alien Technology" is not even trying to hide their involvement with aliens. And look at the photo of the Gilette VP! Clearly an Andorian who has had his antennae surgically hidden. Soon they will know where all my razor blades are. Think of the children!
RAM -- able to Read and Write -- as opposed to ROM (Read Only Memory).
/dev/null)
Boink!!
RAM = Random Access Memory (any CD, DVD, DRAM)
SAM = Sequential Access Memory (tape drives)
ROM = Read Only Memory (ie. CD-ROM)
WORM = Write Once Read Many (like CD-R)
WOM = Write Only Memory (i.e.
Often the term RAM is used for Read-Write random access memory because one of the other common acronyms is not appropriate i.e. ROM. In reality RAM can be applied to any device that allows random access to the stored data, i.e. a CD-ROM is also RAM. This is why the terminology CD-RW is used, NOT CD-RAM.
Unfortunately some pointy-haired idiot decided to use the term DVD-RAM for what is really a DVD-RW format. This is a mistake (Pioneer BAD).
Worst case scenario is that a competitor drives by your facility and gets the same realtime updates of your inventory that you do.
Assuming the signal is even that powerful, Faraday Cage.
"And like that
"A small, but vocal, contingent even argues that tin is superior, but they are held by most to be the lunatic fringe of Foil Deflector Beanie science. I would advise people wishing to build a Deflector Beanie to stick with aluminum whenever possible since it is a proven technology."
Aluminum Foil Deflector Beanie: An Effective, Low-Cost Solution To Combating Mind-Control.
That is an amazing link! Someone who is a good writer has put a huge amount of time into documenting nonsense. And it says that the site is rated Cranky by Crank.net
The internet is an amazing virtual place where every comedian can be heard: Zapato Productions intradimensional -- "Serving the Paranoid Since 1997". It says this web site is a member of the (no doubt prestigious) "Yes, there really IS a VAST Right Wing Conspiracy!" web ring.
These little puppies have been sought after for airport baggage tracking for a long time. Getting the cost low enough has been the hold up. My bet is this will be the eventual prime consumer of this technology. Think about how many pieces of luggage move through all the airports every day. The ability to replace the optical barcode tags with RFID will improve the baggage system quite a bit.
Also, you would not believe the cost and panic associated with every single abandond piece of luggage in an airport. The ability to know it's grandma's will save $millions, as well as give some bomb squad dogs a rest.
slashdot troll = you make a compelling argument I do not like the implications of.
To be fair, it's an extraordinarily difficult problem for TI et al to solve: The chips are necessarily trivial -- they're *powered* by the sensors, for crying out loud. Not only is it nearly impossible to build any kind of cryptosystem into a chip that small and weak, but the system itself would remain utterly defenseless against electrical skullduggery: Manipulating a chip's power source is one of the definitive ways of divining its cryptographic secrets, as Satellite TV hackers have been pointing out for quite some time.
When developing a new technology there are technical problems and fundamental problems. A technical problem is "friction must be reduced an extra 20%", a fundamental problem is "this only works if there is no friction whatsoever".
What you describe is a technical problem. Technical problems are rarely unsurmountable and quite often ingenious work arounds can be found.
RFIDs are closer than you think....
the next badge readers will be based on a combination of Gilette razors in your pocket? =)
Many pets now receive RFID implants. It wouldn't be to hard to implant the children either..
>Unfortunately some pointy-haired idiot decided to use the term DVD-RAM for what is really a DVD-RW format. This is a mistake (Pioneer BAD).
;-)
Um.. DVD-RAM *is* a random-access format. DVD-RAM is an extension of the ages-old "optical" disk formats. Back in the day before the ZIP disk, optical discs were the only "high capacity" random-access format. The other characteristic of those optical disc formats was, there were a million incompatible formats... all vendor-specific. DVD-RAM basically offered a lingua franca for all those vendors.
Yes, yes, DVD-R, -RW, +R, +RW are all use optics to record the media. But they are not "random access" like a hard drive. Magnetic or optical for the bits is not the differentiator... it's the tracking mechanism, head logic, error correction and whatever else goes in there (I'm not afraid to admit I'm not an expert on Slashdot
Think of it this way:
Rewritable != random-access
DVD-RAM has a *much* higher shelf life than other "rewritable" media. I've read data stored on DVD-RAM discs expect to survive 100 years, while I've read CD-RW last about 3 years (which is about right in my experience... I mistakenly archived data to a bunch of scratch-free CD-RW and they can't be read any more).
Here's another example:
You can use `dd` to read and write to any part of a hard drive. Can you do this to CD-RW or DVD-R+R? No.
Can you `dd` sectors on a DVD-RAM? Yes.
Disclaimer: I don't own a DVD-RAM drive. I did consider one on several occasions, but I'm content to stick with DVD-R (gain some compatability, and shelf life is OK if I avoid the -RW or +RW formats).
Sure, there are always ways to cheat, thats not the point i was making.
The fact they will do it in the first place is what scares me, and eventually making it illegal to deactivate them will come afterwards..
Sure *WE* can get around it.. but its still wrong, and the common Joe wont beable to...
---- Booth was a patriot ----
I read in Frontline that one of the holy grails is to get "smart staples" that you would attach to printed documents (even one page documents) that would allow tracking of paper documents -- the price target for that application is $0.02 per tag.
Don't forget about the biggest money making part of this technology - with bar code I can watch the register and (sometimes) catch it when they overcharge me. I could catch it if they undercharged me too, but somehow that never happens. With technology to read the entire cart as it passes by the checkout point in a fraction of a second, the overcharging problem isn't likly to improve - at least from the comsumer's viewpoint.
I'm an American. I love this country and the freedoms that we used to have.
Those expensive blades are why Gillette is so interested in technology like this. They have the distinction of being the most-often-stolen retail items.
With RFID tags, you should be able to implement a challenge-response protocol that's non-replayable. Not with the $0.10 tags, but with the credit card sized ones. And the cards are much harder to copy even with physical access to them.
I tend not to shave but my mom called me up and told me that I wouldn't be allowed in the house for Thanksgiving if I had hair on my face so I went out to get a razor. Where the shaving supplies were was a little card saying, "Mach 3 razors are available behind the counter." Which is funny because condoms and pornos are available at the front desk but the razors are behind the counter w/ the cigarettes and blunts? Wacky...
[o]_O
As has been pointed out elsewhere, while UPC's are barcodes, the reverse is not necessarily true. I said UPC codes weren't used outside of the U.S. and Canada.
Silicon doesn't contain toxins. It's completely non-toxic, and appears widely in nature (Especially in the ocean).
- James
spelling corrected, thanks :)
Two problems with this sentence. One, no, it doesn't. And it never has. Various proposals for such a thing have been floated from time to time, but US currency does not contain a magstripe in any way, shape or form. Perhaps you're thinking instead of the plastic security thread incorporated into new bills since 1990, which has the denomination printed on it. I'm not sure what you mean from your post, but I assure you, removing that thread is far more trouble than it's worth - even if you removed the strip from a $20 bill, you'd wreck the bill in the process, and then you have a thread that you can't do anything with to boot.
One thing most people don't know, though, is that under a suitable UV light, that plastic thread glows different colors, depending on the denomination of the bill. Try it sometime - it's pretty cool ;)
And the second problem is with this notion of "large currency". The largest denomination that the Bureau of Engraving and Printing currently produces is the $100 bill. Denominations of $500 and up haven't been issued since 1969, and haven't actually been printed since 1945 - which predates the use of magnetic stripes by a fairly wide margin, I think.
ABSURDITY, n.: A statement or belief manifestly inconsistent with one's own opinion.
I doubt that's entirely true. The company that I work at (to remain nameless) is implementing RFID product tracking currently. The only intended use of RFID though, is basically to be able to track packages throughout a warehouse. Replace the barcode printers and scanners and people with RFID. When a box hits the end of an assembly line, the system knows. When the box hits a pallette, the system knows. When the pallette hits the truck, when the truck hits the store, and when the box is unloaded from the truck, the system knows. After that, they don't know jack. Each box (not item) has an RFID, because, basically, it doesn't make sense to put add a 5 cent cost per item, when it's just as easy to add 5 cents to a pack of 50 items and achieve the same result.
The system doesn't care what happens to the product after it hits the store, and it doesn't care where each item goes afterwards, but instead is used to inventory warehouses, monitor shipping and delivery and whatnot. To a degree, it might be able to predict number of boxes needed to produce, but that would be an extension of its intended use that we don't plan to implement.
That said, I see a lot of talk around here about these being used for national IDs and chip-in-the-head implants, and whatnot, and in all honesty, I don't think that's what this announcement is about. I'm not saying it won't evolve that direction, and I think a little bit of paranoia is a good thing to have, but I don't see that happening here.
-9mm-
Fair critiques -- I was under impression the the plastic strip had a readable magnetic signature to it; I'm very happy to hear that they scrubbed that (probably for the reasons I described).
:-) So by large, I did mean 20's, 50's, and 100's. One gets the impression that the use of cash is very, very slowly being phased out (and being replaced with me handing over my entire wallet and believing that the other guy will only take out as much as I've authorized them to.).
You are incorrect that it's difficult to remove the strip -- try it, it takes only a little bit of effort. It requires intent, though -- the thing ain't accidentally falling off.
I did know it glowed -- I think all thin plastics glow under UV; it's a raver-kid thing. I did NOT know it glowed different colors...hopefully nothing actually uses this property to differentiate bills, or else a bit of UV dye could go a long way...
As for large currency -- Five Dollar Bills just got redesigned
Yours Truly,
Dan Kaminsky
DoxPara Research
http://www.doxpara.com
Produce might be one of the few exceptions where this won't work. So self-checkout will work almost anywhere else, like K-Mart, the Gap, etc., but not grocery stores. Or maybe the produce section will be sectioned off and have its own cashiers, and the rest will be self-service.
I've noticed that two stacked cards won't work; you need to present them to the reader one at a time. Will that prevent 'sniffing' like you describe? Then you could just issue employees two cards (for two different doors) and plastic holders.
They will make you buy things in pre-measured bags. Soon ala-carte dishes will become passe, "No you cannot have a specified assortment of a dozen donuts, you must take one of our pre-packaged configurations."
If this is tied with credit cards, you wouldn't even need casheirs any more.
I don't think this is a bad thing. Imagine if you didn't have to pay the cashier who checked you out? That's, even at 6 (US) dollars per hour, a significant savings considering how many casheirs and baggers are staffing some stores at peak hours.
Of course, you'll have to bring your own bags, or buy them in-store for home. Probably better for the environment that way, any how.
Dan
But they are not "random access" like a hard drive.
n t/ random.asp
h tm l
Of course they are. Random access means that I can access data directly without having to read the entire volume preceding as in a sequential access device.
In fact, one of the standard performance tests that labs run on CD-ROM drives is called the 'random access test'.
Here is a link to a description of one such test:
http://www.etestinglabs.com/bi/cont1999/1999pri
Here is a product spec from Plextor that also lists 'random access time':
http://www.plextor.be/english/products/px40max.
If CD-ROM drives aren't random access devices why do the manufacturers and testing labs list specs for this??????
You can use `dd` to read and write to any part of a hard drive. Can you do this to CD-RW or DVD-R+R? No.
I use dd all the time to verify CDs that I burn.
Packet writng software like DirectCD and the Linux UDF patch lets you use a DVD+/-RW, CD-RW OR DVD-RAM drive exactly like you would a floppy or hard drive. There is also a DVD tools package for Linux that lets you format a DVD+RW drive as any file system, although some are not good choices because of the limited number of R/W cycles this media supports.
Think of it this way:
Rewritable != random-access
That's what I said originally. A tape drive is RW, that does not make it random access. Likewise a CD-ROM may not be RW, but it sure is random access. If it wasn't, you would not be able to read data from the end of the track without reading the entire disk first.
As far as DVD-RW, DVD+RW and DVD-RAM, the primary differences are in the low level formats, not in how the data is accessed. CD-RW, DVD-RW, DVD+RW and DVD-RAM support packet writing, so are capable of random access reading AND writing. I can format a DVD+RW drive in any file system I want, just like I can a hard drive. The primary advantage of DVD+RAM is that it is capable of more R/W cycles than is DVD+RW.
Since CD-R, DVD-R and DVD+R are WORM media, packet writing is not possible (you can't overwrite an entry in file block allocation table). That still doesn't prevent random access though - multisession drives allow writing at arbitrary, previously unwritten areas.
And of course ALL of these optical drives are capable of reading data at addressable locations, just like a hard disk.
No queues means much less buying by impulse while waiting.
__
Men with no respect for life must never be allowed to control the ultimate instruments of death.
GW Bu
Look back at the post; the RFIDs are for their pallets and cases. From that, it appears that what Gillette is doing is addressing the problem of 'shrinkage' while the products are sitting in warehouses. With RFID tags in the pallets and cases, it means that anyone who wants to 'lose' a few pallets or cases is going to have to tear apart the cases and pallets in order to find and destroy the RFID tags before they can get the product out of the warehouse, or rip open the cases and transfer the product to new packaging, both of which make it hard to disguise that pilfering is going on, and the damaged or nonexistent corp case packages will make it harder to gray-market bulk product.
>Of course they are. Random access means that I can access data directly without having to read the entire volume preceding as in a sequential access device.
:-)
You left out writes.
If a device is not read only for both reads and writes, I wouldn't think it's fair to call it "random access".
Heck, even some tape drives like the OnStream offer "random access reads".
>I use dd all the time to verify CDs that I burn.
Try using `dd' to *write* data to a CD. Nope, no random access. Now try it with DVD-RAM.
For the mostpost, RFID readers is quite limited in range. Ideas that RFID's will have them tracking you by hidden tags on your pants, etc, is not really a legit worry. They *may* be able to track you when you walk through a doorway with a reader, but it's not likely that they'll be able to find you in your car in the middle of an interstate.
The last place I worked used RFID tags in their product. The readers weren't cheap, but even they had to be fairly well calibrated to get a consistent read. Large long-range RFID readers would be really expensive, and probably large. You won't be seeing any helicopters over your car shouting "citizen #3849932919, we have identified you, please come peacefully."
On the flipside, this could be a biatch for advertising. If they tag clothes,etc then they may be able to track you in malls and know your purchasing trends... which would be annoying
Prove it.
Slashdot community, please notice: I am looking for a girlfriend.
Nave H. Weiss