Slashdot Mirror


WSIS Physical Security Cracked

An anonymous reader writes "A group of activists has apparently bypassed physical security checks at the WSIS Meetings. Not only did they bypass the physical security with a fake card, they found the system uses RFID tags to monitor participants -- possibly even who they interact with and their movements through the conference."

196 comments

  1. 'Activist' is such a misnomer by ObviousGuy · · Score: 0, Insightful

    They are more reactionary than anything, opposing change at all turns.

    You could call them anti-activists and it would make more sense.

    --
    I have been pwned because my /. password was too easy to guess.
    1. Re:'Activist' is such a misnomer by Anonymous Coward · · Score: 5, Insightful

      activism
      n.

      The use of direct, often confrontational action, such as a demonstration or strike, **in opposition to** or support of a cause

      Nope, activist sounds right to me.

    2. Re:'Activist' is such a misnomer by glpierce · · Score: 5, Insightful

      I believe the word you're looking for is conservative.

      --
      G
    3. Re:'Activist' is such a misnomer by iminplaya · · Score: 3, Insightful

      I kind of interpret "activist" to mean that they are ...uhh..."active"? whether they are opposing or otherwise.

      --
      What?
    4. Re:'Activist' is such a misnomer by michaeltoe · · Score: 1
      Change can be good, and it can also be stupid...

      Like Forrest Gump, only with political clout.

    5. Re:'Activist' is such a misnomer by anagama · · Score: 4, Interesting
      What's this WSIS about? It seems you sneer at activists when in fact, they might just be protecting your freedom.
      • It doesn't help that there are several topics of great import but huge controversy. The chief among these is Internet governance. In short: who gets to run the Internet?
        ***
        The United States, Europe and English-speaking partners such as Australia favour the existing private-company organisation, ICANN. Whereas developing nations, China, India, Brazil, South Africa and others all want a recognised international body to run the show, ITU.
      Follow the links back a bit.

      And for posters below who seem unimpressed that a quasi governmental agency can monitor who it is you mingle with, or go to private areas for private discussion - you deserve what you'll get. The internet so far has been a model of a borderless world. But many countries are terrified by this concept - you really want them collecting data, manipulating who the attendees will be to prevent certain individuals from blocking their plans? That's nuts.

      --
      What changed under Obama? Nothing Good
    6. Re:'Activist' is such a misnomer by Anonymous Coward · · Score: 0

      Yes, but you see, if you're demonstrating or striking, you're really not doing anything positive yourself, you're just trying to tell someone else what to do for you, in a very obnoxious fashion.

      I believe in changing the system from within. That is why when I am king you will be first against the wall, with your opinion which is of no consequence at all.

    7. Re:'Activist' is such a misnomer by Orne · · Score: 4, Interesting

      No, Reactionary is one tick stronger on the scale

      Political Leaning - "Left" to "Right"
      Revolutionary - Liberal - Status Quo - Conservative - Reactionary

      Government Intervention - "Weak" to "Strong"
      Anarchist - Libertarian - Status Quo - Authoritarian

    8. Re:'Activist' is such a misnomer by Anonymous Coward · · Score: 0

      But it can mean either working for or against something... you just don't notice the ones working for something in a positive way because they're not tempting cops to beat the shit out of them.

    9. Re:'Activist' is such a misnomer by Anonymous Coward · · Score: 0

      Radiohead? Is that you?

    10. Re:'Activist' is such a misnomer by utlemming · · Score: 1

      Reactionary carries such a strong meaning -- it is the direct opposite of a radical. A reactionary is one that reacts violently, or vehemently to ANY change from traditional values or ideas. By definition, a reactionary is above a conservative. The ranking goes from Conservative to Ultraconservative to Reactionary. A reactionary makes Rush Limball look mild.

      --
      The views expressed are mine own and do not express the views of my employer.
    11. Re:'Activist' is such a misnomer by JonKatzIsAnIdiot · · Score: 1

      You're right. An 'activist' is someone who screams very loudly about something they know nothing about. Gun control activists whose knowledge of firearms is limited to what they see on TV. Anti-GM food protesters without a working knowledge of genetics. Hordes of anti-globalization weenies who can't explain what globalization is, much less why they're against it, and really only came to the march to hang out with their friends.

    12. Re:'Activist' is such a misnomer by Anonymous Coward · · Score: 0

      demonstrating and striking often brings about positive change. there is nothing negative about protests, unless you count the riot cops beating children over the head and shooting journalists

    13. Re:'Activist' is such a misnomer by Anonymous Coward · · Score: 0

      I prefer the term "dirty hippie" it seems to fit all cases of "activists"

    14. Re:'Activist' is such a misnomer by JonKatzIsAnIdiot · · Score: 1

      And what's more - they don't take criticism very well.

      (see above)

  2. Feels good by Hi_2k · · Score: 5, Funny

    These people are looking to be put in charge of my Packets, yet they can't even keep a couple of geeks out of a conference room? I'm sure we'll all feel REALLY safe ordering online with them in charge.

    --
    When life gives you crap, Make Crapade.
    Sluggy Freelance.
    1. Re:Feels good by KrispyKringle · · Score: 1
      So what's the point? I don't get it at all. You trust a loan officer with your financial information, but you don't expect him to be an expert in good eating.

      What the ``activists'' did was present a fake ID. Whoop de freakin' do. Certainly something stupid on part of the summit organizers, but not exactly failing to ``keep a couple of geeks out of a conference room.''

      The part I really don't get, though, is the fuss about the RFID tags. Guess what? I bet they were using them for the same thing that supermarkets and department stores use them for--electronic identification. If the ID cards had bar codes, would they complain that the bar codes are being used to electronically ID the holders? Sure, they can be read remotely, and that would bother me if they were given to ordinary consumers (say, like in Minority Report, when Cruise walks into a store and is greeted by name by a sales display). But at a conference you volunteer to attend to, run by a trusted organization (in theory, at least) with far less motive to engage in remote tracking and profiling than a major retailer, I'd say it's just not a huge concern.

      But maybe that's just me. It's still an interesting article.

    2. Re:Feels good by DataPath · · Score: 4, Insightful

      It's even better than that.

      The security at the conference is weak, and they're collecting personal data while they navigate the conference.

      I think they've pretty much proven they're the wrong people for the job.

      --
      Inconceivable!
    3. Re:Feels good by Geek+of+Tech · · Score: 3, Funny
      But don't worry about the data they collect! They're probably using 2-bit encryption! It's the only thing you can use with their 2-bit security measures......

      --
      Stop the Slashdot effect! Don't read the articles!
    4. Re:Feels good by cduffy · · Score: 4, Interesting
      It's a security conference. There's a reasonable expectation that security experts:
      1. Are innately concerned about avoiding unnecessary exposure of personal data (say, by displaying it in such a way that 3rd parties could observe or record personal information about other attendants).
      2. Will be able to use access control which is not circumvented by such a blatantly trivial mechanism as a fake ID.
      3. Will not permit other physical security measures (such as the use of metal sensors) to be trivially circumvented (as by smuggling in items which would not be permitted to be taken in during the conference itself beforehand).

      And so forth. The issue is not necessarily so much that the organizers are hostile as that they're incompetent in the very matter they're holding a conference about.
    5. Re:Feels good by Anonymous Coward · · Score: 1, Interesting

      very believable at MobiComm this year the host hotel's wireless cisco routers were open for non authenticated access through telnet...

      one would have thought that the net admin would have been a little worried when your network is going to be used by a conference on mobile computing

    6. Re:Feels good by Anonymous Coward · · Score: 0

      They're using quad-ROT13 encryption. Maybe even octo-ROT13!

    7. Re:Feels good by vtweb · · Score: 1

      The point in the article was the lack of notification to attendees of the data collection.
      In addition, no privacy policy was provided when requested.

    8. Re:Feels good by utlemming · · Score: 1

      They are experts in theory AND politicians. Further, they used contractors to implement the security. So for the most part, they were there to hash out a political agenda, not to actually worry about what they were talking about. In politics, people rarely care about the actual implementations of the goings-on in a meeting, as long as they get to be heard. Unlike a Linux conference, security per se is not as important. If it was a Linux conference every geek would be looking over the security and judging it.

      --
      The views expressed are mine own and do not express the views of my employer.
  3. huh? by junkymailbox · · Score: 4, Funny
    Ok, so these guys "cracked" the system by finding the name of a person, got a fake id, went there, took a picture and walked in.

    sidenote: all them kids in the clubs must be great crackers .. I see them "cracked" and "bypassed physical security" all the time ..
    oh wait .. this is slashdot .. no one goes to clubs here ..
    then they dissect the cards that were given to them to find out that they have RFID chips but no one seems to know what it does. .. Wait .. how's this different than any other place that asks for your information .. like Police and Lawyers Love E-ZPass?

    1. Re:huh? by Cumstien · · Score: 3, Interesting

      From a forensic science conference I learned that law enforcement will use supermarket discount cards to place individuals at a particular place and time. You'd better think twice about saving $.79 before whacking an adversary.

    2. Re:huh? by michaeltoe · · Score: 1
      The problem is that this is not a night club. It isn't different, it's stupid, and it's a big fat birthday invitation for potential abuse.

      None of this would be a problem if the people making these decisions were in any way whatsoever educated in computer science. They're not, however, and considering their complete and utter incompetence regarding everything else they do... why should their involvement here be any better?

    3. Re:huh? by sholden · · Score: 5, Insightful

      You can't see the difference between this and a club?

      One is a venue which wants to transfer money from your wallet to them in exchange for alcohol and a good time. The government says they aren't allowed to take money from people below a certain age, so they don't let them in. If you have a fake ID, then why would the club care that you choose to spend your money on their product?

      One is a venue filled with the heads of governments of numerous countries, government ministers, UN bigwigs (like the Secretary-General), and other such VIPs (in some people's eyes). It doesn't want to sell people a product which the government has decreed you have to be a certain age to have, but possibly wants to stop VIPs being harassed and bombs being planted.

    4. Re:huh? by Geek+of+Tech · · Score: 2, Interesting
      >>> Ok, so these guys "cracked" the system by finding the name of a person, got a fake id, went there, took a picture and walked in.

      Even worse. I think the article said "...a name from the WSIS website of attendees." No cracking, unless you consider surfing the web "cracking".

      --
      Stop the Slashdot effect! Don't read the articles!
    5. Re:huh? by segfault7375 · · Score: 5, Funny

      Yeah, but I bet you would feel differently about it if you were proven innocent because you were buying hand lotion and copy of Maxim when the crime was being committed.

    6. Re:huh? by Trigun · · Score: 2, Funny

      In that case, I've been proven innocent in about a million crimes already! I love technology!

      And Maxim...

    7. Re:huh? by Anonymous Coward · · Score: 1, Funny

      That's why my VONS card is under the name Jeffery Lebowski

    8. Re:huh? by ATMAvatar · · Score: 1

      Not really. If I were buying hand lotion and Maxim, there would be witnesses to corroborate my story (the people in line and the person at the register). Not to mention, if you used a credit/debit card in that purchase, there would be a log of the transaction occurring and where it happened.

      --
      "They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety."
    9. Re:huh? by Anonymous Coward · · Score: 0

      So, I guess what you're saying is that if this place would have had a cash bar and music, these guys wouldn't have gotten in...

    10. Re:huh? by ParadoxDruid · · Score: 2, Interesting

      This is exactly why my friends and I have started a policy of trading Grocery cards with anyone new that we meet, and encouraging them to do likewise.

      You get the same discount, you get to have some fun trading cards around and stuff, and they can't track you nearly as easily.

      --
      This statement is solely an opinion. Kindly take it as such in all cases.
    11. Re:huh? by Anonymous Coward · · Score: 0

      "Not really. If I were buying hand lotion and Maxim, there would be witnesses to corroborate my story (the people in line and the person at the register). Not to mention, if you used a credit/debit card in that purchase, there would be a log of the transaction occurring and where it happened."

      Yeah, I'm sure the person at the register will remember you even though a hundred people went through the line that day. And how will anyone know who else was in line if they didn't use cards either? And if you used a credit card, but didn't want to use a store card, that's just stupid.

    12. Re:huh? by Anonymous Coward · · Score: 0

      I go to clubs. I gave my phone number out to three different girls, and they will call me soon because I'm the shidznatz in town. My roommate is currently passed out on my bathroom floor from too much alcohol, and I won't be able to see this monitor in a few hours from the dissociative drugs I just induces,

      I've made numerous people fake id's, and I advise corps in my town (in the top 50 population, more I won't say) on compsex issues. I'll soon be getting some from the fifth person this year, and they're all clean. My reputation as a second-story man tells them I am REAL. I can make $6,000 extra a year by utilizing my skills late at night.

      I AM cyberpunk. People don't believe half the stories I tell, until I include details that they know I would have to be in their office to know.

      I'm posting this anon, to protect myself from people who would connect my name here with someone real. I go to clubs at least 2-3 times a week, getting in free often due to my pirate radio station.

    13. Re:huh? by anagama · · Score: 1


      I do this too! There should be a website to host such an exchange program - send in a [somestore] card, a SASE, and get a random [somestore] card back (same kind as you send in of course).

      --
      What changed under Obama? Nothing Good
    14. Re:huh? by HeghmoH · · Score: 3, Funny

      I'd rather go to jail for a crime I didn't commit than have a thousand strangers know that I read Maxim.

      --
      Mod down posts with a "Free Mac Mini/iPod" sig, they're spam!
    15. Re:huh? by Anonymous Coward · · Score: 0

      *lol* here quite a few people working in stores actually participate in it :)

    16. Re:huh? by Anonymous Coward · · Score: 0

      And now that millions of geeks know you read it?

    17. Re:huh? by Spyder · · Score: 1

      1. Open phone book
      2. Get some shmuck's name and address
      3. Use the shmuck's info for your grocery discount card
      4. ????
      5. Profit!

      Just one more disconnect between the reliability of authentication vs. identification. Not a novel or interesting hack, but the problem is so pervasive in these half-assed security systems that it almost always works.

      Quote from George MacDonald's Flynn:
      "The problem is, when you reduce people to little pieces of paper, somebody is going to give you the piece of paper and not the person." -- Flynn aka NN 13
      (Might be a little off, I'm going from memory, and I haven't read the book in a few years)

      --
      Spyder
    18. Re:huh? by fenix+down · · Score: 1

      And that's why we have "beyond a reasonable doubt".

    19. Re:huh? by Anonymous Coward · · Score: 0

      There was a bust a few years ago where the discount card was used as evidence. It tracks purchases and the suspect was buying a couple boxes of sandwich bags a week...

      May be urban rumor.

    20. Re:huh? by kchayer · · Score: 1
      I'd rather go to jail for a crime I didn't commit than have a thousand strangers know that I read Maxim.

      But you just admitted that very thing to a thousand strangers. :)

      </tongue-in-cheek>

      --

      "I say consider this day seized!" -Hobbes
      "Tomorrow we'll seize the day and throttle it!" -Calvin
  4. Well. . . by Anonymous Coward · · Score: 5, Funny

    Days before the Summit no physical security was available. Anyone could bring anything inside the conference

    Yep, it was fairly easy to sneak my tin foil hat in.

  5. so this is like 'hacking' by Anonymous Coward · · Score: 5, Funny

    except they were walking around and stuff.... neato.

    1. Re:so this is like 'hacking' by Grey+Tomorrow · · Score: 2, Funny

      I like to call it "warwalking". Catchy huh?

    2. Re:so this is like 'hacking' by dahamsta · · Score: 1

      This comment is much funnier than the parent. Who's in charge around here?

    3. Re:so this is like 'hacking' by Anonymous Coward · · Score: 0

      And Columbine was just Unreal Tournament.

  6. "Bypassed security" by JohnGrahamCumming · · Score: 5, Insightful

    Huh? If you RTFA you'll find that what they did was use a fake ID with the name of a real participant to obtain a badge. Nothing very clever about that.

    Basically the "researchers" represented themselves as being someone else and used a fake (potentially) illegal piece of identification. Doesn't seem clever, just seems fraudulent.

    They then go on to speculate about how "data mining" and RFID might be used for all sorts of nasty tricks and end up sounding like a bunch of paranoid crack-pots.

    So, if I buy a fake passport on a street corner and then use it enter Germany, did I just "crack" Germany's security and can I get my picture on Slashdot?

    John.

    1. Re:"Bypassed security" by irokitt · · Score: 5, Insightful

      Nobody is saying the "crackers" were clever. We're saying the "Safety Experts" were stupid. They should have taken precautions in both the physical and electronic realms.

      --
      If my answers frighten you, stop asking scary questions.
    2. Re:"Bypassed security" by JohnGrahamCumming · · Score: 2, Insightful

      > We're saying the "Safety Experts" were stupid. They should have taken precautions in both the physical and electronic realms.

      So to fix the problem that the "researchers" exposed you need a participant to submit _prior_ to the conference some token that only they would know or have. So they could have demanded a photo, fingerprint, eye scan, urine sample beforehand. Then they could have demanded the same when getting your badge.

      But you have to ask whether that would be an appropriate level of security for this event, and that comes down to assessing the level of threat.

      Rather than being "stupid" I suspect that the security people didn't believe that such a high level of identification was necessary. They seemed to have used the same level that any US airport would use: show me a government issued ID and I'll accept it as genuine.

      John.

    3. Re:"Bypassed security" by sholden · · Score: 1

      So, if I buy a fake passport on a street corner and then use it enter Germany, did I just "crack" Germany's security

      Obviously.

      And it would be of great concern to Germany. Just as this should be of great concern to the organisers of the summit.

      They probably don't want protesters or terrorists getting in just as much as Germany doesn't want illegal immigrants or terrorists getting through its security.

    4. Re:"Bypassed security" by Anonymous Coward · · Score: 0

      We'll remember that the next time someone forges a passport to get on a plane to go to some country and bomb the hell out of them..

      All they did was use a fake piece of identification, nothing to worry about there, right?

    5. Re:"Bypassed security" by dark404 · · Score: 3, Interesting
      I think the pseudo-slang term you are looking for to describe what they did is, "Social Engineering." Unfortunately, the weakest link in any system of security (real or virtual) is the user. A parallel can easily be drawn from what was done here to the old days of AOL (maybe the current days too, been years since I used AOL) where script kiddies and wannabe hackers would 'phish' (compromise) accounts by impersonating AOL employees and asking people for their passwords over Instant Messages. Of course people FELL for that even with "AOL will NEVER ask for your password" plastered on every IM box on the system.

      We should be able to trust our fellow man, and on many levels we want to trust people. Because of our predisposition to trusting people (when meeting them face to face, obviously on the internet it is a tad different) the unscrupulous take advantage of that trust. On one hand we're too trusting and get taken advantage of, on the other hand we're too untrusting and our society becomes overly unfriendly. Rock and a hard place.

    6. Re:"Bypassed security" by DataPath · · Score: 4, Insightful

      I don't think the purpose of the writeup is to give m4d pr0pz to the 133t m34tsp4c3 haxxorz. It seems to me that the points they were trying to get across were:

      1) These people have little concern for security, seeing as how they didn't even comply with the multiple applicable laws governing that sort of conference
      2) These people have little concern for privacy, again, as they didn't comply with multiple applicable laws on the matter
      3) Their ineptitude could possibly be opening these people for extortion or blackmail, or even endangering their lives.
      4) These are the people who are deciding how the internet is going to be governed

      --
      Inconceivable!
    7. Re:"Bypassed security" by jmv · · Score: 1

      Well, they still proved that the security system was pretty much useless because the weakest link was somewhere else (only a simple ID with no other info is sufficient). It's like saying "my front door lock is unbreakable" and leaving the back door open. And BTW, I believe it's still harder to get a fake passport with your picture on it than to do what they did.

    8. Re:"Bypassed security" by ShaunC · · Score: 4, Interesting
      If you RTFA you'll find that what they did was use a fake ID with the name of a real participant to obtain a badge. Nothing very clever about that.
      You'll also find that they should have been required to produce their letter of invitation and a registration number. They had neither, but got in anyway. Perhaps not so much clever as scary, this place is hopping with "important people" and anybody can walk right in with no invite and a fake ID.

      The security at freaking MacWorld was better (or worse, depending on your perspective) than this the last time I went! Unless you got your badge via mail, you had to produce not only your ID but also the credit card that you used to register. Not infallible, but at least a challenge - and Javits wasn't full of diplomats, either.
      --
      Thanks to the War on Drugs, it's easier to buy meth than it is to buy cold medicine!
    9. Re:"Bypassed security" by Trigun · · Score: 4, Insightful

      Or they could have just sent out invitations by registered mail. If you wanted to get fancy, you could put the RFID in the invite, or *gasp* number them!

    10. Re:"Bypassed security" by whereiswaldo · · Score: 2, Funny

      So, if I buy a fake passport on a street corner and then use it enter Germany, did I just "crack" Germany's security and can I get my picture on Slashdot?

      Give it a try. I think that's how David Hasselhoff got his big break.

    11. Re:"Bypassed security" by GQuon · · Score: 1
      can I get my picture on Slashdot?
      No. That could only happen in three ways:
      • Paying for an ad.
      • Hacking slashdot.
      • Being so obnoxious that you get your own topic icon. Like Bill Gates.
      --
      Irene KHAAAAAAN!
    12. Re:"Bypassed security" by ScrewMaster · · Score: 1

      ... and can I get my picture on Slashdot?

      No, but I'm sure it would appear on a few mug shots.

      --
      The higher the technology, the sharper that two-edged sword.
    13. Re:"Bypassed security" by penguin7of9 · · Score: 1

      So, if I buy a fake passport on a street corner and then use it enter Germany, did I just "crack" Germany's security

      Yes.

      and can I get my picture on Slashdot?

      No, because there is no particular expectation that German security is any better than that of, say, France or the US. European nations don't have a lot of security along their borders with other Western nations. So, it isn't hard for an American to enter Germany, France, or the UK illegally.

      However, there is a natural expectation that security experts have better security at their own conferences than the annual conference of, say, Flower Arrangers of America.

    14. Re:"Bypassed security" by Anonymous Coward · · Score: 0
      2) These people have little concern for privacy, again, as they didn't comply with multiple applicable laws on the matter
      Please do expand on this idea - were they breaking some UN law? A Swiss law? US law? Natural law? Law of a nation participant to this conference?

      And just because some tin-foil-heads say that they might have been using the RFID tags for data mining that doesn't immediately make it true.

    15. Re:"Bypassed security" by LynXmaN · · Score: 1

      Well and I've bypassed American border controls after September 11th with my Spanish passport, and the best thing is that I even didn't want to, they just made me bypass it because there was no contact telephone at my entering visa... and I still keep it since nobody wanted it back, they just told me to keep going.
      So... no country or no place is secure when there is a human that has the final decision to overpass the system at his own will ;)

      --
      May the source be with you!
    16. Re:"Bypassed security" by DataPath · · Score: 1

      From the article:

      The procedures of how personal data is being handled during WSIS break the principles of the Swiss Federal Law on Data Protection of June 1992 [2], the European Union Data Protection Directive 95/46/EC [3] and the United Nation guidelines concerning Computerized personal data files adopted by the General Assembly on December 1990.

      They said "how the data is being handled", they didn't elaborate more, and I'm not qualified to speculate on the legality of anything. My objective was more to restate rather than reinforce the original article.

      --
      Inconceivable!
  7. easy solution by markov_chain · · Score: 3, Funny

    microwave for 1s

    --
    Tsunami -- You can't bring a good wave down!
  8. WTF by scottblascocomposer · · Score: 0, Flamebait

    I've really got to stop reading /. because every time I read something like this, I get all frustrated with the ridiculous means the powerful will use to stay powerful. If the RFID tracking assertion is true, am I right in imagining that it probably has no innocuous intention behind it? Or am I just crazy and paranoid because of what's happening to my country right now (USA)?

    I just want to go move to some Mediterranean island and grow a garden, buy from the local small businesspeople, and live life free and simple. Is it too much to ask that the folks "in charge" let a true people's democracy develop without being waylaid and corrupted by corporate and special interests?

    Whoa. That just got a lot broader than it started! Sorry about that... life in conservative parts of the country gets a bit depressing sometimes :)

    --
    To reign is to serve.
    1. Re:WTF by KrispyKringle · · Score: 1
      Or am I just crazy and paranoid because of what's happening to my country right now (USA)?

      Yes.

      Is it too much to ask that the folks "in charge" let a true people's democracy develop without being waylaid and corrupted by corporate and special interests?

      Well, got a history book? I'd say yes to this, as well.

    2. Re:WTF by bhima · · Score: 1

      Yeah, he's way too late wanting a true people's democracy in the US. His grandparents sold him out for giant cars with fins, colour TVs and cheap consumer goods made by 3rd world slave labour.

      --
      Nothing in the world is more dangerous than sincere ignorance and conscientious stupidity.
  9. Further proof (as if any was needed) by Anonymous Coward · · Score: 4, Funny

    that geeks are merely terrorists under another name!

    1. Re:Further proof (as if any was needed) by Anonymous Coward · · Score: 0

      And I shall name them terrorgeeks
      And they shall be feared by all
      None shall wish to speak with them
      None shall wish to associate with them
      Such is the fear spread
      Such is the way

      Of the TERRORGEEK.

    2. Re:Further proof (as if any was needed) by Anonymous Coward · · Score: 0

      They really ought to be t-errorists

  10. Tracking locations? by fred911 · · Score: 4, Interesting

    In order to track locations to see who's close to who, you need many, many rfid transceivers. Probably so many, so close there'd be other issues (rf issues).

    --
    09 F9 11 02 9D 74 E3 5B - D8 41 56 C5 63 56 88 C0 45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
    1. Re:Tracking locations? by interiot · · Score: 2, Interesting

      Read the article, the badges are "passive" in that they only reflect radio waves sent to it. Also, the RF transmitters/sensors are placed only at entrances and pop machines, so attendees weren't tracked really closely, and apparently they can't sense much more than 20 feet away, making RF interference much less of a problem.

    2. Re:Tracking locations? by Anonymous Coward · · Score: 0

      Oh come on, have you even READ about RFID? Tracking movement etc is EXACTLY what it does. Saying that RF issues would enter into it is ludicrous!

      Since RFID is being used to track stock in a warehouse, how is that different from tracking people in a conference?

  11. Nothing is safe. by irokitt · · Score: 5, Insightful

    The fact that the security was breached is not the most alarming thing about this. Nothing programmed by man is ever completely safe. The scary thing is that people professing to be security conscious were bested because of something so simple, and which could have been prevented or easily stopped.

    --
    If my answers frighten you, stop asking scary questions.
    1. Re:Nothing is safe. by slazar · · Score: 1

      As opposed to something programmed by god? :P

  12. so these are new over....bozos? by Anonymous Coward · · Score: 0

    but...it does beg the question... who do these people think they are to try and set themselves up in a position to be the new overlords?

    It's one thing if someone "outsmarts" (i.e. id theft like the group did) your security when it's good... but this is funny, so laugh until this group gets control over something...

  13. Still Important by digitalvengeance · · Score: 4, Insightful

    Though many have criticized this article as not really representing cracking or bypassing security in any impressive manner, I think there is a deeper issue here.

    What information of use could be gleaned at future meetings or other UN events? The same people very likely do event security for this and other conferences, and the type of information that could be gleaned or the damage that could be done at other events is something to be taken seriously.

    Personally, I despise the UN - but they (through US) are a force in the world and a breach of their security is nothing to laugh at too quickly.

    --
    How many roads must a man walk down? 42.
  14. Historical parallel.. by irokitt · · Score: 5, Insightful

    The problem here was one of physical security-all these guys really needed to get started was a name. During the 80's/early 90's, one of the concerns in the security field was also physical security-a hacker posing as a janitor and accessing unsecured systems, or dumpster diving, or using personal connections to get at employees and talk something valuable out of them. I would think that people would have learned by now that it takes more than simple electronic measures to stop "hacking". This could have been prevented if the powers-that-are had made the ID process a little harder.

    --
    If my answers frighten you, stop asking scary questions.
    1. Re:Historical parallel.. by Anonymous Coward · · Score: 0

      This is also the biggest thing that Kevin Mitnick mentioned as his #1 tactic...

      so all the 'it's not hacking' folks can stfu - I think the amount of jail time that Kevin did would convince you that this IS hacking

      and this IS scary because these people purport to know what is best for the future of the internet - to the point that they are kicking ICANN people out of their meetings for who-knows-what reasons...

  15. [RFID] Late night on slashdot and the nightmare... by the+man+with+the+pla · · Score: 5, Insightful

    begins.

    They are going to put these in tires. When you buy your tires the seller is going to be required to enter your information in a database.

    One day when you are going a little too fast in a school zone or run a yellow that switches to red too fast an underground computer is going to sense the rfid in your tire, immediately reporting the number via rf link to police headquarters.

    You would think that this would be for the purpose of giving you a ticket. You're right, you will get a ticket. But that is not the end of the trail for your rfid number.

    It immediately gets sent to the state government where it checks to make sure you are not a deadbeat dad that the whereabouts of are unknown. Simultaneously sending it to the FBI to see if you are a name on the "patriot" act watchlist and indexes your location. If you drive on the same street on a regular basis they will know where to find you.

    You're not a deadbeat dad, lawbreaker, or terrorist you say??? Well the trail that your rfid number takes does not end there. Your rfid number is sold by cash-strapped states to a commercial database under the auspices of "risk mitigation" that insurance companies subscribe to. Because you were speeding, you are at an increased risk and your car insurance rates are subsequently raised. Because you drive dangerously, your health insurance rates are also raised. Maybe they cancel your policy outright.

    You're thinking I'll just remove the rfid. No you won't. Driving with unregistered tires is against the law, and if the police can't scan you as you drive past his cruiser he pulls you over and immediately suspends your license and impounds your car. But you won't be able to remove it anyway, without destroying the tire, as it is purposefully integrated with the "steel belt".

    Does the trail end for your rfid tire number now? No, it most certainly doesn't. To see where it leads further, you are going to have to talk to my patent attorney.

    --
    The linux hacker
  16. Too much to ask? by Anonymous Coward · · Score: 0

    If the location you want to move to is of no value to them they might not care. If they decide you'd be a good scapegoat for what they've done or a diversion for what they want to do they might come knocking again. I don't think you being a bad example from living a non-dominated life would be an issue since their propaganda machine is well oiled(pun).

  17. Yawn by Anonymous Coward · · Score: 1, Insightful

    > they found the system uses RFID tags to monitor participants -- possibly even
    > who they interact with and their movements through the conference.

    Or they could just use a camera to follow your movements through the conference and see who you interact with. Nothing new here... move along.

  18. What a load of bull by Anonymous Coward · · Score: 1, Insightful

    If anyone really wanted to track people by "remotely activating" their RFID tags without them knowing, they would need so many of these close-range readers that you wouldn't be able to walk! Plus you would need to figure out who's who by getting into the "DATABASE" that nobody knows about.

    You might as well drop one of these nifty wireless cameras in each corner of the room, betcha it would be way more effective for tracking people's whereabouts.

    PS/ I hear they (Privacy Enemies) can track me down and see whatever I'm doing only by knowing my IP address!!! pH34r

    1. Re:What a load of bull by Anonymous Coward · · Score: 0
      > Plus you would need to figure out who's who by getting into the "DATABASE" that nobody knows about.

      The Swiss government knows about it. That's who's potentially doing the monitoring, tracking, human interaction analysis, etc. If you don't see why it might be interesting to someone that the techie from China spent most of his time walking around with a Peekabooty developer (this is a hypothetical example, of course) then I'm afraid this story isn't for you.
    2. Re:What a load of bull by Anonymous Coward · · Score: 0

      I'm glad I'm not the only one to think the whole thing was made up. They say no one knew anything about the RFID tags when they asked, yet they claim to know exactly what they are being used for. Where did this info come from?

  19. Convenience vs Security by pbug · · Score: 3, Insightful

    The problem with any system in place is when convenience is placed ahead of security. The more convenient it is made for the people who it is going to protect and the people who are enforcing the system the less secure it will become. Well at least that is what I think part of the problem is.

  20. Since when did /. report on physical security? by LostCluster · · Score: 3, Insightful

    This wasn't a technical hack by any means... they brought a fake ID with the name of a real person on the guest list, and they got that person's badge issued to them. From that point on, they had as much clearance as that real person had, not surprising at all.

    Just goes to show the inherent insecurity in demanding only a government-issued ID when many governments are involved. Any given state's drivers license has many anti-forgery features, but unless you have an inch-thick book with all of the features of every acceptable ID listed, an international event is gonna have a hard time relying on that alone.

    Still, what's newsworthy about this failure? It happened at an important-to-the-Internet event, but it didn't really cause any damage...

    1. Re:Since when did /. report on physical security? by Anonymous Coward · · Score: 0

      >Since when did /. report on physical security?

      No kidding. When CmdrTaco's doctor said "dude, you need more physical activity," I don't think he was talking about articles on Slashdot... Oh well, at least he put in some effort!

    2. Re:Since when did /. report on physical security? by surprise_audit · · Score: 1
      > From that point on, they had as much clearance as that real person had, not surprising at all.

      Was anything done to prevent the real person showing up? If the organisers had discovered that person's badge had already been issued, they should have cancelled its clearance and sent someone through the crowd with a scanner looking for the associated rfid tag.
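Added example, not part of the thread or any system used at the event: one way a badge desk could handle the situation the comment above describes, where a second person claims a registration that already has a badge. The class, state names, tag IDs and reader names are all hypothetical; the logic revokes the earlier badge, holds the new one until staff re-verify the claimant, and records where a revoked tag is next seen.

```python
from dataclasses import dataclass, field

ACTIVE, HELD, REVOKED = "active", "held", "revoked"


@dataclass
class BadgeDesk:
    """Hypothetical badge registry keyed by RFID tag ID."""
    state: dict = field(default_factory=dict)    # tag_id -> ACTIVE / HELD / REVOKED
    owner: dict = field(default_factory=dict)    # tag_id -> registrant name
    issued: dict = field(default_factory=dict)   # registrant -> [tag_id, ...]
    alerts: list = field(default_factory=list)   # events for security staff

    def issue(self, registrant, tag_id):
        """Issue a badge. A second claim on one registration means one of the
        claimants is not who they say: revoke the earlier badge and hold the
        new one until identity is checked out of band."""
        prior = self.issued.setdefault(registrant, [])
        duplicate = bool(prior)
        for old in prior:
            if self.state[old] == ACTIVE:
                self.state[old] = REVOKED
                self.alerts.append(("duplicate_claim", registrant, old))
        prior.append(tag_id)
        self.owner[tag_id] = registrant
        self.state[tag_id] = HELD if duplicate else ACTIVE
        return self.state[tag_id]

    def verify(self, tag_id):
        """Staff confirmed this claimant; activate a held badge."""
        if self.state.get(tag_id) == HELD:
            self.state[tag_id] = ACTIVE
        return self.state.get(tag_id)

    def gate_read(self, tag_id, reader):
        """Called by a door reader. Non-active tags are refused and the read
        is logged with the reader's location so staff know where to look."""
        status = self.state.get(tag_id, "unknown")
        if status != ACTIVE:
            self.alerts.append(("denied_read", tag_id, status, reader))
        return status == ACTIVE


def demo():
    # Constructed sample data: one registration, two claimants.
    desk = BadgeDesk()
    desk.issue("A. Delegate", "TAG-0001")                    # first claimant
    first_ok = desk.gate_read("TAG-0001", "hall-entrance")   # admitted
    second_state = desk.issue("A. Delegate", "TAG-0002")     # second claimant
    after = desk.gate_read("TAG-0001", "press-room")         # now refused
    desk.verify("TAG-0002")                                  # staff re-checked ID
    second_ok = desk.gate_read("TAG-0002", "hall-entrance")
    return first_ok, second_state, after, second_ok, desk.alerts


if __name__ == "__main__":
    print(demo())
```

The registry cannot tell which claimant is genuine; it only guarantees that two live badges never exist for one registration and that the earlier tag surfaces at the next reader it touches.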

  21. Re:[RFID] Late night on slashdot and the nightmare by Anonymous Coward · · Score: 1, Informative

    What is it that makes you think RFID technology suddenly enables this?

    Lemme clue you in, there's this wild and crazy technology that puts a unique identifier on every automobile driving on public roads. It's linked to your name in state databases and it's required by LAW. It's called a license plate, you dumb shit.

    And amazingly, if you get caught by an officer speeding in a school zone or blowing a red light, they will run your license plate in their little laptop to see if you have any warrants out, like for being a deadbeat dad.

    And your car insurance company has the ability to look up your driving record to see any tickets or accidents within the past few years.

    I'd assume that most anyone has this ability, an assumption based on the fact that if you get a speeding ticket, within 2 days you'll receive about 150,000 postcards in the mail from ticket attorneys and driving schools.

    Get a clue you dumb piece of shit.

  22. The Spelling Nazi says... by Anonymous Coward · · Score: 0

    Insightful

  23. ...yet by learza · · Score: 1
    Since when did /. exclusively report on computer security?

    You're right, it wasn't a technical hack, but that doesn't mean it's not important. Social engineering (which I guess this comes under) deserves more respect than it currently gets. Your organisation might have God's own firewall but that's not a lot of use if an attacker attends a conference at your workplace, gets a temporary ID and then lifts a couple of laptops at lunch.

  24. Mitnick should take advantage of this one by MagicBox · · Score: 2, Insightful

    His biggest *break-ins* were physically walking into a computer room. Nowadays that is the least talked about security issue. Mitnick does a lot of educating on the topic but a lot of people called him *old fashioned*. Well there you go, it happened, and to none other than WSIS. I think you should check those locks on your server rooms again.

    --

    The phaomnneil pweor of the hmuan mnid. Fcuknig amzanig eh!
    1. Re:Mitnick should take advantage of this one by Anonymous Coward · · Score: 0

      Mitnick has already taken advantage.. that's why he went to prison. Why take advice from a loser that got caught?

    2. Re:Mitnick should take advantage of this one by MagicBox · · Score: 1

      > Mitnick has already taken advantage.. that's why he went to prison. Why take advice from a loser that got caught?

      Is he a loser because he got caught, or because he did what he did? I wasn't suggesting he should take advantage by starting to hack again, I was suggesting he should take advantage of the situation to get the message out there.....a lot more people might be willing to listen

      --

      The phaomnneil pweor of the hmuan mnid. Fcuknig amzanig eh!
  25. Yes, very good point by Anonymous Coward · · Score: 0

    You have too much time on your hands if you really translated this.

  26. Re:[RFID] Late night on slashdot and the nightmare by Anonymous Coward · · Score: 0

    My Tires have tinfoil hats though??

  27. Re:[RFID] Late night on slashdot and the nightmare by Anonymous Coward · · Score: 0

    You must be quite the stud at the annual holiday party, what with all your wit and all. Seriously, if you are just being hyperbolic in an attempt to discredit pathetic losers, that's great. If you're serious, you need a life. I doubt it is too late for you to change, but it might be close. Contact me if you need some help through your struggle.

  28. Re:[RFID] Late night on slashdot and the nightmare by Anonymous Coward · · Score: 0

    How can I contact you?

  29. Mr Delegate Do You See Why We Need To Crack Down! by Linus+Sixpack · · Score: 2, Insightful

    Group of idiots commit fraud to crash an important meeting and discover -- rf tags. Then in sanctimonious puffery they tell the world about it because...

    Do you not think the organizers knew there were limits to what they had to spend on security?

    Rfid tags have the advantage of not needing an interpreter if the delegate only speaks another tongue.

    See who gets painted by the same brush as these jerks, not scientists, not researchers...

  30. Some More Information by Anonymous Coward · · Score: 0

    Can be found here

  31. New, unique technology by djupedal · · Score: 1

    ...that allows people to be tracked by their looks, voice, smell, gait, handedness, hair color, height, skin color and sex.

    It is possible to track interaction around a room or hall between individuals, while also recording conversations, gestures and purchases.

    The collected data can be recalled at any time, based on any combination of queries or profiles.

    What kind of technical gadget is this?

    My memory. Be afraid....be very, very afraid.

  32. U.N. and the Internet by TWX · · Score: 2, Insightful

    "4) These are the people who are deciding how the internet is going to be governed"

    Not to get too off-topic, but I don't think that I like the direction that they want to take the Internet. Yes, it spans the globe, but it's something that a lot of private and public American funding went into designing, developing, and maintaining. I understand the need for standards, but I don't think that the U.N. is really right for governing the Internet. They have a hard enough time running peacekeeping missions in European countries, let alone anywhere else in the world, and that's stuff that there has been established methods around for quite some time.

    My basic idea is this-- The U.S. had the single largest contribution to the idea of a global information network in the form of the Internet. If the rest of the world wants one of their own, let them create it themselves. There are enough people in enough other countries that if they want to slowly combine into one government with its own infrastructure, let them. It's called competition, and it's been proven, that when coupled with the right amount of cooperation, to be very good at advancing things. If the U.N. builds their own global information network and it's better than the Internet, people will switch. If it's not, either through information availability problems, or through censorship, then it won't. Seems fairly simple.

    --
    Do not look into laser with remaining eye.
    1. Re:U.N. and the Internet by DataPath · · Score: 1

      I agree. There aren't many organizations that would be a poorer choice for governing the internet, but if I understand correctly, that is EXACTLY what WSIS is intended to be doing.

      --
      Inconceivable!
    2. Re:U.N. and the Internet by You're+All+Wrong · · Score: 1

      "It's called competition, and it's been proven, that when coupled with the right amount of cooperation, to be very good at advancing things."

      The giraffe and the crab are a product of competition.
      They consider themselves the most advanced long-necked-thing and walks-sideways-thing in the world.

      Want an IT example? The browser with the blink tag was more advanced than the browser that came before it.

      YAW.

      --
      Your head of state is a corrupt weasel, I hope you're happy.
    3. Re:U.N. and the Internet by Stachel · · Score: 2, Insightful
      > They [the UN] have a hard enough time running peacekeeping missions in European countries

      The UN might be more capable/powerful running those missions if the U.S. were paying their share of the contribution.

      > The U.S. had the single largest contribution to the idea of a global information network in the form of the Internet. If the rest of the world wants one of their own, let them create it themselves.

      Ha, but a European guy invented HTML, without which 'American' internet would be pretty useless, wouldn't it?

      --
      Stachel
    4. Re:U.N. and the Internet by j-b0y · · Score: 0, Flamebait

      I think that the U.N. as an entire organization gets a bad rap due to the going-nowhere and doing-nothing nature of the General Assembly (a talking shop, par excellence) and the Security Council (almost always veto-deadlocked, and impotent even when it does agree on something). However, the ITU, along with other organisations under the U.N. umbrella (like the UNHCR), doesn't actually do a bad job as such.

      If it wasn't for some obtuse decisions and the opaque decision-making process which ICANN has specialised in, and the commercialisation of the Internet at a core level (Hi VeriSign!), I doubt very much if anyone would care who ran the Internet. Unfortunately, the running of the Internet does have the look of an elite club about it (for good historical reasons), and those on the outside feel disenfranchised by the process through which decisions are made for them.

      In the end, this isn't about who's better at running the Internet, but rather a case of who has the power.

      --
      Please remain calm, there is no reason to pani... wait, where are you all going?
    5. Re:U.N. and the Internet by Anonymous Coward · · Score: 0

      > a European guy invented HTML, without which 'American' internet would be pretty useless, wouldn't it?

      Oh my god - you're serious, aren't you?

      Isn't it time to get away from the keyboard and beg your mommy for milk and cookies?

    6. Re:U.N. and the Internet by DataPath · · Score: 1

      Having used the internet quite a lot before the "invention" of HTML, I find your statement uninformed. We had a world wide web before the world wide web - it was called gopher. It didn't have graphics or blink tags, or even a choice of fonts, but darnit! We liked it anyway! IIRC it had something resembling hyperlinks, which with or without this "a European guy" (I've never heard the story of the invention of HTML), would have evolved just like everything else on the internet.

      Oh yeah - what made the internet useful when I was a kid. Usenet, of course - you have user communities and support forums on the web - that was all on Usenet. ftp - downloading games and a few shareware productivity programs that made windows 2.0 just a little bit nicer. e-mail, not that I at that age had anyone to email, but it was there. And those are just the things that my little 9 year old self had contact with, there were all kinds of unix utilities that used the internet (or networks of one sort or another) to do useful, productive things.

      --
      Inconceivable!
  33. I say by Anonymous Coward · · Score: 0

    +1 Inciteful

  34. RTFA by lurker412 · · Score: 4, Informative

    The World Summit on the Information Society is not a security conference. It is concerned with much broader issues of society and technology. You can find more info here

    1. Re:RTFA by cduffy · · Score: 1

      Pardon. I did indeed read the article, but my eyes somehow read "Information Security".

      That said, I would argue that privacy and security are key among such issues, and would hope that those involved in such a society would be knowledgeable regarding it.

    2. Re:RTFA by Anonymous Coward · · Score: 0

      The only thing these 'activists' are trying to do is give RFID tags a bad rap. The security badges they scammed are no different than the ones we've all been wearing to get into our day jobs for the past 10 years.

    3. Re:RTFA by cduffy · · Score: 1

      > The only thing these 'activists' are trying to do is give RFID tags a bad rap.

      No, they also pointed out issues completely unrelated to the badges -- such as displaying members' information in such a way that others could observe or record it, easy circumvention of the metal detectors, and the like.

      > The security badges they scammed are no different than the ones we've all been wearing to get into our day jobs for the past 10 years.

      The badge I wear to get into my day job is passive -- needs an EM field from the reader to do anything at all -- and readable only at a range tantamount to actual contact.

    4. Re:RTFA by John+Harrison · · Score: 2, Insightful
      I would guess that the badges are standard Mifare badges and can be read from a distance of about 5 cm at most. This is not something that is useful for passive tracking. You would have to knowingly present your badge to a reader. Funny how the article didn't mention that.

      There are a variety of smart card and RFID standards, and the two are different animals. This "press release" did nothing to clarify what the cards were. If these guys were such amazing hackers we would know if it is a tag or a card and what the make and model are. We would know what was stored on the card and what security was in place on it. Instead we know just about nothing.

      This could have been really interesting, but the press release is short on information and long on FUD.

  35. RFID Tags sucks by Anonymous Coward · · Score: 1, Insightful

    Why does everyone think RFID tags can be used to monitor the actions of people?

    RFID tags are un-powered. In fact, they are powered by the RF signals that are used to read the RF tag. Because of this RF tags have transmission range of inches.

    1. Re:RFID Tags sucks by surprise_audit · · Score: 1
      Wanna bet that a tag in any battery powered device would be limited to inches?

      How far can a cellphone reach out to hit a cell tower? A mile or two? A tag in the battery ought to be able to reach out many yards, at least. Similarly, a tag in a car battery ought to have a good range...

  36. Re:[RFID] Late night on slashdot and the nightmare by narratorDan · · Score: 2, Informative

    Simple way of taking care of the RFID tags in this tin hat situation;

    Pay cash, (until the gov stops printing it, they must accept it) give them a fake name and phone number (the phone book is full of them), buy or make a RFID reader and locate the tag in the tire and cut that section of the tire out and put it in a microwave for about 30 seconds. DING! The RFID tag is fried, now replace the cutout in the tire and freely run down kids in school crosswalks with the red lights.

    Hmm, just read the rest of your post. You're screwed.

    NarratorDan

    --
    "If you're not confused by quantum mechanics, you really don't understand it." - Niels Bohr
  37. Re:[RFID] Late night on slashdot and the nightmare by RzUpAnmsCwrds · · Score: 1

    "Pay cash"

    What if they put RFID in the cash?

  38. Re:[RFID] Late night on slashdot and the nightmare by Anonymous Coward · · Score: 0

    > Pay cash, (until the gov stops printing it, they must accept it) give them a fake name and phone number

    You can't rely on that much longer.

    Ever try to rent a hotel room these days? They're taking to scanning your license and up pops your customer profile.

    It is not a substantial leap to expect the computer to verify the name on that license with the state. Or that, for various transactions, the state will not require same.

    The RFID in tires! eureka is a bit of delayed paranoia, tho. They're already fully enabled to accomplish the poster's goal -- with simply cameras. They already "read" dozens of plates per second at nearly every toll road, most garages and parking lots, and other key traffic areas. Isn't the UK already thinking of taxing every car "seen" on key roads once a day, every day they show up?

    Why bother putting RFID detectors everywhere when you can get SOOO much more coverage with a camera?

  39. More than just Physical Security Issues by MojoReisen · · Score: 4, Insightful

    This is probably another case of "You get what you pay for", but the issues here go beyond simply using a fake ID to breach physical security. The fact that the data needed to fake the ID was culled from the attendee list on the website speaks volumes as to how much thought actually went into the security architecture for this event. I mean, really, someone should have thought of that possibility. Why didn't they verify or vet this identification in some way?
    Another frightening fact is that these jokers' security processes, if you consider the RFIDs as 'security', are violating the laws of both the host country and the EU. This is the biggest issue, IMHO. "Security" also means adhering to all applicable laws and regulations, in order to limit your liability, and the liability of your employer.
    And what about these guys walking around snapping photos of the screener's monitors? What's up with that?
    The bottom line is that these "security experts" at SportAccess, or wherever, are incompetent. Their security model was ill-conceived, poorly executed, needlessly intrusive and (obviously) completely ineffective.

    --
    "Nothing is impossible for the man who refuses to listen to reason"
    1. Re:More than just Physical Security Issues by nagora · · Score: 3, Insightful
      > if you consider the RFIDs as 'security', are violating the laws of both the host country and the EU.

      I'm sorry but you seem to be confused: laws are for little people, not big, wise, important people that can be trusted like our leaders.

      TWW

      --
      "Encyclopedia" is to "Wikipedia" what "Library" is to "Some people at a bus stop"
  40. Mental image by Anonymous Coward · · Score: 0

    Speaker at WSIS: blah blah blah

    Disembodied Voice: The bomb has been planted.

    Speaker: What the hell?

    Crowd: *murmurs, confused looks*

    *KABOOM*

    Disembodied Voice: Terrorists Win.

  41. Re:[RFID] Late night on slashdot and the nightmare by surprise_audit · · Score: 1
    Four different tags, one for each tire? Or just one tagged tire? How long would it be before folks started holding swap-meets to exchange tires? Make that illegal too, I suppose.

    But then, are you going to make illegal the large parking lots full of swappable tires outside, say, WalMart? Or any Mall? How long would it take to exchange 1 "hot" tire without the knowledge of the donor?

    Why stop at tires anyway? A tag in the battery would be more difficult to remove, and look at all the power available for it to punch a signal out with when it gets pinged by the detector... Tag the oil filter, engine crankcase, transmission. All this would be done in the guise of tracking down thieves that steal cars and strip them for parts...

    Forget tagging car parts, consider how much easier it would be to tag the people... No need to carry a forgeable ID, just let the officer ping your embedded tag. Think you don't have one? Remember that prostate exam, or the last flu shot, or that root canal, or other similar procedure? Hmmm...

    I'm assuming I'm remembering correctly something I read recently about the tags only being about the size of a grain of rice. Obviously anything bigger would be difficult to implant without the implantee being aware.

  42. They Fell For It by Anonymous Coward · · Score: 0

    Too bad they didn't attend the real conference. They got caught by the decoy conference.

    Everyone else they saw was doing the same thing they were, and nobody knew because they weren't talking about it..or at least they didn't happen to do so within earshot of someone who understood their language.

  43. Re:[RFID] Late night on slashdot and the nightmare by Grue · · Score: 2, Informative

    RFID technology automates all this, no need for the cop anymore. No need for visually checking license plates. Suddenly everyone and anyone is tracked.

    That is the big difference. The fact that this information will be entered into several hundred databases automatically.

  44. Re:[RFID] Late night on slashdot and the nightmare by narratorDan · · Score: 2, Interesting

    They could, but cash changes hands so quickly it would be a lesson in futility. The better idea would be to ban cash (cash is too easy for terrorists to counterfeit) and go solely with credit/debit cards which do have RFID tags as part of the smart chip.

    NarratorDan

    --
    "If you're not confused by quantum mechanics, you really don't understand it." - Niels Bohr
  45. So what about the person who was imitated? by GodLogiK · · Score: 3, Insightful

    I'm curious what happened to the person who they pretended to be... were they sick? Just didn't show up? Or when they came did security say, "sorry sir you've already signed in" deemed him a fake and locked the real guy away and are torturing him even as we speak? I dunno curious about that....

    1. Re:So what about the person who was imitated? by Anonymous Coward · · Score: 0

      > I'm curious what happened to the person who they pretended to be... were they sick?

      Concrete shoes in the Hudson dude.
      Never watched a gangster movie?

    2. Re:So what about the person who was imitated? by moumine · · Score: 1

      The Hudson does not flow through Geneva dude, it is the Rhone that does

  46. Re:[RFID] Late night on slashdot and the nightmare by fuzzybunny · · Score: 1


    -Hotels.

    -Flights.

    -Rental Cars.

    -Anything via the Internet or phone.

    Good luck with the cash, dude. I like the sentiment, I agree with it, but realistically?

    --
    Cole's Law: Thinly sliced cabbage
  47. Re:[RFID] Late night on slashdot and the nightmare by Slayer · · Score: 1

    AFAIK there exist cameras which automatically pick up license plate information. Here in Austria it's used for section control, where they place two such cameras at a given distance and automatically issue a ticket if you need too little time to cover the distance.

    Point is: RFID serves interesting purposes but certainly not that of surveying ordinary citizens. One good purpose might well be intercepting car thieves at the border. Remember, it's simple to swap license plates, whereas it takes time and effort to swap all four tires without getting noticed.

  48. Reminds me of Apple Stores by TubeSteak · · Score: 1
    This article came to mind because of the quote:
    > For example, Allen has discovered that Apple uses a sophisticated video-monitoring system to automatically count the number of customers who enter the store, and to document their behavior once inside.
    >
    > According to Allen, Apple uses a ShopperTrak system to count the number of people passing the store, the percentage who enter, and the percentage of those who make a purchase. Allen declined to state his source. An Apple spokeswoman confirmed that the company carefully tracks consumer traffic and buying patterns, but wouldn't discuss its methodology.

    It's not too hard to extend this type of technology to a large gov't building and integrate it with your rfid database of movements. I know it's tinfoil hat material, but it's not much of a stretch.
    --
    [Fuck Beta]
    o0t!
  49. Counterfeit - cash or card? by moncyb · · Score: 1

    CASH too easy to counterfeit??? As a certified terroristcriminal(TM), I'd rather work with the credit/debit cards. Smart chips are fun to hack. Anyway, CC companies don't care about fraud, they just push the costs onto the merchant. ;-)

  50. Fake ID cards by Zog+The+Undeniable · · Score: 2, Funny
    If this was the type of card you just flash at an underpaid, gum-chewing security guard, the authors of the article didn't have to go to much effort to produce a fake.

    As part of physical security testing, my colleagues have successfully gained access to premises using

    • a white sachet of tartare sauce
    • a square-cut jam sandwich
    It's difficult enough getting security guards to turn up for work on the minimum wage, let alone actually *challenge* people.
    --
    When I am king, you will be first against the wall.
  51. Re:[RFID] Late night on slashdot and the nightmare by Seahawk · · Score: 1

    The difference is that an RFID reader is much cheaper than a video camera + a system that enables it to actually read a dirty license plate.

    And since it is cheaper, it will be easier to set up in more places.

    And why stop at tires - what if(when?) it gets integrated in clothes?

    (Not that I think it will happen where I live - just trying to make a point!)

  52. Total BS - been there by cocotoni · · Score: 3, Interesting

    The part about RFID tags used for tracking is utter and total BS. In fact yesterday I was at WSIS. I did have the badge, and yes it is marked with an RFID, but the bugger is passive and I had to put it real close to the scanner to read it. I tried to just casually swipe it from afar, but I had to actually put it right in front of the reader.

    More on security: at the entrance you walk through metal detector gates, with an X-ray scanner for the bags. You are processed by 4 security guys - one takes your bags, other works the gate and X-ray scanner, third scans your badge and compares your face to picture on the badge to picture in the DB they get based on the RFID tag. All these images have to match. If there is any problem there is the fourth guy standing behind with a rifle.

    Yes - the 1337 h4x0rz could have bypassed this by getting the official badges, because when you have the badge you don't have anything standing in your way. No - they could not have gotten to the bigwigs, because that part of the conference was separated, with stronger security checks, which were obviously not done just at the place, since the bigwigs were escorted from their mansions, with the whole entourage, and I suppose that you don't expect presidents and prime-ministers to go around carrying badges on the straps around their necks, and walk through the metal-detector gates a few times.

    In fact, the easiest way for "terrorists" to sneak in would be to get listed as active participants by a friendly government of a rogue state.

    I wish that people would concentrate more on the positive results of WSIS, instead of spreading FUD.

    1. Re:Total BS - been there by HeghmoH · · Score: 2, Insightful

      I suppose that you don't expect presidents and prime-ministers to go around carrying badges on the straps around their necks, and walk through the metal-detector gates a few times.

      You know, if there was some kind of law that said all those powerful politicians have to wait in line and go through the security screenings just like us "little people", I bet airport security would be a lot better and more convenient than it is right now. I thought the President was a person, just like you and me. So if I have to wear a badge and go through a metal detector, I think He (whoops, I mean "he") should too.

      Politicians making decisions that have no effect on themselves piss me off to no end.

      --
      Mod down posts with a "Free Mac Mini/iPod" sig, they're spam!
    2. Re:Total BS - been there by zaroastra · · Score: 1

      I wish that people would concentrate more on the positive results of WSIS, instead of spreading FUD.
      I wish they would indeed.
      Some interesting things there. Just today I was talking with Mr. Edgar Villanueva after an open source debate.
      I saw several nice projects from underdeveloped countries.
      I hope it will go beyond the good intentions.

      Now security wise, it seems a little like FUD. I had some problems getting an exhibitor badge (not even the picture/RFID enabled one), because I only had an ID card and the guys were asking for passports.
      In the end, the easiest way to compromise security would be bringing the "things" on the days preceding the exhibition, where no security checks were made. I carried boxes containing 15 computers. Of course none opened them to see if something was inside.

      --
      I'm trying to get modded "Interesting Flamebait Informative and Insightful Redundant Troll" *-* Please Help *-*
    3. Re:Total BS - been there by HardCase · · Score: 1
      Hey, don't blame the politicians...for the most part, they don't demand special treatment. It gets offered by their hosts. As an example, if you do any amount of travelling to Washington, DC, you may notice your representatives or senators up there in first class. Chances are pretty good that they didn't buy a first class ticket, but no airline offering first class seating is going to watch as a high ranking politician sits with the hoi polloi. They get upgraded as a "courtesy". Ditto with the standing in line business, although here in Idaho, everybody stands in the same line to get screened by security, whether you're me or the governor.


      Given that the president has his own plane, I guess he isn't subject to the same security screening as the rest of us. For that matter, the reason that the heads of state tend to not have to go through the same screenings as you or I is because the security is there for their benefit.


      And as far as politicians making decisions that have no effect on themselves goes, every decision that they make has an effect - make a good one, stay in office. Make a bad one, get voted out.


      That being said, I do understand your frustration at endless lines of waiting because of security "requirements". But even if the bigwigs had to go through the lines, nothing would change. Part of the problem is the one size fits all approach to nationally mandated security requirements. What works for New York City doesn't fit the bill for Boise, Idaho.


      -h-

    4. Re:Total BS - been there by HeghmoH · · Score: 1

      I will happily blame the politicians. Even if they aren't the ones deciding to skip all of the security, they are the ones making all of the useless rules in the first place. And I don't think that they would be making such useless rules if they were also subjected to them, particularly since politicians travel by air more often than other people.

      The problem isn't really one-size-fits-all requirements. The problem is that the people who decide these things have decided that making people feel safe is more important than making them be safe. There are a dozen freight-train sized holes in airport security today which any intelligent person can discover from simply flying a few times, and could exploit with little effort. Meanwhile, security guards are patting down grandmothers and confiscating miniature swiss-army knives. But since the people who make these rules never have to deal with the consequences, they have no incentive to get rid of the inconveniences that only make people feel safe, and replace them with things which are simultaneously more convenient and more secure. This is not an oxymoron; nearly any imaginable setup would be more secure than what we have today. The only thing today's security setup can really stop are crazies who try to bring a duffel bag full of AK-47's or dynamite onto the plane. It won't stop anybody with half a brain, and as we have seen, there are quite a few people who have half a brain and want to do harm.

      --
      Mod down posts with a "Free Mac Mini/iPod" sig, they're spam!
  53. No Seriously... by TubeSteak · · Score: 1

    would this work?
    google seems to think so:
    The truth of the matter is that a microwave oven is massively over-powered for the job of killing RFID tags

    --
    [Fuck Beta]
    o0t!
    1. Re:No Seriously... by idiosync · · Score: 1

      Just wait until microwave ovens are illegal in the US under the DMCA.

  54. Re:[RFID] Late night on slashdot and the nightmare by badboy_tw2002 · · Score: 1

    Hi there! Here's the deal: A system you envision would require thousands of readers in a local area to even get just the major chokepoints in a moderate sized metropolitan area. This is going to require a dedicated group of workers to maintain these buggers (power, networking, and eventual breakage from exposure to the elements because unlike velcro the aliens didn't give the tech to us). That's a bunch of people. I'll tell you what: I go outside on MY street and I see a bunch of freaking potholes in the street. Traffic is congested all over the place, and nonstop construction doesn't keep pace with population growth in the area.

    So you're telling me that the good people of the land are going to vote this system in? Ahead of say a new lane on the bottleneck highway or perhaps some new pavement so we don't all actually reacquire H2s to navigate the streets?

    Who's paying for this tinfoil technology? Not the state governments, that's for sure. You seem to forget that despite the wild slippery slope theories people come up with, no one really looks at the practicality of making such a system work. Embedding millions of RFID tags nationwide at the cost of billions and billions of dollars to build and operate just doesn't seem like something people want.

    But don't worry, this is just FUD. I work for THEM, and now that you're onto us Mr. Slashdot #ID 710711, we're going to have to shut you up. After all, we know where you are! (Cue creepy music)

  55. Two comments by Anonymous Coward · · Score: 4, Informative

    I'm a delegate to WSIS, so I've been here for going on three days...

    First, the security here is quite interesting...as other posters have mentioned, getting into the actual facility is more or less impossible without the proper badge. The exploit that these individuals used was to simply trick the badging desk - a location right next door manned (mostly) by teenage girls. I highly doubt that they're trained security professionals.

    Two, the RFID badge has a range of about an inch. If there are transponders all over the place, I have yet to see them. The physical layout of the building would make it difficult to place them inconspicuously...there's far too much open space, with thirty foot ceilings...

    Just my two cents (CHF)...

  56. don't underestimate 2-bit encryption by SHEENmaster · · Score: 1

    If you guess wrong, you have to guess again! And if you get it wrong again, you must guess a third time! If you guess a fourth time without repeating guesses, you're in of course, but we're hoping no one will notice.

    --
    You can't judge a book by the way it wears its hair.
  57. Security by salesgeek · · Score: 5, Insightful

    When I was in the US Navy, I got to learn a few things that most security experts get to learn the hard and embarrassing way:

    1) Security is hard work and requires the involvement of people with great integrity willing to work very hard. Security requires the highest level of attention to detail, trust that procedures will be followed and absolute trust that when the procedures don't work, don't apply or are circumvented that the individual will make the right decisions.

    2) You cannot delegate security to any machine. This includes padlocks, safes, computers, surveillance systems, and alarm systems. These are all designed to assist the hard working humans with great integrity. They have no ability to make decisions when their processes fail, are circumvented or don't apply.

    3) The inclusion of anyone without great integrity inside a secured area is insecure. Loose lips sink ships. This is why security is so difficult in any semi-democratic organization - there is no way to exclude those you can't trust.

    4) Confidence is like corrosion. It slowly destroys even the strongest security just as corrosion will eventually sink the most powerful ship in the fleet.

    Sounds like WSIS violated three of four of these rules.

    --
    -- $G
  58. Re:[RFID] Late night on slashdot and the nightmare by clickety6 · · Score: 2, Informative

    Isn't the UK already thinking of taxing every car "seen" on key roads once a day, every day they show up?


    Nope, not thinking of it - in the "congestion zone" of London they are already DOING this!

    --
    ----------------------------------- My Other Sig Is Hilarious -----------------------------------
  59. Just more proof by CaptainFrito · · Score: 1
    that only an utter fool would throw away civil liberties for the [impossible] promise of enhanced "security" via technology. While it is clear this monitoring and surveillance is useful in harassing the innocent citizenry just trying to get through their pressure-filled day, there is zero proof it does anything more. More anxiety, less actual security, higher taxes, more days in court, more fines. Perfect.

    The inexperienced put faith in every word, the shrewd look to history as prologue.

    1. Re:Just more proof by Hiigara · · Score: 1

      Uhh... did you even read the article?

    2. Re:Just more proof by CaptainFrito · · Score: 1
      Uhh...yes I did. Here's the relevant excerpt for my comment:

      "An international group of independent researchers attending the Word Summit on the Information Society (WSIS) has revealed important technical and legal flaws, relating to data protection and privacy, in the security system used to control access to the UN Summit. The system not only fails to guarantee the promised high levels of security but also introduces the very real possibility of constant surveillance of the representatives of the civil society." (Italics added.)

      The so-called "security system" indeed used advanced technology, not for security but for surveillance of the innocent, violating the basic human right to presumption of innocence and 'the right to be left alone'. As a security system it was useless, but then again it was obviously not meant to be one. Homeland Security. Patriot Act. Etc.

      Umm, so, did YOU read the article?!?

  60. And I have a weapon against this. by Anonymous Coward · · Score: 0

    Alzheimer's.

  61. You're not a deadbeatdad, lawbreaker, or terrorist by way2trivial · · Score: 1
    Or a speeder....... what now?

    How is this different than a ticket issued by a cop who's using radar, and by the way-
    the state I live in, and every one I have lived in- automatically does give moving violations to insurance agencies, and rates do rise! based on violations of the motor vehicle sort..

    I've been having this ethical oddity lately.. from my youth when I was a rebellious sort, to now when I have wife child home, and don't believe in 'breaking the law'

    I do feel strongly people are entitled to privacy and freedom of choice.. but the solution to the original post is Don't be a deadbeat, lawbreaker, terrorist, or speeder (interesting the OP doesn't consider speeders under lawbreaker)

    --
    every day http://en.wikipedia.org/wiki/Special:Random
  62. They should have identified themselves clearly by Anonymous Coward · · Score: 0
  63. Might have been an inside job by John+Harrison · · Score: 1
    caption from one of their photos:

    The system includes also a X-Ray and metal screening system. Two days before we were in the Congress bringing all kind of boxes and equipment. No physical access security was implemented until the very late time and we could move inside freely carrying any items.

    Why were they bringing in equipment two days before? Were they testing security or were they employed to carry stuff around by the conference? If the latter is true then it isn't much of an accomplishment to have gotten in.

    Also in one of the photos of the "ominous security screen" the name is clearly "John DOE". Why is this the case? No explanation is given. This whole writeup is poorly done. They also offer no proof that they actually got in. Just some pictures of the security area. They don't even have a high-resolution shot of the card itself.

    So what exactly does this article prove? That /. will post any crap that makes RFID look bad. That's about it. It isn't even clear if they are using RFID as opposed to say ISO14443 cards.

  64. Re:You're not a deadbeatdad, lawbreaker, or terror by Anonymous Coward · · Score: 0

    but the solution to the original post is Don't be a deadbeat, lawbreaker, terrorist, or speeder (interesting the OP doesn't consider speeders under lawbreaker)

    That is not a valid solution. I'm sure there are a hundred people waiting right now to tell you why.

  65. I'm so very confused.. by Anonymous Coward · · Score: 0

    Sure I really dug Information Society, and they haven't put out any new material since 2001, but is that any reason to hold a frickin' World Summit??

    *duck*

  66. Better case is made by the "pictures" page by Halo- · · Score: 4, Informative
    I have to admit the main link was a bit of a let-down, but after following the link to the pictures page, I start to see why this is a big deal. A few things happened which aren't well expressed in the main link:
    1. Participants were sent credentials which were supposed to serve as a second form of ID. The activists circumvented this second ID by simply claiming to be someone else and showing a generic fake ID. The list of participants was available beforehand, which was a mistake. Think of it like if an airport published lists of all the passengers on a plane and allowed "ticketless" travel using any form of ID (instead of government issued photo ID). You just need to say you're "John Smith" and present a fake anything (library card, etc...)
    2. Notice all the cameras in the photos? That's sorta creepy. My bank doesn't have that many.
    3. There are pictures of RFID scanners, which means the whole "they are gonna track participants movements" bit isn't entirely tinfoil-hat paranoia. The presence of the sensors implies they plan to track.
    4. There were metal detectors and X-Ray machines manned by the Swiss Army (insert knife joke here) at the entrances, but they didn't get placed until very late. The "safety" this buys the participants is marginal unless the entire conference center was swept very, very carefully after the gates were put up. Most people with the motive to blow up an international conference don't do it as a spur of the moment thing. When a head of state visits somewhere, an advance team sweeps the room/route/etc and seals it as they go.
    5. Privacy and data security are totally lacking. The organizers failed to inform participants about what information was to be collected, and more severely, couldn't produce a detailed accounting when asked. The data collected was visible on monitors to casual observers, which completely negates most of the value and allows for theft.

    In short, the photos show a group that appears to know how to spend a lot of money on toys, but doesn't know how to use them. I think this is a serious concern. The information they are collecting isn't providing security, and could actually undermine it.

    The illusion of security is worse than no security at all.

  67. License plate by ajlitt · · Score: 1

    I hear that the DOT has developed a new driver identification system called 'license plate'. It uses a specially developed optical identification system that can be read at a distance not only by sensors but by individual motorists. The serial number encoded on each 'license plate' can be used with a government database to identify the owner of the vehicle and even reference their criminal record.

  68. Re:[RFID] Late night on slashdot and the nightmare by DarkVader · · Score: 1

    So, this is a bit offtopic, but a serious question about this system.

    Why can't you just put an LCD shutter over your license plate, and trigger it when you pass the camera? They'd be unable to read the plate, and you would be effectively invisible to the tracking.

    If you wanted to get really fancy, you could record the GPS positions of all the cameras, and automate the shutter.

    It seems to me that as long as there wasn't a cop car behind you, it would be pretty close to zero risk.

  69. you must be a homosexual by Anonymous Coward · · Score: 0

    see subject.

  70. This little stunt proves nothing by JonKatzIsAnIdiot · · Score: 1

    from the article:

    The World Summit of Information Society has contracted SportAccess, a Company of Kudelski Group, as the main responsible of an integrated solution for physical access control solution during the United Nations Summit of Information Society.

    This stunt proves nothing about the security and privacy practices of WSIS, despite the general clamour in this forum. This was a minor slip-up of a third party, not WSIS itself. SportAccess gave passes to people who misrepresented themselves.

    BTW - what's up with the 'bypass physical security' euphemism? I always thought it was called 'sneaking', as in 'I snuck into a bar' or 'I snuck into a movie' and was done by underage punks who wanted to go where they had no business being. Now it's done by 'independent researchers' and it's 'bypassing physical security'? Hmmm ... maybe I'll do some 'independent research' of my own at the ROTK premiere next week ...

    1. Re:This little stunt proves nothing by Anonymous Coward · · Score: 0
      BTW - what's up with the 'bypass physical security' euphemism? I always thought it was called 'sneaking', as in 'I snuck into a bar' or 'I snuck into a movie' and was done by underage punks who wanted to go where they had no business being.

      More like I snuck into the White House or I snuck into a military base. Indications are they wanted/needed some level of security above a simple theater usher.

  71. troll by Anonymous Coward · · Score: 0

    troll

  72. Re:[RFID] Late night on slashdot and the nightmare by Slayer · · Score: 1

    When it came to surveilling and oppressing their own people, money was never an issue even for the poorest countries in the world. Laws against unreadable license plates exist in at least every country which issues automated speeding tickets through radar boxes.

    Integrating RFID in clothes won't work. Cars are strongly regulated - people are used to the fact that they have to ask their government for kind permission to operate a car. If you put restrictions on clothes, even the dumbest soap opera watching pop corn munchers will start an outcry.

  73. Re:[RFID] Late night on slashdot and the nightmare by ToadSprocket · · Score: 1

    *Gasp* You mean, with an RFID tag in my credit card, the collective evil "they" will know exactly when and where I use it, only mere moments afterward?

    --


    If this article confuses you, don't worry. It was posted yesterday in a much clearer fashion.
  74. Re:[RFID] Late night on slashdot and the nightmare by ToadSprocket · · Score: 1

    Why do the foil hatties come out in droves whenever the subject of RFID's comes up? If someone really cares about you so much that they want to track your every waking moment, they will. There is only so much usefulness in an RFID anyway. One ex-cop thrown off the force for drinking Thunderbird following you around all day will give you much more info than an RFID tag ever could. And you can pay him in grain alcohol.

    --


    If this article confuses you, don't worry. It was posted yesterday in a much clearer fashion.
  75. RFID == increase of portable microwave emitters by l8apex · · Score: 1

    y'know- for frying RFID tags embedded in things that won't fit in your microwave..

  76. Troll by GoneGaryT · · Score: 1
    Dear Mr/Mrs/Miss/Ms/Dr/Prof/etc Moderator, please recognize the above post by prisoner 303978 Idiot as a troll.

    Thank you.

  77. Re:[RFID] Late night on slashdot and the nightmare by Anonymous Coward · · Score: 0

    Or you could just pay the fucking fee. Or use public transportation (GASP).

  78. Re:[RFID] Late night on slashdot and the nightmare by YrWrstNtmr · · Score: 1

    Pay cash,

    And the tire guy merely records your car license plate and/or VIN in the transaction. Same result.

  79. Re:[RFID] Late night on slashdot and the nightmare by f0rt0r · · Score: 1

    Of course, I purchased the tires and donated them to a poor(er) person who could not afford new tires on their own. Looks like I got busted for someone elses crimes. Damn, this will hold up in court for sure!

    --
    I can't afford a sig!
  80. Privacy & WSIS by privaterra · · Score: 1

    The issue is bigger than one of the use of RFIDs, but one of data handling practices and policies. Held in Geneva, it's a UN summit, but what if any data privacy and freedom of information policies exist at the UN - NONE. That that issue wasn't raised at all, by anyone, is the tragedy.

  81. Re:[RFID] Late night on slashdot and the nightmare by Loosewire · · Score: 1

    they require an aerial so this makes them much bigger, still worrying....

    --
    Slashdot - The one stop shop for procrastination
  82. why would you want to read maxim? by Anonymous Coward · · Score: 0

    the writing sucks, and it's not pornography