Slashdot Mirror
WSIS Physical Security Cracked
An anonymous reader writes "A group of activists has apparently bypassed physical security checks at the WSIS Meetings. Not only did they bypass the physical security with a fake card, they found the system uses RFID tags to monitor participants -- possibly even who they interact with and their movements through the conference."
These people are looking to be put in charge of my Packets, yet they cant even keep a couple of geeks out of a confrence room? I'm sure we'll all feel REALLY safe ordering online with them in charge.
When life gives you crap, Make Crapade.
Sluggy Freelance.
activism PPronunciation Key(kt-vzm)
n.
The use of direct, often confrontational action, such as a demonstration or strike, **in opposition to** or support of a cause
Nope, activist sounds right to me.
I believe the word you're looking for is conservative.
G
Days before the Summit no physical security was available. Anyone could bring anything inside the conference
Yep, it was fairly easy to sneak my tin foil hat in.
except they were walking around and stuff.... neato.
Huh? If you RTFA you'll find that what they did was use a fake ID with the name of a real participant to obtain a badge. Nothing very clever about that.
Basically the "researchers" represented themselves as being someone else and used a fake (potentially) illegal piece of identification. Doesn't seem clever, just seems fraudulent.
They then go on to speculate about how "data mining" and RFID might be used for all sorts of nasty tricks and end up sounding like a bunch of paranoid crack-pots.
So, if I buy a fake passport on a street corner and then use it enter Germany, did I just "crack" Germany's security and can I get my picture on Slashdot?
John.
The fact that the security was breached is not the most alarming thing about this. Nothing programmed by man is ever completely safe. The scary thing is that people professing to be security concious were bested because of something so simple, and which could have been prevented or easily stopped.
If my answers frighten you, stop asking scary questions.
The problem here was one of physical security-all these guys really needed to get started was a name. During the 80's/early 90's, one of the concerns in the security field was also physical security-a hacker posing as a janitor and accessing unsecured systems, or dumpster diving, or using personal connections to get at employees and talk something valuable out of them. I would think that people would have learned by now that it takes more than simple electronic measures to stop "hacking". This could have been prevented if the powers-that-are had made the ID process a little harder.
If my answers frighten you, stop asking scary questions.
begins.
They are going to put these in tires. When you buy your tires the seller is going to be required to enter your information in a database.
One day when you are going a little too fast in a school zone or run a yellow that switches to red too fast an underground computer is going to sense the rfid in your tire, immediately reporting the number via rf link to police headquarters.
You would think that this would be for the purpose of giving you a ticket. You're right, you will get a ticket. But that is not the end the trail for your rfid number.
It immediately gets sent to the state government where it checks to make sure you are not a deadbeat dad that the wherabouts of are unknown. Simultaneously sending it to the FBI to see if you are a name on the "patriot" act watchlist and indexes your location. If you drive on the same street on a regular basis they will know where to find you.
You're not a deadbeatdad, lawbreaker, or terrorist you say??? Well the trail that your rfid number takes does not end there. Your rfid number is sold by cashed-strapped states to a commercial database under the auspices of "risk mitigation" that insurance companies subscribe to. Because you were speeding, you are at an increased risk and your car insurance rates are subsquently raised. Because you drive dangerously, your health insurance rates are also raised. Maybe they cancel your policy outright.
You're thinking I'll just remove the rfid. No you won't. Driving with unregistered tires is against the law, and if the police can't scan you as you drive past his cruiser he pulls you over and immediately suspends your license and impounds your car. But you won't be able to remove it anyway, without destroying the tire, as it is purposefully integrated with the "steel belt".
Does the trail end for your rfid tire number now? No, it most certainly doesn't. To see where it leads further, you are going to have to talk to my patent attorney.
The linux hacker
You can't see the difference between this and a club?
One is a venue which wants to transfer money from your wallet to them in exchange for alcohol and a good time. The government says they aren't allowed to take money from people below a certain age, so they don't let them in. If you have a fake ID, then why would the club care that you choose to spend your money on their product?
One is a venue filled with the heads of governments of numerous countries, government ministers, UN bigwigs (like the Secretary-General), and other such VIPs (in some people's eyes). It doesn't want to sell people a product which the government has decreed you have to be a certain age to have, but possibly wants to stop VIPs being harrassed and bombs being planted.
Yeah, but I bet you would feel differently about it if you were proven innocent because you were buying hand lotion and copy of Maxim when the crime was being committed.
When I was in the US Navy, I got to learn a few things that most security experts get to learn the hard and embarrasing way:
1) Security is hard work and requires the involvement of people with great integrity willing to work very hard. Security requires the highest level of attention to detail, trust that proceedures will be followed and absolute trust that when the proceedures don't work, don't apply or are circumvented that the individual will make the right decisions.
2) You cannot delegate security to any machine. This includes padlocks, safes, computers, surveilance systems, and alarm systems. These are all designed to assist the hard working humans with great integrity. They have no ability to make decisions when their processes fail, are circumvented or don't apply.
3) The inclusion of anyone without great integrity inside a secured area is insecure. Loose lips sink ships. This is why security is so difficult in any semi-democratic organization - there is no way to exclude those you can't trust.
4) Confidence is like corrosion. It slowly destroys even the strongest security just as corrosion will eventually sink the most powerful ship in the fleet.
Sounds like WSIS violated three of four of these rules.
-- $G