Slashdot Mirror


New Controversy over Black Hat Presentation

uniquebydegrees writes "InfoWorld is reporting about a new controversy swirling around a planned presentation at Black Hat Federal in Washington D.C. this week. Security researcher Chris Paget of IOActive will demo an RFID hacking tool that can crack HID brand door access cards. HID Corp., which makes the cards, is miffed and is accusing IOActive of patent infringement over the presentation, recalling the legal wrangling over Michael Lynn's presentation of a Cisco IOS hole at Black Hat in 2005. Black Hat's Jeff Moss says they're standing by their speaker. A news conference is scheduled for tomorrow AM." Update: 02/27 20:10 GMT by Z: InfoWorldMike wrote with a link to a story saying that the presentation has been pulled from the slate for Black Hat, as a result of this pressure.

9 of 144 comments

  1. Security is not a product by TheWoozle · · Score: 3, Insightful

    Security is constant vigilance. Certain tools come in handy, but they are not by themselves security. Security is either part of your corporate culture and SOP, or it is not. You can't buy something and tack it on to make your business secure. The sooner PHBs learn this, the sooner we can get past all this nonsense.

    --
    Insisting on "correct" English is like saying that there is only one, definitive recipe for chili.
  2. I assume it reports random numbers by swschrad · · Score: 2, Insightful

    until you stop the toy when the door lock clicks.

    countermeasures: use longer ident numbers when programming the things. put a GOOD camera above the door or use an IR detector and if somebody stays at the door for a minute, the guard should use the intercom and ask them if they want to sleep in another doorway, or if they need to talk to a sheriff's deputy.

    moral: relying on any one layer of security is no security if somebody really wants in. multiple levels and somebody awake someplace who cares will fix every physical penetration attempt except wackos with bulldozers.

    --
    if this is supposed to be a new economy, how come they still want my old fashioned money?
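The comment above proposes catching a guess-until-it-clicks tool at the reader by watching the door, not the radio. The same pattern shows up in the access controller's own audit log: a burst of denied reads at one door, with a different card number on each read, is exactly what such a tool leaves behind, while a single card denied over and over is more likely a failed or unprovisioned badge. The script below is an added example, not code from the thread or from any vendor; the log format, door names and card numbers are constructed for illustration.

```python
"""Flag bursts of denied badge reads in an access-control audit log.

Added example (not from the Slashdot thread or any vendor). The
"timestamp door card_id result" line format, the door names and the
card numbers below are all constructed; real controllers export
something similar but not identical.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: one read per line, ISO timestamp first.
SAMPLE_LOG = """\
2007-02-27T08:01:12 lobby-east 01234567 GRANTED
2007-02-27T08:03:40 lobby-east 01234568 DENIED
2007-02-27T08:03:41 lobby-east 01234569 DENIED
2007-02-27T08:03:43 lobby-east 01234570 DENIED
2007-02-27T08:03:44 lobby-east 01234571 DENIED
2007-02-27T08:03:46 lobby-east 01234572 DENIED
2007-02-27T08:03:47 lobby-east 01234573 GRANTED
2007-02-27T08:15:02 server-room 00998877 DENIED
2007-02-27T08:47:19 server-room 00998877 DENIED
2007-02-27T09:02:55 server-room 00998877 GRANTED
"""


def parse_line(line):
    """Split one audit line into (datetime, door, card_id, result)."""
    ts, door, card, result = line.split()
    return datetime.fromisoformat(ts), door, card, result


def find_denied_bursts(log_text, window_seconds=60, threshold=5):
    """Return one alert per burst of >= threshold DENIED reads at a door
    inside a sliding window of window_seconds.

    Each alert records how many distinct card numbers were tried, so the
    operator can tell an enumeration attempt (many different numbers)
    from a single badge that keeps failing (one number repeated).
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # door -> deque of (timestamp, card) denied reads
    alerts = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, door, card, result = parse_line(raw)
        if result != "DENIED":
            continue
        q = recent[door]
        q.append((ts, card))
        # Drop denied reads that have aged out of the window.
        while q and ts - q[0][0] > window:
            q.popleft()
        if len(q) >= threshold:
            distinct = len({c for _, c in q})
            alerts.append({
                "door": door,
                "start": q[0][0],
                "end": ts,
                "denied": len(q),
                "distinct_cards": distinct,
                # Heuristic label; tune to your badge population.
                "kind": "enumeration" if distinct > 1 else "repeated-card",
            })
            q.clear()  # one alert per burst, then start counting afresh
    return alerts


if __name__ == "__main__":
    for alert in find_denied_bursts(SAMPLE_LOG):
        print(f"{alert['door']}: {alert['denied']} denied reads "
              f"({alert['distinct_cards']} distinct cards) between "
              f"{alert['start']:%H:%M:%S} and {alert['end']:%H:%M:%S} "
              f"-> {alert['kind']}")
```

On the constructed log this raises a single alert for lobby-east (five different card numbers denied within six seconds) and stays quiet for server-room, where the same card is denied twice half an hour apart. The window and threshold are deliberately parameters: a busy lobby at shift change will produce legitimate denied reads, so the values should be set from a baseline of the site's own logs before the alert is wired to the guard's intercom.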
  3. Responsibility? by Diluted · · Score: 5, Insightful

    From the article: "These systems are installed all over the place. It's not just HID, but lots of companies, and there hasn't been a problem. Now we've got a person who's saying let's get publicity for our company and show everyone how to do it, and it puts everyone at risk. Where's the sense of responsibility?" Carroll said.

    This blows me away. Rather than taking the responsibility for having a flawed security system, rather than having the responsibility as a company to say "Hey, yeah we know about this and we are going to fix it after 15 years," the company accuses the security researcher of a lack of responsibility for "revealing" how to exploit these systems. I feel like bizarro world has become the real world when I read these kinds of comments.

  4. How do you violate a patent by speaking? by Anonymous Coward · · Score: 1, Insightful

    I thought you had to actually make something in order to infringe a patent. And patents, by definition, are public knowledge. If I stand up and read your patent to a crowd, how can you sue me?

  5. Litigation vs. Intelligent Implementation by Tomis · · Score: 5, Insightful

    If you base your security model singularly around patents instead of proper implementation, then there is something wrong with your security model.

  6. Re:HID has its head in the sand by dgatwood · · Score: 4, Insightful

    You know, in fifteen years of carrying a credit card, I have never had one fail. The high-coercivity mag stripe cards are darn near indestructible. By contrast, the low-coercivity cards that they use at some hotels... I've had them just suddenly fail on the third or fourth use and have to be reprogrammed multiple times in a single night (and about the fifth time I had the same card reprogrammed, they tossed it in a trash can and programmed a fresh one for me, which never failed again).

    Put simply, low-coercivity cards suck, but high-coercivity cards are pretty solid. Just don't cut corners on your card programmers and you'll be fine.

    --

    Check out my sci-fi/humor trilogy at PatriotsBooks.

  7. Must be free to highlight problems by bytesandpieces · · Score: 2, Insightful

    The work of computer security professionals to reveal RFID vulnerabilities is integral to ensuring that the privacy, personal security, and public safety of millions of Americans are properly safeguarded.

    With the Department of Homeland Security expected to release the Real ID regulations very soon and dictate what type of machine-readable technology will be in every driver's license and whether it will contain RFID chips, and the Department of State starting to roll out RFID-embedded passports, it is particularly important that the government and the public have all the information about RFID technology and understand that the use of RFID technology without proper protections can seriously threaten privacy, personal security, and public safety.

    Lots more info about this story and RFID vulnerabilities at www.aclunc.org/techblog

  8. Pretty much just like a key. by Kadin2048 · · Score: 2, Insightful

    Sure, you could make this a lot more secure, but it's not any worse than regular locks. It's basically the same as regular locks but with easy revocation.

    And with a huge false sense of security. Oh, and it costs a lot more.

    So, exactly what's the benefit again? Aside from the fact that employees can act all cool, by waving their badges at a sensor instead of sticking a metal piece in the door?

    --
    "Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
  9. DoD policy: by HBI · · Score: 2, Insightful

    Paraphrased:

    Wear badge between neck and waist level at all times when on premises.

    Put card away when off-base.

    Never use card as a civilian-side ID.

    Spent 5 years living this.

    --
    HBI's Law: Frequency of calling others Nazis is directly correlated with the likelihood of the accuser being Communist.