Slashdot Mirror
CC Companies Scotch Mythbusters Show On RFID Security
mathfeel passes along a video in which Mythbusters co-host Adam Savage recounts how credit card companies lawyered up to make sure the Discovery channel never, ever airs a segment on the flaws in RFID security. "Texas Instruments comes on [a scheduled conference call] along with chief legal counsel for American Express, Visa, Discover, and everybody else... They [Mythbusters producers] were way, way outgunned and they [lawyers] absolutely made it really clear to Discovery that they were not going to air this episode talking about how hackable this stuff was, and Discovery backed way down being a large corporation that depends upon the revenue of the advertisers. Now it's on Discovery's radar and they won't let us go near it."
No disrespect to the MythBusters, but if they could figure it out, plenty of others will also.
If you could reason with religious people, there would be no religious people
I can't wait until they test my myths! Also, lawyers are the reason we no longer have habeas corpus, so the show should be filmed in Guantanamo Bay, Cuba.
My work here is dung.
Myth Confirmed.
Busting Security Through Obscurity!
This isn't at all about the hackers ... this is about making the general public aware just how bad this is.
"So, if I Understand this correctly, you knew of these security holes back in 2008, and rather than fix them, you prevented the Mythbusters from talking about them."
"Well, yes, Your Honor."
"Give me another reason why I should listen to one word of your defense against this class action suit?"
This will come back and bite them in the @$$. Hard.
"Only two things are infinite, the universe and human stupidity, and I'm not sure about the former."
I don't. They tend to be old, out of touch with modern technology. I think enough BS by CC lawyers would confound them and justice would not be served.
But I'm told I'm a cynic :)
Blar.
So, rather than face lawsuits over contractual obligations to build and maintain a secure system (hah), they litigate the party who exposes them for attempting fraud.
Should it be surprising that in a culture that prizes profits and pride over progress, that litigation threats are used to squelch otherwise good feedback and information?
"We are Microsoft. You shall be assimilated. Competition is futile."
Of course, now that the story is propagating all over the Net, pretty soon everyone will know about the alleged security flaws (if not the details), and the CC companies and their legal eagles will look quite villainous. When will they ever learn?
"Every great cause begins as a movement, becomes a business, and eventually degenerates into a racket." -- Eric Hoffer
freedom of speech.
Wildly popular Mythbusters television star Adam Savage resigned suddenly from his position as cohost of Discovery TV's Mythbusters. Said Mr. Savage: "I just want to take a little personal time with my family. I'll be taking some time out for a year or four in Belize."
Mr. Savage has not been seen since, and our repeated calls to his agent go unanswered.
The Discovery Channel has announced through media representative Linsay Patter "We'll miss him and wish him the best. His loss means we won't be able to continue with the show." Discovery will be filling the space with Annie Parkinson's "Crafts for Children".
Help stamp out iliturcy.
They weren't able to stop this one, which, if you haven't seen yet, is pretty amazing.
-------------------
This is my SIG. There are many like it, but this one is mine.
That this clip is leaked to the Internet where it explodes in popularity.
It's a all about risk management for the companies involved. On one hand you have the Discovery Channel which depends on advertising revenues. On the other hand you have several large corporations that are using a flawed system. The question for the credit card companies is whether or not it's cheaper to use the system in place and pressure others not to disclose flaws or come up with something that works better. Sort of reminds me of Mitsubishi and the wheels flying off their heavy vehicles a few years ago. It was cheaper to payout settlements than recall and fix the vehicles. http://en.wikipedia.org/wiki/Mitsubishi_Motors#Vehicle_defect_cover-up
I know the management of these companies have obligations to the shareholders but isn't about time they started to exhibit an obligation to not make fraud so easy with the current system?
I truly see Frontline as one of the last and only truly investigative journalism programs on TV. It's the only show where I have found myself thinking "wow what they are reporting is interesting but it raises question A" and then as if by magic, the show continues: "we decided to further investigate and here's what we found about question A and this lead us to questions B, C and D"
meep
...for Slashdot to hammer the crap out of some corporate bullies, it sounds like this might be it. Could someone appropriately knowledgeable perhaps post a detailed account of how incredibly hackable RFID security is? A couple of URL's leading to websites with all the red meat would also be appropriate. PGP proves that once the genii is out of the bottle, it can't be put back in all that easily.
Frankly, I'm sick and tired of all these corporate assholes and their attitude. You can bet your bottom dollar that they'll keep the current, flawed system as-is, and simply out-last any hacking victim who dares to challenge them in court. The best solution is to make sure everybody with even a grade school education and a card reader can screw them at will. Maybe then, they'll do something about fixing the problem.
I've calculated my velocity with such exquisite precision that I have no idea where I am.
Bad analogy time:
It's like a ship with holes in it. If the ship is already at sea, you shut up and man the pumps. But if the ship is in the dock, you yell "Look, hole!" and hopefully you wont have to pump quite as much later on.
"CC Companies Irish Mythbusters Show On Security"
Get thee glass eyes, and, like a scurvy politician, seem to see things thou dost not.--King Lear
An expensive lawsuit would almost certainly be filed after the fact, but it stands no chance of success. Discovery could counter-sue for barratry and violations of anti-SLAPP statutes.
Schwab
Editor, A1-AAA AmeriCaptions
"...and I have decided to keep those revelations to myself so that it is not exploited by every script kiddie and wannabe hackers to try."
And you are the only person that will figure that method out, I guess. Hopefully, you are the smartest person alive, and the problem so difficult no one else can possibly figure it out too, and abuse it.
The way we move forward as a race is that we share information, both about what works and helps, and more importantly about what doesn't work or causes harm. If the people affected the most by the flaw that has been discovered do nothing about it, then disclosure is the way. That way everyone else is informed and warned, as they should be.
Alright, showing my ignorance of our legal system here, but where does law fit in here? I don't see how the DC could get sued over this info. I *do* see the issue of ticking off their sponsors, but why are the lawyers involved?
Let's hope they don't run a segment on how bad fast food is for you any time soon...
Make a note of this on their Wikipedia entry.
I assume they were going to demonstrate a MIFARE classic attack, on which papers are plentiful.
Belief is the currency of delusion.
Today, I've been seeing some jack-boot operations by the St. Paul police on some folks who didn't mean anyone any harm. The cops arrested lawyers and reporters, too. There are some lawyers who are going to make those cops and their puppet masters pay big. And I'm glad that their is financial incentive for folks to go after Government when it so egregiously violates people's rights and makes a mockery of our Constitution that those disgraces to the name of police made in St. Paul.
The St. Paul and Denver police departments are a disgrace. I hope some lawyers representing their clients (some are veterans) get rich while punishing those imbeciles. And I really hope some of those cops go to jail themselves.
The banking industry in general isn't the more secure place. While they'll spend money on intrusion detection systems etc, a simple low tech approach can defeat most bank security measures.
There's a nice thought.
Or given that TI is mentioned, maybe it's more likely to be about Rubin et.al's attack on TI's Digital Signature Transponder. See Security Analysis of a Cryptographically-Enabled RFID Device (paper) and/or article.
Belief is the currency of delusion.
I remember bill moyers and his 'now' show. it was great, and he had this other guy (david b-something) as a second - and it did some good 'digging' on important stories.
from what I understand, he got shot down and was forced to 'retire' because he asked too many hard questions and bothered too many powerful bigwigs.
he did come back, but not on that show and he *was* put 'out of business' for about a year or two (iirc). ie, the chilling effect was done to PBS, which is a sacred cow, in US culture (more or less).
if moyers can be silenced, its proof our whole system is broken. PBS was a final hold-out but even PBS was *heavily* edited by bush-co and their henchmen.
TV is a wasteland; cable is mostly such; and even more and more of 'the net' is getting to be high in noise/signal ratio. the net is still mostly unregulated, but imagine the trend going from tv->cable->'teh internets'. we may see it in our lifetimes, too, if things don't get reversed soon.
--
"It is now safe to switch off your computer."
But if no one ever shouts "Look, hole" even when at sea, no one ever man's the pumps or patches the holes.
The Last HOPE was awesome. Adam gave a really fun talk and was really good from the front row! And when he came out with this information it was especially fun and really said something to the open flow of ideas at the conference. Hopefully, Discovery or any of the other companies don't give him any crap for it. Cheers. Some Last HOPE vids are available: http://hopetracker.donthax.me/
You're either misguided or disingenuous.
That wing of the party left with George Wallace after passage of the Civil Rights Act and the Voting Rights Act. Nixon was only too happy to pick up the so-called "States' Rights" voters, and pander to racists with his "the first civil right is safety [from black people]" rhetoric. Kennedy and Johnson's bravery in abandoning that voting block to the Republicans was heroic, and the South is majority Republican to this day.
Your assertion that the Democratic party is the party of racists is moronic. You should listen to less opinion radio.
For a good reference describing some of the problems with RFID technology, check out the book "Spy Chips" by Katherine Albrecht and Liz McIntyre http://www.amazon.com/Spychips-Major-Corporations-Government-Track/dp/1595550208/ref=sr_1_1?ie=UTF8&s=books&qid=1220142206&sr=8-1 This has been our for over 2 years now, but the general public has no idea on the capabilities or consequences of RFID systems. Give it a look.
Discovery is doing the right thing.
Just to be safe they should keep this episode locked away in a secure vault out in the middle of nowhere guarded by a lock which requires two RFID keys to open so that it will never see the light of day.
Wanna fight ? Bend over, stick your head up your ass, and fight for air.
If there weren't any lawyers, you wouldn't have any stuff in the first place because someone would have already ganged up and kicked the shit out of you.
Only the biggest, fastest, and strongest is free in a lawless environment. Corporations don't need the law to collect power, but individuals do to fight it.
There is no need. A few detailed videos, posted on PirateBay and Wikileaks by people who can do a decent job from a country where the DMCA does not apply, would do quite well to publish. Why spend all the money?
We already saw this with US passports, where the details on how to read the RFID tag is already available with a bit of Google searching. It's happening with subway passes in US cities such as Boston, which tried to prevent some hackers from presenting their paper at Defcon.
"Texas Instruments comes on [a scheduled conference call] along with chief legal counsel for American Express, Visa, Discover, and everybody else... "
After discovering a flaw in one of Texas Instruments' RFID tags, researchers from RSA Labs and Johns Hopkins University say they plan to continue their testing with exploits against other RFID equipment.
Doesn't look like the secret everyone thinks it is. Note the date. And this just from a few seconds with Google.
Shai Schticks:"You don't make peace with friends, you make peace with enemies"
Especially when it comes to things that might be used for criminal ends. Reason is, most criminals aren't all that smart. Especially small time criminals. To the extent there are smart criminals, they are usually the ones on top, the drug lords and such. The small time criminals usually aren't the sort of people who do research or think things through. You can see this in things like copper theft. This really is not a very profitable mode of operation. Even with the price having doubled, copper prices are still talked about in single digit dollars per POUND. That's also the price you'd pay on a mercantile exchange, not the price a scrap dealer gives you. Thus it is dangerous (both in terms of getting arrested and risking death if the wires happen to be live), a good bit of work, and probably doesn't pay any better than a job at McDonalds.
The point I'm getting at is that the large amount of petty, opportunity type criminals go for things their attention has been brought to. Copper prices skyrocketing made news so their attention got brought to it. They didn't realize that while the prices did double that was from about $2/lb to $4/lb.
Now as related to RFID, well Mythbusters certainly could lead to slightly more sophisticated petty criminals trying it. Right now, there's little information out there on it. So you'd be talking doing a good deal of research, perhaps some of it original, to build a device that could nab card numbers. This assumes that they've even had it brought to their attention that such a ting can be done. If they don't read a site like Slashdot, chances are they don't know it has security issues, and perhaps aren't even aware it exists at all.
However if Mythbusters calls attention to it, and shows a basic guide of how to exploit it, well then they might start trying.
Now I'm not saying that this means the problem shouldn't get fixed, or that it is Mythbusters job to keep it under wraps. I am saying that there really is some merit to the idea that if the public isn't aware of the problem it's not a problem. Sure there are people out there who are both aware it is a problem and know enough to exploit it. Perhaps you are one of them. However, are you going to actually do it? No? Then no problem.
I'm not saying this is the right way to approach the security of this issue, I am just saying that there is real merit to the idea that if the public doesn't know then it's not a problem. You probably meant that it would be happening but they'd be kept in the dark about it. No, not at all. What I mean is that if the public doesn't know about it, people won't try to exploit it.
Except lawyers *usually* can be counted on to turn on other lawyers and devour them, just like sharks in a feeding frenzy.
I wonder how much of this is in response to that episode they did a while back on security systems and showed how easily they could be gotten around (most notably the trivial to subert finger print scanner).
After making those companies look like liers and fools, I can imagine that the credit card companies would not want to risk the bad press too.
Yeah, 99% of lawyers give the rest a bad name.
A few inches? I was hoping to see Adam and Jamie with a parabolic antenna reading people's CC tokens from a couple of blocks. No, seriously. RFID security ranks right up there with Congressional oversight in the list of the top oxymorons of all time... okay, not all RFID hardware---some actually do use crypto in the right way---but a large enough percentage that my level of trust for RFID CCs is somewhere between zero and negative infinity.
I kind of wish someone would record (and post on YouTube et al) a MythBusters parody in which they act like Adam and Jamie et al and do an RFID shootout to see who can assemble the best RFID remote reader rig. Score the contest on accuracy, on ability to distinguish multiple cards, on range, and if they are really feeling lucky, on whether they were able to successfully make a purchase using the skimmed data with the opponent's credit card.... :-)
I doubt I'm going to see that any time soon, but it would be fun to watch the inevitable train wreck in a couple of CC companies' stock as they scrambled to dismantle those systems and come up with a more secure means of payment....
Check out my sci-fi/humor trilogy at PatriotsBooks.
"If you don't do business with the credit card companies, you will have a very low credit rating."
The only thing a credit rating is good for is getting into debt.
"it is legal for a business to refuse cash purchases."
But it is illegal to them to refuse cash in repayment for a debt.
"The credit/currency corporations are the key to being "in the system" and if you are "out of the system" you will be homeless or in government housing in short order."
That's a load of nonsense. Many people pay their rent with cash. You can buy a house and a car with cash, if you have the cash. You can immediately cash you paycheck and never use a bank account.
You must be new.
In this country, we paint the hole to look like a window, then have anyone who calls it a hole walk the plank.
In case anyone wants to watch it in context, here's a torrent of the whole keynote speech he made at The Last HOPE. He talks about the censorship of RFID hacking 45 minutes into it.
Worse, the companies will be continuing to claim how great the new security system is, even as they furiously try to shut up anyone that has a counter claim.