CC Companies Scotch Mythbusters Show On RFID Security
mathfeel passes along a video in which Mythbusters co-host Adam Savage recounts how credit card companies lawyered up to make sure the Discovery channel never, ever airs a segment on the flaws in RFID security. "Texas Instruments comes on [a scheduled conference call] along with chief legal counsel for American Express, Visa, Discover, and everybody else... They [Mythbusters producers] were way, way outgunned and they [lawyers] absolutely made it really clear to Discovery that they were not going to air this episode talking about how hackable this stuff was, and Discovery backed way down being a large corporation that depends upon the revenue of the advertisers. Now it's on Discovery's radar and they won't let us go near it."
No disrespect to the MythBusters, but if they could figure it out, plenty of others will also.
If you could reason with religious people, there would be no religious people
I can't wait until they test my myths! Also, lawyers are the reason we no longer have habeas corpus, so the show should be filmed in Guantanamo Bay, Cuba.
My work here is dung.
Myth Confirmed.
Busting Security Through Obscurity!
This isn't at all about the hackers ... this is about making the general public aware just how bad this is.
"So, if I understand this correctly, you knew of these security holes back in 2008, and rather than fix them, you prevented the Mythbusters from talking about them."
"Well, yes, Your Honor."
"Give me another reason why I should listen to one word of your defense against this class action suit?"
This will come back and bite them in the @$$. Hard.
"Only two things are infinite, the universe and human stupidity, and I'm not sure about the former."
I don't. They tend to be old, out of touch with modern technology. I think enough BS by CC lawyers would confound them and justice would not be served.
But I'm told I'm a cynic :)
Blar.
So, rather than face lawsuits over contractual obligations to build and maintain a secure system (hah), they litigate the party who exposes them for attempting fraud.
Should it be surprising that in a culture that prizes profits and pride over progress, that litigation threats are used to squelch otherwise good feedback and information?
"We are Microsoft. You shall be assimilated. Competition is futile."
Of course, now that the story is propagating all over the Net, pretty soon everyone will know about the alleged security flaws (if not the details), and the CC companies and their legal eagles will look quite villainous. When will they ever learn?
"Every great cause begins as a movement, becomes a business, and eventually degenerates into a racket." -- Eric Hoffer
freedom of speech.
Wildly popular Mythbusters television star Adam Savage resigned suddenly from his position as cohost of Discovery TV's Mythbusters. Said Mr. Savage: "I just want to take a little personal time with my family. I'll be taking some time out for a year or four in Belize."
Mr. Savage has not been seen since, and our repeated calls to his agent go unanswered.
The Discovery Channel has announced through media representative Linsay Patter "We'll miss him and wish him the best. His loss means we won't be able to continue with the show." Discovery will be filling the space with Annie Parkinson's "Crafts for Children".
Help stamp out iliturcy.
They weren't able to stop this one, which, if you haven't seen yet, is pretty amazing.
-------------------
This is my SIG. There are many like it, but this one is mine.
It's all about risk management for the companies involved. On one hand you have the Discovery Channel which depends on advertising revenues. On the other hand you have several large corporations that are using a flawed system. The question for the credit card companies is whether or not it's cheaper to use the system in place and pressure others not to disclose flaws or come up with something that works better. Sort of reminds me of Mitsubishi and the wheels flying off their heavy vehicles a few years ago. It was cheaper to pay out settlements than recall and fix the vehicles. http://en.wikipedia.org/wiki/Mitsubishi_Motors#Vehicle_defect_cover-up
I know the management of these companies have obligations to the shareholders but isn't it about time they started to exhibit an obligation to not make fraud so easy with the current system?
I truly see Frontline as one of the last and only truly investigative journalism programs on TV. It's the only show where I have found myself thinking "wow what they are reporting is interesting but it raises question A" and then as if by magic, the show continues: "we decided to further investigate and here's what we found about question A and this led us to questions B, C and D"
meep
...for Slashdot to hammer the crap out of some corporate bullies, it sounds like this might be it. Could someone appropriately knowledgeable perhaps post a detailed account of how incredibly hackable RFID security is? A couple of URLs leading to websites with all the red meat would also be appropriate. PGP proves that once the genie is out of the bottle, it can't be put back in all that easily.
Frankly, I'm sick and tired of all these corporate assholes and their attitude. You can bet your bottom dollar that they'll keep the current, flawed system as-is, and simply out-last any hacking victim who dares to challenge them in court. The best solution is to make sure everybody with even a grade school education and a card reader can screw them at will. Maybe then, they'll do something about fixing the problem.
I've calculated my velocity with such exquisite precision that I have no idea where I am.
Bad analogy time:
It's like a ship with holes in it. If the ship is already at sea, you shut up and man the pumps. But if the ship is in the dock, you yell "Look, hole!" and hopefully you won't have to pump quite as much later on.
"CC Companies Irish Mythbusters Show On Security"
Get thee glass eyes, and, like a scurvy politician, seem to see things thou dost not.--King Lear
An expensive lawsuit would almost certainly be filed after the fact, but it stands no chance of success. Discovery could counter-sue for barratry and violations of anti-SLAPP statutes.
Schwab
Editor, A1-AAA AmeriCaptions
"...and I have decided to keep those revelations to myself so that it is not exploited by every script kiddie and wannabe hackers to try."
And you are the only person that will figure that method out, I guess. Hopefully, you are the smartest person alive, and the problem so difficult no one else can possibly figure it out too, and abuse it.
The way we move forward as a race is that we share information, both about what works and helps, and more importantly about what doesn't work or causes harm. If the people affected the most by the flaw that has been discovered do nothing about it, then disclosure is the way. That way everyone else is informed and warned, as they should be.
Make a note of this on their Wikipedia entry.
I assume they were going to demonstrate a MIFARE classic attack, on which papers are plentiful.
Belief is the currency of delusion.
That this clip is leaked to the Internet where it explodes in popularity.
The Discovery Channel should make sure that the media the episode is stored on is secured by means of RFID security devices to ensure that it is not stolen and leaked.
Or given that TI is mentioned, maybe it's more likely to be about Rubin et al.'s attack on TI's Digital Signature Transponder. See Security Analysis of a Cryptographically-Enabled RFID Device (paper) and/or article.
Belief is the currency of delusion.
I remember bill moyers and his 'now' show. it was great, and he had this other guy (david b-something) as a second - and it did some good 'digging' on important stories.
from what I understand, he got shot down and was forced to 'retire' because he asked too many hard questions and bothered too many powerful bigwigs.
he did come back, but not on that show and he *was* put 'out of business' for about a year or two (iirc). ie, the chilling effect was done to PBS, which is a sacred cow, in US culture (more or less).
if moyers can be silenced, it's proof our whole system is broken. PBS was a final hold-out but even PBS was *heavily* edited by bush-co and their henchmen.
TV is a wasteland; cable is mostly such; and even more and more of 'the net' is getting to be high in noise/signal ratio. the net is still mostly unregulated, but imagine the trend going from tv->cable->'teh internets'. we may see it in our lifetimes, too, if things don't get reversed soon.
--
"It is now safe to switch off your computer."
For a good reference describing some of the problems with RFID technology, check out the book "Spy Chips" by Katherine Albrecht and Liz McIntyre http://www.amazon.com/Spychips-Major-Corporations-Government-Track/dp/1595550208/ref=sr_1_1?ie=UTF8&s=books&qid=1220142206&sr=8-1 This has been out for over 2 years now, but the general public has no idea on the capabilities or consequences of RFID systems. Give it a look.
"Texas Instruments comes on [a scheduled conference call] along with chief legal counsel for American Express, Visa, Discover, and everybody else... "
After discovering a flaw in one of Texas Instruments' RFID tags, researchers from RSA Labs and Johns Hopkins University say they plan to continue their testing with exploits against other RFID equipment.
Doesn't look like the secret everyone thinks it is. Note the date. And this just from a few seconds with Google.
Shai Schticks:"You don't make peace with friends, you make peace with enemies"
Especially when it comes to things that might be used for criminal ends. Reason is, most criminals aren't all that smart. Especially small time criminals. To the extent there are smart criminals, they are usually the ones on top, the drug lords and such. The small time criminals usually aren't the sort of people who do research or think things through. You can see this in things like copper theft. This really is not a very profitable mode of operation. Even with the price having doubled, copper prices are still talked about in single digit dollars per POUND. That's also the price you'd pay on a mercantile exchange, not the price a scrap dealer gives you. Thus it is dangerous (both in terms of getting arrested and risking death if the wires happen to be live), a good bit of work, and probably doesn't pay any better than a job at McDonalds.
The point I'm getting at is that the large amount of petty, opportunity type criminals go for things their attention has been brought to. Copper prices skyrocketing made news so their attention got brought to it. They didn't realize that while the prices did double that was from about $2/lb to $4/lb.
Now as related to RFID, well Mythbusters certainly could lead to slightly more sophisticated petty criminals trying it. Right now, there's little information out there on it. So you'd be talking doing a good deal of research, perhaps some of it original, to build a device that could nab card numbers. This assumes that they've even had it brought to their attention that such a thing can be done. If they don't read a site like Slashdot, chances are they don't know it has security issues, and perhaps aren't even aware it exists at all.
However if Mythbusters calls attention to it, and shows a basic guide of how to exploit it, well then they might start trying.
Now I'm not saying that this means the problem shouldn't get fixed, or that it is Mythbusters' job to keep it under wraps. I am saying that there really is some merit to the idea that if the public isn't aware of the problem it's not a problem. Sure there are people out there who are both aware it is a problem and know enough to exploit it. Perhaps you are one of them. However, are you going to actually do it? No? Then no problem.
I'm not saying this is the right way to approach the security of this issue, I am just saying that there is real merit to the idea that if the public doesn't know then it's not a problem. You probably meant that it would be happening but they'd be kept in the dark about it. No, not at all. What I mean is that if the public doesn't know about it, people won't try to exploit it.
Except lawyers *usually* can be counted on to turn on other lawyers and devour them, just like sharks in a feeding frenzy.
Yeah, 99% of lawyers give the rest a bad name.
A few inches? I was hoping to see Adam and Jamie with a parabolic antenna reading people's CC tokens from a couple of blocks. No, seriously. RFID security ranks right up there with Congressional oversight in the list of the top oxymorons of all time... okay, not all RFID hardware---some actually do use crypto in the right way---but a large enough percentage that my level of trust for RFID CCs is somewhere between zero and negative infinity.
I kind of wish someone would record (and post on YouTube et al) a MythBusters parody in which they act like Adam and Jamie et al and do an RFID shootout to see who can assemble the best RFID remote reader rig. Score the contest on accuracy, on ability to distinguish multiple cards, on range, and if they are really feeling lucky, on whether they were able to successfully make a purchase using the skimmed data with the opponent's credit card.... :-)
I doubt I'm going to see that any time soon, but it would be fun to watch the inevitable train wreck in a couple of CC companies' stock as they scrambled to dismantle those systems and come up with a more secure means of payment....
Check out my sci-fi/humor trilogy at PatriotsBooks.