Slashdot Mirror
CC Companies Scotch Mythbusters Show On RFID Security
mathfeel passes along a video in which Mythbusters co-host Adam Savage recounts how credit card companies lawyered up to make sure the Discovery channel never, ever airs a segment on the flaws in RFID security. "Texas Instruments comes on [a scheduled conference call] along with chief legal counsel for American Express, Visa, Discover, and everybody else... They [Mythbusters producers] were way, way outgunned and they [lawyers] absolutely made it really clear to Discovery that they were not going to air this episode talking about how hackable this stuff was, and Discovery backed way down being a large corporation that depends upon the revenue of the advertisers. Now it's on Discovery's radar and they won't let us go near it."
No disrespect to the MythBusters, but if they could figure it out, plenty of others will also.
If you could reason with religious people, there would be no religious people
I can't wait until they test my myths! Also, lawyers are the reason we no longer have habeas corpus, so the show should be filmed in Guantanamo Bay, Cuba.
My work here is dung.
Myth Confirmed.
Busting Security Through Obscurity!
This isn't at all about the hackers ... this is about making the general public aware just how bad this is.
"So, if I Understand this correctly, you knew of these security holes back in 2008, and rather than fix them, you prevented the Mythbusters from talking about them."
"Well, yes, Your Honor."
"Give me another reason why I should listen to one word of your defense against this class action suit?"
This will come back and bite them in the @$$. Hard.
"Only two things are infinite, the universe and human stupidity, and I'm not sure about the former."
So, rather than face lawsuits over contractual obligations to build and maintain a secure system (hah), they litigate the party who exposes them for attempting fraud.
Should it be surprising that in a culture that prizes profits and pride over progress, that litigation threats are used to squelch otherwise good feedback and information?
"We are Microsoft. You shall be assimilated. Competition is futile."
Of course, now that the story is propagating all over the Net, pretty soon everyone will know about the alleged security flaws (if not the details), and the CC companies and their legal eagles will look quite villainous. When will they ever learn?
"Every great cause begins as a movement, becomes a business, and eventually degenerates into a racket." -- Eric Hoffer
freedom of speech.
Wildly popular Mythbusters television star Adam Savage resigned suddenly from his position as cohost of Discovery TV's Mythbusters. Said Mr. Savage: "I just want to take a little personal time with my family. I'll be taking some time out for a year or four in Belize."
Mr. Savage has not been seen since, and our repeated calls to his agent go unanswered.
The Discovery Channel has announced through media representative Linsay Patter "We'll miss him and wish him the best. His loss means we won't be able to continue with the show." Discovery will be filling the space with Annie Parkinson's "Crafts for Children".
Help stamp out iliturcy.
They weren't able to stop this one, which, if you haven't seen yet, is pretty amazing.
-------------------
This is my SIG. There are many like it, but this one is mine.
It's a all about risk management for the companies involved. On one hand you have the Discovery Channel which depends on advertising revenues. On the other hand you have several large corporations that are using a flawed system. The question for the credit card companies is whether or not it's cheaper to use the system in place and pressure others not to disclose flaws or come up with something that works better. Sort of reminds me of Mitsubishi and the wheels flying off their heavy vehicles a few years ago. It was cheaper to payout settlements than recall and fix the vehicles. http://en.wikipedia.org/wiki/Mitsubishi_Motors#Vehicle_defect_cover-up
I know the management of these companies have obligations to the shareholders but isn't about time they started to exhibit an obligation to not make fraud so easy with the current system?
I truly see Frontline as one of the last and only truly investigative journalism programs on TV. It's the only show where I have found myself thinking "wow what they are reporting is interesting but it raises question A" and then as if by magic, the show continues: "we decided to further investigate and here's what we found about question A and this lead us to questions B, C and D"
meep
Bad analogy time:
It's like a ship with holes in it. If the ship is already at sea, you shut up and man the pumps. But if the ship is in the dock, you yell "Look, hole!" and hopefully you wont have to pump quite as much later on.
"...and I have decided to keep those revelations to myself so that it is not exploited by every script kiddie and wannabe hackers to try."
And you are the only person that will figure that method out, I guess. Hopefully, you are the smartest person alive, and the problem so difficult no one else can possibly figure it out too, and abuse it.
The way we move forward as a race is that we share information, both about what works and helps, and more importantly about what doesn't work or causes harm. If the people affected the most by the flaw that has been discovered do nothing about it, then disclosure is the way. That way everyone else is informed and warned, as they should be.
There is also no law that requires the credit card companies to spend their advertising dollars on the Discovery Channel, or any other media outlet owned by the same company. That's what this is all about.
The key sequence to access my Slashdot bookmark in Firefox is Alt-B-S. I don't believe this is a coincidence.
Make a note of this on their Wikipedia entry.
That this clip is leaked to the Internet where it explodes in popularity.
The Discovery Channel should make sure that the media the episode is stored on is secured by means of RFID security devices to ensure that it is not stolen and leaked.
For a good reference describing some of the problems with RFID technology, check out the book "Spy Chips" by Katherine Albrecht and Liz McIntyre http://www.amazon.com/Spychips-Major-Corporations-Government-Track/dp/1595550208/ref=sr_1_1?ie=UTF8&s=books&qid=1220142206&sr=8-1 This has been our for over 2 years now, but the general public has no idea on the capabilities or consequences of RFID systems. Give it a look.
"Texas Instruments comes on [a scheduled conference call] along with chief legal counsel for American Express, Visa, Discover, and everybody else... "
After discovering a flaw in one of Texas Instruments' RFID tags, researchers from RSA Labs and Johns Hopkins University say they plan to continue their testing with exploits against other RFID equipment.
Doesn't look like the secret everyone thinks it is. Note the date. And this just from a few seconds with Google.
Shai Schticks:"You don't make peace with friends, you make peace with enemies"
Especially when it comes to things that might be used for criminal ends. Reason is, most criminals aren't all that smart. Especially small time criminals. To the extent there are smart criminals, they are usually the ones on top, the drug lords and such. The small time criminals usually aren't the sort of people who do research or think things through. You can see this in things like copper theft. This really is not a very profitable mode of operation. Even with the price having doubled, copper prices are still talked about in single digit dollars per POUND. That's also the price you'd pay on a mercantile exchange, not the price a scrap dealer gives you. Thus it is dangerous (both in terms of getting arrested and risking death if the wires happen to be live), a good bit of work, and probably doesn't pay any better than a job at McDonalds.
The point I'm getting at is that the large amount of petty, opportunity type criminals go for things their attention has been brought to. Copper prices skyrocketing made news so their attention got brought to it. They didn't realize that while the prices did double that was from about $2/lb to $4/lb.
Now as related to RFID, well Mythbusters certainly could lead to slightly more sophisticated petty criminals trying it. Right now, there's little information out there on it. So you'd be talking doing a good deal of research, perhaps some of it original, to build a device that could nab card numbers. This assumes that they've even had it brought to their attention that such a ting can be done. If they don't read a site like Slashdot, chances are they don't know it has security issues, and perhaps aren't even aware it exists at all.
However if Mythbusters calls attention to it, and shows a basic guide of how to exploit it, well then they might start trying.
Now I'm not saying that this means the problem shouldn't get fixed, or that it is Mythbusters job to keep it under wraps. I am saying that there really is some merit to the idea that if the public isn't aware of the problem it's not a problem. Sure there are people out there who are both aware it is a problem and know enough to exploit it. Perhaps you are one of them. However, are you going to actually do it? No? Then no problem.
I'm not saying this is the right way to approach the security of this issue, I am just saying that there is real merit to the idea that if the public doesn't know then it's not a problem. You probably meant that it would be happening but they'd be kept in the dark about it. No, not at all. What I mean is that if the public doesn't know about it, people won't try to exploit it.