Feds At DefCon Alarmed After RFIDs Scanned
FourthAge writes "Federal agents at the Defcon 17 conference were shocked to discover that they had been caught in the sights of an RFID reader connected to a web camera. The reader sniffed data from RFID-enabled ID cards and other documents carried by attendees in pockets and backpacks. The 'security enhancing' RFID chips are now found in passports, official documents and ID cards. 'For $30 to $50, the common, average person can put [a portable RFID-reading kit] together,' said security expert Brian Marcus, one of the people behind the RFID webcam project. 'This is why we're so adamant about making people aware this is very dangerous.'"
...the Feds try to ban the tech to read the RFIDs instead of urging credit card manufacturers/the state department to back off on putting RFID chips into everything?
To the haters: You can't win. If you mod me down, I shall become more powerful than you could possibly imagine
Why would they be surprised? This has been common knowledge for years.
If you have to carry an RFID'ed object that contains sensitive information, keep it shielded at all times or destroy it.
RFID is a slightly-longer-range bar-code that doesn't require line-of-sight. But it would certainly be possible to use a digital camera or scanning lasers to do this same sort of thing to any visible bar-codes.
It doesn't really make sense to say RFID is "very dangerous" unless you have that same fear of bar-codes.
A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
If an officer is under cover, they may still be carrying their ID. Looks like a discreet RFID scanner may be added to future tool kits of various organizations that want to avoid making deals with undercover cops.
They're attending a security convention with id cards that can be read from their pockets.
It's a good thing they didn't have rfid credit cards.
If it can be done, it will be done.
They're using their grammar skills there.
So these sloppy mofos are the ones that are supposed to be "protecting" us? Laughable.
There is a war going on for your mind.
How could they be surprised by this? Were they not aware of the demographic group that attends Defcon? They probably just forgot to wear their tin-foil hats
It is the universe that makes fun of us all.
Being watched is one thing and, with the proliferation of security cameras, to be expected nowadays. It was the first step.
Being watched and identified is another thing entirely. The first step was bad enough, this one strikes me as a step too far - so, yes, I would agree it is dangerous.
Neil
So, do we have a picture of the federal agents that were there? Is this not supposed to be a criminal offense? And who is (legally) to blame on this one? Poor procedures? Decision to use RFID in a situation where it should not be used? Are they going to say that this is entirely hackers' fault?
The Wise adapts himself to the world. The Fool adapts the world to himself. Therefore, all progress depends on the Fool.
Federal agents at the Defcon 17 conference were shocked to discover that they had been caught in the sights of an RFID reader connected to a web camera...
erm... not quite what the Wired Article says:
But the device, which had a read range of 2 to 3 feet, caught only five people carrying RFID cards before Feds attending the conference got wind of the project and were concerned they might have been scanned
Still I suppose the Feds have probably hacked into the Wired Article and fixed that one...
Sig (appended to the end of comments you post, 120 chars)
"Priest asked Adam Laurie, one of the researchers behind the project, to "please do the right thing," and Laurie removed the SD card that stored the data and smashed it. Laurie, who is known as "Major Malfunction" in the hacker community, then briefed some of the Feds on the capabilities of the RFID reader and what it collected."
...they have nothing to fear. Let's see how they like that argument used against _them_!
It's simplest when federal agents are the first ones carrying RFID documents. Construction of the device is more difficult when everyone's shirt, shoes, and underwear has a chip, as the detector then has to know what kinds of codes are in ID cards of various types.
They should've used the foil protective sleeve provided with the document in question and recommended by the organization who provided the document.
I don't know about the new passports, but RFID-enabled New York State Enhanced Driver Licenses come with a foil sleeve and a recommendation to keep the license in the protective sleeve when not in use.
That's right - the government is providing tinfoil hats for your RFIDs already.
retrorocket.o not found, launch anyway?
I was charged with writing POS software where I work. After looking into using scanners, I came across RFID. As it turns out, instead of needing to scan your crap, you can just have a magic wand magically take inventory for you. In fact, after looking into it, I realized I could rig sensors in our storage room to automatically re-take inventory periodically.
I'm sure some people are pushing for RFID for the wrong reasons, but I'm all for it as a replacement for barcodes as far as keeping stock goes. Imagine going to Walmart, and your shopping buggy automatically tells the clerk how much money you owe! Well, that might be a ways off, but it's possible.
I think RFID is an awesome tech, it just has a risk of being abused. Just like barcodes are awesome, but we don't want them on our forehead (unless we're playing Shadowrun, then it's 'cool').
"Sorrow is better than laughter, for by sadness of face the heart is made glad." [Ecclesiastes 7:3]
Yes attaching the RFID info to the photo gives you a better data aggregate but the same "problem" they were worried about can be caused by a web-cam designed to snap photos of ANYONE that goes past it.
The only thing the RFID reader does is try to nab someone with an access card in their wallet. It will not identify just "feds" but anyone that has a card access system in their workplace. So all Comcast employees will get read, Verizon employees, etc... making a very high signal to noise ratio that is approaching that of just taking everyone's photo.
Now look for a SPECIFIC badge, like the black hat badges that have your name and type in it, THAT is useful. Plus make that reader higher power, grab a 3 foot directional range and it becomes useful at choke points.
Do not look at laser with remaining good eye.
Wasn't this explained not long after the inclusion of RFID chips in passports was announced? I just don't understand how it could have been ignored by the government for this long. I'm not this kind of hacker, but even my brief exposure to RFID at work (for inventory management) made me think that it would make a really awful system for sensitive data.
... my passport certainly does. I got mine at ThinkGeek.
Prime numbers are exactly what Alan Greenspan says they are -S. Minsky
What does this article bring to us about RFID security that we did not already know?
An RFID tag can be read from afar! Oh big deal, but isn't it the precise purpose of a contactless badge or ID card to be read this way?
Did these guys break any security protection in any contactless card? No.
They're just telling us that they scared some clueless FEDs attending the conference. That could be interesting information if only their paper wasn't full of hype and so void of content relating to the security of RFID cards.
They jump to the conclusion that being able to read an RFID card with an RFID reader "is very dangerous" but aside from movie-plot scenarios I hardly see how being able to read a random number on some random card is a threat to anybody.
Seriously, how could privacy concerned people focus on this when we're basically broadcasting ourselves on the Internet and our neighborhood (purchases with credit card, cellphone broadcasting a unique ID at a range a thousand times bigger than what any RFID tag could achieve, etc.)?
http://www.transparency.org
SN != AL It's not tinfoil, it's aluminum foil. You'd think that the flock of nerds here would have that figured by now.
You don't say? They go to Defcon and this happens? Good gracious me oh my. Kinda the point of DefCon isn't it?
"But it was enough for me to be concerned," he said. "There were people here who were not supposed to be identified for what they were doing … I was [concerned] that people who didn't want to be photographed were photographed."
If it's worth doing, it's worth doing for money.
If you are worried about this, there are very simple measures you can take.
I know that some think this is some kind of critical failure, especially on slashdot. But it isn't.
1. Agents don't know or understand what's on the card(s). They probably fell into the same false belief the scanner operators have just because they don't know any better.
2. There's nothing particularly special on the RFID chip. A parking facility card and a passport generate the same amount of interesting information. A unique ID. Whew! you got me there. There's a particularly obsessive set of slashdotters that watch too much television and come to believe something can be done with this information. The hurdles are so many the odds of winning the lottery are better than doing something useful with the unique ID.
3. If this were a crypto-capable chip and they got the secrets off the chip with a passive scan, they'd still have a unique ID. It would be a minor accomplishment, but no one cares.
Move along.
http://www.maxineudall.com/2010/02/should-economists-be-sued-for-malpractice.html
... the smart investor's strategy.
Isn't it simpler to staple or put a needle through the tag? That should still pass basic scrutiny.
My problem is that its default behaviour is 'on'. Put a @#$^@^% switch on it and be done with it: you want to scan me? Ask and I will enable; you don't ask, you don't scan. I simply can't wait for smart bombs that target by RFID; it should scare the Feds, I know it would scare me. Kudos to the person who thought this up, I hope they don't take retribution in kind.
Unix, an obscure operating system developed by bored researchers in an attempt to get a better game playing experience.
http://www.thinkgeek.com/gadgets/security/910f/
"I am shocked, shocked to find that hacking is going on in here!"
-Unnamed official.
It is fairly easy to get a license to purchase a shotgun that you leave at home in most places in America
Actually, in *most* places in America, you need absolutely no license or permit to buy a shotgun. You just simply need to be of legal age and able to pass the National Instant Check System (NICS) to show that you don't have a criminal history, etc, that disqualifies you from being legally eligible to purchase a gun.
It's only a few states like NY, MA, NJ, IL, CA that love to violate the US Constitution so heinously to infringe on your 2nd Amendment rights to defend yourself with proper arms.
Remember, that if you're in a life or death situation with an assailant where seconds count... that the police are only minutes away.
I hate to say I told you so (Not really, I'm loving every minute of this) but would they listen?
About 5-6 years ago when the Bush administration started the drive to force us all to carry biometric passports and ID cards with RFID chips in, a lot of us got rather upset and we warned of all kinds of Orwellian things that could be done with them, including the installation of RFID readers with cameras and other devices attached that could be used to track people, and the feds called us paranoid and dismissed every single one of our concerns. But now they're getting upset?
I don't think that this has anything to do with a change in administration. Could it be because so many FBI agents and police officers now carry RFID cards themselves?
One thing's for certain, the people who make the anti RFID sleeves for biometric passports could stand to make some green out of stories such as this.
Um, hello? They were selling nice (and very effective) RFID blocking wallets and passport holders there for $20. If you're flying Feds halfway across the country to attend DEFCON, I'm pretty sure you can afford 20 fucking dollars to give yourself some peace of mind.
Of course, some idiot in Gov will propose a 3 billion dollar project called Protect-A-Fed that will invest thousands of man-hours to devise such a device that could prevent RFID tags from being captured...and 4-billion dollars later you'll have a "new and improved" Government-issue $20 RFID wallet.
Considering that this was done and publicized last year, the idiots who attended this year and had the stupidity to actually bring and carry their rfid tags deserved what they got.
Stupid is as stupid does. They'd probably complain just as loudly if it was an enemy agency which cloned their credentials - imagine thinking the world is fair and nice.
Mountain Bike races. Especially 24 hour events. Yeah, you could clone the leading team, but it would be quite obvious to those physically logging each lap using paper and pencil. It makes timing a lot more accurate and fair, for sure.
RFID, for example, makes the real time scoring system used by Granny Gear possible. So, not only can your friends back home see how your team is doing in real time, but you can also check it yourself as a competitor to see what you need to do to reel in the team ahead, and keep the ones behind you at bay.
Nothing succeeds in making your point like a hugely public embarrassing success against a vested party.
Better here than secretively out in the wild.
"It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
There was a laptop connected to a webcam and a gigantic RFID reader, all in plain sight on the table.
And they're surprised? What did they think it did?
all this discussion still hinges on some weird idea that people have a right to privacy... you never have....
The US Constitution tells what the government can and cannot do but there has never been a "Right to Privacy" in public spaces. If that were the case then you could have sex in the middle of rush hour in your car because it would be a "private space." This isn't the case. RF tags or your hair cut, just as easily "viewable" in a public space. You don't even have a right to privacy in your own home per se. You have the right to private property and as such can prevent someone from entering your home. Even "peeping tom" laws have their limit.
I'm not here to debate privacy, I am here to simply state this entire discussion, topic, hinges on a concept that we have not made, through law, into a "Right". Until you get a constitutional amendment defining privacy as a right, we are just spinning our wheels here...
Your electromagnetic emissions are open and public broadcasts, at the very least would fall under the FCC. Can't wait till they can monitor brain waves at 30 yards so we can punish you for mental harassment based on what you think! Sooo close I can hear the goose stepping Gattaca engineered Pre-crime teams marching through the streets punishing you on what you think.. damn pre-terrorist, pre-rapists, pre-murderers!
"Where have you been? Never mind we know where you've been!"
Sorry, your card doesn't work here at Mc Fatties. You have exceeded your government regulated amount of fast food... In addition, that $200 dollars you took out of the ATM at the strip club will also incur a 30% pleasure tax on the withdrawal. Your non-essential trip to the club will also incur a 15 cent per mile entertainment travel surcharge based on the Federal Road Tax program since the route taken was not registered under your Google Road Plan account for work, basic essentials, or volunteer routes. Please note that carrying alcohol or tobacco products in your vehicle is subject to the local "Vice Transportation" surcharge on all county roads.
-=[ Who Is John Galt? ]=-
An enterprising scumbag could put an RFID reader and a camera outside of the copshops and collect tons and tons of data. That data could then be refined and cross-referenced with other RFID data from other sources.
Then, the pictures could be translated into facial recognition data. With the facial recognition and the RFID-database information, you could generate a pretty good cop-detector.
DefCon is providing a wonderful wake-up call to the cops. I hope they are listening!! OTOH, this stuff is so cool that the CIA and the NSA must be using it like CRAZY!
The disadvantage is you have to deal with hundreds of "lol funny video" submissions and with idiotic digg users. (they are actually worse than slashdot users, which I didn't think was possible.)
But the nose piercings were all on the wrong side, so they couldn't be sure.
Give a man a fish and you have fed him for today. Teach a man to fish, and he'll say "WHERE'S MY FISH, YOU IDIOT?"
There are several published surveys of criminals in prison investigating what they do, how they evaluate targets, and what conditions discourage them from operating in given localities. The risk of being shot by a victim is a major factor. Apparently even criminals are capable of minimal cost-benefit analysis.
------ The only greater hazard to your liberty than n politicians is n+1 politicians.
PETA is against your right to arm bears, and I side with them.
Hey don't blame me, IANAB
Morton Grove Illinois banned them, Kennesaw Georgia required them (no enforcement though, just symbolic) Crime went way up in Morton Grove and dropped in Kennesaw.
I've lived a buncha places, the area with by far the least amount of crime I have seen was Vermont, which is one of two states that have basically a pure no BS second amendment stance. It works once everyone gets used to it.
Bill the Tool, that's your new name.
"if you're a bodyguard of a rich (important) person", that IS a political connection.
...but I'm just making the point that Slashdong is getting its material from stuff posted on Digg days ago. And when you make a post like this, you are instantaneously modded down.
I work for the Materials department of a major transportation company. We looked at RFID hoping to do what you dream of. We decided it wasn't likely to work for us for various reasons. The tags are still pricey (especially in relation to low value items). They are a little fragile. And the read range isn't great, or is non-existent if they are hidden down in a pile of metallic items.
The NRA among others keeps track of crime statistics. The gun control activists hate it when a permissive gun carrying law is enacted, because crime drops dramatically, immediately. Instead, the activists try to cover up those statistics, pointing to another part of the country and crying about all the shootings there.
You can't convince a zealot.
The sunsabitches who spend so much time trying to take our rights away, will NOT be found volunteering to work with youth, or counseling first time offenders of minor crimes. It is more to their advantage to have youth and minor offenders graduate to more serious criminal activity, thereby giving the activist yet more ammunition with which to infringe on honest people's rights.
"Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
The quickest way to show someone why gun control is counter-productive is to have them do a little reading about knife control in Britain. The news articles read like an SNL sketch. It's clear that once they 'solve' the knife problem they'll have to tackle the menace of pointy sticks, followed by rocks, bare fists, etc...
This idea of yours would work without the RFID chips. Just build the face recognition databases off everyone entering the police station at regular intervals. Build distributed camera systems that track glimpses of the vehicle license plates around town and soon you'll know their home addresses too. The same distributed camera system can also track the ID number on each police vehicle and report the current location of each officer.
You know, this "surveillance state" stuff can be used against the state too.
When you join a militia and keep your guns for that, you'll have a point.
A while ago in college I came across some research on what is legally the militia. US Federal Law defined the militia as all able bodied male citizens ages 18 to 45 for those who had *never* served in the regular military, 18 to 55 for those who had served. This constitutes the inactive "unorganized militia". The "organized militia" were those who had officially signed up with their states and periodically underwent training. These organized state militias were federalized into the National Guard prior to World War 1 and were required to equip and train like the regular Army. Federal Law went on to say that the inactive unorganized militia could be called up to serve in the National Guard in time of national emergency. In short this is the legal basis for drafting a civilian into the military. So many of us civilians in the US are in the unorganized militia.
True, there are other countries that provide freedom (sometimes beyond what's offered here in the US) without the epidemic of gun violence we face because guns other than those used for hunting are outlawed
It is also true that some countries have fully automatic weapons in most citizen's homes and they don't have internal violence issues. My only point is that it is naive to blame guns themselves. The argument you present is really claiming that some people, Americans in particular, can not be trusted to behave themselves. I don't agree but it is a valid point to discuss, I only disagree with the "guns are to blame" camouflage.
I have a RFID passport right here.
Here on page five:
This passport must not be altered or mutilated in any way. Alteration could make the passport invalid, and if willful, may subject you to prosecution (Title 18, U.S. Code, Section 1543).
With all due respect I don't think you've considered your argument particularly well.
The trouble with guns is that the actual time it takes to fatally wound someone is effectively instantaneous. From the point of view of someone in a rage it probably takes less than a few seconds to grab a gun, aim and pull the trigger. This can all be done while the shooter is a safe distance from the victim (so they're not in any particular danger themselves).
If you think that is even remotely similar to strangling, drowning, beating or bludgeoning someone to death then I'd love to hear your argument as to why. For one, any of these would take a good minute or more of sustained rage against the victim to actually result in a death. It would be unusual for someone to take out that level of aggression for such a sustained period of time without at least questioning why they're doing it. Secondly the attacker would also be putting themselves in a lot of danger (It's unlikely I'm going to just let someone beat me to a pulp without trying to retaliate).
Stabbing is different obviously, but I consider someone carrying a concealed knife to be just as crazy as someone carrying a gun.
hey. people. can we possibly discuss the articles?
the last 5 posts I've read have had 2 or three responses to the actual article and then well over a hundred morons shouting back and forth about $hotlyDebatedIssue that only mildly (at best) relates to the OP.
no one cares how you feel about $hotlyDebatedIssue, your distractability(prob not a word) and taste for arguing amongst yourselves is awful.
This reminds me of Richard Feynman's story Safecracker Meets Safecracker (.pdf) about how he learned to pick locks. When he demonstrated how he could pick the lock on a big, fancy safe that belonged to a colonel at Oak Ridge, the colonel didn't make improvements to the locks on safes and filing cabinets, he simply ordered everyone to change the combinations on their safes and filing cabinets if Feynman had been in their office.
---
You can lead a horse to water but you can't make him drink.
Until it's illegal to surveil them. Citizens have already been arrested and charged for taping cops in public or on their own property.
One CPU cycle wasted on digital restrictions management is ONE TOO MANY.
No, you're instantly modded down. (This doesn't get modded down because nobody will read these 3 layers deep AC posts)
And digg creates zero news. They don't own the links to the articles. And those links are posted by users from other locations. Most things on digg are around 2-3 days old, and are usually flying around IRC and blogs before they make it to digg. Things on slashdot are 5-10 days old and never originate from digg. If you actually wanted recent news, and wanted to drop the lame ass comment submissions you'd probably just go to the source of the news.
When slashdot starts posting links straight to digg you can start your bitching and moaning back up again.
I'm still consistently amazed by the lack of basic understanding on the part of most people (especially those who should know better).
"OMG! This little chip -- which was designed to be read from a distance -- can be read from a distance? Why weren't we told?"
NO SHIT! Wake the hell up and smell the coffee.
Porquoi?
wait for smart bombs that target by RFID
For some reason, most reporting just covers the less scary and farther-fetched scenarios such as this:
The real danger is that the RFIDs scanned on persons in one location might be further abused to assault, abduct or even assassinate their bearers in another place where these might be much more vulnerable to attack.
.nt nt nt nt nt!
Stupid lameness filter!!!
Get some MacGyver on it.... http://www.rpi-polymath.com/ducttape/RFIDWallet.php ITgrrrl
'The longing to be primitive is a disease of culture' George Santayana