Security Company Tries To Hide Flaws By Threatening Infringement Suit
An anonymous reader writes: An RFID-based access control system called IClass is used across the globe to provide physical access controls. This system relies on cryptography to secure communications between a tag and a reader. Since 2010, several academic papers have been released which expose the cryptographic insecurity of the IClass system. Based on these papers, Martin Holst Swende implemented the IClass ciphers in a software library, which he released under the GNU General Public License.
The library is useful to experiment with and determine the security level of an access control system (that you own or have explicit consent to study). However, last Friday, Swende received an email from INSIDE Secure, which notified him of (potential) intellectual property infringement, warning him off distributing the library under threat of "infringement action." Interestingly, it seems this is not the first time HID Global has exerted legal pressure to suppress information.
Nothing worse than a person who always finds a way to blame someone else for their own mistakes, except perhaps cold coffee or warm beer.
Buy your next Linux PC at eightvirtues.com
IClass, meet Barbara.
You can't handle the truth.
All the bugs were reclassified as security features
Most of the world knows that security is fleeting, and those that depend on the law to preserve obscurity is the fleetingness of all. Do they not even consider that citizens of nations that don't give a shit about legal protections are the very people their customers need to be protected against? These companies should be paying rewards to anyone who can defeat their protections, not punishing them.
Time is what keeps everything from happening all at once.
NoClass sounds more like it.
inferior they know their code to be.
Below I will paste the specific patent's independent claims. I don't think this can actually cover generic software written for the PC, because of the 'secret memory' and the fact that they have patented the device implemented in hardware, not a software implementation of the algorithm (and how many computers actually have a pseudo-random shift register?)
1. Method of producing an authentication code (CA), comprising cycles for reading binary words (Mn) out of a secret memory (21) comprising a plurality of binary words, wherein, at each cycle, the address for reading a word out of the secret memory (21) is generated from an address generating binary word (GA) forming the result of a combination operation (Fc, ) of words (M1 to Mn) read out of the memory during previous cycles, characterised in that it comprises a transform operation of the address generating word (GA) consisting in logically combining at least one bit (g'0, g'1, g'2) of the address generating word (GA) with at least one bit (r1, r4, r6) of a pseudo-random shift register (26).
8. Logic machine (20, 20-1, 30) clocked by a clock signal (H), comprising a secret memory (21) in which a plurality of binary words read out at clock rate are stored, wherein the output of the memory (21) is applied to a first input (A) of a logic circuit (22) whose output (C) is fed back to the second input (B), the logic circuit (22) performing a combination (Fc, "+") of its two inputs (A, B) and producing an address generating binary word (GA) supplied to the address input (ADR) of the memory, characterised in that it comprises a pseudo-random shift register (26) and logic means (25-1, 27) for combining at least one bit (r1, r4, r6) of the shift register (26) with at least one bit (g'0, g'1, g'2) of the address generating word (GA).
"First they came for the slanderers and i said nothing."
Without inspecting the software, and knowing what the HID attorney is asserting, there is no way of forming a legal opinion... and this is in no way a legal opinion, just a recitation of the first patent claim and some questions. But it does look like the method requires using a "pseudo-random shift register" and a "secret memory" among other things. Do the people who are said to infringe actually use this method? Does the code require that such a register and memory be used, or are there ways the code could be used without infringing all of the elements in the claim? Is the target of the letter simply caving to avoid consulting a lawyer?
Join the IParty!
A security company that doesn't care about security.
It's seriously difficult to understand the mindset of the organization and how they came into this. Did they even bother hiring a competent cryptographer when designing their product? Were they duped by someone they hired and led to design an insecure product? Or is encrypting an RFID communication a difficult and non-trivial task with no known vetted solution?
The code is implemented for people to be able to play with an insecure algorithm, to test its weaknesses. If I were the author of the library, I would have added a warning like this:
This code is known insecure. If you ship on a real device to customers, you are such a moron that........imagine every insult Linus Torvalds has ever spoken or written, and that it applied to you. Would you want that? That's what would be the case if you used this in production code.
Furthermore, even if you're the dumbest person on earth, shipping this code on real devices could expose you to threats of lawsuits. I don't know if those threats are real, but don't let it get to that point.
"First they came for the slanderers and i said nothing."
Some software projects like LAME, x264, and libav claim to skirt around patent issues by only distributing source code, not binaries. I've always wondered if this is a valid workaround, or just some clever devs getting their hopes up.
"Being a security company, we wanna keep our mistakes secure."
Table-ized A.I.
where are the "sensitive keys" he speaks about in his email? any links?
His implementation only uses non-secret memory and should therefore be safe from these patents. The patents described here rely on the contents of the memory of the contraptions to be "secret" to make the process "secure".
You could even say that the original implementation by INSIDE secure doesn't follow the patent since obviously, the memory content isn't that "secret" anymore.
I was promised a flying car. Where is my flying car?
If people stop buying, pretty soon shit goes away. The problem is not that the people buy shit, or that the people like shit, no, the real problem is that the people are shit.
Governments are trying similar shit, by silencing dissent with summary penalties for as-yet undefined "trolling".
What governments are you talking about here?
"First they came for the slanderers and i said nothing."
You must've missed yesterday's news. See the UK.
I can assure you the word "trolling" does not appear in legislation anywhere on the earth (except maybe in the misguided title of some legislation, perhaps). You'll find the law would be somewhat specific about what it defines as prohibited behavior, simply because the courts would shred the legislation if it isn't. At least the US, UK and Australian ones would.
Excuse the Unicode crap in my posts. That's an apostrophe, and slashdot is busted.
I've said that same thing before. I happen to BE a competent professional in certain security matters, so that affects my point of view.
On the other hand, the most popular locks, Kwikset and Master lock, are obviously not designed to be secure against a knowledgeable or determined adversary. They are designed to discourage your neighbor from casually getting into your stuff, and that's pretty clear from looking at the product and feeling how lightweight it is. Maybe that's what people want most of the time - a lock sufficient to make it rather inconvenient for the average person to walk in, not something that's going to keep the locksmith out when you lose your key.
At the other end of the spectrum, for $10,000 you can buy a heavy duty safe made of steel and concrete. For $32, I can rent a demolition saw designed to cut through concrete and steel. Since physical security costs about 300 times as much as breaking it costs, perhaps the primary goal is to not be low-hanging fruit. I've watched a car burglar go from car to car, stealing stuff from the ones that were unlocked. He skipped the locked ones, which all had very breakable windows.*
* Redundant. Windows is always easily breakable.
And all they did was meet about how I was gonna fix their problem of their network security authentication system, which actually means we don't know how to integrate our old bash scripts into SolarWinds Orion platform?!?! And then when I asked what's their real problem they let me go for asking too many questions!!! Fuck you, Kevin and enjoy your fucked ass company until you're replaced as CTO.
under european law, they have no standing for requesting this sort of code to be removed, as the code was obviously created as a research tool and for interoperability.
screw those idiots... let's start git cloning the hell of it ;)
cloned and downloaded .. re: streisand :)
They want us all to die. That is the way of their kind.
Follow the clones at https://github.com/holiman/loclass/network/members
Lucky me then, in my country it's 100% legal to reverse engineer system to study how it works or to develop compatible interaction between other systems..
So fork it... Just in case... And because Streisand effect....
If you have info that could harm the interests of a corporation but is in public good, don't fucking talk about it or announce your intentions for heaven's sake. Just pastebin it.
Corporations have confirmed through their behavior that to do differently just makes you a target for lawsuits.
They have forced our hand. Whistleblowers get burned. No protections. So fuck em. Burn them down anonymously.
At the other end of the spectrum, for $10,000 you can buy a heavy duty safe made of steel and concrete. For $32, I can rent a demolition saw designed to cut through concrete and steel. Since physical security costs about 300 times as much as breaking it costs, perhaps the primary goal is to not be low-hanging fruit. I've watched a car burglar go from car to car, stealing stuff from the ones that were unlocked. He skipped the locked ones, which all had very breakable windows.
Exactly. The goal of any security measure is to make it easier for someone to break into someone else's property; thus securing yours. I have a dog, and most burglars will move on before confronting it even though a steak tossed into the porch would distract it long enough to lock it out. However, it's simpler to move on to the next house. If a determined criminal wants something you have they will find a way to get it.
I'm a consultant - I convert gibberish into cash-flow.
Can't say I've ever heard of [...] security by litigation.
Then you weren't around for the DeCSS cases.
The goal of any security measure is to make it easier for someone to break into someone else's property; thus securing yours.
It's like an implementation of the punchline, "I don't have to run faster than the bear. I just have to run faster than you."
Please stand clear of the doors, por favor mantenganse alejado de las puertas
* Redundant. Windows is always easily breakable.
I've got to disagree with that one, unless you refer to Microsoft Windows then sure I agree with that :)
Twice already, since 2001, I've ordered my car with a security kit which in addition to providing enhanced dead-bolts in all doors which activate a minute later car is locked with remote fob. It also comes, with the kit, window kit that can defer without breaking a heavy stone / tile (~ 3kg) thrown full speed directly to any window, and the kit wasn't even expensive (relative to price of car). Those windows are not breakable easily, though they last fine a shotgun shot or light handgun, but not many shots from police hand gun or rifles. I've seen myself in one occasion when shown how a heavy tile bounces back and leaves only minor scratch to glass point where the corner did hit. And in case you are able to break it then because it's layered structure with a very strong translucent film between layers it turns completely white and you have still need to do plenty of smashing and peeling of glass from film and trying to get it out from rim/frame before you can get through.
I don't know where you live or what kind of cars you drive, but that kind of kit is available for many business and full size cars that are built to order for the customer rather than built to a dealer warehouse and sold from there. I've had that kit just in case someone would like to throw stone to window and try to steal something inside. I'm talking now about cars which cost above 50k euros and so.
ac.
I've said that same thing before. I happen to BE a competent professional in certain security matters, so that affects my point of view.
On the other hand, the most popular locks, Kwikset and Master lock, are obviously not designed to be secure against a knowledgeable or determined adversary. They are designed to discourage your neighbor from casually getting into your stuff, and that's pretty clear from looking at the product and feeling how lightweight it is. Maybe that's what people want most of the time - a lock sufficient to make it rather inconvenient for the average person to walk in, not something that's going to keep the locksmith out when you lose your key.
My front door has a pretty decent kwikset lock that I can personally pick. But the door also has a window large enough to walk through in addition to a window on each side.
Unless you have a solid steel door the lock isn't relevant.
Do you have ESP?
I have just sent the following to 'customerservice@hidglobal.com'.
I’ve just read the following: http://news.slashdot.org/story/14/10/21/0214222/security-company-tries-to-hide-flaws-by-threatening-infringement-suit . As a customer, I’m very concerned about doing business with an organization that spends more effort hiding flaws than fixing them. Please let me know what efforts are underway to resolve the issues found in your products.
Where did you get that interpretation? The way I read patent law, if you trip all the parts of one claim, you infringe the patent. If a claim is dependent ("The device of claim 1, where..."), you have to trip the claim it mentions as well. But you don't have to trip all of them.
You owe my hound dog an apology. He was crying, more than usual. I asked him what was wrong and he said you called him "a lawyer".
I only look human.
My mother is a halfling and my dad is an ogre, so that makes me an Ogreling
I prefer to live somewhere where I don't need that kind of "security".
I'll have you know that Windows is far more secure nowadays than it ever used to be.
You're a temporary arrangement of matter sliding towards oblivion in a cold, uncaring universe
Depending on where you live, often the purpose of security is not to stop someone entering but to ensure that they're going to make a lot of noise doing so. If you're in a street with lots of neighbours, then a burglar is not going to want to be smashing windows or wooden doors.
This is also why dogs make good guard pets as some of them make lots of noise when they see someone they don't know. A lot of dogs would just go and excitedly greet a burglar, but the burglar wouldn't want to take the chance and will often pick a house without a dog.
You're a temporary arrangement of matter sliding towards oblivion in a cold, uncaring universe
Search "UK trolling law", returns 4.3 million results. Take your pick.
You're welcome.
British courts can't change the law, they are NOT allowed to. That is the sole domain of Parliament.
Holy shit! Europe must be a really dangerous place if this is something you guys have to consider when buying a car.
I'm glad I live in the US, where I don't have to have bulletproof windows installed on my car! It sucks that you guys have to live in constant fear.
I prefer to live somewhere where I don't need that kind of "security".
Having that security kit doesn't mean I need it all the time and especially where I live it's very quiet and fine location indeed. But that kind of kit is convenient to have, it's not expensive as already mentioned and to know that when driving long trips, parking wherever you need to visit, leaving car parked downtown unsupervised over the night area where you have no idea what kind of people might pass over the night, leaving it also weeks or even up to many months to often not so well lit airport parking halls where someone might try to get in it's not so easy as the above writer claimed. All in all you need to worry less where you can park as the car is not so easily being subject of burglary. I did not mention earlier, that it also keeps helluva noise if you even put your hand in through open window when doors are locked, that's due doppler motion sensor radar. It beeps first few times and then starts a show that does not easily be unnoticed.
I have lived and worked due my work past 15 years in quite many very large cities and mostly use rented cars when not near home. Some of these rented cars have been caused some harm, scratches, dents, broken window etc.
It's not nice to start a day and first thing you find your car has been broken in. The hassle with renting company and getting a replacement car does take some time and ruins your day even if you just leave the broken in car there, take a cab to get your business and arrange all things fine with rental company later.
Of course the insurance is for that unlucky event, but first line defense to car (the security kit) is very nice to have and prevents most bad things to happen in first place. That also shows in lower insurance costs I pay. I'm glad to have it in my car and not spend too many thoughts where I can leave my car overnight. It's not perfect if someone who's specialized to steal better cars they will most likely succeed, but it prevents occasional walk by guys doing silly things and saves me some time and worry over the years too.
ac.
* Redundant. Windows is always easily breakable.
I've got to disagree with that one, unless you refer to Microsoft Windows then sure I agree with that :)
I did say Windows IS, not Windows ARE. :) Lexan windows are pretty tough, and the front door windows of some cars are tough, with the ability to bend a bit rather than break. On YouTube there is a funny video of a reporter trying to break a car window with a hammer.
Is it "write-only"?
If you can retrieve data from it, it's not secret. If you can't, it's worthless.
Indeed it has improved considerably. The basic security model went from "don't show other people's files unless you click the C: drive" to actually denying access to other people's files. Currently it has what has traditionally been considered a decent model, discretionary access control very similar to the classic Unix model.
On the other hand, Unix used that model in the 1970s. Linux moved to a more secure mandatory access control model ten years ago, around the same time that Windows was finally getting DAC. The weaker model is also the simpler and more convenient model, so this doesn't necessarily make Linux BETTER, it's more secure, but less simple and convenient. Choose your own priorities.
Or those awesome t-shirts that say "I am a bomb technician. If you see me running, try to keep up." (In case you've never seen one...)
perhaps the primary goal is to not be low-hanging fruit
Exactly. The goal is to avoid being the easiest target around.
If bad guys wanted to work hard they'd just get a job. There are contexts in which the value of a target justifies expending a lot of effort, but they're the exception. In every case real security is all about correctly understanding the threat model and then applying adequate mitigation.
Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
White hat hackers need to show these assholes just how bad they are. Unfortunately, that means never revealing yourself. It's real easy. Just inform the [company in this instance] and tell them that they have 2 weeks to patch it, or an exploit toolkit will be distributed.
Those windows came with the kit and they are not bulletproof per se (not advertised as such, just smash resistant but apparently take well small handguns shots too as the kinetic energy is not much more than throwing large tile towards window) which means they are just well manufactured tough laminated glass which has been used in airplanes, modern trains and other industrial needs and now have been used with smartphones too to prevent accidental breakage. Nothing magic there.
The security kit, that I already have twice told was not expensive, I spent more money other option upgrades like chose better sound system, hybrid (auto/manual) gearbox and tighter chassis, finer upholstery and other features. But after choosing all that adding couple of grands to protect car was nothing I thought would be worth leaving out. I don't enjoy driving and I'm not in car fan person, not even these days much enjoy traveling any more and rather stay house during vacations, but if it's with little bit of money you get it less worse experience then I'm fine with it.
I may well reply also that It sure sucks live in US where you have all that crap, have to drive your kids to school, here they just walk alone or with friends without any fear. I'm glad I live in EU country which we don't have to have guns in such large numbers to protect ourselves from burglars and robbers, our living surroundings are safe but occasionally you may have to visit and leave your car where you can't guard yourselves your property (car) and can't trust the hotel or parking facility guards will be able to guarantee your car is untouched either. Then that kit comes handy, you see. Not that I need it when I'm at home or visit my summer villa.
And you have to bear the TSA security circus also while traveling there, good luck with that too ...
If bad guys wanted to work hard they'd just get a job.
I like the way you put that. I'm going to steal that phrasing.
Above is written by me, same guy who wrote two above messages.
ac.
Or the printer cartridge wars.
At least Lexmark v. Static Control Components, the case I assume you're referring to, was decided in favor of interoperability.
That subject line should say DAC, not FAX.
A couple of points. First, this isn't new. Second, HID has addressed a number of vulnerabilities, and finally, HID is not the one suing. It is one of their chip suppliers.
I prefer to live somewhere where I don't need that kind of "security".
So does every human. Some few have actually deluded themselves into thinking that they do, and confuse statistics and/or their luck for confirmation. There is no such thing as "security", only relative levels of risk. Assuming you are an adult, nobody but you is responsible for your own protection or the protection of your property.
- T
At the other end of the spectrum, for $10,000 you can buy a heavy duty safe made of steel and concrete. For $32, I can rent a demolition saw designed to cut through concrete and steel.
Any student of physical security knows that safes do not make your items secure. All safes do is buy you time. Time for the intrusion alarm to trigger by the crook's presence. Time for the security guard to make his rounds. Time for the police to arrive AFTER the alarm has been triggered. Etc. BTW your $32 demolition saw is going to make a lot of noise. Crooks usually do not like loud noises while they're working as it attracts attention and reduces the working time they have to get that safe open.
If lawsuits are how HID Global deals with people informing others about security holes in their products, you would be wise to invest in some other form of access control, like a high-security pick-resistant lock and key.
of course they can. it's called precedent. They just say the law means X. Only a higher court can say the law doesn't mean X, and all the lower courts must follow the higher court's ruling.
If they were on the up and up they'd be glad for the help finding their flaws I'd think...