Security Company Tries To Hide Flaws By Threatening Infringement Suit

An anonymous reader writes: An RFID-based access control system called IClass is used across the globe to provide physical access controls. This system relies on cryptography to secure communications between a tag and a reader. Since 2010, several academic papers have been released which expose the cryptographic insecurity of the IClass system. Based on these papers, Martin Holst Swende implemented the IClass ciphers in a software library, which he released under the GNU General Public License.

The library is useful to experiment with and determine the security level of an access control system (that you own or have explicit consent to study). However, last Friday, Swende received an email from INSIDE Secure, which notified him of (potential) intellectual property infringement, warning him off distributing the library under threat of "infringement action." Interestingly, it seems this is not the first time HID Global has exerted legal pressure to suppress information.

If you can't do, sue!

[EzInKy]

Most of the world knows that security is fleeting, and those that deepend on the law to preserve obscurity is the fleetingness of all. Do they not even consider that citizens of nations that don't give a shit about legal protections are the very people their customers need to be protected against? These companies should be paying rewards to anyone who can defeat their protections, not punishing them.

Re:If you can't do, sue!

[EzInKy]

Disagree. I just think that anyone who depends on something as esotoric as the law to keep others safe should be held responsible for all others who are damaged by their ignorance.

Re:If you can't do, sue!

[Another,+completely]

They didn't threaten him for studying the algorithm, the note is about publishing code that implements their proprietary encryption algorithm. It seems more likely that they are worried about a competitor building compatible devices. If they allowed a freely published GPL implementation to be distributed without challenge, somebody might say that was implicitly approving of its distribution and therefore permitting compatible devices to be legally sold that interact with their proprietary system. I'm not sure whether that would hold up in court, but it would certainly drag out the proceedings.

From the letter, this isn't shooting the messenger so much as normal protection of a proprietary product. If somebody eventually convinces the public that it's insecure, they will deal with that later; maybe they will even have fixed their systems by then. The important thing for now is that whatever systems are out there are all genuinely from INSIDE Secure.

Is This Infringement?

[Strangely+Familiar]

Claim 1 of the patent is pretty long, and the disputed software would have to meet all of the limitations of that claim to infringe.

Method of producing an authentication code (CA), comprising cycles for reading binary words (Mn) out of a secret memory (21) comprising a plurality of binary words, wherein, at each cycle, the address for reading a word out of the secret memory (21) is generated from an address generating binary word (GA) forming the result of a combination operation (Fc, ) of words (M1 to Mn) read out of the memory during previous cycles, characterised in that it comprises a transform operation of the address generating word (GA) consisting in logically combining at least one bit (g'0, g'1, g'2) of the address generating word (GA) with at least one bit (r1, r4, r6) of a pseudo-random shift register (26).

Without inspecting the software, and knowing what the HID attorney is asserting, there is no way of forming a legal opinion... and this is in no way a legal opinion, just a recitation of the first patent claim and some questions. But it does look like the method requires using a "pseudo-random shift register" and a "secret memory" among other things. Do the people who are said to infringe actually use this method? Does the code require that such a register and memory be used, or are there ways the code could be used without infringing all of the elements in the claim? Is the target of the letter simply caving to avoid consulting a lawyer?

So... is the LAME strategy valid?

[PhrostyMcByte]

Some software projects like LAME, x264, and libav claim to skirt around patent issues by only distributing source code, not binaries. I've always wondered if this is a valid workaround, or just some clever devs getting their hopes up.

I've said that, but Master lock and demolition saw

[raymorris]

I've said that same thing before. I happen to BE competent professional in certain security matters, so that affects my point of view.

On the other hand, the most popular locks, Kwikset and Master lock, are obviously not designed to be secure against a knowledgeable or determined advesary. They are designed to discourage your neighbor from casually getting into your stuff, and that's pretty clear from looking at the product and feeling how lightweight it is. Maybe that's what people want most of the time - a lock sufficient to make it rather inconvenient for the average person to walk in, not something that's going to keep the locksmith out when you lose your key.

At the other end of the spectrum, for $10,000 you can buy a heavy duty safe made of steel and concrete. For $32, I can rent a demolition saw designed to cut through concrete and steel. Since physical security costs about 300 times as much as breaking it costs, perhaps the primary goal is to not be low-hanging fruit. I've watched a car burglar go from car to car, stealing stuff from the ones that were unlocked. He skipped the locked ones, which all had very breakable windows.*

* Redundant. Windows is always easily breakable.