Security Company Tries To Hide Flaws By Threatening Infringement Suit

An anonymous reader writes: An RFID-based access control system called IClass is used across the globe to provide physical access controls. This system relies on cryptography to secure communications between a tag and a reader. Since 2010, several academic papers have been released which expose the cryptographic insecurity of the IClass system. Based on these papers, Martin Holst Swende implemented the IClass ciphers in a software library, which he released under the GNU General Public License.

The library is useful to experiment with and determine the security level of an access control system (that you own or have explicit consent to study). However, last Friday, Swende received an email from INSIDE Secure, which notified him of (potential) intellectual property infringement, warning him off distributing the library under threat of "infringement action." Interestingly, it seems this is not the first time HID Global has exerted legal pressure to suppress information.

Most hated character flaw

[Kevin+Fishburne]

Nothing worse than a person who always finds a way to blame someone else for their own mistakes, except perhaps cold coffee or warm beer.

Re:Most hated character flaw

There is an easy solution. Send them a picture of Goatse and tell them to fuck off.

Re: Most hated character flaw

[Kevin+Fishburne]

Good coffee, like Italian espresso, is awesome cold with ice.

I've heard of such drinks but never tried them. Perhaps on a hot day they'd be both refreshing and invigorating. Down with room-temperature coffee, then. Here's to piping hot or icy cold coffee and cold beer.

Re:Most hated character flaw

[clemdoc]

There is nothing wrong with cold coffee.
Warm beer on the other hand should be considered a crime against humanity.

Re: Most hated character flaw

[fuzzyfuzzyfungus]

Incidentally, while iced coffee is refreshing and invigorating, you can also get refreshing and relaxing by icing irish coffee. I don't think I've ever seen the option on a menu; but I was pleasantly surprised by the effectiveness of the experiment; and a place that offers irish coffee will usually be willing to put some over ice on request.

Re:Most hated character flaw

[gl4ss]

..how about beer with ice?

(thailand, everyone puts ice in beer. even if it is 15 C outside and they're wearing eskimo clothing.)

Re:Most hated character flaw

[TheRaven64]

Beer should be served at room temperature (not warm). If it needs to be chilled, which reduces the sensitivity of the tastebuds, then the correct solution is to buy better beer.

Re:Most hated character flaw

[Ol+Olsoc]

There is nothing wrong with cold coffee. Warm beer on the other hand should be considered a crime against humanity.

Depends on the beer

If you drink BuMilCoors, the colder the better, or just get the same effect by putting toothache medicine on your tongue first.

Re:Most hated character flaw

[Ol+Olsoc]

..how about beer with ice?

(thailand, everyone puts ice in beer. even if it is 15 C outside and they're wearing eskimo clothing.)

I've done it. Wasn't half bad.

Re:Most hated character flaw

[jd2112]

There is nothing wrong with cold coffee. Warm beer on the other hand should be considered a crime against humanity.

That's It! Time to go to WAR with England!

Re:Most hated character flaw

[flopsquad]

Are we a pommy?** I agree that our "ice cold" light beer stateside is far from the height of brewcraft. But there are very few liquids of any sort that I want to consume at room temperature. Even the best beers could stand to be wine-cellar temperature or a little cooler. Maybe you drink all your beer in a wine cellar, in which case carry on--"room temperature" is correct!


**No offense meant. It's just a funny term I heard from some Australian friends. You'd do just as well to call me a POGWBABOSS (Prisoner of George W Bush's and Barack Obama's Security State).

Re: Most hated character flaw

[3.5+stripes]

If you're ever in Italy in the summer, ask for a "caffe shakerato" , where they'll take your shot of espresso, a spoonful of sugar, and a lot of ice cubes and shake it like hell in a martini shaker, then pour it out through a strainer into a martini glass. It's like a cold glass full of the crema on top of your espresso, and it is even more awesome if you happen to add a shot of baileys to the ingredient list.

Re: Most hated character flaw

[nedlohs]

Taste is temperature dependent, and room temperature is the place where it works best (unsurprisingly given that's going to be the temperature of most of the stuff being eaten during its evolution) - coffee has a bunch of bad tasting stuff in it but your taste sensitivity drops off at high and low temperatures. Thus hot coffee or iced coffee is great, but lukewarm coffee is bad.

http://www.nature.com/nature/j...

Re:Most hated character flaw

[T.E.D.]

Beer should be served at room temperature (not warm).

The piece of info I think a lot of folks are probably missing here is that Brits keep their rooms very cold. They've found that it not only saves them money on their heating bills, but it makes their beer taste much better.

Re:Most hated character flaw

[Darinbob]

I don't even like wine at the correct temperature, I want it colder. To insist that there is one and only one way to do things is the wrong attitude to take.

Re: Most hated character flaw

[PeterL.Berghold]

Warm beer isn't always a flaw... depends on local customs.

Re:Most hated character flaw

[doccus]

Problem with ice in beer, is that cubes melt. Not a problem for the first few, but if, like me, you teend to slow down after the first few pints, and can still tell the difference between stale and good beer at that point, the cubes definitely don't add to the bouquet after they melt ;-)

Re:Most hated character flaw

[RockDoctor]

Warm is the correct temperature for proper beer.

the problem is that American beer is crap unless distilled to vapour (when it is effective for clearing out blocked sinuses and removing wallpaper) or frozen solid (when it is good against sprains, bee stings and such like minor injuries).

Quite why Americans drink the stuff when it has so many better uses ... simply incomprehensible.

Re:Most hated character flaw

[cwsumner]

... Maybe you drink all your beer in a wine cellar, in which case carry on--"room temperature" is correct! ...

The castles of Europe were -not- all that warm. "Room Temperature" all depends on the temperature of your room. 8-)

Oh, another one

[roman_mir]

IClass, meet Barbara.

Re:Oh, another one

[penguinoid]

Can't say I've ever heard of IClass before. Nor security by litigation. Now I have something to remember them for :-)

Re:Oh, another one

[Lunix+Nutcase]

You've never used or seen HID products before? Do you live in a cave or just never do any work involving security? BTW their iClass products are pretty crap especially the fingerprint readers. Worked at a place who used them to secure the SCIFs and they had a false fail rate of well over 50% based on my own use and hearing about other people's headaches with them. They would also need constant resetting.

Re:Oh, another one

[Andy+Dodd]

Probably more people have heard of them as HID Global and not iClass.

When I saw iClass, my thought was "I can't remember, is that one of HID's brands?"

The HID products where I work are flaky as hell too...

Re:Oh, another one

[infinitelink]

They should know that IP doesn't cover educational or research uses even of intellectual property. My response would be to call upon the bar of any lawyers involved to dis-bar the lawyers, as well as sue for mis-use of their credentials in unlawful threats, among other things--how to actually label the crimes depends on the jurisdictions involved. They get complacent when we say "this is just a normal/standard tactic by an entity attempting to stop activity/exposure it doesn't like, but it's safe to ignore" rather than "this is an attempt at unlawful suppression of information and threats of harm for lawful activity under colors of authority and in the name of the law" and responding appropriately to threats with action.

Re:Oh, another one

[plover]

You have just described the crime of barratry, or of a SLAPP. Neither will get you disbarred.

Remember, the bar is populated by other lawyers, and they like to practice freely. They're won't disbar someone for defending their client through vigorous means - to defend someone in any other way would be unethical to their client. A SLAPP has to be really, really egregious before it sinks to that level.

Re:Oh, another one

[infinitelink]

I cordially dissent.

What they may call "defend [...] their client through vigorous means", others call intimidation under colors of authority. It's a crime that just isn't prosecuted anymore, and everyone BUT lawyers know better--that saying it's just vigorous representation is to ensure they aren't being unethical when it is a threat, veiled or otherwise.

I have spent time around various lawyers--even who think this way, who can say "we did used to have some serious standards, even that lawyers weren't allowed to advertise, but they're pretty much all gone to legalism now." The last guy to actually say something like that, by the way, was one whose only loss was overturned upon finding the judge in bed with the other side in a case. Most of his career he acted as a lawyer's lawyer and these days he actually advises and counsels other lawyers on exactly how the system is most rigorously gamed.

Substance being over form, threatening to drag someone through the legal system over a perceived wrong regardless of it being rigorous for the fear of not being seen to defend you IP when the damn instance under review is, by virtue of not obtaining to the same mechanisms of the IP, not the same process and mechanisms, sounds plenty like an unlawful threat to me--that lawyers threw-out their metaphysics books laughing how stupid everyone is to believe that it was worthless while openly embracing legal "realism" (by which they mean, "cyncism," or "will to power") in the law schools largely tells me what I need to know about that "judgement" regarding ethics. (That a bunch who espouses along with other intellectuals the uselessness of philosophy while openly practicing a particular kind meshing realisms, authoritarianisms, statisms, and monisms also evinces that we're degraded quite badly.)

I am not saying they shouldn't be vigorous. I am saying, however, they need to be rigorous and about more than appearances--but then, with the judges we get and the quality of their peers, it isn't surprising why appearances become more important. :( Actually, I'm working (besides typing this) on going through judicial reviews by lawyers to vote between judges.

Beyond that, I really do appreciate the information on the more technical terms and the contemporary-stance. Please feel free to enlighten me (and the rest) any way you know. A lot of my understanding is pattern-matching and picking-up intel and insight from others in these fields and I know the phenomena and understandings are not universal.

Regards.

obligatory Dilbert

All the bugs were reclassified as security features

If you can't do, sue!

[EzInKy]

Most of the world knows that security is fleeting, and those that deepend on the law to preserve obscurity is the fleetingness of all. Do they not even consider that citizens of nations that don't give a shit about legal protections are the very people their customers need to be protected against? These companies should be paying rewards to anyone who can defeat their protections, not punishing them.

Re:If you can't do, sue!

[EzInKy]

Disagree. I just think that anyone who depends on something as esotoric as the law to keep others safe should be held responsible for all others who are damaged by their ignorance.

Re:If you can't do, sue!

[fuzzyfuzzyfungus]

Most of the world knows that security is fleeting, and those that deepend on the law to preserve obscurity is the fleetingness of all. Do they not even consider that citizens of nations that don't give a shit about legal protections are the very people their customers need to be protected against? These companies should be paying rewards to anyone who can defeat their protections, not punishing them.

Aside from pure cultural dysfunction (of the sort that causes even some software companies to threaten the people who do free security testing for them, and even offer them time to fix bugs before releasing the proof of concept), the issue is that HID and friends are closer to locksmiths than to software companies.

RFID (and non-standardized but conceptually similar contactless short range RF fobs and slightly longer range button-cell-powered keyless entry systems) tends to be painfully computationally limited, since the tags need to be cheap and need to work on a tiny power budget. The older ones are even worse, of course, since they had less efficient silicon fabrication options to work with. For the same reason, such devices aren't usually little microcontrollers with flashable software; but mostly or entirely fixed-function implementations of crap proprietary crypto systems. Depending on when the corresponding card readers and access control stuff was installed, and what the customer picked, those parts of the system may also be hard to upgrade without ripping them out and replacing them(and, since this is a physical security issue, the readers are more likely to be embedded in walls/bolted to stuff/otherwise tied down and hardwired, so it won't just be swapping out a bunch of desktops.

Because upgrading in-software/firmware is often difficult or impossible, and upgrading involves ripping out hardware that was supposed to have years of service life, HID and friends really don't want to hear about it. They'd much rather just try to tamp down public awareness of the issue, hope that there are no high-profile breaches of customers capable of suing them, and pretend it isn't a problem until the flawed parts have aged out.

As much as it's a repulsive, dishonest, and definitely-unworthy-of-support-by-the-courts tactic, it must be admitted that plenty of known-broken lock designs continue to more-or-less do their jobs (if attackers are still forcing doors rather than just picking locks, the lock is apparently still effective) for years after their weaknesses become public knowledge, so it is entirely probable that various HID access fobs will quietly age out without any major incidents. No need to threaten the researchers about it, though.

Re:If you can't do, sue!

[Another,+completely]

They didn't threaten him for studying the algorithm, the note is about publishing code that implements their proprietary encryption algorithm. It seems more likely that they are worried about a competitor building compatible devices. If they allowed a freely published GPL implementation to be distributed without challenge, somebody might say that was implicitly approving of its distribution and therefore permitting compatible devices to be legally sold that interact with their proprietary system. I'm not sure whether that would hold up in court, but it would certainly drag out the proceedings.

From the letter, this isn't shooting the messenger so much as normal protection of a proprietary product. If somebody eventually convinces the public that it's insecure, they will deal with that later; maybe they will even have fixed their systems by then. The important thing for now is that whatever systems are out there are all genuinely from INSIDE Secure.

Re:If you can't do, sue!

[Lunix+Nutcase]

From the letter, this isn't shooting the messenger so much as normal protection of a proprietary product. If somebody eventually convinces the public that it's insecure, they will deal with that later; maybe they will even have fixed their systems by then. The important thing for now is that whatever systems are out there are all genuinely from INSIDE Secure.

HID fixing the insecurity of their products? Hahahahahahaha. Funniest joke I've heard so far this week.

Re:If you can't do, sue!

[plover]

On the one hand, there is the philosophy that "locks only keep honest people out." If someone is using a hack to bypass their door security, the current legal framework could be used to charge them with trespassing, breaking and entering, illegal use of lock-picking equipment, possession of burglary tools, or some other charge. If a prosecutor wants to file charges against you for using such a device, he will. To that end, HID may feel they have to try to defend their system through the legal system, or the courts may not take their products seriously as a security system.

On the other hand, anyone who has such a system protecting their buildings and grounds is now at Pucker-Factor One. These SLAPP lawsuits are just confirmation that HID acknowledges the threat to their systems is real, and the attack code is already in the hands of vandals and bad guys. If building security was my job I'd be on the phone to HID today, and googling the competition while their account manager lied in my ear about how it's not a crisis.

Re:If you can't do, sue!

[plover]

Nope. Legal protections for intellectual property include patents, trademarks, and copyright. However, all these have limited lifetimes. Having a trade secret means you forgo any legal protection, and you take on defending your secret through your own security systems. That means you can retain a trade secret for as long as you can keep it secret, but once the genie's out of the bottle, too bad. The courts can't help you directly, but you could sue a disgruntled employee if he published the 11 secret herbs and spices in breach of his employment contract.

IClass?

[l0ungeb0y]

NoClass sounds more like it.

Re:IClass?

[Jahta]

NoClass sounds more like it.

"When they said you was IClass, well that was just a lie".

(ducks and runs)

Patent infringement

[phantomfive]

He is not being threatened for copyright infringement, he's being warned about patent infringement. Here is the link to the patent in question (there's also a European patent). Furthermore, it seems the lawyers have determined that he has not committed infringement himself, but users of his library may use it to infringe. Therefore, the letter does not even threaten any legal action at all. It's just a friendly request.....or as friendly as lawyers ever get.

Below I will paste the specific patent's independent claims. I don't think this can actually cover generic software written for the PC, because of the 'secret memory' and the fact that they have patented the device implemented in hardware, not a software implementation of the algorithm (and how many computers actually have a pseudo-random shift register?)

1. Method of producing an authentication code (CA), comprising cycles for reading binary words (Mn) out of a secret memory (21) comprising a plurality of binary words, wherein, at each cycle, the address for reading a word out of the secret memory (21) is generated from an address generating binary word (GA) forming the result of a combination operation (Fc, ) of words (M1 to Mn) read out of the memory during previous cycles, characterised in that it comprises a transform operation of the address generating word (GA) consisting in logically combining at least one bit (g'0, g'1, g'2) of the address generating word (GA) with at least one bit (r1, r4, r6) of a pseudo-random shift register (26).

8. Logic machine (20, 20-1, 30) clocked by a clock signal (H), comprising a secret memory (21) in which a plurality of binary words read out at clock rate are stored, wherein the output of the memory (21) is applied to a first input (A) of a logic circuit (22) whose output (C) is fed back to the second input (B), the logic circuit (22) performing a combination (Fc, "+") of its two inputs (A, B) and producing an address generating binary word (GA) supplied to the address input (ADR) of the memory, characterised in that it comprises a pseudo-random shift register (26) and logic means (25-1, 27) for combining at least one bit (r1, r4, r6) of the shift register (26) with at least one bit (g'0, g'1, g'2) of the address generating word (GA).

Re:Patent infringement

[Another,+completely]

Explain claims like "Claim 8: Claim 3 in which module 12 is composed of steel and glass" or some such thing. If it were all or nothing, why would you break them out in the first place?

Re:Patent infringement

[flopsquad]

You only quoted claims 1 and 8. It's only infrintement if ALL of the claims apply. If 2-7 don't apply, then it's not infrintement. Period.

That is patently false (zing!). You do not have to infringe every claim, a single claim is all you need. In order to "infringe a patent" (not actually a thing), what you're really saying is that every element and limitation of a single claim is being practiced by the infringing device/activity.

If Claim 1 has elements A, B, and C, and limitation L, the competitor's device must contain at least A+B+C-L to infringe. It doesn't matter at all that Claim 2 recites A, B, C, and D with limitations L and M.

Re:Patent infringement

[phantomfive]

Learn the difference between a dependent claim and an independent claim.

Is This Infringement?

[Strangely+Familiar]

Claim 1 of the patent is pretty long, and the disputed software would have to meet all of the limitations of that claim to infringe.

Method of producing an authentication code (CA), comprising cycles for reading binary words (Mn) out of a secret memory (21) comprising a plurality of binary words, wherein, at each cycle, the address for reading a word out of the secret memory (21) is generated from an address generating binary word (GA) forming the result of a combination operation (Fc, ) of words (M1 to Mn) read out of the memory during previous cycles, characterised in that it comprises a transform operation of the address generating word (GA) consisting in logically combining at least one bit (g'0, g'1, g'2) of the address generating word (GA) with at least one bit (r1, r4, r6) of a pseudo-random shift register (26).

Without inspecting the software, and knowing what the HID attorney is asserting, there is no way of forming a legal opinion... and this is in no way a legal opinion, just a recitation of the first patent claim and some questions. But it does look like the method requires using a "pseudo-random shift register" and a "secret memory" among other things. Do the people who are said to infringe actually use this method? Does the code require that such a register and memory be used, or are there ways the code could be used without infringing all of the elements in the claim? Is the target of the letter simply caving to avoid consulting a lawyer?

Re:Is This Infringement?

Read any book by Donald E. Knuth. From about 1962 to 1973 for starters.
I'm sure shift register feedback is covered - and how the h*** can you get a patent for this rubbish with all the prior art and such.
Throw in the words secret memory and pseudo random. What a disgrace in classic CS plagiarism with a pike and twist and double bluff. FIPS is a little bit better, but with electron scanning microscopes, the word secret is now memory chip wrapped in wire and difficult to dissolve glue. If a repeating cycle was evident, they had sh** for brains.

Re:Is This Infringement?

Because the patent covers something that meets -all- the claims, not just any individual one. Often patents build upon existing patents/knowledge. It's the overall thing that matters.

Which is not me agreeing with software patents. I don't. Algorithms should not be patentable. Arguably implementations perhaps could be - but only if they're non-trivial and non-obvious. Complex systems that utilise those algorithms are another matter, but then it's the system not the algorithm that you patent.

Throw in the words secret memory and pseudo random

pseudo-random is not just thrown in, it's a common term in cryptography with a very specific meaning.

Re:Is This Infringement?

[Strangely+Familiar]

Dude, you are seriously misinformed. Don't repeat things you heard when you don't really know. A method or device need only meet all of the elements in one claim to infringe. Maybe someone once said that a device must meet all claim elements to infringe, and someone not familiar with patent law repeated that later, but remembered it as "a device must meet all the claims to infringe". Any competent person analyzing infringement first looks to the independent claims to see if there is infringement. If none of the independent claims are infringed, that is typically the end of the story, and I don't know of any cases where it isn't. But I wouldn't be surprised to find unusual exceptions to the rule. If you google "patent infringement", and go to the first hit that isn't a law firm trying to get business, you get a USPTO website that helpfully states:

What is patent infringement?

Patent infringement is the act of making, using, selling, or offering to sell a patented invention, or importing into the United States a product covered by a claim of a patent without the permission of the patent owner. Further, you may be considered to infringe a patent if you import items into the United States that are made by a patented method, unless the item is materially changed by subsequent processes or becomes a trivial and nonessential component of another product. A person “infringes” a patent by practicing each element of a patent claim with respect to one of these acts. Further, actively encouraging others to infringe patents, or supplying or importing components of a patented invention, and related acts can also give rise to liability in certain cases.

Notice that it says "each element of a patent claim" not "every claim"?

So... is the LAME strategy valid?

[PhrostyMcByte]

Some software projects like LAME, x264, and libav claim to skirt around patent issues by only distributing source code, not binaries. I've always wondered if this is a valid workaround, or just some clever devs getting their hopes up.

Re:So... is the LAME strategy valid?

[philip.paradis]

The general idea is that people may run a lower risk getting into trouble if they adopt the practice of shipping raw ingredients, separate components, unfinished works, mostly functional containers lacking only media content or a specific bit of code to be useful, etc instead of a "ready to roll" push-button-go-fast product. To what degree this works out in reality is highly dependent on the the specific statutes governing the independent components and/or completed thing in question.

Logical

[Tablizer]

"Being a security company, we wanna keep our mistakes secure."

Re:My infringement warning notice

[Strangely+Familiar]

That suggestion does seem like it would make it hard for the HID attorney to continue to assert that Swende is trying "to incite third parties to infringe our intellectual property rights."

No secret memory in his implementation

[dutchwhizzman]

His implementation only uses non-secret memory and should therefor be safe from these patents. The patents described here rely on the contents of the memory of the contraptions to be "secret" to make the process "secure".

You could even say that the original implementation by INSIDE secure doesn't follow the patent since obviously, the memory content isn't that "secret" anymore.

Re:not news

[phantomfive]

Governments are trying similar shit, by silencing dissent with summary penalties for as-yet undefined "trolling".

What governments are you talking about here?

Re:not news

You must've missed yesterday's news. See the UK.

Re:not news

[sg_oneill]

Governments are trying similar shit, by silencing dissent with summary penalties for as-yet undefined "trolling".

I can assure you the word "trolling" does not appear in legislation anywhere on the earth (except maybe in the misguided title of some legislation, perhaps). You'll find the law would be somewhat specific about what it defines as prohibited behavior, simply because the courts would shred the legislation if it isnt. At least the US, UK and Australian ones would.

Re:Why do companies insist on producing shit ?

[Crashmarik]

Because they need to because they can and if they don't make a success they are all screwed to the wall. Plenty of incentive to bend people's morality which is usually pretty non existent to begin with.

I've said that, but Master lock and demolition saw

[raymorris]

I've said that same thing before. I happen to BE competent professional in certain security matters, so that affects my point of view.

On the other hand, the most popular locks, Kwikset and Master lock, are obviously not designed to be secure against a knowledgeable or determined advesary. They are designed to discourage your neighbor from casually getting into your stuff, and that's pretty clear from looking at the product and feeling how lightweight it is. Maybe that's what people want most of the time - a lock sufficient to make it rather inconvenient for the average person to walk in, not something that's going to keep the locksmith out when you lose your key.

At the other end of the spectrum, for $10,000 you can buy a heavy duty safe made of steel and concrete. For $32, I can rent a demolition saw designed to cut through concrete and steel. Since physical security costs about 300 times as much as breaking it costs, perhaps the primary goal is to not be low-hanging fruit. I've watched a car burglar go from car to car, stealing stuff from the ones that were unlocked. He skipped the locked ones, which all had very breakable windows.*

* Redundant. Windows is always easily breakable.

they're a french company

[sxpert]

under european law, they have no standing for requesting this sort of code to be removed, as the code was obviously created as a research tool and for interoperability.

screw those idiots... let's start git cloning the hell of it ;)

Re:they're a french company

[zm]

A French company threatening a Swedish guy with a US law.. Makes perfect sense...

Re:Why do companies insist on producing shit ?

[fuzzyfuzzyfungus]

It's seriously difficult to understand the mindset of the organization and how they came into this. Did they even bother hiring a competent cryptographer when designing their product ? Were they duped by someone they hired and led to design a insecure product ? Or is encrypting an RFID communication a difficult and non-trivial task with no known vetted solution ?

I don't think that the problem is difficult in some fundamental way (the problem of verifying a remote host with asymmetric crypto has been reasonably well explored with SSL/TLS, and an access control system has the advantage of being able to trust only a CA it controls, and the advantage that you need to get physical access to an RFID reader pad to attempt attacks); but there are significant practical challenges.

RFID chips are pretty power constrained, since they only get whatever energy they can scavenge from the reader's RF output; and customers want them to be cheap. The industry also has fairly long product lifecycles (since, once you've put in a zillion card readers and integrated it with all your other building security stuff you don't want to rip it out and upgrade in 2 years).

It isn't so much a 'there is no known cryptographic solution to this problem' issue as a 'Why yes, we still have major customers using the 'security' provided by the lousy proprietary cryptosystem that our engineers were able to cram into a cheap, power-constrained, chip using the fab processes available in the mid to late 90s, and we really don't want to fix that' issue.

Re:I've said that, but Master lock and demolition

[Registered+Coward+v2]

At the other end of the spectrum, for $10,000 you can buy a heavy duty safe made of steel and concrete. For $32, I can rent a demolition saw designed to cut through concrete and steel. Since physical security costs about 300 times as much as breaking it costs, perhaps the primary goal is to not be low-hanging fruit. I've watched a car burglar go from car to car, stealing stuff from the ones that were unlocked. He skipped the locked ones, which all had very breakable windows.

Exactly. The goal of any security measure is to make it easier for someone to break into someone else's property; thus securing yours. I have a dog, and most burgers will move on before confronting it even though a steak tossed into the porch would distract it long enough to lock it out. However, it's simpler to move on to the next house. If a determined criminal wants something you have they will find a way to get it.

DeCSS

[tepples]

Can't say I've ever heard of [...] security by litigation.

Then you weren't around for the DeCSS cases.

Re:DeCSS

[swillden]

Can't say I've ever heard of [...] security by litigation.

Then you weren't around for the DeCSS cases.

I was... and security was not successfully achieved by litigation, nor even by ITAR restrictions. I think I still have my DeCSS t-shirt somewhere, with the code printed on the back. At the time that t-shirt was arguably an illegal munition, which of course is why it existed and why I bought it.

Re:I've said that, but Master lock and demolition

[NormalVisual]

The goal of any security measure is to make it easier for someone to break into someone else's property; thus securing yours.

It's like an implementation of the punchline, "I don't have to run faster than the bear. I just have to run faster than you."

Re:I've said that, but Master lock and demolition

[Trailer+Trash]

I've said that same thing before. I happen to BE competent professional in certain security matters, so that affects my point of view.

On the other hand, the most popular locks, Kwikset and Master lock, are obviously not designed to be secure against a knowledgeable or determined advesary. They are designed to discourage your neighbor from casually getting into your stuff, and that's pretty clear from looking at the product and feeling how lightweight it is. Maybe that's what people want most of the time - a lock sufficient to make it rather inconvenient for the average person to walk in, not something that's going to keep the locksmith out when you lose your key.

My front door has a pretty decent kwikset lock that I can personally pick. But the door also has a window large enough to walk through in addition to a window on each side.

Unless you have a solid steel door the lock isn't relevant.

If you trip all parts of one claim

[tepples]

Where did you get that interpretation? The way I read patent law, if you trip all the parts of one claim, you infringe the patent. If a claim is dependent ("The device of claim 1, where..."), you have to trip the claim it mentions as well. But you don't have to trip all of them.

You owe my hound dog an apology.

[Dareth]

You owe my hound dog an apology. He was crying, more than usual. I asked him what was wrong and he said you called him "a lawyer".

Re:I've said that, but Master lock and demolition

[hawkinspeter]

I'll have you know that Windows is far more secure nowadays than it ever used to be.

Re:I've said that, but Master lock and demolition

[hawkinspeter]

Depending on where you live, often the purpose of security is not to stop someone entering but to ensure that they're going to make a lot of noise doing so. If you're in a street with lots of neighbours, then a burglar is not going to want to be smashing windows or wooden doors.

This is also why dogs make good guard pets as some of them make lots of noise when they see someone they don't know. A lot of dogs would just go and excitedly greet a burglar, but the burglar wouldn't want to take the chance and will often pick a house without a dog.

is not are

[raymorris]

* Redundant. Windows is always easily breakable.

I've got to disagree with that one, unless you refer to Microsoft Windows then sure I agree with that :)

I did say Windows IS, not Windows ARE. :) Lexan windows are pretty tough, and the front door windows of some cars are tough, with the ability to bend a bit rather than break. On YouTube there is a funny video of a reporter trying to break a car window with a hammer.

yes, upgraded to FAX like 1970s Unix

[raymorris]

Indeed it has improved considerably. The basic security model went from "don't show other people's files unless you click the C: drive" to actually denying access to other people's files. Currently it has what has traditionally been considered a decent model, discretionary access control very similar to the classic Unix model.

On the other hand, Unix used that model in the 1970s. Linux moved to a more secure mandatory access control model ten years ago, around the same time that Windows was finally getting DAC. The weaker model is also the simpler and more convenient model, so this doesn't necessarily make Linux BETTER, it's more secure, but less simple and convenient. Choose your own priorities.

Re:yes, upgraded to FAX like 1970s Unix

[hawkinspeter]

Yep. I much prefer to use Linux, but my wife complained when I replaced all the Windows in our house, especially the double-glazing.

Re:I've said that, but Master lock and demolition

[swillden]

perhaps the primary goal is to not be low-hanging fruit

Exactly. The goal is to avoid being the easiest target around.

If bad guys wanted to work hard they'd just get a job. There are contexts in which the value of a target justifies expending a lot of effort, but they're the exception. In every case real security is all about correctly understanding the threat model and then applying adequate mitigation.

Re:Why do companies insist on producing shit ?

[swillden]

The industry also has fairly long product lifecycles (since, once you've put in a zillion card readers and integrated it with all your other building security stuff you don't want to rip it out and upgrade in 2 years).

This is the core issue. When evaluating what should be done you have to consider available technology... and in this case your baseline is 10-20 years ago because old systems don't get replaced very often and for new systems backward compatibility is important, as is minimizing the number of distinct products you have to manage.

Re:I've said that, but Master lock and demolition

[raymorris]

If bad guys wanted to work hard they'd just get a job.

I like the way you put that. I'm going to steal that phrasing.

Lexmark v. Static Control Components

[tepples]

At least Lexmark v. Static Control Components, the case I assume you're referring to, was decided in favor of interoperability.

fax? wtf autocorrect?

[raymorris]

That subject line should say DAC, not FAX.

Re:Why do companies insist on producing shit ?

[fuzzyfuzzyfungus]

I imagine that it also helps (at least in terms of customer acceptance) that most of these RFID tags are probably replacing something that was as bad or worse. Keys are clonable, provide no record of use(much less timestamped logs of individual users) and if one gets into the wild re-keying the place is Not Fun. Magnetic stripe cards are trivially clonable; but on the same level as most RFID tags in terms of access logging and enabling/disabling access. Adequately rugged optical sensors have historically been pretty expensive, so bar codes, hand scanners, and any other biometric gimmicks are likely niche players.

I'd be pretty annoyed if some salesweasel lied to me about it; but it's unlikely that an RFID installation replaced something that was harder to clone, and it's still easier than keys, slightly more robust than mag stripe readers, and reasonably cheap per tag. In some ways that makes it even more obnoxious to harass the researchers, though.

Re:Why do companies insist on producing shit ?

[swillden]

+1

Excellent points.

suit ??? for writing code in an academic environme

[PeterL.Berghold]

If they were on the up and up they'd be glad for the help finding their flaws I'd think...