Slashdot Mirror


User: John+Harrison

John+Harrison's activity in the archive.

Stories: 0
Comments: 1,985

Comments · 1,985

  1. Yet another thing! on Hong Kong Gets Smart ID Cards · · Score: 2

    I replied to the wrong message! Sorry for the stupidity.

  2. And one more thing! on Hong Kong Gets Smart ID Cards · · Score: 2
    Cracking a smart card reader would be like cracking an ethernet cable. Have fun doing it.

    And unlike an ethernet cable, reading the bits going by won't do you any good.

  3. You don't know what you are talking about on Hong Kong Gets Smart ID Cards · · Score: 2
    There are a variety of different smart cards out there. The fact that one old model of card has been cracked is pretty meaningless in this discussion.

    There is a constant cat and mouse game going on between those who design smart cards and those who try to break them. A few years ago it was discovered that through power analysis techniques you could get the keys off a card. Card makers then introduced measures to protect against that attack. Later differential power analysis was used to extract keys. Countermeasures were again deployed by card makers.

    You can be sure that the cards used in this system will be resistant to all known attacks. There will of course be new attacks invented that could make the system easier to attack. That is why cards have an expiration date. Every few years you will need to issue new cards because new attacks have rendered older cards vulnerable.

    As for Big Brother type abuse, you may be right. I have no idea what kind of protections the winning bidder will put in place to prevent these. But you can design a system that will protect against these types of abuses if you want to.

  4. Please mod the parent as WRONG on Hong Kong Gets Smart ID Cards · · Score: 4, Informative
    Once the first card reader is compromised, or even if someone just reverse-engineers the chip, the whole system is compromised. Once bank information is on them -- and I have no doubt that that bit of the proposal is only on hold, not really dropped -- how long will it be before someone builds a remote reader that can pull info just by walking within a few feet of one?

    Have you ever worked with smart cards? Do you know what a smart card reader is? It is simply an interface between the smart card and another system. It has no, I repeat NO intelligence. There is NOTHING TO CRACK in the reader.

    What do you mean by reverse engineering a chip? In a properly designed smart card system the bad guys can get ahold of all the cards (initialized or uninitialized) they want and they will not be able to "compromise the whole system".

    Even if you somehow managed to extract the keys from one card, that is all you would have, one card. You would have to go through the process again for another card. BTW, extracting the keys from a single card is estimated to cost $300,000 or more. It is not something that can be mass-produced.

    A remote reader is only useful for contactless cards and only in certain situations.

    I work with smart cards every day. I work for one of the teams that bid on this project. Not the winning team :( . I am only flaming the parent post because it is spreading lies and for some reason has been modded up.

  5. Sorry about the pissing contest on Interesting Concepts in Search Engines · · Score: 1

    You asked how I knew. I answered. I am sorry about being annoyed. Thanks for your response.

  6. Re:This is not a new idea on Interesting Concepts in Search Engines · · Score: 3, Informative
    How do you know this is not how Google creates its search results? What you've described sounds exactly like how Google describes their technology:

    I know because I have read about both technologies. I discussed the merits of Clever v. Google a few years ago with classmates that were taking the class at Stanford that spawned Google. That is how I know.

    End of Rant

    There is an excellent article on Clever that appeared in Scientific American a few years ago. It was linked to from the page I originally posted. You should check it out. Clever returns results divided into the categories of "hubs" and "authorities". I have never noticed Google doing that.

    Here is an excellent summary from the article on the differences between Clever and Google:

    Google and Clever have two main differences. First, the former assigns initial rankings and retains them independently of any queries, whereas the latter assembles a different root set for each search term and then prioritizes those pages in the context of that particular query. Consequently, Google's approach enables faster response. Second, Google's basic philosophy is to look only in the forward direction, from link to link. In contrast, Clever also looks backward from an authoritative page to see what locations are pointing there. In this sense, Clever takes advantage of the sociological phenomenon that humans are innately motivated to create hublike content expressing their expertise on specific topics.

    Of course Google has tweaked their method since this article was written, however it has not become Clever.

  7. This is not a new idea on Interesting Concepts in Search Engines · · Score: 3, Informative
    I will refer you to the Clever project at IBM. I first read about this years ago when Google was still a project at google.stanford.edu.

    Clever does Google one better by separating the results of searches into "hubs" and content. Hubs are sites with lots of links on a particular subject. Content sites are the highly rated sites linked to by the hubs.

    I thought it was a very interesting concept and I am surprised that it was not commercialized. Of course, IBM is in the business of buying banner ads rather than selling them. They could always do like /. and OSDN and mostly run ads for their own stuff though....

  8. Re:why not a 3d search engine? on Interesting Concepts in Search Engines · · Score: 2
    Your idea is really interesting. You would have to specify which three parameters (or group the parameters) to use for the graphing. You would also need a way to visualize and rotate the data.

    One of the nice things about Google and other current search engines is that you can easily look at the context in which the search term occurs and determine if the link is relevant. I think this would be harder to do in 3D. It would be nice if you were able to weight your search terms (scale of 1-10?) on Google. That might accomplish the same goal as what you want without the 3d niftiness.

  9. You are right. on The Timex Speedpass Watch · · Score: 2
    It appears that your iButton is indestructible. My point is that contrary to what some have posted here, a smart card is not going to get accidentally destroyed if you happen to run it over.

    Can you think of some sort of physical abuse that would destroy your iButton?

  10. JCOP passes the dishwasher test! on The Timex Speedpass Watch · · Score: 2

    Just ran it through with the dishes with detergent. Card continues to function. I am thinking that if I hit it with a hammer several times I will destroy it. I think that an iButton would also be destroyed by a hammer. My point is that I can't think of anything that would happen to the card in the course of normal use that would destroy it.

  11. JCOP destruction test! on The Timex Speedpass Watch · · Score: 2
    I just ran over a JCOP card four times with my truck. Twice on each side. It now has a bit of grit on it but it still works!

    I will now run it through the dishwasher to get the grit off and I will report back here!

  12. Re:IButton on The Timex Speedpass Watch · · Score: 2
    But: the iButtons are WAY more secure than smart cards

    The smart cards that I deal with have tamper-resistant, tamper-detecting hardware. I am unaware of tamper-proof hardware of any sort. The closest thing that I know of is an IBM 4758 crypto co-processor card.

    I do not doubt that the iButton is durable. I would not be surprised if it is more durable than a smart card. However, I think that smart cards are durable enough. Here is what I will do. I will go outside right now and drive my truck over a smart card. I will then test it and report back here. If it is still functioning I will put it in a glass of water for a while. If you are still interested I will test it again and report again. If you would prefer I will stick it in my dishwasher and run it.

    As far as your "WAY more secure" comment, I fail to see how a "64 bit key" that the iButton has is more secure than 3DES. Please tell me why this is.

    The advantage that I see the iButton having is that it is big enough to have its own power source, so it can actively monitor its own state while not hooked up to a reader.

    Thanks!

  13. IButton on The Timex Speedpass Watch · · Score: 2
    The coolest part of the iButton is that the reader costs $15.00 at the most expensive and $1.00 in bulk for OEM's. A speedpass reader is more expensive than a smartcard reader.

    Reader expense is a small part of the expense of a total solution. If you look at this page you will see that the buttons themselves are more expensive than the readers. Also the buttons are much more expensive than comparable smart cards. I can buy Java Card Open Platform cards for $2.86 and there are 16 kbyte (not kbits as the iButton measures things) MFC cards for less than $1. If you are doing a deployment the cost of the cards will dwarf the cost of readers.

    (I prefer my ring)

    What do you use it for? Do you wear it all the time?

    Disclaimer: I work for IBM so I might be biased.

  14. Re:IBM T-series on Linux Laptop Recommendations for 2002? · · Score: 2
    has the always-excellent IBM keyboard.

    Hey Shawn, my keyboard sucks! The T series keyboard seems to be much less substantial than the 700 or 600 series keyboards were. My cursor keys have this strange behavior that I would proudly demonstrate to you one day. I have used a bunch of other T21s and they do not exhibit the problem mine has. Of course, I am often unlucky.

    Regardless, I prefer my T to the 600, which was itself a very nice machine.

    Now if I just had a T23......

    ps I also work for IBM. Comments are mine, obviously not theirs.

  15. REALLY small RC cars on Smallest RC Cars? · · Score: 2

    In one of my CS classes (I think it was AI but memory is such a flimsy thing) we watched a video on some crazy Japanese micro cars. These things were less than 1 centimeter in length. The wheels were so small that if you lubricated the axles it would cause them to bind. They looked pretty cool darting around on a table. You could really bother your cats with one. Didn't work too well on carpet though....

  16. Will you open-source your financials? on Announcing Slashdot Subscriptions · · Score: 2
    Hey Taco,

    I wonder if you could tell us what your expenses are (itemized so we see what Katz gets paid) and how much money you take in. I would find it very interesting to see if your subscription service is making you all rich off our comments.

    How much better do super-annoying ads pay? Have you thought about allowing users to do small low-cost text ads?

  17. You are right! on Announcing Slashdot Subscriptions · · Score: 2

    Because of that you won't get modded up. The people who still have mod privs don't agree with you.

  18. Re:Moderation and meta-moderation on Announcing Slashdot Subscriptions · · Score: 2

    What about those of us who have lost the ability to moderate for no good reason?

  19. I might be in that 3% on Announcing Slashdot Subscriptions · · Score: 2

    Because I actually participate on /. and provide content for you Rob.

  20. Don't call me abusive! on Announcing Slashdot Subscriptions · · Score: 2
    If you read sllort's journal carefully you will see that I am the one that brought his attention to the mass banning of moderators.

    I don't think that I was abusive. You are free to disagree. I should have modded up The Post of Doom as under-rated and saved my skin.

    But I continue to insist that off-topic is the most consistently misused moderation. Moderators need to read both the entire article and all parent posts to determine if a post is truly off topic. As far as the PoD is concerned it was more funny/interesting than off topic in my mind. The fact that Taco disagrees with me about ONE post should not have led to me being banned from moderation.

    Regardless, I consider myself a good member of the /. community, currently have a karma of 49, and I don't troll or post crap. I think that if I contribute to the content I should get a "member's discount".

  21. If I give you your filthy money... on Announcing Slashdot Subscriptions · · Score: 2
    will you let me moderate again?

    Of course I will again moderate up things that are funny/interesting that you think are offtopic.

    Also, I think that it is pretty strange that the people who post are going to be the ones that have to pay the most. We are producing your content Rob! Don't you think that accounts that have a certain amount of karma should be rewarded for giving you good content for free? Or are you relying on the fact that these people are addicted to your silly site and will be the ones you can milk the most lucre out of?

    I propose that every post that is archived at either +4 or +5 give the user a $0.40 and $0.60 credit respectively. Also, editor moderations down shouldn't change this calculation.

    You don't want to annoy your posters Rob, THEY ARE THE SITE!

  22. How does this suit you? on On the (Im)possibility of Obfuscating Programs · · Score: 2
    I am not going to bother looking it up, but there is a company from either Finland or Sweden that makes a product that allows you to run essential parts of your code on a smart card.

    They even have a way for you to distribute the source code with the essential parts extracted, compile it and run it assuming that you have the card for the program.

    Since I am lazy I am not going to use Google to look it up, but they were at the last CTST conference selling their system.

  23. Re:CompUSA employees != computer literate on iWarez · · Score: 2
    I agree. A few weeks ago I was looking for an adapter to hook a laptop IDE drive up to a desktop system. I asked the guy at CompUSA and he said, "Go ask that guy over there, he's our expert." So I ask the expert and once he understands what I am asking for he tells me that such a thing doesn't exist.

    I bought one 15 minutes later at a local store.

  24. You are forgiven! on iWarez · · Score: 1, Offtopic

    I am just bitter that the articles I submit never get posted. Actually, they usually DO get posted, just a day after my submission has been rejected.

  25. You are right! on iWarez · · Score: 5, Informative
    If the poster of the article had read the story he would have noticed that it was a customer who witnessed the iPod piracy. He contacted a CompUSA employee and according to the article:

    Webb watched the teenager copy a couple of other applications. He left the kid to find a CompUSA employee. "I went over and told a CompUSA guy, but he looked at me like I was clueless," Webb said.

    Unsure whether the kid was a thief or an out-of-uniform employee, Webb watched as he left the store. "I thought there's no point in getting any more involved in this imbroglio," Webb said. "Besides, this is Texas. You never know what he might have been carrying."

    CompUSA representatives didn't respond to requests for comment. Neither did Apple officials.

    So basically the CompUSA people had no clue what was going on. Typical.

    Also note that nobody was caught as the poster claimed. The event was merely witnessed, nobody was caught.