The Auto-ID system that Alien Technology is implementing supports 96 bits of data, apparently read only. They are attempting to deploy the next generation of UPC Barcodes, something they're calling ePC. Some good information about the tech can be found here:
The 13.56mhz spec that appears to be used for badge reading supports 2048 bits, with 64 being read-only. It's irrelevant to encrypt this data, not because the space is small (encryption does not necessarily expand the size of your data) but because you don't need to understand what you're replaying in order to replay it.
I walk next to you on a train, spit out power, sniff some bits, and spit out the bits when I'm nearby your badge reader. Poof. I win.
Again, I need to emphasize that while this use of RFID -- inventory control -- does have some creepy personal and corporate privacy issues, it's nothing at all like the situation with badges.
There is the Legitimate Counterfeit issue, though. Large US currency now contains a magnetic strip to authenticate its validity. People were talking about using that strip to detect whether or not a bill was real. Well, there's a problem -- the strip is almost invisible to the naked eye, but can be easily removed without rendering the actual bill in any way, shape, or form visibly molested. So you've got this disturbing corner case where an attacker can strip the value from a twenty, attach it to a counterfeit bill, and still have a completely legitimate looking original on his hands. So, end result has been that as far as I know nobody uses the strip as a final arbiter of whether currency is real or not.
The equivalent problem with ePC is that you can tell when a UPC has been rendered inoperable, because it's just a visual series of stripes on paper. We're good at seeing stripes -- we're *not* good, however, at seeing RF bitstreams. At the end of the day, people are buying goods, not codes -- but the issue of the two being separated can be problematic.
Yours Truly,
Dan Kaminsky
DoxPara Research
http://www.doxpara.com
There's no shortage of equipment that can capture and transmit on these frequencies; cordless phones do analog work in this domain all the time. But, again -- Alien is not trying to do badging, they're trying to do inventory control.
Very, very different problems. Worst case scenario is that a competitor drives by your facility and gets the same realtime updates of your inventory that you do.
Yours Truly,
Dan Kaminsky
DoxPara Research
http://www.doxpara.com
Interesting. I just started doing some preliminary research on the security of RFID badge readers, based off of hazy memories that somebody had shown they were absolutely trivial to capture and replay.
Haven't been able to find that paper yet, but I can tell you what I've seen ain't great. Here's the story:
RFID stands for Radio Frequency Identification, and is essentially a Tesla-esque hack to allow contactless, bidirectional storage of small amounts of data on trivial circuits powered by the reader infrastructure itself. It's most commonly deployed nowadays as a replacement for magnetic-swipe oriented systems, as the lack of an exposed data surface and the absence of contact during scanning make RFID astonishingly reliable. The functionality is quite compelling, as Gilette's mass purchase shows -- what if you never needed to do inventory? What if you could just have a few sensors throughout your warehouse do a "mass ping" and acquire from the mass of replies precisely what needs to be restocked?
And it would only take a few sensors, too. Badge readers may only provide a few inches range, but there was a pretty big fuss a while back about RFID becoming functional at nine meters. At that point, you're quite a bit beyond the forklift knowing precisely what it's carrying. It's pretty clear that Gilette will make its $50M back within a year.
Oddly enough, Inventory Tracking is much, much better use of RFID than as a badging technology, even though the latter remains much more common than the former. Badging, like all trust management systems, attempts to differentiate the few who are trusted from the many that aren't.
The problem is, the many that aren't trusted aren't trusted for a reason -- they'll spy, they'll steal, they'll break stuff. Against that backdrop, mounting an attack against the security system isn't particularly unimaginable -- and here's where things get problematic.
You see, RFID tags make 802.11 look like Alcatraz.
Passive RFID systems are powered by the outside world -- the evil demon of Cartesian yore is handing over the battery. Given a cooperative RF field, the chip spews the same bits, over and over and over again.
When an employee is standing in front of the legitimate badge reader, this is a good thing. When an employee is sitting on the subway on his way to work and some guy walks by with a power source and 13.56Mhz sniffer in his briefcase...well, I guarantee you that briefcase ain't going to beep "Thank you for your access credentials, I'll be you now." All the attacker needs to do is forge a standard plastic badge and covertly trigger a transmitter when approaching the door -- there's no way for anyone to know the badge wasn't the source of the RFID transmissions!
Just because your badge reader only works from a few inches away doesn't mean anyone's reader will. If all I need to do to get access to your entire corporate infrastructure is sit in the lobby "waiting for someone" as your CEO strolls by, you don't actually have a security system. You just have doors:-)
Now, I've got my suspicions of whether magnetic strips can be read at a distance, but to be honest, I'm more than willing to concede that it's a longshot at best (and a hilariously laughable descent into paranoia at worst). But RFID is not the kind of technology people should be carrying around with them at all times, assuming that as long as they still have their card, they still have the value the card represents.
To be fair, it's an extraordinarily difficult problem for TI et al to solve: The chips are necessarily trivial -- they're *powered* by the sensors, for crying out loud. Not only is it nearly impossible to build any kind of cryptosystem into a chip that small and weak, but the system itself would remain utterly defenseless against electrical skullduggery: Manipulating a chip's power source is one of the definitive ways of divining its cryptographic secrets, as Satellite TV hackers have been pointing out for quite some time.
Security hasn't been left completely unaddressed by the RFID industry; they're well aware of the problems and have attempted some manuevers to compensate. As mentioned, some RFID systems can be both read and written to. This would be perfect for creating a "universal badge" that could spoof any identity without even a separate transmission system that could be examined and recognized. So what some companies have done is create a 64 bit region that cannot be modified and remains unique to the badge itself. So you use those 64 bits as a badge identifier that authenticates the rest of the data, and trust that your vendor will never release a badge that either a) repeats identifiers (unlikely, 2^64 is a very large number) or b) can have its identifier changed.
Of course, they can't do anything about c) somebody hacks together their own badge that doesn't play by the same arbitrary restrictions.
Now, I could get up and say "Oh my god! You just can't do this, it's horrifyingly insecure, just use IPSec/SSH er wait wrong wireless technology..."
But that wouldn't be useful. Maybe this might be:
There are some techniques that can minimize the exposure from insecure RFID badge authentication systems. Exploiting the Read/Write capacity is moderately elegant and requires only a badging infrastructure that supports RW. Essentially, every time somebody attempts to enter the secure facility and provides a valid bitstream from their badge, upload a new unique bitstream and verify the badge accepted it. This reduces the window of opportunity for an attacker and significantly increases their risk of discovery, since now the bits they steal today will stop working the moment the legitimate employee uses their badge next. Furthermore, if the attacker does manage to get to a badge reader before the employee returns for another update cycle, he has two major problems: First, his equipment must be minorly more complex, because it must inform the system that it has completed updating its internal RAM with the new (possibly cryptographically signed) bitstream. This is only a minor deterrent; having the equipment to spoof the badge reader means you likely have the equipment to read from one too. Second, and more importantly, because the interloper cannot control the bitstream submitted by the reader and expected upon next examination, the legitimate card will possess an out-of-date bitstream, allowing Security to discover the unauthorized entry.
That works OK. Not great -- especially if badge access translates into an ability to hack the central authentication server to accept whatever bits the legitimate card originally had -- but OK. Really, once the attacker gets access to the card's bitstream, it's game over.
So, lets prevent that. RFID may be contactless but that doesn't mean the badges themselves are -- they're attached to a living, breathing, thinking human being. One with fingers. Fingers that, for the last hundred thousand years or so, have had the ability to pinch two things together, like contacts inside a card. "Pinch here to activate badge", if you will. Just embed a cheap "squeeze sensor" into the card such that two contacts need to be forced together for the card to respond to the RF power source. It's cheap, it's easy, and it can be designed to fail towards functionality or security (i.e. the contacts either can't be separated or can't be attached).
I did see some mention of work to embed cryptographic constructs into Passive RFID systems; one paper pointed out that hash algorithms can be made using very little silicon, so having the card read some value from the badge reader and return a that value hashed with a shared secret can be a valid solution. As I pointed out earlier, these things are *so* vulnerable to power assult that any shared secret inside of them wouldn't last for long. (It's the kind of thing where you run some data through and you look at which gates are glowing -- thus you see which memory blocks are 1 and which are 0.) But this type of analysis usually requires physical access to the security card much greater than simply walking past the mark, so there's a definite win. Plus the system is inherently immune to replay attack because the output of the card is dependant upon the particular input of a given badge reading. Excellent -- if it works(and the hash is cryptographically secure, not CRC-32!).
Of course, this is all mildly off topic. Gilette's security posture is vastly different; they're more worried about five finger discounts and overly optimistic projections than they are about a rogue batch of razor blades sneaking in the back door! But since we're only a precious little amount of time away from the definitive displays of RFID remote compromise, I thought it worthwhile to go into some depth about the security concerns of RFID.
Yours Truly,
Dan Kaminsky
DoxPara Research
http://www.doxpara.com
My primary question about this system is whether it creates a secure domain, within which everything may be sniffed and trusted, or whether communications follow the principle of minimum exposure, i.e. a connection between hosts A and B cannot be read by hosts C and D, while a broadcast packet from A can be read by B, C, and D but not by anyone else.
It's much easier to create a shared domain than it is to create a dynamic key mesh (presuming there's no pubkey stuff at work, and even then things get tricky). One shortcut is simply to provide keys to the upstream router, and let the router sniff all traffic (and experience the cost of routing traffic between endpoints). My bet is that this is what's done.
Actually, the build of OpenOffice inside of Knoppix works astonishingly well at reading pretty complex word documents -- I actually used it to parse an RFP a few weeks ago, and that thing was a *mess*.
It's nontrivial to decode, but whatever crypto is there exists on a per-file, not a per-link basis. I was able to verify that munging bits in the stored format does indeed munge bits on the wire, so replay techniques should be fruitful.
There doesn't appear to be any way to do accelerated *downloads* off the NetMD, however. It was sad -- I went on a trip with my NetMD, and really enjoyed the thing, but I just wasn't willing to go back to 1x or 4x transfers. Even MMC, which is ungodly slow in its own right, does MP3 at 12x realtime!
What can I say? The technical chops of the NetMD just don't make it worth it to hack on.
I did the NetMD experience, due precisely to the logic you describe. Even started reverse engineering the USB protocol used to get music into it (hint: It's possible).
Returned the sucker -- and watched it get put into a pile of other returns -- when I realized achieving 4x upload times w/o the USB hack required using this miserable copy protection system that sucked up massive amounts of hard drive, but without it, I'd have to spend one hour uploading for every hour of music -- and I'd have no track boundries.
So, the short answer: Minidisc takes *forever* to write.
Jogging was my problem. You already can't stick a CD player in your pocket, but the combination of no-carry and lots and lots of jogging induced skipping (I've had three MP3 CD players, ending with the RioVolt) cut off my mp3 adventures pretty quick.
The real problem with portable media is you lose your custom mixes -- that, and they take FOREVER to write to, compared to a CD. I'm just going to bite the bullet and get an iPod. They're Just That Good.
It wasn't hard for me to acquire blueprints of my home -- they're on file with our neighborhood association. As far as I'm aware, some branch of the US government possesses blueprints of every single major and minor structure in the country, and I do believe it's even possible for average citizens to gain access to these plans.
Why? Because the costs of a building not built to spec greatly exceed the benefit of security through obscurity. By forcing building specifications to remain open to some degree, it becomes difficult to hide egregious faults in building design -- and thus, lives are spared.
As I've been pointing out for some time -- every single non-military technology that mankind has considered important has tended towards greater and greater openness -- from legal systems to building codes to the contents of our food. Software is a rare exception.
Yours Truly,
Dan Kaminsky
DoxPara Research
http://www.doxpara.com
Dr. Friedman is quite a character -- I was lucky enough to chat with him a couple times; he teaches at Santa Clara University and by some peculiar twist of fate I now possess a degree from there. So we ended up going to the same talks every once in a while -- quirky guy, occasionally reminds you of the late 90's when people really acted like the Internet Was Going To Change Humanity or something.
Friedman's paper is overall pretty reasonable, but his calculations seem to ignore the *tremendous* nonlinearity in our responsiveness to bad news. Ten people can tell you a restaurant is good, but if one says it's bad, you're probably not going to eat there. Paypal can pass a million good transactions a year, and it only takes a couple thousand questionable ones to really make a visible impact on their quality of service. Simply having one's reputation questioned tarnishes it -- indeed, one reason so many cases settle, or go to binding arbitration, is to keep major conflicts quiet.
It's in this context that arbitration servers have a problem. If they downgrade reputation as humans do, those who are downgraded may complain -- with apparent statistical cause -- that their otherwise good service is being mucked up by the inevitable screwups. But if they *don't*, their data is quite useless relative to the weighing the human mind does, and nobody would ever trust them.
Now, as an economist, Friedman would probably use this as an example of how humans are irrational...I doubt that. Consider the nonlinearity a form of damage multiplication...one transaction may be tweaked to make more money, but this will impact a hundred other transactions, that will thus cause a net loss of money. This means nobody can be screwed over -- everyone must get fair service. Without nonlinearity, it's always worthwhile to screw 1-5% percent of your clientele.
The news have it right -- bad news is much more interesting, and it should be.
For what it's worth, I do suspect that a cross-jurisdictional system will spawn to handle global commerce, and I think it'll be a combination of Friedman and Visa. Anonymity in financial transactions is pretty doomed -- we've just gotten accustomed to handing over our wallet, and hoping we get it all back -- but my expectation is that person-to-person cash transfer over distance will be formalized, arbitrated, and most of all -- insured. There will be reputational work, but it'll be in the same context we already have institutionalized reputations -- credit checks. It's *much* more likely that we'll see ebay feedback on your Visa web page than we'll see some funky distributed arbitration notices system.
Visa, you see, has one major advantage: The arbitration systems that Friedman describes are great for stopping the *next* fraud, but they don't do anything about *this* one. This is the big deal about government, folks -- they may not prevent crime directly, but they sure as hell respond to it. It's not like there's a murder, and the cops are like, wow, we better prevent any gun stores from letting this guy in, but that's all we can do:-)
Yours Truly,
Dan Kaminsky
DoxPara Research
http://www.doxpara.com
Ah, the classics...you include Crystalis, you've got good taste. SF2010! I remember this...I was so pissed it wasn't SF2, then I realized it was something completely different. Man, what I'd do to stay upgraded to max punch...some more recommendations:
Terranigma (SNES)-- imagine Zelda with a seriously bizarre and even mature plot. Now give it a really, really satisfying battle system. A must play.
Blaster Master -- my top pick:-)
Battletoads -- even on an emu w/ infinite reloads, I can't beat the unicycle level. It's horrifying:-)
Gunstar Heroes(Genesis): Totally quirky contraish shooter, it becomes something else.
Batman for NES! Best Batman Game Ever, possibly the only good one.
Rygar:-)
River City Ransom
Solar Jetman
Shadowrun -- you wake up in a morgue:-)
and of course...
Cybernator for SNES. A more detailed, replayable, intelligent beat-crap-up-with-gynormous-mech game, you've never seen.
Dyqik, that doesn't make any sense. There's no need for communication between two clusters after the big bang in the situation you describe: Given a limited set of circumstances that creates stellar bodies detectable at such great range, either those circumstances occur -- and we detect something -- or they don't, and we see nothing.
With a limited set of circumstances, it's trivial to imagine a limited set of detectable outcomes, particularly if the laws of the universe are, well, universal. Stars too hot would have burned out billions of years ago; stars too cold we could not see. That leaves this very narrow region we're able to detect, and unsurprisingly everywhere we look we see the same thing. When there's something else, we're either too late or blind.
Even this logic is unnecessary, though -- given that the visible regions were once part of the same singularity, all the "information" they'd ever need to remain related could have been exchanged at the point of the Big Bang itself. Absolutely identical output is theoretically justifiable, if there's a quantum level pseudorandom number generator at work. (Oddly enough, if there was, we'd never be able to tell, except through its occasional bugs...like entanglement, perhaps.)
Then I sat down, and realized what's going probably on here (the CNet article didn't specify, and I didn't think to track down the original work. Foo on me. So I'm pulling this out of my proverbial ass.)
Perfectly random images are indeed impossible to add data to without creating some form of irreversable distortion. Suppose you had a "remove transformation" mask embedded in the included transform. This mask itself would take information, which would then need to be added to the transform, which would increase the size of the transform, thus necessitating a bigger mask, ad nauseum. So you could never embed the reversal instructions.
However, photographs are not perfectly random. Along the light wavelengths that nature selected for humans to sense, significant patterns exist -- edges, gradients, shapes, and so on. Though precise intensities eventually hit perfect randomness at absolute sensitivity, digital photographs (even without JPEG) quantize imagery into 8 bits per channel -- 24 bits total. So those patterns we see actually create significant regions of reduced entropy -- less information in the image than there is otherwise room for.
And that's the key -- because once there's extra capacity, we can embed both some message and the means to remove that message in the extra space. Then it's just a matter of using one of a thousand ways to share the secret across all the low entropy regions of the image, and you're done.
No, it doesn't violate information theory. Yes, it's mildly cool. No, it's nothing like a public key steganographic system -- there's nothing inherent about the system that prevents unauthorized removal, or even unauthorized addition of the watermark. But it's a useful adjunct -- concievably, it'd be at the heart of a watermarking system that fingerprinted audio and video in low-entropy segments, then removed the fingerprint before it hit the d/a converter.
I'm pretty sure the strategy extends to floating point representations as well, though there's likely much less compressability due to noisy capture circuitry and higher raw entropy in the signal.
Yours Truly,
Dan Kaminsky
DoxPara Research
http://www.doxpara.com
Lets assume we had a random distribution of people between 0 and 60 years old, and we were interested in the same birthdate. So, that's 60*365 possibilities...21900 dates. Since the birthday paradox effectively approximates down to a square root of the number of possibilities(would you believe I never noticed this?) that's about 147 randomly picked people are required before you'll find two with the exact same birthdate.
Of course, US POPULATION DISTRIBUTIONS AREN'T RANDOM, there's this big ol' spike referred to as the Baby Boom, which is really accentuated by the Twentysomething Massacre that came right before -- so YMMV.
How much less? Factorial math is pretty ugly, but the "half the entropy"(aka square root) rule is pretty widespread when designing cryptographic hashes against birthday attacks.
However, all of this is irrelevant as MAC addresses are not randomly picked by manufacturers and won't be randomly picked by people changing them.
Ummm, I use Yarrow to generate spoofed MACs:-) Though I admit to dropping a null byte at the beginning -- some hardware just gets confused for strange reasons. Also it keeps me out of the multicast range except when I choose to be there.
Anyway, random keygenerators are older than I am, Red. We're talking about a randomizer to get you around a MAC ban -- one-click unbans don't particularly ask you to type *anything*. And as I found out earlier, you can actually burn a new MAC into the hardware without a trace (though I suspect you might want to keep the manufacturer ID bytes the same).
Hmmm. Total set of possibilities is 365*365, or 133225 different combinations of two people with two birthdays. Of those 133225 possibilities, 365 of them involve the two people having the exact same birthday. So:
133225/365 ======
365 (unsurprisingly)
1/365 times, two people have the same birthday. I think the two person case is special because if x equals y, y must also equal x. The -1 is really familiar, but the brute forcing above just doesn't flesh it out.
If you include the manufacturer code, you no longer have a random system -- most likely, they're serializing each card from a very large address space, and (barring unfortunate accidents by far eastern card manufacturers) never using that number again. No collisions -- ever.
But if you have two hosts randomly pick an address, they can twiddle all 48 bits. Odds of a collision hit 2^48 unless all nodes ever activated are simultaneously active, in which case the odds of an eventual collision hit 50% once 2^24 nodes are live.
Thassa lot of nodes, but it's a nonzero chance of collision.
Incidentally, this is why direct sequence spread spectrum occasionally beats the pants off of frequency hopping. The former increments freq's along a linear progression; the latter uses PRNGs to choose which subband to hop onto next. It takes some synchronization, but the former can be guarantee to never collide -- while the latter is has to!
It is actually possible to design functions that are nonlinear and never collide, though. I'm trying to track one down right now, actually:-) It's a use of LFSR's.
Incidentally, it'll be interesting when they overflow the manufacturer byte(why haven't they already?).
Just pulled out a Netgear FA311TX...it's like a FA310TX, but it sucks (not a Tulip).
Managed to get it to work with the netsemi linux module, which is more than I can say for the Linksys ethernet cards. I swear, Linksys needs to bribe someone to sell them Tulips...
Anyway.
The card has a big ol' spot for bootable EPROM that's unfilled, and instead has this tiny(sub-square-centimeter) chip soldered on. Whatsit?
ATC 93LC46 (serial EEPROM)
Ah, EEPROMs...slow as hell to write to, but write to them you can. I don't think any of the standard drivers allow access to the EEPROM though, since it's usually easier to twiddle some registers to get the same job done.
Anyone familiar with network drivers that actually flip EEPROM bits?
If there's one card on a network, and you add another, the question becomes "what are the odds that the two cards will pick the same number?" Since there's 48 bits of entropy(minus a small range for multicast addresses and broadcast), the odds are effectively 2^48.
This is big.
If there's many cards on a network, and you want to know how many total you can add before two of them will end up with the same card, the answer's far smaller -- 2^24, which is still pretty huge(it's a bit more than 16 million). It's a different problem because each time you add a new card, the card after has one more it can possibly match with. This is known as the birthday paradox, so named because this precise logic means that given 23 people in a room, there's a +50% chance that two people have the same birthday. Each new person is one more to match with.
In reality, this is a moot point: MAC address prefixes are assigned by manufacturer, and the manufacturer serializes their cards such that no two shipped devices should ever have the same MAC address. Sometimes there are screwups, but they're pretty rare as far as I know.
To debunk what a couple people are saying -- yes, MAC addresses as exposed to the network can be changed, but MAC addresses as detected by custom client software may be more tricky. Whatever the driver is exposing to the network, the card itself can't usually have its MAC address written over(i.e. once power is cycled, that card's returning to original shipped condition). I'm positive there are exceptions to this, but they're probably rare.
Actually, this gives me an interesting idea. You can probably remotely fingerprint the age of a computer based on the MAC address of its ethernet card...and if IPV6's MAC->IP shove goes through, you'll be able to do that reasonably remotely!
Yours Truly,
Dan Kaminsky
DoxPara Research
http://www.doxpara.com
You sure 'bout that? It seems to me that image trademarks have to be an extension of the original image copyright, i.e. I can't claim trademark on an image I don't possess copyright on, nor is it really meaningful for someone else to have copyright on my trademark (i.e. I'd be limiting their right to copy with my trademark, so they wouldn't particularly possess copyright now would they?)
Disney's dragged 20th century culture through the mud to save Mickey; I can't imagine they'd do so if you were right. Of course, I Could Be Wrong.
Slashdot Mirror
Good questions.
The Auto-ID system that Alien Technology is implementing supports 96 bits of data, apparently read only. They are attempting to deploy the next generation of UPC Barcodes, something they're calling ePC. Some good information about the tech can be found here:
Introduction to Auto-ID.
The 13.56mhz spec that appears to be used for badge reading supports 2048 bits, with 64 being read-only. It's irrelevant to encrypt this data, not because the space is small (encryption does not necessarily expand the size of your data) but because you don't need to understand what you're replaying in order to replay it.
I walk next to you on a train, spit out power, sniff some bits, and spit out the bits when I'm nearby your badge reader. Poof. I win.
Again, I need to emphasize that while this use of RFID -- inventory control -- does have some creepy personal and corporate privacy issues, it's nothing at all like the situation with badges.
There is the Legitimate Counterfeit issue, though. Large US currency now contains a magnetic strip to authenticate its validity. People were talking about using that strip to detect whether or not a bill was real. Well, there's a problem -- the strip is almost invisible to the naked eye, but can be easily removed without rendering the actual bill in any way, shape, or form visibly molested. So you've got this disturbing corner case where an attacker can strip the value from a twenty, attach it to a counterfeit bill, and still have a completely legitimate looking original on his hands. So, end result has been that as far as I know nobody uses the strip as a final arbiter of whether currency is real or not.
The equivalent problem with ePC is that you can tell when a UPC has been rendered inoperable, because it's just a visual series of stripes on paper. We're good at seeing stripes -- we're *not* good, however, at seeing RF bitstreams. At the end of the day, people are buying goods, not codes -- but the issue of the two being separated can be problematic.
Yours Truly,
Dan Kaminsky
DoxPara Research
http://www.doxpara.com
Buy more RAM and disable swap. Or just disable it -- at 1Gb, you're close to what you need anyway.
I'm serious. With another gig costing a hundred dollars -- maybe less -- the overhead of disk-based VM is just no longer justified.
WinXP benefits from this optimization even more than Linux.
Yours Truly,
Dan Kaminsky
DoxPara Research
http://www.doxpara.com
Small update.
Alien is using 915mhz/2.45ghz. I assumed they were using the tech described here:
13.56 MHz Frequently Asked Questions
There's no shortage of equipment that can capture and transmit on these frequencies; cordless phones do analog work in this domain all the time. But, again -- Alien is not trying to do badging, they're trying to do inventory control.
Very, very different problems. Worst case scenario is that a competitor drives by your facility and gets the same realtime updates of your inventory that you do.
Yours Truly,
Dan Kaminsky
DoxPara Research
http://www.doxpara.com
Interesting. I just started doing some preliminary research on the security of RFID badge readers, based off of hazy memories that somebody had shown they were absolutely trivial to capture and replay.
:-)
Haven't been able to find that paper yet, but I can tell you what I've seen ain't great. Here's the story:
RFID stands for Radio Frequency Identification, and is essentially a Tesla-esque hack to allow contactless, bidirectional storage of small amounts of data on trivial circuits powered by the reader infrastructure itself. It's most commonly deployed nowadays as a replacement for magnetic-swipe oriented systems, as the lack of an exposed data surface and the absence of contact during scanning make RFID astonishingly reliable. The functionality is quite compelling, as Gilette's mass purchase shows -- what if you never needed to do inventory? What if you could just have a few sensors throughout your warehouse do a "mass ping" and acquire from the mass of replies precisely what needs to be restocked?
And it would only take a few sensors, too. Badge readers may only provide a few inches range, but there was a pretty big fuss a while back about RFID becoming functional at nine meters. At that point, you're quite a bit beyond the forklift knowing precisely what it's carrying. It's pretty clear that Gilette will make its $50M back within a year.
Oddly enough, Inventory Tracking is much, much better use of RFID than as a badging technology, even though the latter remains much more common than the former. Badging, like all trust management systems, attempts to differentiate the few who are trusted from the many that aren't.
The problem is, the many that aren't trusted aren't trusted for a reason -- they'll spy, they'll steal, they'll break stuff. Against that backdrop, mounting an attack against the security system isn't particularly unimaginable -- and here's where things get problematic.
You see, RFID tags make 802.11 look like Alcatraz.
Passive RFID systems are powered by the outside world -- the evil demon of Cartesian yore is handing over the battery. Given a cooperative RF field, the chip spews the same bits, over and over and over again.
When an employee is standing in front of the legitimate badge reader, this is a good thing. When an employee is sitting on the subway on his way to work and some guy walks by with a power source and 13.56Mhz sniffer in his briefcase...well, I guarantee you that briefcase ain't going to beep "Thank you for your access credentials, I'll be you now." All the attacker needs to do is forge a standard plastic badge and covertly trigger a transmitter when approaching the door -- there's no way for anyone to know the badge wasn't the source of the RFID transmissions!
Just because your badge reader only works from a few inches away doesn't mean anyone's reader will. If all I need to do to get access to your entire corporate infrastructure is sit in the lobby "waiting for someone" as your CEO strolls by, you don't actually have a security system. You just have doors
Now, I've got my suspicions of whether magnetic strips can be read at a distance, but to be honest, I'm more than willing to concede that it's a longshot at best (and a hilariously laughable descent into paranoia at worst). But RFID is not the kind of technology people should be carrying around with them at all times, assuming that as long as they still have their card, they still have the value the card represents.
To be fair, it's an extraordinarily difficult problem for TI et al to solve: The chips are necessarily trivial -- they're *powered* by the sensors, for crying out loud. Not only is it nearly impossible to build any kind of cryptosystem into a chip that small and weak, but the system itself would remain utterly defenseless against electrical skullduggery: Manipulating a chip's power source is one of the definitive ways of divining its cryptographic secrets, as Satellite TV hackers have been pointing out for quite some time.
Security hasn't been left completely unaddressed by the RFID industry; they're well aware of the problems and have attempted some manuevers to compensate. As mentioned, some RFID systems can be both read and written to. This would be perfect for creating a "universal badge" that could spoof any identity without even a separate transmission system that could be examined and recognized. So what some companies have done is create a 64 bit region that cannot be modified and remains unique to the badge itself. So you use those 64 bits as a badge identifier that authenticates the rest of the data, and trust that your vendor will never release a badge that either a) repeats identifiers (unlikely, 2^64 is a very large number) or b) can have its identifier changed.
Of course, they can't do anything about c) somebody hacks together their own badge that doesn't play by the same arbitrary restrictions.
Now, I could get up and say "Oh my god! You just can't do this, it's horrifyingly insecure, just use IPSec/SSH er wait wrong wireless technology..."
But that wouldn't be useful. Maybe this might be:
There are some techniques that can minimize the exposure from insecure RFID badge authentication systems. Exploiting the Read/Write capacity is moderately elegant and requires only a badging infrastructure that supports RW. Essentially, every time somebody attempts to enter the secure facility and provides a valid bitstream from their badge, upload a new unique bitstream and verify the badge accepted it. This reduces the window of opportunity for an attacker and significantly increases their risk of discovery, since now the bits they steal today will stop working the moment the legitimate employee uses their badge next. Furthermore, if the attacker does manage to get to a badge reader before the employee returns for another update cycle, he has two major problems: First, his equipment must be minorly more complex, because it must inform the system that it has completed updating its internal RAM with the new (possibly cryptographically signed) bitstream. This is only a minor deterrent; having the equipment to spoof the badge reader means you likely have the equipment to read from one too. Second, and more importantly, because the interloper cannot control the bitstream submitted by the reader and expected upon next examination, the legitimate card will possess an out-of-date bitstream, allowing Security to discover the unauthorized entry.
That works OK. Not great -- especially if badge access translates into an ability to hack the central authentication server to accept whatever bits the legitimate card originally had -- but OK. Really, once the attacker gets access to the card's bitstream, it's game over.
So, lets prevent that. RFID may be contactless but that doesn't mean the badges themselves are -- they're attached to a living, breathing, thinking human being. One with fingers. Fingers that, for the last hundred thousand years or so, have had the ability to pinch two things together, like contacts inside a card. "Pinch here to activate badge", if you will. Just embed a cheap "squeeze sensor" into the card such that two contacts need to be forced together for the card to respond to the RF power source. It's cheap, it's easy, and it can be designed to fail towards functionality or security (i.e. the contacts either can't be separated or can't be attached).
I did see some mention of work to embed cryptographic constructs into Passive RFID systems; one paper pointed out that hash algorithms can be made using very little silicon, so having the card read some value from the badge reader and return a that value hashed with a shared secret can be a valid solution. As I pointed out earlier, these things are *so* vulnerable to power assult that any shared secret inside of them wouldn't last for long. (It's the kind of thing where you run some data through and you look at which gates are glowing -- thus you see which memory blocks are 1 and which are 0.) But this type of analysis usually requires physical access to the security card much greater than simply walking past the mark, so there's a definite win. Plus the system is inherently immune to replay attack because the output of the card is dependant upon the particular input of a given badge reading. Excellent -- if it works(and the hash is cryptographically secure, not CRC-32!).
Of course, this is all mildly off topic. Gilette's security posture is vastly different; they're more worried about five finger discounts and overly optimistic projections than they are about a rogue batch of razor blades sneaking in the back door! But since we're only a precious little amount of time away from the definitive displays of RFID remote compromise, I thought it worthwhile to go into some depth about the security concerns of RFID.
Yours Truly,
Dan Kaminsky
DoxPara Research
http://www.doxpara.com
My primary question about this system is whether it creates a secure domain, within which everything may be sniffed and trusted, or whether communications follow the principle of minimum exposure, i.e. a connection between hosts A and B cannot be read by hosts C and D, while a broadcast packet from A can be read by B, C, and D but not by anyone else.
It's much easier to create a shared domain than it is to create a dynamic key mesh (presuming there's no pubkey stuff at work, and even then things get tricky). One shortcut is simply to provide keys to the upstream router, and let the router sniff all traffic (and experience the cost of routing traffic between endpoints). My bet is that this is what's done.
Anyone know?
--Dan
www.doxpara.com
Actually, the build of OpenOffice inside of Knoppix works astonishingly well at reading pretty complex word documents -- I actually used it to parse an RFP a few weeks ago, and that thing was a *mess*.
--Dan
It's nontrivial to decode, but whatever crypto is there exists on a per-file, not a per-link basis. I was able to verify that munging bits in the stored format does indeed munge bits on the wire, so replay techniques should be fruitful.
There doesn't appear to be any way to do accelerated *downloads* off the NetMD, however. It was sad -- I went on a trip with my NetMD, and really enjoyed the thing, but I just wasn't willing to go back to 1x or 4x transfers. Even MMC, which is ungodly slow in its own right, does MP3 at 12x realtime!
What can I say? The technical chops of the NetMD just don't make it worth it to hack on.
--Dan
I did the NetMD experience, due precisely to the logic you describe. Even started reverse engineering the USB protocol used to get music into it (hint: It's possible).
Returned the sucker -- and watched it get put into a pile of other returns -- when I realized achieving 4x upload times w/o the USB hack required using this miserable copy protection system that sucked up massive amounts of hard drive, but without it, I'd have to spend one hour uploading for every hour of music -- and I'd have no track boundries.
So, the short answer: Minidisc takes *forever* to write.
--Dan
Jogging was my problem. You already can't stick a CD player in your pocket, but the combination of no-carry and lots and lots of jogging induced skipping (I've had three MP3 CD players, ending with the RioVolt) cut off my mp3 adventures pretty quick.
The real problem with portable media is you lose your custom mixes -- that, and they take FOREVER to write to, compared to a CD. I'm just going to bite the bullet and get an iPod. They're Just That Good.
--Dan
It wasn't hard for me to acquire blueprints of my home -- they're on file with our neighborhood association. As far as I'm aware, some branch of the US government possesses blueprints of every single major and minor structure in the country, and I do believe it's even possible for average citizens to gain access to these plans.
Why? Because the costs of a building not built to spec greatly exceed the benefit of security through obscurity. By forcing building specifications to remain open to some degree, it becomes difficult to hide egregious faults in building design -- and thus, lives are spared.
As I've been pointing out for some time -- every single non-military technology that mankind has considered important has tended towards greater and greater openness -- from legal systems to building codes to the contents of our food. Software is a rare exception.
Yours Truly,
Dan Kaminsky
DoxPara Research
http://www.doxpara.com
Mike Schiffman wrote Libnet, i.e. the library that creates a unified interface to actually *writing* raw packets to a wire.
This is his baby -- lets just say I don't have any doubts.
--Dan
Whoa, Friedman made Slashdot. Not bad.
:-)
Dr. Friedman is quite a character -- I was lucky enough to chat with him a couple times; he teaches at Santa Clara University and by some peculiar twist of fate I now possess a degree from there. So we ended up going to the same talks every once in a while -- quirky guy, occasionally reminds you of the late 90's when people really acted like the Internet Was Going To Change Humanity or something.
Friedman's paper is overall pretty reasonable, but his calculations seem to ignore the *tremendous* nonlinearity in our responsiveness to bad news. Ten people can tell you a restaurant is good, but if one says it's bad, you're probably not going to eat there. Paypal can pass a million good transactions a year, and it only takes a couple thousand questionable ones to really make a visible impact on their quality of service. Simply having one's reputation questioned tarnishes it -- indeed, one reason so many cases settle, or go to binding arbitration, is to keep major conflicts quiet.
It's in this context that arbitration servers have a problem. If they downgrade reputation as humans do, those who are downgraded may complain -- with apparent statistical cause -- that their otherwise good service is being mucked up by the inevitable screwups. But if they *don't*, their data is quite useless relative to the weighing the human mind does, and nobody would ever trust them.
Now, as an economist, Friedman would probably use this as an example of how humans are irrational...I doubt that. Consider the nonlinearity a form of damage multiplication...one transaction may be tweaked to make more money, but this will impact a hundred other transactions, that will thus cause a net loss of money. This means nobody can be screwed over -- everyone must get fair service. Without nonlinearity, it's always worthwhile to screw 1-5% percent of your clientele.
The news have it right -- bad news is much more interesting, and it should be.
For what it's worth, I do suspect that a cross-jurisdictional system will spawn to handle global commerce, and I think it'll be a combination of Friedman and Visa. Anonymity in financial transactions is pretty doomed -- we've just gotten accustomed to handing over our wallet, and hoping we get it all back -- but my expectation is that person-to-person cash transfer over distance will be formalized, arbitrated, and most of all -- insured. There will be reputational work, but it'll be in the same context we already have institutionalized reputations -- credit checks. It's *much* more likely that we'll see ebay feedback on your Visa web page than we'll see some funky distributed arbitration notices system.
Visa, you see, has one major advantage: The arbitration systems that Friedman describes are great for stopping the *next* fraud, but they don't do anything about *this* one. This is the big deal about government, folks -- they may not prevent crime directly, but they sure as hell respond to it. It's not like there's a murder, and the cops are like, wow, we better prevent any gun stores from letting this guy in, but that's all we can do
Yours Truly,
Dan Kaminsky
DoxPara Research
http://www.doxpara.com
Got any references for this claim, by any chance?
--Dan
infiniti--
:-) :-) :-) :-)
:-)
Ah, the classics...you include Crystalis, you've got good taste. SF2010! I remember this...I was so pissed it wasn't SF2, then I realized it was something completely different. Man, what I'd do to stay upgraded to max punch...some more recommendations:
Terranigma (SNES)-- imagine Zelda with a seriously bizarre and even mature plot. Now give it a really, really satisfying battle system. A must play.
Blaster Master -- my top pick
Battletoads -- even on an emu w/ infinite reloads, I can't beat the unicycle level. It's horrifying
Gunstar Heroes(Genesis): Totally quirky contraish shooter, it becomes something else.
Batman for NES! Best Batman Game Ever, possibly the only good one.
Rygar
River City Ransom
Solar Jetman
Shadowrun -- you wake up in a morgue
and of course...
Cybernator for SNES. A more detailed, replayable, intelligent beat-crap-up-with-gynormous-mech game, you've never seen.
Have fun
--Dan
Dyqik, that doesn't make any sense. There's no need for communication between two clusters after the big bang in the situation you describe: Given a limited set of circumstances that creates stellar bodies detectable at such great range, either those circumstances occur -- and we detect something -- or they don't, and we see nothing.
With a limited set of circumstances, it's trivial to imagine a limited set of detectable outcomes, particularly if the laws of the universe are, well, universal. Stars too hot would have burned out billions of years ago; stars too cold we could not see. That leaves this very narrow region we're able to detect, and unsurprisingly everywhere we look we see the same thing. When there's something else, we're either too late or blind.
Even this logic is unnecessary, though -- given that the visible regions were once part of the same singularity, all the "information" they'd ever need to remain related could have been exchanged at the point of the Big Bang itself. Absolutely identical output is theoretically justifiable, if there's a quantum level pseudorandom number generator at work. (Oddly enough, if there was, we'd never be able to tell, except through its occasional bugs...like entanglement, perhaps.)
--Dan
Yes, I originally thought it was impossible.
Then I sat down, and realized what's going probably on here (the CNet article didn't specify, and I didn't think to track down the original work. Foo on me. So I'm pulling this out of my proverbial ass.)
Perfectly random images are indeed impossible to add data to without creating some form of irreversable distortion. Suppose you had a "remove transformation" mask embedded in the included transform. This mask itself would take information, which would then need to be added to the transform, which would increase the size of the transform, thus necessitating a bigger mask, ad nauseum. So you could never embed the reversal instructions.
However, photographs are not perfectly random. Along the light wavelengths that nature selected for humans to sense, significant patterns exist -- edges, gradients, shapes, and so on. Though precise intensities eventually hit perfect randomness at absolute sensitivity, digital photographs (even without JPEG) quantize imagery into 8 bits per channel -- 24 bits total. So those patterns we see actually create significant regions of reduced entropy -- less information in the image than there is otherwise room for.
And that's the key -- because once there's extra capacity, we can embed both some message and the means to remove that message in the extra space. Then it's just a matter of using one of a thousand ways to share the secret across all the low entropy regions of the image, and you're done.
No, it doesn't violate information theory. Yes, it's mildly cool. No, it's nothing like a public key steganographic system -- there's nothing inherent about the system that prevents unauthorized removal, or even unauthorized addition of the watermark. But it's a useful adjunct -- concievably, it'd be at the heart of a watermarking system that fingerprinted audio and video in low-entropy segments, then removed the fingerprint before it hit the d/a converter.
I'm pretty sure the strategy extends to floating point representations as well, though there's likely much less compressability due to noisy capture circuitry and higher raw entropy in the signal.
Yours Truly,
Dan Kaminsky
DoxPara Research
http://www.doxpara.com
Interesting question.
Lets assume we had a random distribution of people between 0 and 60 years old, and we were interested in the same birthdate. So, that's 60*365 possibilities...21900 dates. Since the birthday paradox effectively approximates down to a square root of the number of possibilities(would you believe I never noticed this?) that's about 147 randomly picked people are required before you'll find two with the exact same birthdate.
Of course, US POPULATION DISTRIBUTIONS AREN'T RANDOM, there's this big ol' spike referred to as the Baby Boom, which is really accentuated by the Twentysomething Massacre that came right before -- so YMMV.
--Dan
> n will be considerably less than 2^24.
:-) Though I admit to dropping a null byte at the beginning -- some hardware just gets confused for strange reasons. Also it keeps me out of the multicast range except when I choose to be there.
How much less? Factorial math is pretty ugly, but the "half the entropy"(aka square root) rule is pretty widespread when designing cryptographic hashes against birthday attacks.
However, all of this is irrelevant as MAC addresses are not randomly picked by manufacturers and won't be randomly picked by people changing them.
Ummm, I use Yarrow to generate spoofed MACs
Anyway, random keygenerators are older than I am, Red. We're talking about a randomizer to get you around a MAC ban -- one-click unbans don't particularly ask you to type *anything*. And as I found out earlier, you can actually burn a new MAC into the hardware without a trace (though I suspect you might want to keep the manufacturer ID bytes the same).
--Dan
Hmmm. Total set of possibilities is 365*365, or 133225 different combinations of two people with two birthdays. Of those 133225 possibilities, 365 of them involve the two people having the exact same birthday. So:
/365
133225
======
365 (unsurprisingly)
1/365 times, two people have the same birthday. I think the two person case is special because if x equals y, y must also equal x. The -1 is really familiar, but the brute forcing above just doesn't flesh it out.
--Dan
If you include the manufacturer code, you no longer have a random system -- most likely, they're serializing each card from a very large address space, and (barring unfortunate accidents by far eastern card manufacturers) never using that number again. No collisions -- ever.
:-) It's a use of LFSR's.
But if you have two hosts randomly pick an address, they can twiddle all 48 bits. Odds of a collision hit 2^48 unless all nodes ever activated are simultaneously active, in which case the odds of an eventual collision hit 50% once 2^24 nodes are live.
Thassa lot of nodes, but it's a nonzero chance of collision.
Incidentally, this is why direct sequence spread spectrum occasionally beats the pants off of frequency hopping. The former increments freq's along a linear progression; the latter uses PRNGs to choose which subband to hop onto next. It takes some synchronization, but the former can be guarantee to never collide -- while the latter is has to!
It is actually possible to design functions that are nonlinear and never collide, though. I'm trying to track one down right now, actually
Incidentally, it'll be interesting when they overflow the manufacturer byte(why haven't they already?).
--Dan
Somebody's parents only threw him one birthday party, and he can't even remember it.
Guy's been bitter since.
--Dan
Just pulled out a Netgear FA311TX...it's like a FA310TX, but it sucks (not a Tulip).
Managed to get it to work with the netsemi linux module, which is more than I can say for the Linksys ethernet cards. I swear, Linksys needs to bribe someone to sell them Tulips...
Anyway.
The card has a big ol' spot for bootable EPROM that's unfilled, and instead has this tiny(sub-square-centimeter) chip soldered on. Whatsit?
ATC 93LC46 (serial EEPROM)
Ah, EEPROMs...slow as hell to write to, but write to them you can. I don't think any of the standard drivers allow access to the EEPROM though, since it's usually easier to twiddle some registers to get the same job done.
Anyone familiar with network drivers that actually flip EEPROM bits?
--Dan
Heh, I was totally wrong. It happens :-)
Maybe there's a chunk of Flash memory on board? NVRAM still requires a trickle charge to maintain, if I remember right.
--Dan
If there's one card on a network, and you add another, the question becomes "what are the odds that the two cards will pick the same number?" Since there's 48 bits of entropy(minus a small range for multicast addresses and broadcast), the odds are effectively 2^48.
This is big.
If there's many cards on a network, and you want to know how many total you can add before two of them will end up with the same card, the answer's far smaller -- 2^24, which is still pretty huge(it's a bit more than 16 million). It's a different problem because each time you add a new card, the card after has one more it can possibly match with. This is known as the birthday paradox, so named because this precise logic means that given 23 people in a room, there's a +50% chance that two people have the same birthday. Each new person is one more to match with.
In reality, this is a moot point: MAC address prefixes are assigned by manufacturer, and the manufacturer serializes their cards such that no two shipped devices should ever have the same MAC address. Sometimes there are screwups, but they're pretty rare as far as I know.
To debunk what a couple people are saying -- yes, MAC addresses as exposed to the network can be changed, but MAC addresses as detected by custom client software may be more tricky. Whatever the driver is exposing to the network, the card itself can't usually have its MAC address written over(i.e. once power is cycled, that card's returning to original shipped condition). I'm positive there are exceptions to this, but they're probably rare.
Actually, this gives me an interesting idea. You can probably remotely fingerprint the age of a computer based on the MAC address of its ethernet card...and if IPV6's MAC->IP shove goes through, you'll be able to do that reasonably remotely!
Yours Truly,
Dan Kaminsky
DoxPara Research
http://www.doxpara.com
You sure 'bout that? It seems to me that image trademarks have to be an extension of the original image copyright, i.e. I can't claim trademark on an image I don't possess copyright on, nor is it really meaningful for someone else to have copyright on my trademark (i.e. I'd be limiting their right to copy with my trademark, so they wouldn't particularly possess copyright now would they?)
Disney's dragged 20th century culture through the mud to save Mickey; I can't imagine they'd do so if you were right. Of course, I Could Be Wrong.
--Dan