You need a big field. You're confusing reading a signal from a card with energizing the card in the first place. The cards have no internal power source; they start up when they are in an induction field that is generated by the reader. These fields are very weak...so it doesn't take much to power the card, but on the flip side, the cards can't handle much because of the need for them to operate at low power levels. And even if you could shape the field to a beam, it still remains a range issue. You can't energize the card 20 feet away without frying the one that is 3 feet away. Oh, and good luck being subtle while waving a high gain directional antenna around...swinging a YAGI around isn't the pinnacle of being surreptitious.
Randy Vanderhoof, executive director of the industry group the Smart Card Alliance, points out that despite previous research on the contactless attack, no real-world instances of the fraud have ever been reported. “We’ve got six years of history, a hundred million users of these cards, and we haven’t seen any documented cases of this kind of fraudulent transaction. The reason we think that’s the case is that it’s very difficult to monetize this as a criminal,” says Vanderhoof. “The premise that this is a new threat is absolutely false and isn’t supported by [Paget's] demonstration.”
In fact, contactless cards do offer one security feature traditional cards don’t: Along with the card’s 16-digit number and expiration date, the cards are set to offer up a one-time CVV code with every scan. Those codes can only be used for one transaction, and have to be used in the order they’re generated. If a payment processor detects multiple transactions with the same code, or codes being used to make transactions in the wrong order, it will disable the card. So a contactless card scammer can only use each stolen number for one transaction, and if the victim of the scam uses the card again before the thief has time to make a fraudulent payment, all transactions on the card will be blocked.
So unlike the traditional magnetic stripe kind of card...and these get skimmed as well, mind you...with this attack you MUST be the next person to use the card's credentials. If not, the attack fails. It's not quite as bad as they make it out to be here. Furthermore, the cries that people have thrown up that someone could scan an entire room full of people at once are totally off-base. You'd need to create an induction field strong enough to energize the furthest cards...which would kill the nearest ones...and the cards would all jabber at the same time, mixing their signals. The RFID spec for these cards has no provision for collision detection or avoidance.
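The processor-side ordering check described in the two comments above, written out as an added example that is not part of the original comments or of any issuer's real system. It plays through both orderings the comment describes (the stale code presented before and after the cardholder's next purchase). The HMAC-over-counter code derivation, the card key and the use of the standard test PAN are constructed assumptions for the simulation only.

```python
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass, field

# Result strings returned by the processor.
APPROVED = "APPROVED"
BAD_CODE = "DECLINED: code does not verify"
DISABLED = "DECLINED: card disabled"
OUT_OF_ORDER = "DECLINED: replayed or out-of-order code, card disabled"


def one_time_cvv(key: bytes, counter: int) -> str:
    """Three-digit code for a given tap counter.

    Assumed scheme for the simulation: HMAC-SHA256 over the counter,
    reduced to three digits. Real issuers use their own derivation.
    """
    mac = hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1000:03d}"


@dataclass
class Card:
    pan: str
    key: bytes          # per-card secret shared with the issuer (constructed)
    counter: int = 0    # advances on every read, whoever holds the reader

    def tap(self) -> tuple[int, str]:
        """One read of the card: returns (counter, one-time code)."""
        self.counter += 1
        return self.counter, one_time_cvv(self.key, self.counter)


@dataclass
class Processor:
    keys: dict[str, bytes]
    last_counter: dict[str, int] = field(default_factory=dict)
    disabled: set[str] = field(default_factory=set)

    def authorize(self, pan: str, counter: int, code: str) -> str:
        """Apply the rule: each counter value may be used once, in ascending order."""
        if pan in self.disabled:
            return DISABLED
        expected = one_time_cvv(self.keys[pan], counter)
        if not hmac.compare_digest(code, expected):
            return BAD_CODE
        if counter <= self.last_counter.get(pan, 0):
            # Either this exact code was already spent, or an older code is
            # being presented after a newer one. Both mean someone else holds
            # a copy of the card's codes, so the card is stopped entirely.
            self.disabled.add(pan)
            return OUT_OF_ORDER
        self.last_counter[pan] = counter
        return APPROVED


def scenario(victim_pays_first: bool) -> list[str]:
    """Replay the two orderings from the comments above.

    One code is read outside a purchase; what happens next depends only on
    who presents a code to the processor first.
    """
    key = b"constructed-card-key"                 # constructed, not a real key
    card = Card(pan="4111111111111111", key=key)  # well-known test PAN
    proc = Processor(keys={card.pan: key})
    log = [proc.authorize(card.pan, *card.tap())]   # ordinary purchase
    stale = card.tap()                              # read by a third party
    if victim_pays_first:
        log.append(proc.authorize(card.pan, *card.tap()))  # cardholder's next purchase
        log.append(proc.authorize(card.pan, *stale))       # stale code arrives later
    else:
        log.append(proc.authorize(card.pan, *stale))       # stale code used first: one transaction
        log.append(proc.authorize(card.pan, *stale))       # same code again
        log.append(proc.authorize(card.pan, *card.tap()))  # cardholder is now locked out too
    return log


if __name__ == "__main__":
    print("cardholder first:", scenario(True))
    print("stale code first:", scenario(False))
```

Note that in the second ordering the card is disabled for the legitimate holder as well, which is the "all transactions on the card will be blocked" outcome the quoted article describes.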
The first way (as an analyst): You have a significant percentage of your core market complaining about it. In the terms of economics, yes, that's a bad thing. Ask the RIAA, which had far more legal and moral standing for their claims, but yet managed to alienate so many customers that they drove them further into the arms of (let's call a spade a spade, shall we?) content piracy. You, and others in the gaming industry, are making the same mistake in an entirely different way. When your customers complain, you're doing it wrong.
The second way (as a customer): All I can think of to say is, "You FUCKING faggot. Eat shit. Yes, it's wrong."
I think you're missing the point of what he is asking. Redesigning all the devices in his world is not an option; he needs to do proximity detection across multiple wireless protocols. You know, it's this approach that gives geeks a bad name. "Oh, that's easy, just make EVERYTHING use [new unreleased technology that isn't even available yet]!" Yeah...in the real world, you have to work within the less convenient reality that you have to buy off-the-shelf, and that you don't get to design the entire universe as it would need to be in order to make solving one specific problem easier.
Facebook? Facebook is telling Google not to be evil? FACEBOOK? If Google were half as self-serving with privacy policies and use of data as Facebook has been...actually, it would be so awful I don't even know how to put it into words.
It's important to remember something here. This wasn't Google HQ, out in California. This was Google Kenya. Kenya ranked 154th (out of 182) in Transparency International's Corruption Index in 2011. It's not a country that is known for an ethical business climate in general; this will steep into the behaviors of any local business, regardless of who the parent company is. So while the actions of Google Kenya were reprehensible, let's not all assume that Eric Schmidt called them up personally and said, "Hey! I want to see you guys lying about the competition and stealing their information...get to it!" It's a pretty safe bet that this is not what happened.
I've had a douchebag in the seat next to me on a plane make a spastic grab for his drink while reaching over me...and my laptop. Not all exposure to water is defined by the owner of the damaged item being the one who is pathetic, and none of the times my electronics got wet had to do with my negligence. I've also been caught in a sirocco in Italy while walking back home, knocked off the side of a dock by a person turning with an oar tucked stupidly under their armpit...the ways in which water and other liquids can get to our electronics are many. Let's face it; water covers most of the planet, and even falls from the sky on regular occasions...it ain't exactly hard to get exposed to.
One of the problems here is that government contracting works best when it uses swarm theory. You have to think of the workers as ants...individually unintelligent, intended for single- or few-purpose roles at best. When you set goals using techniques and methods that require a more versatile kind of individual...well, you will fail, because recruiting aims for people who are less expensive. And the recruiting is driven by the procurement, which also drives costs down. Get bottom dollar for a project, and you have to give bottom dollar for the people, and get bottom dollar for performance. Agile development requires a bit more mental agility than most contractors I've seen possess. (Full disclosure: I work for a company that does a lot of contracting for the Federal government.)
No...I looked at their actual website though. Here's where we get into the concepts of "primary source" and "secondary source". Their website lists over 150 games, mostly based on FPS concepts; they have combat and wars everywhere from WWII Europe to Vietnam to the Middle East. For this, I would say that the Middle East is just another venue for the game setting, since those games don't have any kind of a majority. Oh, and also...a company that has cranked out 150 games is not exactly blowing the bell curve when they produce something in Arabic, these days. There's a large audience there. And if you look at the Wikipedia entry for "Arab Spring" you will find that fighting corruption is a hot topic there...
Shouldn't the text be something along the lines of "An American that was visiting his family in Iran who has been sentenced to death by a Sharia court for spying on behalf of the CIA has also claimed in the same prepared statement that he was a video game developer who made games for the CIA, even though there don't seem to be more than a single game that would align itself with Western interests." I mean, let's face it. Trusting Fars (a semi-official Iranian news agency)...these guys have backed their President's view that the Holocaust didn't happen, for Christ's sake...is NOT exactly relying on an unbiased source. For Fars to complain about propaganda is like the pot calling kettle black.
If this kind of behavior from a former HP executive surprises you, then you clearly haven't talked to anyone who works at HP lately...but in his defense, I'm sure he got as good as he gave. There's a reason so many are jumping ship there, leaving only fourth- and fifth-stringers behind.
If that's what's suggested, then I think a Microsoft Superphone would mean...that hell froze over. Don't get me wrong; I think Microsoft is amazing, and has done a great deal for the world. But their phone products are the biggest, steamiest nut-studded shitloafs I've had the displeasure to use. I HATED my phone when I had Windows Mobile, and the odds of them coming out with a great product all of a sudden (be mindful...they've been trying to sort this out for as long as there have been smartphones) are almost zero. Throw in the recent confusion as to whether or not Silverlight was going away, and other insanity (like opening Microsoft stores...basically consumer electronics stores in malls...while they decide they will no longer participate in CES) and it does not look good.
Actually, a total lack of planes keeps them on the ground too. Afghanistan hasn't had an air force since...well, since their air force was Soviet.
It's true enough, though, that one of the reasons why many countries that could expect to face us on a battlefield do not focus too heavily on air assets...because they know that beyond a certain geopolitical tipping point, we and/or our allies will show up and those assets will change from valuable flexible air cover to flaming opportunity costs that could have been spent on ground forces.
And I don't see how his statement about IEDs has anything to do with supporting his argument. The means we use to nullify them is quite research- and technology-intensive, and our ability to quickly adapt to new IED designs and triggers is only made possible by the enormous buildup of pre-existing expertise that has been tapped.
Charlie Kindel was once a Windows Phone evangelist, and he thinks that inferior features or user experience are not the reason why Windows Mobile isn't capturing the market. To me, these are two solid pieces of evidence that he's never actually USED a Windows Mobile device!
First thing: "'This was likely [Haney's] first experience under such physiological duress.'"
Okay, that makes no sense to me. My understanding is that both USN and USAF pilots undergo extreme physiological and psychological duress in the course of their training, for just this reason. They expose you to hypoxia, to decompression, to high-g forces, even to having to survive and avoid capture (with most trainees ending up getting caught) and resist interrogation techniques (see under 'most trainees end up getting caught').
Second thing: "It takes 40 pounds of pull to engage the emergency system. That's a tall order for a man who has gone nearly a minute without a breath of air, speeding faster than sound, while wearing bulky weather gear, says Michael Barr, a former Air Force fighter pilot and former accident investigation officer. 'It would've taken superhuman efforts on the pilot's behalf to save that aircraft,' says Barr. 'The initial cause of this accident was a malfunction with the aircraft — not the pilot.'"
Okay, this is total bullshit, I'm sorry. Pilots work out...a lot. A hell of a lot. They do a lot of strength exercises, including push-presses and other exercises that work the back, because in the course of these exercises they ALSO end up building up their legs. As a method of fighting black-out, they tense their legs to tighten the muscles and help push air up into their upper body (away from where it tends to go during positive high-g maneuvers). Yes, there is the flight suit that squeezes them as well, but every bit counts. And since the ring that starts the emergency system is forward and beneath the pilot, that means that they would be using their back to pull against that 40-lb resistance...which is not that big a deal if you're in shape. After a minute without air? That's what it feels like to be working out hard...and since he wouldn't have been exercising vigorously during that minute, he'd have had plenty of glucose on hand, so his muscles could easily have worked using anaerobic respiration long enough for one pull of a ring. Furthermore, how is this supposed to be harder based on how fast you're moving? I fly in airplanes all the time, and I don't notice that it gets harder to lift things or move around based on how fast or slow the plane flies. And even if all of this WAS a tall order, that's exactly what fighter pilots are trained for; that's why so few people who apply are accepted, and why so few who are accepted make the grade in training.
The problem is interoperability. Yes, yes...I know, you can just give out your PGP public key to everyone and they'll be able to decrypt their email. If, that is, they use PGP too, which almost nobody does. And granted, sure...you can install an S/MIME cert in your copy of Outlook and...what's that? Some people aren't using the full-fledged, Microsoft Office-included version of Outlook? Some people are on smartphones too, and have the AUDACITY to want to be able to read the emails I send them on their iPhones? Bah...idiots. They should focus on more important things than the incredibly sensitive email they send back and forth...like encryption!
Actually, no it can't. The Stuxnet virus was incredibly specific; the only PLCs it affects are ones that control variable frequency drives (which are used to spin things very, very quickly with a high degree of control over RPM) made by one of two manufacturers. Control rods do not spin at thousands of RPM and are not controlled by var-freq drives of any make.
So technically yes...something other than centrifuges could get infected, and in fact did (that's how Stuxnet came to light in the first place). But I've seen control systems that were infected by it, and I can tell you first-hand that, for systems where the full suite of intended targets is not present, it's entirely harmless and has no impact on operations whatsoever.
Dear CarrierIQ,
It's good that you've recognized that the security researcher in question had no illicit intent in mind, and was actually working for the good of the general public. Very nice, and definitely the high road. But...
It's clear that not only did you unapologetically and unreservedly produce a product with the explicit, baked-in and horrific capacity to spy on the activities of millions of people (with no distinction between adults and minors, many of whom also have smartphones these days), but you also intended to use brutish, irresponsible tactics to muzzle a person who called you out on it.
So the lesson you need to take away from this is not that pushing the envelope and then apologizing gets you off the hook. The real lesson you need to learn is that, from this point onwards, when I see the brand name "CarrierIQ" before me, my brain will automatically and reflexively replace it with the phrase "PIG-FUCKING ASSHOLES". And I'm sure I'm not the only one who feels that way, you scumbag pieces of shit. Fuck you all. I wish nothing more than that the carriers who are your customer base will be ashamed to buy your product, and that you will go out of business.
Clean up your product and make it about...and only about...what you say your goals are as a company, and after half a decade most of the people who feel like I do (including me) will come around and actually see "CarrierIQ" when we read "CarrierIQ". That's the cost of what you have done, and the real lesson you should take away from this.
Joe Weiss is fairly notorious in the control system security world as the first to say, "Hey! That was a cyber incident!" For example, he said this about the BP spill, when they were still investigating it...and while it turned out to be true that some alarms were turned off because of computer issues, the real root causes had to do with faulty mechanical equipment and bad concrete, and the cyber aspect was pretty much entirely irrelevant. Hear him speak, and it's a safe bet that you'll hear about his book, his conference, and other ways in which he can make money telling you how awful things are in the world and how much you need to listen to him.
I don't believe for a second that it's possible for a virus and a worm to combine to produce a more dange
Five minutes and nobody's posted yet. That says a lot about what people think of Ceglia :)
"House fires keep you warm in the wintertime!"
...uh, I don't understand...
Look at it this way...the virtual models are more likely to pass a Turing test than the real ones...
Look at it this way...the computer-generated models are more likely to pass a Turing test than the real live ones, right?