Strangely, despite multiple passes through the court system and who knows what else through the patent system these things are holding. Now I KNOW our patent system has issues but do you REALLY think that something that is so "obvious" and found "everywhere" wouldn't have been appealed by the army of lawyers and millions of dollars being thrown at this case and the previous ones? Really? Seriously? Like just maybe TIVO really did do something that no one managed previously? They did crosslicense with Replay for some things apparently but all in all their stuff has held up well enough to stick Dish with some hefty damages. You'd think that if this was so darned obvious that a hundred mill give or take would've been incentive enough to prove it and remove the patent. Yet it still stands....
When it was patented years ago you might be surprised to learn that apparently it was new and innovative. Certainly Direct and DISH have been surprised to learn such a thing when they have tried and FAILED to challenge the patents.
Surely since you have greater insight than their army of lawyers and experts you should contact them to offer your services. For this I am sure you would be paid quite well when you win this case and have the patents removed from the books.
The trap here is that when someone first comes up with an idea it is new and innovative. However fast forward a few years later when everyone has seen the device and thinks it's pretty obvious and they think that having a patent on it is stupid. I mean look at the light bulb - piece of material suspended in a vac with juice run through it till it glows like mad - obvious right? Sure, now it seems obvious but when it was invented they had to work like heck to get it to last for more than a flash! Same thing with the TIVO, when it was first shown no one had built such a thing other than ReplayTV. Now it's not nearly so hard to build from commodity parts but back then it was pretty spiffy!
Talks about circular buffers for viewing and recording at the same time, maintaining audio synch, running the clock FWD and back while moving through the data. To say that they simply patented being able to pause TV is pretty disingenuous!
I short, summary is trolling crap per usual to get everyone up in arms. Real patent is a bit more complex. Granted much of this seems "obvious" now but back when TIVO first did it it was FAR from really obvious. It was going to get done by someone but back then on the hardware available it was pretty slick!
Much of this DVR technology is "obvious" now but when TIVO first began building these boxes there was no one out there doing it. some of what they do isn't really obvious either - like if you are running FFWD and hit play it will rewind just a bit to take care of overshoot. Not an obvious feature but a VERY nice one and I'm pretty sure patented.
Whenever this story is talked about, and this has been a long running battle, everyone says the patents are "obvious" but honestly I do not think they simply patented something so obvious as the buttons found on a VCR. Instead they patented their circular buffer, the ability to watch while recording and pause without losing anything including audio\video synch. I mean really, if it was so obvious and simple why is it that every other damned commercial DVR out there sucks ass? DISH, FIOS, Direct, and all of the cable DVRs BLOW compared to the TIVO. Why is that if this is all so darned easy and obvious?
TIVO ain't perfect but they pioneered much of this and it's pretty good software. Time they got paid by all those companies that simply copied (poorly) what they did.
P.S. Yeah, I owned one of the competitor boxes that had auto-commercial skip too. A shame THAT got creamed:-(
Direct and TIVO have inked another deal and there will be new HD hardware for Direct from TIVO coming in a year or so. FWIW - I left DISH for Direct to get TIVO and left Direct to FIOS to keep TIVO. Now I'm stuck on COX but I've got my TIVO!
Anyway, hang in there - relief from that POS "DVR" they provided you is coming!
Actually no they didn't. The plane that crashed after the passengers learned what was up didn't have reliable communication with the cell phones if the stories I recall are correct. They DID manage to get through but I do not believe that the calls were for long or that they weren't suffering from drops. It was enough though to tell folks what was going on though at least.
Lol, balloon was SLOW moving - and caused many issues! Phone lockups and all sorts of network weirdness he said - calls were impossible while aloft or if they got through would misroute. This was the old analog days but the same sorts of issues might still occur with a faster moving plane in a digital world.
Now imagine a jet liner full of people *all* doing the same thing. Granted at cruise altitude it is probably not so big an issue as most won't have the range but I've been on more than one flight where a phone has rang:-O
Do not think that is true either. However a friend of mine who is a balloonist years ago told me what happened when he used a cell phone in flight - chaos! It would try and talk to many many towers at once and it was a mess. This article supports that theory and I think they have the reason right - multiple cell towers cannot easily handle being contacted by a single phone moving 500miles an hour. Now multiply that by the numbers of people that fly every day and you can see why the cell companies sure as heck don't want this occurring! I've still done it though:-) They explain how in-plane cell calls would work too if you read the article. http://mirrors.mednor.net/slashdot/10072008/TidBITS_Networking%20_Peering_Inside_a_Mobile_Phone_Network.htm
1) Data was not successfully altered. A successful alteration would leave the security mechanisms intact - this hasn't been done. In order to alter the data one of two things is done. a) The PKI signature is broken and anyone, even without a copy of the proper PKI signature, can see this. Or b) the data on the passport is signed with a self created certificate which is obvious even if they haven't signed up for the PKI distribution on the basis that they have obviously seen the proper signatuere on hundreds of REAL passports. As for the data being "cracked" - the key to the data was on the printed passport, I'd hardly call figuring out how to properly use the provided key "cracking" but it IS more sensational to say that isn't it?
2) I've explained multiple times what the PKI signature does but you don't get it. I even explained again above - if you cannot understand this then you will never understand the issue. Modify the passport and retain the original PKI signatory and you've accomplished something - until then you've nto got a working forgery.
3) Even if a nation hasn't exchanged, formerly, the PKI signature they can still check to see if it is valid. They can also use past examples to spot self signed data. Yeah, the signature matters.
4) I didn't claim the passport has to be printed I simply pointed out that the printed version is still examined. If you show up with RFID data showing the original owner because you've cloned an RFID signature and all the pic isn't going to match the printed one or you've got a twin. In this case yeah someone might get by if no one notices the two pictures are different - go ahead and bet time in prison on that if you want.
You want citations? The problem is there's nothing but tin foil hatters getting any press on this. Go read the standards, go actually work with the software. Better yet actually go through a security checkpoint with a modified passport - oh wait no one has claimed THAT have they? No, they simply show the reading of the RFID via devices that don't enforce security and claim success. Success is passing through security unmolested and right now that is NOT a sure thing. That you think this won't work is amusing, if you understand PKI you'd understand that it CAN work and is way better than the paper only versions that have existed in the past. This is the perfect example of what PKI is good for actually - verifying message data. Are you claiming PKI doesn't work?
Again I have told you why all signatory nations do not need to sign up for this PKI repository, choose to not understand that if you wish. The signature protects the data - to date no one has modified the data and retained the signature - no one, not a single person. All we have are demonstrations that get the tin foil hatters up in arms - like yourself.
Yes, the articles you cite assert issues, and then fail to prove them, but you cite their flawed conclusions as somehow factual. Understand the underlying technology and you will finally understand why the sky isn't falling. This is an added layer of security over and above the checks already in place, called it flawed but it is better and it does work if the reader software isn't brain dead. You will note that not a single demonstration of success has been done against REAL portal software - it's all been done against reference standard software and against software that contains no security checks. What does that prove exactly? This is what you offer up as proof?!
The real portal software checks signature integrity and should check for the proper registered electronic signature. Even if the signatures haven't been formally swapped through the approved process countries have access to it if they desire and CAN check it...
Sorry, cannot cite some 'net article that proves this because telling people the system works and how it works doesn't rate as News For Nerds and get posted to Slashdot. Sort of like saying yes the Earth continues to turn, no one cares. Do wake me though if you can find a single instance of someone modifying a passport's RFID data and going through security in say Germany, Saudi Arabia, or Japan.
Actually there's some misunderstanding there. Yeah, there's a group that's supposed to be handling the exchange of keys and not everyone has signed up. Funny thing about passport portals though - they see LOTS of traffic. If I see a signature of say Russia's passports oh maybe 100 times a day don't you think that I'm going to know what the signature looks like? And that when a "signature" comes through that is different than the previous 1K passports I might perhaps wonder why and flag it? The files to check this signature are ON the passport, which is why self signing even can come close to working apparently.
So, a country need not sign up for the global PKI directory in order to be able check signatures if they want to. As for not being "fully secure" until all countries sign up - that's crap. If I am signed up and you come through with a member passport and it doesn't check out then I flag you - the only people who had to be signed up were my country and your country of origin NOT every single other country. Without doing my own signature capture to increase my library it's true I cannot electronically check every other passport but I still have the security for those countries that have signed up.
BTW the same sort of thing holds true for his trick of modifying the onboard security features file which you've not mentioned. If I know that every Russian passport contains XYZ security features and suddenly one shows up claiming to not have one of those then I can flag it as odd and take the traveler to secondary. Anyone designing their countries reader software to be secure ought to be taking things like this into account even if the Gold Disk software didn't. The only way to find out if they did is to try and pass through one - which this author certainly hasn't tried!
As for more or less security - the passports can still be manually checked as they always have been. I do not see this as any LESS security than what was there before - all of these electronic checks are being done in ADDITION to what was done before. Remotely reading these to obtain information to do identity theft requires getting past the 3DES.
Pick your argument BTW - that the passport concept is\isn't secure or that the countries that are rolling it out are doing it stupidly. The mechanisms to do this securely are there, if no one signs up for the PKI initiative and doesn't check PKI signatures then who's fault is that? Certainly not the designers of the silly system! If I give you a computer to use and you fail to use a password on your account it's certainly not MY fault as the designer of the security that YOU failed to exercise the security options given to you anymore than a locksmith is at fault for an unlocked door.
The 3DES crypto protects the conversation between reader and passport. th key to this is information contained in the printed passport material. Being 3DES breaking the crypto to read the passport isn't impossible. Once you've broken through this super secret key you get *drumroll* the data PRINTED on the passport. Umm, big deal? With this data you can make a CLONE of the passport - nothing more - that will pass a security checkpoint.
Yes, in this "demo" modified data was displayed. In oprder to modify this data one of two things were done 1) the PKI signature was broken or 2) The PKI signature was replaced with a self signed certificate. In both cases the passport would fail a proper security check and you'd be taking a quick trip to secondary for some serious explaining! So much for your successful "crack" huh? Where you and others get midlead is the demo that displays the data on a device that does NO security checking and simply reads off the RFID data. The fact that this was done in a Govt. office space and then in an airport means nothing - it's not a REAL security check.
As for the Gold Disk software that the UN standards committee produces... that software is designed to verify that the RFID and reader communicate properly according to the standard and it does exercise the various security checks. Guess what? The modified passport DOES flag errors when it reads his modified passport - they just aren't flagged as critical errors. This software is designed to help countries design their OWN indigenous software for their own portals, it is *NOT* used as the real software in ANY country. It doesn't flag as critical errors such as the PKI signature being broken.... sound like something any country in their right mind wouldn't flag?!
Truly, you do not understand this subject nearly as well as you think you do....
Sorry, NOT cracked! Cloning != cracking. Figuring out the 3DES key to have a conversation with the chip in order to CLONE it is != to "cracking it". Reading a passport simply gives you the data off of it, it does NOT allow you to MODIFY that data. Go ahead and make a COPY of the passport - if you've got a twin and the passport doesn't have biometric data on it.
What YOU are misunderstanding is that 3DES is NOT the crypto that underlies the PKI signature that protects the data ON the passport from being MODIFIED. 3DES is what protects the ability to open a conversation with the chip - the key of which is information already in the passport. Being able to talk to the chip buys you NOTHING if your goal is to create modified passports.
It seems that it is YOU who have something to learn about this and not I! Wake me when you successfully modify a passport and retain the PKI signature it was issued with - the PKI signature that the REAL scanners will check when you go through a portal. Right now the only way to modify a passport is to self sign and hope they don't have the PKI signature stored at the reader or break the signature and hope that the reader doesn't notice. Lastly, these articles claiming that the Gold Disk software is recommended for use in airports are wrong - it's a refrence software standard only and I'd be shocked if it was actually USED anywhere stock out of the box. That first link you provided that makes it sound like successful mods were done gets this part WRONG, even the Gold Disk software flags mods as errors - just not critical errors. The person who wrote the software presented here talked about it at BH - he has the Gold Disk software - but has NO idea how countries have implemented their real software. His only real world test has been demo machines at his local Govt. office and now this airport machine - big deal.
BTW - this information on 3DES was included in the links YOU posted, a shame you didn't comprehend it.
Fingerprint information IS being placed in some passports I believe and the accuracy is high enough and the scan speed quick enough that I do not think it will be feasible to use a cloned passport. Modified passports are the danger, right now I do not think there's enough information out there on how the various specific systems act when presented with faulty passports to know just how bad this issue might be. Even this researcher didn't og so far as to try it on a real machine! Really, who wants to be the guinea pig for THAT experiment?!
Actually not 100% correct - this isn't a cloned passport. This is a modified passport else the signature would be correct and it would pass any security check in the world that only looked at the RFID data.
Cloned passports aren't an issue, modified passports that pass crypto checks would be an issue. This passport is modified but it does NOT pass those checks when done properly - the person doing this work will say as much if you ask him and it's something he makes plain in his talks - or did at BH anyway.
Cloning easy, properly modified not. This device would be stopped at a properly designed security portal.
What security portal EXACTLY did he bypass? The device he used to scan this simply read the RFID and barfed the data to the screen. It did ZERO signature checking on the PKI encrypted data else it would have flagged the signature as either being broken or signed by an invalid CA.
What part of that did you not understand? The post you responded to is 100% correct and accurate.
Can you explain what exactly is insecure here? Other than the fact that anyone who understands the protocol can read your passport there's nothing insecure here. He's either self signing the data and the device in question isn't checking the signature against a PKI database or the passport has a broken signature which apparently this this device might also not check. A proper device would spot these changes but why would you put such a thing out where counterfeiters could test against it?
His software is pretty interesting and he's explained a great deal of how the device stores data. The great unknown is how other devices process that data when passing through a portal - that software isn't available. Who wants to be the guinea pig?
Umm, you do not know what you are talking about. By all means provide a link to a credible source on the crypto on the US passports being broken. Note that the same crypto is being used around the world - it's part of a "STANDARD" and is using a lengthy known good crypto algorithms.
All this demo proves is that there are devices happy to read the RFID and not do any security checks. As this presenter has explained in his talks modifying this data, the way he does it, requires either a self signed cert or a broken PKI signature. A device with proper security checks in place can spot both of these kinds of modifications if it was implemented properly. In fact the Gold Disk for which countries build their software to emulate even flags some of his changes - they just don't flag them as critical in that particular code base. What any country does in THEIR implementation however is anyone's guess 'cuz they ain't talking about it...
This man gives a good talk on the subject, sadly it's apparent that you either didn't understand it or never bothered to attend it. You might want to adjust your tinfoil though, it's a bit too tight.
This isn't a security scanner anymore than the previous scanner he checked out at his local Govt building - in fact it's probably nearly the same damned thing! This is simply a device that is showing the data on the chip - I'm not convinced that it is doing ANY security checks that a "real" security scanner would do. How smart would it be to put a machine out with the same checks as a security portal to allow counterfeiters to practice on? Umm, Duh?? Cloning easy, modifying of data NOT!
Yes, the data has been modified and the signature broken, it remains to be seen what the scanner will do when it sees a broken signature or self signed cert on the passport. As was explained in the talk at BH SOME countries HAVE exchanged PKI information so at least some countries ought to be aware of what the signature SHOULD look like and SHOULD be able to spot fakes. It's also not clear that modifying the security file on the passport to change what security protections it reports isn't going to be spotted either since passing THAT information is also possible. Lastly, passing trusted PKI around need not actually take place - if I see 500 German passports who ALL have the same PKI signature and 1 that doesn't it's a pretty good bet that the *1* has an issue! No secret squirrel passing of certificates required in that case.
Bottom line is - no one knows exactly what the various security stations will actually check for and how closely they really follow the lax security of the Gold Disk standard that much of this presenters testing was based off of. The only way to know any of this is to attempt to USE one of these or get the Govt's to talk - what are the chances of THAT?!
So, interesting demo but I'm not convinced it proves that fake passports with *modified* data can be made. At least some better understanding of how the data is being stored and interacted with has occurred I'd say...
Sorry, no go. There's not good enough video support in the PS3 jail. There is a HUGE thread in the XBMC forum about this and the answer is no right now it's not running. They would be interested in someone doing a PPC port though.
Actually it runs on several distros but Ubuntu is the one they are working towards supporting. Atlantis is being done as an ISO for a bootable CD anyway so really who cares what the underlying OS is exactly? If you're going to do a dedicated HTPC you might as well run the supported OS anyway IMO
Slashdot Mirror
Strangely, despite multiple passes through the court system and who knows what else through the patent system these things are holding. Now I KNOW our patent system has issues but do you REALLY think that something that is so "obvious" and found "everywhere" wouldn't have been appealed by the army of lawyers and millions of dollars being thrown at this case and the previous ones? Really? Seriously? Like just maybe TIVO really did do something that no one managed previously? They did crosslicense with Replay for some things apparently but all in all their stuff has held up well enough to stick Dish with some hefty damages. You'd think that if this was so darned obvious that a hundred mill give or take would've been incentive enough to prove it and remove the patent. Yet it still stands....
And I'm pretty sure, despite the crap summary, that those are NOT the functions that they patented.
Take a look at the patents in the link provided - they are back in the 1990s....
When it was patented years ago you might be surprised to learn that apparently it was new and innovative. Certainly Direct and DISH have been surprised to learn such a thing when they have tried and FAILED to challenge the patents.
Surely since you have greater insight than their army of lawyers and experts you should contact them to offer your services. For this I am sure you would be paid quite well when you win this case and have the patents removed from the books.
Good luck in your new career!
The trap here is that when someone first comes up with an idea it is new and innovative. However fast forward a few years later when everyone has seen the device and thinks it's pretty obvious and they think that having a patent on it is stupid. I mean look at the light bulb - piece of material suspended in a vac with juice run through it till it glows like mad - obvious right? Sure, now it seems obvious but when it was invented they had to work like heck to get it to last for more than a flash! Same thing with the TIVO, when it was first shown no one had built such a thing other than ReplayTV. Now it's not nearly so hard to build from commodity parts but back then it was pretty spiffy!
Simple - they didn't. Read the patent http://www.google.com/patents?id=IeoIAAAAEBAJ&dq=6,233,389
Talks about circular buffers for viewing and recording at the same time, maintaining audio synch, running the clock FWD and back while moving through the data. To say that they simply patented being able to pause TV is pretty disingenuous!
I short, summary is trolling crap per usual to get everyone up in arms. Real patent is a bit more complex. Granted much of this seems "obvious" now but back when TIVO first did it it was FAR from really obvious. It was going to get done by someone but back then on the hardware available it was pretty slick!
Much of this DVR technology is "obvious" now but when TIVO first began building these boxes there was no one out there doing it. some of what they do isn't really obvious either - like if you are running FFWD and hit play it will rewind just a bit to take care of overshoot. Not an obvious feature but a VERY nice one and I'm pretty sure patented.
Whenever this story is talked about, and this has been a long running battle, everyone says the patents are "obvious" but honestly I do not think they simply patented something so obvious as the buttons found on a VCR. Instead they patented their circular buffer, the ability to watch while recording and pause without losing anything including audio\video synch. I mean really, if it was so obvious and simple why is it that every other damned commercial DVR out there sucks ass? DISH, FIOS, Direct, and all of the cable DVRs BLOW compared to the TIVO. Why is that if this is all so darned easy and obvious?
TIVO ain't perfect but they pioneered much of this and it's pretty good software. Time they got paid by all those companies that simply copied (poorly) what they did.
P.S. Yeah, I owned one of the competitor boxes that had auto-commercial skip too. A shame THAT got creamed :-(
Direct and TIVO have inked another deal and there will be new HD hardware for Direct from TIVO coming in a year or so. FWIW - I left DISH for Direct to get TIVO and left Direct to FIOS to keep TIVO. Now I'm stuck on COX but I've got my TIVO!
Anyway, hang in there - relief from that POS "DVR" they provided you is coming!
http://www.engadget.com/2008/09/03/hell-freezes-over-new-directv-hd-tivo-on-the-way/
Actually no they didn't. The plane that crashed after the passengers learned what was up didn't have reliable communication with the cell phones if the stories I recall are correct. They DID manage to get through but I do not believe that the calls were for long or that they weren't suffering from drops. It was enough though to tell folks what was going on though at least.
Lol, balloon was SLOW moving - and caused many issues! Phone lockups and all sorts of network weirdness he said - calls were impossible while aloft or if they got through would misroute. This was the old analog days but the same sorts of issues might still occur with a faster moving plane in a digital world.
Now imagine a jet liner full of people *all* doing the same thing. Granted at cruise altitude it is probably not so big an issue as most won't have the range but I've been on more than one flight where a phone has rang :-O
Well you managed to get one right pulling ideas out of your ass!
Do not think that is true either. However a friend of mine who is a balloonist years ago told me what happened when he used a cell phone in flight - chaos! It would try and talk to many many towers at once and it was a mess. This article supports that theory and I think they have the reason right - multiple cell towers cannot easily handle being contacted by a single phone moving 500miles an hour. Now multiply that by the numbers of people that fly every day and you can see why the cell companies sure as heck don't want this occurring! I've still done it though :-) They explain how in-plane cell calls would work too if you read the article. http://mirrors.mednor.net/slashdot/10072008/TidBITS_Networking%20_Peering_Inside_a_Mobile_Phone_Network.htm
1) Data was not successfully altered. A successful alteration would leave the security mechanisms intact - this hasn't been done. In order to alter the data one of two things is done. a) The PKI signature is broken and anyone, even without a copy of the proper PKI signature, can see this. Or b) the data on the passport is signed with a self created certificate which is obvious even if they haven't signed up for the PKI distribution on the basis that they have obviously seen the proper signatuere on hundreds of REAL passports. As for the data being "cracked" - the key to the data was on the printed passport, I'd hardly call figuring out how to properly use the provided key "cracking" but it IS more sensational to say that isn't it?
2) I've explained multiple times what the PKI signature does but you don't get it. I even explained again above - if you cannot understand this then you will never understand the issue. Modify the passport and retain the original PKI signatory and you've accomplished something - until then you've nto got a working forgery.
3) Even if a nation hasn't exchanged, formerly, the PKI signature they can still check to see if it is valid. They can also use past examples to spot self signed data. Yeah, the signature matters.
4) I didn't claim the passport has to be printed I simply pointed out that the printed version is still examined. If you show up with RFID data showing the original owner because you've cloned an RFID signature and all the pic isn't going to match the printed one or you've got a twin. In this case yeah someone might get by if no one notices the two pictures are different - go ahead and bet time in prison on that if you want.
You want citations? The problem is there's nothing but tin foil hatters getting any press on this. Go read the standards, go actually work with the software. Better yet actually go through a security checkpoint with a modified passport - oh wait no one has claimed THAT have they? No, they simply show the reading of the RFID via devices that don't enforce security and claim success. Success is passing through security unmolested and right now that is NOT a sure thing. That you think this won't work is amusing, if you understand PKI you'd understand that it CAN work and is way better than the paper only versions that have existed in the past. This is the perfect example of what PKI is good for actually - verifying message data. Are you claiming PKI doesn't work?
Again I have told you why all signatory nations do not need to sign up for this PKI repository, choose to not understand that if you wish. The signature protects the data - to date no one has modified the data and retained the signature - no one, not a single person. All we have are demonstrations that get the tin foil hatters up in arms - like yourself.
Yes, the articles you cite assert issues, and then fail to prove them, but you cite their flawed conclusions as somehow factual. Understand the underlying technology and you will finally understand why the sky isn't falling. This is an added layer of security over and above the checks already in place, called it flawed but it is better and it does work if the reader software isn't brain dead. You will note that not a single demonstration of success has been done against REAL portal software - it's all been done against reference standard software and against software that contains no security checks. What does that prove exactly? This is what you offer up as proof?!
The real portal software checks signature integrity and should check for the proper registered electronic signature. Even if the signatures haven't been formally swapped through the approved process countries have access to it if they desire and CAN check it...
Sorry, cannot cite some 'net article that proves this because telling people the system works and how it works doesn't rate as News For Nerds and get posted to Slashdot. Sort of like saying yes the Earth continues to turn, no one cares. Do wake me though if you can find a single instance of someone modifying a passport's RFID data and going through security in say Germany, Saudi Arabia, or Japan.
Actually there's some misunderstanding there. Yeah, there's a group that's supposed to be handling the exchange of keys and not everyone has signed up. Funny thing about passport portals though - they see LOTS of traffic. If I see a signature of say Russia's passports oh maybe 100 times a day don't you think that I'm going to know what the signature looks like? And that when a "signature" comes through that is different than the previous 1K passports I might perhaps wonder why and flag it? The files to check this signature are ON the passport, which is why self signing even can come close to working apparently.
So, a country need not sign up for the global PKI directory in order to be able check signatures if they want to. As for not being "fully secure" until all countries sign up - that's crap. If I am signed up and you come through with a member passport and it doesn't check out then I flag you - the only people who had to be signed up were my country and your country of origin NOT every single other country. Without doing my own signature capture to increase my library it's true I cannot electronically check every other passport but I still have the security for those countries that have signed up.
BTW the same sort of thing holds true for his trick of modifying the onboard security features file which you've not mentioned. If I know that every Russian passport contains XYZ security features and suddenly one shows up claiming to not have one of those then I can flag it as odd and take the traveler to secondary. Anyone designing their countries reader software to be secure ought to be taking things like this into account even if the Gold Disk software didn't. The only way to find out if they did is to try and pass through one - which this author certainly hasn't tried!
As for more or less security - the passports can still be manually checked as they always have been. I do not see this as any LESS security than what was there before - all of these electronic checks are being done in ADDITION to what was done before. Remotely reading these to obtain information to do identity theft requires getting past the 3DES.
Pick your argument BTW - that the passport concept is\isn't secure or that the countries that are rolling it out are doing it stupidly. The mechanisms to do this securely are there, if no one signs up for the PKI initiative and doesn't check PKI signatures then who's fault is that? Certainly not the designers of the silly system! If I give you a computer to use and you fail to use a password on your account it's certainly not MY fault as the designer of the security that YOU failed to exercise the security options given to you anymore than a locksmith is at fault for an unlocked door.
Again for the slow among us...
The 3DES crypto protects the conversation between reader and passport. th key to this is information contained in the printed passport material. Being 3DES breaking the crypto to read the passport isn't impossible. Once you've broken through this super secret key you get *drumroll* the data PRINTED on the passport. Umm, big deal? With this data you can make a CLONE of the passport - nothing more - that will pass a security checkpoint.
Yes, in this "demo" modified data was displayed. In oprder to modify this data one of two things were done 1) the PKI signature was broken or 2) The PKI signature was replaced with a self signed certificate. In both cases the passport would fail a proper security check and you'd be taking a quick trip to secondary for some serious explaining! So much for your successful "crack" huh? Where you and others get midlead is the demo that displays the data on a device that does NO security checking and simply reads off the RFID data. The fact that this was done in a Govt. office space and then in an airport means nothing - it's not a REAL security check.
As for the Gold Disk software that the UN standards committee produces... that software is designed to verify that the RFID and reader communicate properly according to the standard and it does exercise the various security checks. Guess what? The modified passport DOES flag errors when it reads his modified passport - they just aren't flagged as critical errors. This software is designed to help countries design their OWN indigenous software for their own portals, it is *NOT* used as the real software in ANY country. It doesn't flag as critical errors such as the PKI signature being broken.... sound like something any country in their right mind wouldn't flag?!
Truly, you do not understand this subject nearly as well as you think you do....
Sorry, NOT cracked! Cloning != cracking. Figuring out the 3DES key to have a conversation with the chip in order to CLONE it is != to "cracking it". Reading a passport simply gives you the data off of it, it does NOT allow you to MODIFY that data. Go ahead and make a COPY of the passport - if you've got a twin and the passport doesn't have biometric data on it.
What YOU are misunderstanding is that 3DES is NOT the crypto that underlies the PKI signature that protects the data ON the passport from being MODIFIED. 3DES is what protects the ability to open a conversation with the chip - the key of which is information already in the passport. Being able to talk to the chip buys you NOTHING if your goal is to create modified passports.
It seems that it is YOU who have something to learn about this and not I! Wake me when you successfully modify a passport and retain the PKI signature it was issued with - the PKI signature that the REAL scanners will check when you go through a portal. Right now the only way to modify a passport is to self sign and hope they don't have the PKI signature stored at the reader or break the signature and hope that the reader doesn't notice. Lastly, these articles claiming that the Gold Disk software is recommended for use in airports are wrong - it's a refrence software standard only and I'd be shocked if it was actually USED anywhere stock out of the box. That first link you provided that makes it sound like successful mods were done gets this part WRONG, even the Gold Disk software flags mods as errors - just not critical errors. The person who wrote the software presented here talked about it at BH - he has the Gold Disk software - but has NO idea how countries have implemented their real software. His only real world test has been demo machines at his local Govt. office and now this airport machine - big deal.
BTW - this information on 3DES was included in the links YOU posted, a shame you didn't comprehend it.
Fingerprint information IS being placed in some passports I believe and the accuracy is high enough and the scan speed quick enough that I do not think it will be feasible to use a cloned passport. Modified passports are the danger, right now I do not think there's enough information out there on how the various specific systems act when presented with faulty passports to know just how bad this issue might be. Even this researcher didn't og so far as to try it on a real machine! Really, who wants to be the guinea pig for THAT experiment?!
Actually not 100% correct - this isn't a cloned passport. This is a modified passport else the signature would be correct and it would pass any security check in the world that only looked at the RFID data.
Cloned passports aren't an issue, modified passports that pass crypto checks would be an issue. This passport is modified but it does NOT pass those checks when done properly - the person doing this work will say as much if you ask him and it's something he makes plain in his talks - or did at BH anyway.
Cloning easy, properly modified not. This device would be stopped at a properly designed security portal.
What security portal EXACTLY did he bypass? The device he used to scan this simply read the RFID and barfed the data to the screen. It did ZERO signature checking on the PKI encrypted data else it would have flagged the signature as either being broken or signed by an invalid CA.
What part of that did you not understand? The post you responded to is 100% correct and accurate.
Can you explain what exactly is insecure here? Other than the fact that anyone who understands the protocol can read your passport there's nothing insecure here. He's either self signing the data and the device in question isn't checking the signature against a PKI database or the passport has a broken signature which apparently this this device might also not check. A proper device would spot these changes but why would you put such a thing out where counterfeiters could test against it?
His software is pretty interesting and he's explained a great deal of how the device stores data. The great unknown is how other devices process that data when passing through a portal - that software isn't available. Who wants to be the guinea pig?
Umm, you do not know what you are talking about. By all means provide a link to a credible source on the crypto on the US passports being broken. Note that the same crypto is being used around the world - it's part of a "STANDARD" and is using a lengthy known good crypto algorithms.
All this demo proves is that there are devices happy to read the RFID and not do any security checks. As this presenter has explained in his talks modifying this data, the way he does it, requires either a self signed cert or a broken PKI signature. A device with proper security checks in place can spot both of these kinds of modifications if it was implemented properly. In fact the Gold Disk for which countries build their software to emulate even flags some of his changes - they just don't flag them as critical in that particular code base. What any country does in THEIR implementation however is anyone's guess 'cuz they ain't talking about it...
This man gives a good talk on the subject, sadly it's apparent that you either didn't understand it or never bothered to attend it. You might want to adjust your tinfoil though, it's a bit too tight.
This isn't a security scanner anymore than the previous scanner he checked out at his local Govt building - in fact it's probably nearly the same damned thing! This is simply a device that is showing the data on the chip - I'm not convinced that it is doing ANY security checks that a "real" security scanner would do. How smart would it be to put a machine out with the same checks as a security portal to allow counterfeiters to practice on? Umm, Duh?? Cloning easy, modifying of data NOT!
Yes, the data has been modified and the signature broken, it remains to be seen what the scanner will do when it sees a broken signature or self signed cert on the passport. As was explained in the talk at BH SOME countries HAVE exchanged PKI information so at least some countries ought to be aware of what the signature SHOULD look like and SHOULD be able to spot fakes. It's also not clear that modifying the security file on the passport to change what security protections it reports isn't going to be spotted either since passing THAT information is also possible. Lastly, passing trusted PKI around need not actually take place - if I see 500 German passports who ALL have the same PKI signature and 1 that doesn't it's a pretty good bet that the *1* has an issue! No secret squirrel passing of certificates required in that case.
Bottom line is - no one knows exactly what the various security stations will actually check for and how closely they really follow the lax security of the Gold Disk standard that much of this presenters testing was based off of. The only way to know any of this is to attempt to USE one of these or get the Govt's to talk - what are the chances of THAT?!
So, interesting demo but I'm not convinced it proves that fake passports with *modified* data can be made. At least some better understanding of how the data is being stored and interacted with has occurred I'd say...
Sorry, no go. There's not good enough video support in the PS3 jail. There is a HUGE thread in the XBMC forum about this and the answer is no right now it's not running. They would be interested in someone doing a PPC port though.
Actually it runs on several distros but Ubuntu is the one they are working towards supporting. Atlantis is being done as an ISO for a bootable CD anyway so really who cares what the underlying OS is exactly? If you're going to do a dedicated HTPC you might as well run the supported OS anyway IMO