New Controversy over Black Hat Presentation
uniquebydegrees writes "InfoWorld is reporting about a new controversy swirling around a planned presentation at Black Hat Federal in Washington D.C. this week. Security researcher Chris Paget of IOActive will demo an RFID hacking tool that can crack HID brand door access cards. HID Corp., which makes the cards, is miffed and is accusing IOActive of patent infringement over the presentation, recalling the legal wrangling over Michael Lynn's presentation of a Cisco IOS hole at Black Hat in 2005. Black Hat's Jeff Moss says they're standing by their speaker. A news conference is scheduled for tomorrow AM." Update: 02/27 20:10 GMT by Z: InfoWorldMike wrote with a link to a story saying that the presentation has been pulled from the slate for Black Hat, as a result of this pressure.
Security is not a product (Score:4, Insightful)
I assume it reports random numbers (Score:2, Insightful)
Countermeasures: use longer ident numbers when programming the things. Put a GOOD camera above the door or use an IR detector, and if somebody stays at the door for a minute, the guard should use the intercom and ask them if they want to sleep in another doorway, or if they need to talk to a sheriff's deputy.
Moral: relying on any one layer of security is no security if somebody really wants in. Multiple levels and somebody awake someplace who cares will fix every physical penetration attempt except wackos with bulldozers.
Responsibility? (Score:5, Insightful)
This blows me away. Rather than taking the responsibility for having a flawed security system, rather than having the responsibility as a company to say "Hey, yeah we know about this and we are going to fix it after 15 years," the company accuses the security researcher of a lack of responsibility for "revealing" how to exploit these systems. I feel like bizarro world has become the real world when I read these kinds of comments.
How do you violate a patent by speaking? (Score:1, Insightful)
Litigation vs. Intelligent Implementation (Score:5, Insightful)
Re:HID has its head in the sand (Score:5, Insightful)
You know, in fifteen years of carrying a credit card, I have never had one fail. The high-coercivity mag stripe cards are darn near indestructible. By contrast, the low-coercivity cards that they use at some hotels... I've had them just suddenly fail on the third or fourth use and have to be reprogrammed multiple times in a single night (and about the fifth time I had the same card reprogrammed, they tossed it in a trash can and programmed a fresh one for me, which never failed again).
Put simply, low-coercivity cards suck, but high-coercivity cards are pretty solid. Just don't cut corners on your card programmers and you'll be fine.
Must be free to highlight problems (Score:2, Insightful)
With the Department of Homeland Security expected to release the Real ID regulations very soon and dictate what type of machine readable technology will be in every driver's license and whether it will contain RFID chips, and the Department of State starting to roll out RFID-embedded passports, it is particularly important that the government and the public have all the information about RFID technology and understand that the use of RFID technology without proper protections can seriously threaten privacy, personal security, and public safety.
Lots more info about this story and RFID vulnerabilities at www.aclunc.org/techblog
Pretty much just like a key. (Score:3, Insightful)
And with a huge false sense of security. Oh, and it costs a lot more.
So, exactly what's the benefit again? Aside from the fact that employees can act all cool, by waving their badges at a sensor instead of sticking a metal piece in the door?