FourthAge writes "Federal agents at the Defcon 17 conference were shocked to discover that they had been caught in the sights of an RFID reader connected to a web camera. The reader sniffed data from RFID-enabled ID cards and other documents carried by attendees in pockets and backpacks. The 'security enhancing' RFID chips are now found in passports, official documents and ID cards. 'For $30 to $50, the common, average person can put [a portable RFID-reading kit] together,' said security expert Brian Marcus, one of the people behind the RFID webcam project. 'This is why we're so adamant about making people aware this is very dangerous.'"
...the Feds try to ban the tech to read the RFIDs instead of urging credit card manufacturers/the state department to back off on putting RFID chips into everything?
Even if you could prove to me that guns were used in even half of those cases I would still say your argument has no merit. Having a gun makes no difference in those situations. If you're so pissed off that you're going to kill someone, you're going to find a way to do it. People have been beating, stabbing, bludgeoning, drowning, choking and otherwise finding ways of killing people they dislike since the dawn of man. It's foolish and naive to believe that guns have anything to do with it.
In fact, I'd say gun ownership does more to prevent crime than it does to encourage it. If I'm a big guy and I figure that I could throttle you pretty easily, but I know that you carry a gun, that may dissuade me from assaulting you. I'm not going to say with 100% certainty that it will - that would be hyperbole. I will, however, assert that it would change a lot of people's minds.
There are several published surveys of criminals in prison investigating what they do, how they evaluate targets, and what conditions discourage them from operating in given localities. The risk of being shot by a victim is a major factor. Apparently even criminals are capable of minimal cost-benefit analysis.
When you join a militia and keep your guns for that, you'll have a point.
The government has done its best for decades to convince the people that militias are full of homicidal maniacs. And no, the National Guard is not a militia. It is a standing army under the control of the FEDERAL government-- and it has to be, because states are forbidden from having standing armies in the Constitution.
Guns are cowardly
Compared with... what? "Putting up your dukes," as one ignoramus once snorted on slashdot? Would you ask your 80 year-old grandma to "put up her dukes"? I bet she could handle a small pistol, though.
And I do completely support the right to have hunting rifles.
Thanks to the 10th Amendment, we do have the right to use hunting rifles. However, the general right to KEEP AND BEAR ARMS is EXPLICITLY mentioned in the 2nd. The "militia" part is not a condition of that.
No. You are wrong. It is fairly easy to get a license to purchase a shotgun that you leave at home in most places in America, yes, but in many places it is almost impossible to get a license to actually have the weapon with you. My friend's dad works in and out of Boston in some pretty rough neighborhoods, and after witnessing a crime and calling the police he had several DOCUMENTED threats made against his life (ie coming out to see WE ARE GOING TO F*CKING KILL YOU HONKY spraypainted on the side of his truck). Even with this, he was not able to obtain a concealed carry permit. His criminal record is 100% clean, and he even knew some guys high up in the force that could pull some strings, but eventually the reason he got was that they didn't see that he needed to carry a gun. Thankfully, he never ended up getting murdered, but don't just stand there and proclaim that it's not true that only criminals have guns, you just make yourself look like a fool.
It's not known if any Feds were caught by the reader. The group that set it up never looked closely at the captured data before it was destroyed. Priest told Threat Level that one person caught by the camera resembled a Fed he knew, but he couldn't positively identify him.
"But it was enough for me to be concerned," he said. "There were people here who were not supposed to be identified for what they were doing... I was [concerned] that people who didn't want to be photographed were photographed."
Priest asked Adam Laurie, one of the researchers behind the project, to "please do the right thing," and Laurie removed the SD card that stored the data and smashed it. Laurie, who is known as "Major Malfunction" in the hacker community, then briefed some of the Feds on the capabilities of the RFID reader and what it collected.
Nice to see that - after they made their point - the organizers and attendees at "one of the most hostile hacker environments in the country" did the right thing and destroyed the data. I'm sure we could count on law enforcement, our employers and credit card companies to show the same moral character.
This is a legal gray area, but a couple years back Wired suggested that hitting the passport's chip with a hammer would disable the RFID without obvious signs--a disabled RFID chip does not invalidate the passport.
A brief trip to the microwave works better. Fewer indentations on the cover ("No officer, it doesn't look like someone's been beating this passport with a hammer, why do you ask?").
This is completely beyond my comprehension that the Feds are surprised by this. I just assumed that they were doing this on purpose to achieve some grander goal. It's either that, or they are retarded. In fact, there are many things that are happening now which makes me think: "Are they doing this on purpose? Or are they retarded?"
They should've used the foil protective sleeve provided with the document in question and recommended by the organization who provided the document.
I don't know about the new passports, but RFID-enabled New York State Enhanced Driver Licenses come with a foil sleeve and a recommendation to keep the license in the protective sleeve when not in use.
That's right - the government is providing tinfoil hats for your RFIDs already.
I don't know about the new passports, but RFID-enabled New York State Enhanced Driver Licenses come with a foil sleeve and a recommendation to keep the license in the protective sleeve when not in use.
That's right - the government is providing tinfoil hats for your RFIDs already.
As asinine as possible. The advantage of RFID is convenience. Let's use it and then make it less convenient to use.
General lesson: Convenient or secure. That's an XOR.
I was charged with writing POS software where I work. After looking into using scanners, I came across RFID. As it turns out, instead of needing to scan your crap, you can just have a magic wand magically take inventory for you. In fact, after looking into it, I realized I could rig sensors in our storage room to automatically re-take inventory periodically.
I'm sure some people are pushing for RFID for the wrong reasons, but I'm all for it as a replacement for barcodes as far as keeping stock goes. Imagine going to Walmart, and your shopping buggy automatically tells the clerk how much money you owe! Well, that might be a ways off, but it's possible.
I think RFID is an awesome tech, it just has a risk for being abused. Just like barcodes are awesome, but we don't want them on our forehead (unless we're playing shadow run, then it's 'cool').
I love acronyms. :) My mind read your first sentence as, "I was charged with writing [Piece of Shit] software where I work." "Point of Sale" is only a secondary parsing of that acronym for my language framework. ;)
Right, but they sure can read whatever your RFID has to say. The problem is twofold:
1) Ignorant implementers put sensitive data on RFID's in plaintext.
2) Users are unaware of what data is actually *in* their RFID items.
RFID tags are dumb, low powered, even passive devices. If you can't afford active RFID's with public key encryption, don't put sensitive data on the damn things!
It doesn't really make sense to say RFID is "very dangerous" unless you have that same fear of bar-codes.
There is no bar code on my passport, credit card or driver's license. Even if there was, it's unlikely that person sitting at the next table with a portable bar code reader could read the bar code off my Visa card while it's in my wallet.
It's worse, virtually any type of ID has this other code on the outside, it's purposely done in a contrasting colour so it's easy to copy and photograph and is called Alphabet.
What worries me is the black hat demo where their RFID detector detected US passports within range of a garbage can and detonated an explosive in said garbage can. No barcode/magstrip can be read remotely to determine your country of origin and action taken based on that.
There's nothing particularly special on the RFID chip. A parking facility card and a passport generate the same amount of interesting information. A unique ID. Whew!
The problem is when you have another government computer that is counting on the Unique ID to be a UNIQUE ID, and using ONLY THAT parameter (plus other info also on the card) to identify someone - congratulations, you have just stolen someone else's identity.
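The point made in the comments above (static data on the tag, and a back end that trusts the unique ID alone), as an added example that is not part of the thread: a verifier that accepts a bare UID cannot tell the issued tag from a copy of what it transmitted, while a fresh challenge per read makes an old transcript useless. All class and function names, the key-derivation scheme and the sample UID are assumptions made for illustration, and a per-tag HMAC key stands in for the public-key scheme one commenter mentions.

```python
# Added example (not from the thread): UID-only identification vs. challenge-response.
import hashlib
import hmac
import secrets

# Hypothetical issuer secret; in this model only the back end ever holds it.
MASTER_KEY = secrets.token_bytes(32)


def derive_tag_key(uid: bytes) -> bytes:
    """Per-tag key diversified from the issuer secret and the tag's UID."""
    return hmac.new(MASTER_KEY, b"tag-key|" + uid, hashlib.sha256).digest()


class StaticTag:
    """Tag that answers every reader with the same identifier and nothing else."""

    def __init__(self, uid: bytes):
        self.uid = uid

    def respond(self, challenge: bytes):
        return self.uid, b""


class AuthTag:
    """Tag that proves possession of a key by MACing the reader's challenge."""

    def __init__(self, uid: bytes, key: bytes):
        self.uid = uid
        self._key = key  # never leaves the tag

    def respond(self, challenge: bytes):
        mac = hmac.new(self._key, challenge + self.uid, hashlib.sha256).digest()
        return self.uid, mac


class RecordedTranscript:
    """A copy that knows only the bytes one earlier read put on the air."""

    def __init__(self, uid: bytes, mac: bytes):
        self.uid, self.mac = uid, mac

    def respond(self, challenge: bytes):
        return self.uid, self.mac  # cannot adapt to a new challenge


def record_one_read(tag) -> RecordedTranscript:
    """Model of what is visible over the air during a single legitimate read."""
    uid, mac = tag.respond(secrets.token_bytes(16))
    return RecordedTranscript(uid, mac)


def verify_uid_only(tag, enrolled: set) -> bool:
    """The weak design: the UID is the only thing checked."""
    uid, _ = tag.respond(b"")
    return uid in enrolled


def verify_challenge_response(tag, enrolled: set) -> bool:
    """Fresh 16-byte nonce per read; the tag must MAC it with its own key."""
    challenge = secrets.token_bytes(16)
    uid, mac = tag.respond(challenge)
    if uid not in enrolled:
        return False
    expected = hmac.new(derive_tag_key(uid), challenge + uid, hashlib.sha256).digest()
    return hmac.compare_digest(mac, expected)


def demo() -> dict:
    uid = bytes.fromhex("04a1b2c3d4e5f6")  # constructed sample UID
    enrolled = {uid}
    static_tag = StaticTag(uid)
    auth_tag = AuthTag(uid, derive_tag_key(uid))
    return {
        "uid_only_issued_tag": verify_uid_only(static_tag, enrolled),
        "uid_only_copy": verify_uid_only(record_one_read(static_tag), enrolled),
        "challenge_issued_tag": verify_challenge_response(auth_tag, enrolled),
        "challenge_copy": verify_challenge_response(record_one_read(auth_tag), enrolled),
    }


if __name__ == "__main__":
    for check, accepted in demo().items():
        print(f"{check}: {'accepted' if accepted else 'rejected'}")
```

Challenge-response stops a recorded read from being accepted later; it does not hide the UID itself, so shielding and keeping sensitive fields off the tag still matter for tracking and disclosure.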
The point wasn't to "pwn" the Federal Agents. It was to alert them to the fact that this technology exists, that it's cheap, and that it's easy. From TFA:
Paget announced during his DefCon talk that his security consulting company, H4rdw4re, will be releasing a $50 kit at the end of August that will make reading 125-kHz RFID chips -- the kind embedded in employee access cards -- trivial. It will include open source software for reading, storing and re-transmitting card data and will also include a software tool to decode the RFID encryption used in car keys for Toyota, BMW and Lexus models. This would allow an attacker to scan an unsuspecting car-owner's key, decrypt the data and open the car. He told Threat Level they're aiming to achieve a reading range of 12 to 18 inches with the kit.
Just wait until someone creates a small RFID reader and hooks it up to an iPhone in their pocket (a combo that would be virtually undetectable) and starts walking through the subway collecting info. We can already pick up the credit card owner's name, credit card number, expiration date, etc. right off of the RFID tags present in AMEX cards.
What do you bet... (Score:5, Insightful)
Re:What do you bet... (Score:5, Insightful)
It's easier to outlaw gadgets than to admit you're wrong.
That's why, thanks to recent laws, only criminals carry guns. Pretty soon only criminals will have webcameras or RFID sniffers.
Re:What do you bet... (Score:4, Insightful)
Blatantly true, at least in parts of the United States
Fixed that for you. If you think you can get a carry permit in New York City/San Francisco/Chicago as a law abiding American citizen think again. The only way that happens is if you are rich and have political connections. The rest of us poor slobs don't have the right to defend ourselves if we are unlucky enough to live in a part of the country run by the anti-gun zealots.
This will eventually change when the 2nd amendment is incorporated against the states but it doesn't change the fact that right now you effectively have no right to keep and bear arms if you live in the wrong part of the country.
Re:What do you bet... (Score:4, Funny)
The only way that happens is if you are rich and have political connections.
That's not entirely true - if you're a bodyguard of a rich (important) person, you can legally protect them too.
Re:What do you bet... (Score:5, Insightful)
Sad but true. My favorite is the Hollywood types that rant about the evils of firearm ownership while being protected by armed bodyguards. Fucking hypocrites.
All animals are equal but some are more equal than others.
Re:What do you bet... (Score:4, Insightful)
If they weren't out there publicly trying to get our rights taken away, they wouldn't attract crazy people, therefore they wouldn't need the armed security.
Until then keep your deadly weapons and wild west "justice" out of my community.
So, move to LA, San Francisco, New York City, Chicago, etc. and the terrible worry about peacefully minded citizens taking legal means to protect themselves from assault, rape, robbery, etc. will never again burden you.
Re:What do you bet... (Score:4, Insightful)
I am so reminded of a line from The Chronicle [wikipedia.org] along the lines of "How very twentieth century of you", as the character whips out a taser and stuns the miscreant.
There are nonlethal means of defending one's self, these days. While most may only work at arm's reach, that's also the range you're most likely to be at, in a situation you'd want to use a gun defensively. ... and have any realistic chance of it being effective, anyway.
If they weren't out there publicly trying to get our rights taken away, they wouldn't attract crazy people, therefore they wouldn't need the armed security.
Y'know, I wouldn't take that bet. Crazy people are considered crazy in no small part because they use skewed logic, or no logic at all. And "taking away our rights" doesn't really top the agenda of people who need bodyguards. Nor, I expect, the rationale for most assaults upon people who feel a need for bodyguards.
Re:What do you bet... (Score:5, Funny)
Provide a link or it didn't happen.
Wait ten minutes and then check Wikipedia ;)
No brainer (Score:4, Interesting)
Re:What do you bet... (Score:4, Insightful)
I believe in the 2nd amendment
Make the gun exam hard. Make it so difficult only a few people in a thousand can pass. And make it so that only those people would be allowed to carry guns, law enforcement, military, or otherwise.
Hmm, let's see here. You believe in the amendment that says the right to keep and bear arms shall not be infringed yet you want to set up a system that would only allow 1% or 2% of the population to exercise that right? I hope you can see how those two statements are at odds with one another.
BTW, if you made the test that hard the vast majority of law enforcement would flunk it.......
Re:What do you bet... (Score:4, Insightful)
Re:What do you bet... (Score:4, Informative)
Every able-bodied man between 18 and 45 is automatically in the militia.
Re:What do you bet... (Score:5, Informative)
for those who will demand the citation
10 usc 311
(a) The militia of the United States consists of all able-bodied males at least 17 years of age and, except as provided in section 313 of title 32, under 45 years of age who are, or who have made a declaration of intention to become, citizens of the United States and of female citizens of the United States who are members of the National Guard.
(b) The classes of the militia are--
(1) the organized militia, which consists of the National Guard and the Naval Militia; and
(2) the unorganized militia, which consists of the members of the militia who are not members of the National Guard or the Naval Militia.
it should be noted that well-regulated != organized
Re:What do you bet... (Score:4, Informative)
if you sign up for selective service (which you are required to...)
Bzzt, no selective service registration is required. From Title 10, Section 311 [cornell.edu] of the US Code:
The militia of the United States consists of all able-bodied males at least 17 years of age and, except as provided in section 313 of title 32, under 45 years of age who are, or who have made a declaration of intention to become, citizens of the United States and of female citizens of the United States who are members of the National Guard.
Re:What do you bet... (Score:5, Interesting)
Re:What do you bet... (Score:5, Funny)
I find it peculiar that they were willing to participate in criminal activity but could not bring themselves to spell the word "FUCKING".
Re:What do you bet... (Score:4, Funny)
Ah, nice. ESR is the perfect argument against an armed citizenry.
Every time some 12 year old posts "IMA KIL U U FAT FCK I AMA IRANYAN NINJA U NEVAR C ME CUMING!!!!1!!" on his blog, he craps his pants, buys another .45 extension for his shrinking penis, and gets another entry in his FBI "whackjob time waster" file.
Personally I think the entire "ESR" persona is the intartube's longest running piece of performance art, but it appears that some of his followers:
1) Actually believe that he's real and someone to be emulated...
2) Are armed.
Which is quite a worrying combination.
Re:What do you bet... (Score:5, Insightful)
I found this part really interesting:
Nice to see that - after they made their point - the organizers and attendees at "one of the most hostile hacker environments in the country" did the right thing and destroyed the data. I'm sure we could count on law enforcement, our employers and credit card companies to show the same moral character.
Re:What do you bet... (Score:4, Insightful)
I'm sure we could count on law enforcement, our employers and credit card companies to show the same moral character.
Ha ha very good! The sad thing is they would keep the data while telling the media they didn't, then justify keeping it when their lies are exposed, then mock outrage when it gets stolen, then bungled legislation when the peasants revolt. It's written in my tea leaves - which at least will be destroyed on MY say so!
Re:What do you bet... (Score:4, Insightful)
It's one thing to expose a security flaw, quite a different thing to exploit it. You're right, the Feds shoulda oughta known better; I'm sure the security issues with RFID are being given a closer look at several alphabet agencies as I write this.
You seem to be advocating some sort of vigilante action on the part of the people doing the demonstration, but I think that is exactly the wrong approach if your goal is to raise public awareness. If the people doing the demonstration had dug their heels in and kept the information they harvested, the likely result would have been arrests and confiscation of the information and headlines reading "Hackers Steal Identities of Federal Agents." This would have been wrong as well, and cause for much bitching on Slashdot, but would have done exactly nothing to address the insecurity of RFID.
By volunteering to destroy the data collected, Priest got the best of all worlds - the dangers of RFID were exposed, as was the ignorance of the general public to these dangers (including the people who oughta know better) and he left them with no opportunity to spin this as a story of Hackers Out Of Control.
Sometimes it's better to go after the big fish, rather than eat your bait.
Re: (Score:3, Insightful)
Re:What do you bet... (Score:4, Interesting)
My New York EDL came with a foil-lined protective sleeve.
Re:What do you bet... (Score:5, Interesting)
Re:What do you bet... (Score:4, Interesting)
I seem to recall that putting it in a microwave on the "defrost" setting for a minute or so had the same effect, without destroying the passport itself.
Think again. I tried this with a RFID'ed credit card just to see what would happen and the results were rather spectacular. The RFID chip was destroyed in under a second but generated a shower of sparks that melted a large portion of the credit card and rendered it completely unusable. Of course that was the point -- I'd made the credit card company send me a card without a chip in it -- but I'm guessing you don't want to try and use a scorched and carbonized passport.......
Finding this Slashdot article in your browser cache, and you being in possession of a disabled RFID passport might be enough probable cause to dig deeper and find more. And more.
It would take a bit more than a disabled RFID chip to get probable cause to search your computer. That said, I wouldn't try the hammer or the microwave with my passport. I'd be surprised if there isn't a law on the books about mutilating those types of documents. It's easy enough to keep the thing in a foil pouch until you need to use it -- and if I'm not traveling out of the country my passport lives in a safe deposit box anyway.
Re:What do you bet... (Score:5, Insightful)
You can microwave it. The RFID antenna collects too much power and fries the circuit. Should take a second or two.
While an inoperative RFID may not invalidate your passport, I suspect a big honking scorch mark in the middle of the thing just might.
Re:What do you bet... (Score:5, Insightful)
Not quite as satisfying however.
Re:What do you bet... (Score:5, Informative)
It is still valid. After returning from a long trip I went to bed and my wife did all my laundry from my trip, which included my passport and ipod nano in a shirt pocket. I was traveling again shortly after and tried to find someone who could tell me if it was still valid, but had no luck. I was going from the U.S. to Mexico and just figured I'd see how it went.
The agent tried to scan the chip and when it didn't work, just treated it like an older passport. I've gone out of the country with it again since then and had the same result.
I wouldn't recommend that approach, as is mentioned above, a hammer will do the job. It took me a while to dry out my passport then I had to leave it under a huge stack of books to get the pages flat again. Knowing that people keep them for 10 years makes me think that they must go through all kinds of things like that.
The nano took longer to dry out completely but still works.
I hope events like this (the scanning of the chips) keep getting attention so that something can be done before disabling the chip becomes synonymous with invalidating the document.
duh? (Score:5, Informative)
Why would they be surprised? This has been common knowledge for years.
If you have to carry an RFID'ed object that contains sensitive information, keep it shielded at all times or destroy it.
Re:duh? (Score:4, Insightful)
They're faithfully participating in a system which is intentionally insane. It's not that hard to understand...
wait a minute (Score:3, Informative)
They're attending a security convention with id cards that can be read from their pockets.
It's a good thing they didn't have rfid credit cards.
If it can be done, it will be done.
Cops (Score:3, Insightful)
So these sloppy mofos are the ones that are supposed to be "protecting" us? Laughable.
Misleading post text... (Score:5, Informative)
Federal agents at the Defcon 17 conference were shocked to discover that they had been caught in the sights of an RFID reader connected to a web camera...
erm... not quite what the Wired Article says:
But the device, which had a read range of 2 to 3 feet, caught only five people carrying RFID cards before Feds attending the conference got wind of the project and were concerned they might have been scanned
Still I suppose the Feds have probably hacked into the Wired Article and fixed that one...
The data was destroyed (Score:3, Informative)
"Priest asked Adam Laurie, one of the researchers behind the project, to "please do the right thing," and Laurie removed the SD card that stored the data and smashed it. Laurie, who is known as "Major Malfunction" in the hacker community, then briefed some of the Feds on the capabilities of the RFID reader and what it collected."
If they have done nothing wrong... (Score:5, Insightful)
...they have nothing to fear. Let's see how they like that argument used against _them_!
Silly Feds (Score:5, Interesting)
They should've used the foil protective sleeve provided with the document in question and recommended by the organization who provided the document.
I don't know about the new passports, but RFID-enabled New York State Enhanced Driver Licenses come with a foil sleeve and a recommendation to keep the license in the protective sleeve when not in use.
That's right - the government is providing tinfoil hats for your RFIDs already.
Re:Silly Feds (Score:4, Insightful)
I don't know about the new passports, but RFID-enabled New York State Enhanced Driver Licenses come with a foil sleeve and a recommendation to keep the license in the protective sleeve when not in use.
That's right - the government is providing tinfoil hats for your RFIDs already.
As asinine as possible. The advantage of RFID is convenience. Let's use it and then make it less convenient to use.
General lesson: Convenient or secure. That's an XOR.
Missing the point. (Score:5, Insightful)
I'm sure some people are pushing for RFID for the wrong reasons, but I'm all for it as a replacement for barcodes as far as keeping stock goes. Imagine going to Walmart, and your shopping buggy automatically tells the clerk how much money you owe! Well, that might be a ways off, but it's possible.
I think RFID is an awesome tech, it just has a risk for being abused. Just like barcodes are awesome, but we don't want them on our forehead (unless we're playing Shadowrun, then it's 'cool').
Re:Missing the point. (Score:5, Insightful)
RFID tracking people = NOT OK
Re:Missing the point. (Score:5, Funny)
I don't wear a tinfoil hat, but ... (Score:5, Interesting)
Re:bar-codes (Score:5, Insightful)
Re:bar-codes (Score:5, Insightful)
Right, but they sure can read whatever your RFID has to say. The problem is twofold:
1) Ignorant implementers put sensitive data on RFID's in plaintext.
2) Users are unaware of what data is actually *in* their RFID items.
RFID tags are dumb, low powered, even passive devices. If you can't afford active RFID's with public key encryption, don't put sensitive data on the damn things!
Re:bar-codes (Score:5, Insightful)
There is no bar code on my passport, credit card or driver's license. Even if there was, it's unlikely that person sitting at the next table with a portable bar code reader could read the bar code off my Visa card while it's in my wallet.
Re: (Score:3, Insightful)
That's scary!
Re:bar-codes (Score:5, Interesting)
Re:bar-codes (Score:5, Insightful)
Re:The Federal Agents weren't Pwnd (Score:5, Insightful)
There's nothing particularly special on the RFID chip. A parking facility card and a passport generate the same amount of interesting information. A unique ID. Whew!
The problem is when you have another government computer that is counting on the Unique ID to be a UNIQUE ID, and using ONLY THAT parameter (plus other info also on the card) to identify someone - congratulations, you have just stolen someone else's identity.
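The two points raised in the comments above (tags that hand out their data to any reader, and a backend that treats the bare unique ID as the whole credential) can be compared in a short simulation. This is an added example, not part of any comment: the UID, key, class and function names are constructed, and an HMAC challenge-response stands in for the public-key scheme one commenter mentions.

```python
import hashlib
import hmac
import secrets

# Constructed sample values, not taken from any real card or system.
ENROLLED_UID = "04A1B2C3"
CARD_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")

def tag_mac(key, uid, nonce):
    """Keyed response a tag computes over the reader's nonce and its own UID."""
    return hmac.new(key, nonce + uid.encode(), hashlib.sha256).digest()

class Tag:
    """Simulated tag: always discloses its UID, answers challenges with its key."""
    def __init__(self, uid, key):
        self.uid = uid
        self._key = key
    def respond(self, nonce):
        return tag_mac(self._key, self.uid, nonce)

class ReplayTag:
    """Simulated copy that can only repeat one previously recorded response."""
    def __init__(self, uid, recorded):
        self.uid = uid
        self._recorded = recorded
    def respond(self, nonce):
        return self._recorded

def uid_only_backend(uid):
    """The design the comment warns about: the UID is the sole credential."""
    return uid == ENROLLED_UID

def challenge_backend(tag):
    """Issue a fresh nonce and verify the keyed response in constant time."""
    if tag.uid != ENROLLED_UID:
        return False
    nonce = secrets.token_bytes(16)
    return hmac.compare_digest(tag_mac(CARD_KEY, tag.uid, nonce), tag.respond(nonce))

def demo():
    genuine = Tag(ENROLLED_UID, CARD_KEY)
    recorded = genuine.respond(secrets.token_bytes(16))  # one observed exchange
    replay = ReplayTag(genuine.uid, recorded)
    return {
        "uid_only_accepts_copied_uid": uid_only_backend(replay.uid),
        "challenge_accepts_genuine": challenge_backend(genuine),
        "challenge_accepts_replay": challenge_backend(replay),
    }
```

The UID-only check accepts anything that presents the right number, while the challenge-response check rejects a copy that holds the UID and a recorded answer but not the key.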
Re:The Federal Agents weren't Pwnd (Score:5, Interesting)
Paget announced during his DefCon talk that his security consulting company, H4rdw4re, will be releasing a $50 kit at the end of August that will make reading 125-kHz RFID chips -- the kind embedded in employee access cards -- trivial. It will include open source software for reading, storing and re-transmitting card data and will also include a software tool to decode the RFID encryption used in car keys for Toyota, BMW and Lexus models. This would allow an attacker to scan an unsuspecting car-owner's key, decrypt the data and open the car. He told Threat Level they're aiming to achieve a reading range of 12 to 18 inches with the kit.
Just wait until someone creates a small RFID reader and hooks it up to an iPhone in their pocket (a combo that would be virtually undetectable) and starts walking through the subway collecting info. We can already pick up the credit card owner's name, credit card number, expiration date, etc. right off of the RFID tags present in AMEX cards.