Jennifer Granick's awesome explanation

Imagine if, in the 1970s, the tobacco companies had patented devices to measure the health effects of smoking, then threatened lawsuits against anyone who researched their products.

I’ve never heard such a clear explanation of why threats to security research are bad. From “Patently Bad Move Gags Critics,” in Wired.

The same can be said of sweeping breach information under the rug. We’re better off if we talk about it.

HIDing At Blackhat

Now HID is claiming that they did not demand that Chris or IOActive cancel their talk. As a result, the talk is back on, but with the details about the device and the demo expurgated. As Chris has repeatedly said, this attack is completely generic and works against any passive RFID tag.
Nicole Ozer, Technology & Civil Liberties Policy Director for the ACLU, is also scheduled to speak after Chris to cover the privacy issues around RFID.
[Update 1: Chris: “If you even think about doing this sort of thing, have a patent lawyer”]
[Update 2: HID seems confused about what constitutes a demand. From Chris’s presentation and the original letter from HID:

We understand … that you intend to publicly present and publish additional information about your spoofer at the Black Hat convention … We believe such presentation will subject you to further liability …
…hereby demand that you refrain from publishing any information at any public forum including the upcoming Black Hat convention…

Furthermore, HID hints heavily at burying IOActive in law suits by saying:

…we will have no recourse but to pursue all available remedies against you and IOActive
impossible for HID to provide a covenant not to sue

As a result of this letter, Chris stated that he and IOActive felt they could not risk being put out of business by the costs of a lawsuit brought on by covering the HID-specific portions of the talk.
[Update 3: Quotes above are from Chris’s slides.]
[Update 4: Full text of the letter from HID has been posted by the ACLU. Also Nicole Ozer has posted her own take on the issues discussed today at Blackhat.]
[Update 5: Jennifer Granick weighs in with some scary thoughts:

HID Global reportedly pointed to two of its patents for card readers — No. 5,041,826 and No. 5,166,676. The important parts of a patent are the claims. To infringe a patent, one must make, use, sell or offer for sale an invention described by the patent’s claims without the patent owner’s authorization.
Paget doesn’t sell his reader, which you can see him demonstrate here. But he did make it. So if it operates identically to the card readers described in HID’s patents, then the company’s legal threat actually makes some theoretical sense. That should scare everyone reading this.]

[Update 6: Clone your verichip. This technique should work on similar RFID chips….]

Medical Privacy News

There’s a great editorial about how your prescriptions are bought and sold all over the place, “Electronic prescribing is no panacea” by Dr. Deborah Peel, in Government Health IT. Also, Health Care IT news reports that “Federal privacy panel leader resigns, raps standards:”

The leader of a federal panel charged with providing privacy recommendations for the national health information network resigned Wednesday, thwarted, he said, in efforts to develop adequate standards.

No, seriously

Somebody — I want to say Rich Mogull, but I cannot find the reference — wrote sarcastically about breach notices almost always saying “At $COMPANY we take security seriously….” as they report how, well…you know.
I just finished scanning 183 notice letters I got from New York, covering the last half of 2006. Using an extremely inelegant hack involving pdftotext and grep, I can report that a mere 35 of the 183 contain the word “seriously”.
Update: In the comments, Rich says it wasn’t him. Dan Gillmor is the leading candidate.

Rootkit on a Stick
The SnoopStick offers full realtime monitoring of another computer. It’s Vista-ready, too, which perhaps says something about Vista security, or perhaps about people who have had trouble working with Vista, or both.

Any time you want to see what web sites your kids or employees are visiting, who they are chatting with, and what they are chatting about, simply plug in your SnoopStick to any Windows based computer with an Internet connection and a USB port. SnoopStick will automatically connect to the target computer.

There is other amusing information on the web site, such as:

All SnoopStick monitoring messages are sent through our data centers, and none of the information is stored here locally at any time. Additionally, all SnoopStick messages passing through our systems are encrypted with an industry standard encryption algorithm.

Solid Oak and its employees are not able to view any SnoopStick activity sent through our networks because of the encryption used by all components of the system. You can rest assured that the information gathered by SnoopStick is only accessible by the owner of that particular SnoopStick.

What a relief! An industry-standard encryption algorithm. Wanna bet it’s in ECB mode, with known headers? And what about the IP addresses the messages are coming from, and so on. I’d love to see a security analysis of this thing. Even better would be to see what AV and anti-spyware systems will catch it, and if not then why not?
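To make the guess above concrete, here is an added example (not code from the post, and nothing to do with SnoopStick's actual implementation) showing what "encrypted with an industry-standard algorithm" buys you when the mode is ECB and every message begins with a known header. The block cipher is a toy Feistel network built from HMAC-SHA256, standing in for a real cipher such as AES; the MONITOR-REPORT header and the messages are constructed for the demonstration, and no assumption is made about the real product's protocol.

```python
"""Why 'an industry-standard algorithm' is not enough: ECB mode with fixed headers.

Added example, not SnoopStick code. The block cipher below is a toy Feistel
network built from HMAC-SHA256; it stands in for a real cipher such as AES.
"""
import hashlib
import hmac
import os

BLOCK = 16      # block size in bytes (same as AES)
ROUNDS = 8

# Constructed, hypothetical message format: every report starts with the
# same fixed header, which is the "known header" the post speculates about.
HEADER = b"MONITOR-REPORT/1 kind=url host="


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key: bytes, i: int, half: bytes) -> bytes:
    # Keyed round function: HMAC-SHA256 truncated to half a block.
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[: BLOCK // 2]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Encrypt one 16-byte block with a balanced Feistel network."""
    l, r = block[: BLOCK // 2], block[BLOCK // 2 :]
    for i in range(ROUNDS):
        l, r = r, _xor(l, _round(key, i, r))
    return r + l  # final swap keeps encrypt/decrypt symmetric


def block_decrypt(key: bytes, block: bytes) -> bytes:
    l, r = block[: BLOCK // 2], block[BLOCK // 2 :]
    for i in reversed(range(ROUNDS)):
        l, r = r, _xor(l, _round(key, i, r))
    return r + l


def _pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK  # PKCS#7 padding, always at least one byte
    return data + bytes([n]) * n


def _unpad(data: bytes) -> bytes:
    return data[: -data[-1]]


def _blocks(data: bytes):
    return [data[i : i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """ECB: each block is encrypted independently, so equal plaintext blocks
    give equal ciphertext blocks, every time, in every message."""
    return b"".join(block_encrypt(key, b) for b in _blocks(_pad(plaintext)))


def ecb_decrypt(key: bytes, ciphertext: bytes) -> bytes:
    return _unpad(b"".join(block_decrypt(key, b) for b in _blocks(ciphertext)))


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """CBC: each block is XORed with the previous ciphertext block (or the
    IV) first. Hides repetition only if the IV is fresh for every message."""
    prev, out = iv, []
    for b in _blocks(_pad(plaintext)):
        prev = block_encrypt(key, _xor(b, prev))
        out.append(prev)
    return b"".join(out)


def shared_prefix_blocks(ct1: bytes, ct2: bytes) -> int:
    """How many leading ciphertext blocks two messages have in common."""
    n = 0
    for a, b in zip(_blocks(ct1), _blocks(ct2)):
        if a != b:
            break
        n += 1
    return n


def repeated_blocks(ct: bytes) -> int:
    """How many ciphertext blocks within one message duplicate an earlier one."""
    bl = _blocks(ct)
    return len(bl) - len(set(bl))


def demo() -> dict:
    """Compare what an observer on the wire learns under each mode."""
    key = os.urandom(BLOCK)
    m1 = HEADER + b"example.com/page1"
    m2 = HEADER + b"example.org/login"
    m3 = HEADER + b"A" * 48  # a report with repetitive content
    fixed_iv = os.urandom(BLOCK)
    return {
        "ecb_header_leak": shared_prefix_blocks(ecb_encrypt(key, m1), ecb_encrypt(key, m2)),
        "cbc_reused_iv_leak": shared_prefix_blocks(cbc_encrypt(key, fixed_iv, m1),
                                                   cbc_encrypt(key, fixed_iv, m2)),
        "cbc_fresh_iv_leak": shared_prefix_blocks(cbc_encrypt(key, os.urandom(BLOCK), m1),
                                                  cbc_encrypt(key, os.urandom(BLOCK), m2)),
        "ecb_repeats": repeated_blocks(ecb_encrypt(key, m3)),
        "cbc_repeats": repeated_blocks(cbc_encrypt(key, os.urandom(BLOCK), m3)),
    }


if __name__ == "__main__":
    print(demo())  # header/repeat leaks of 2 and 1 under ECB, 0 with fresh IVs
```

The counts are what a passive observer on the wire sees without the key: under ECB, every message with the same header opens with the same two ciphertext blocks, so message types (and any repeated content inside a message) show up as patterns even though the bytes are "encrypted". CBC only helps when the IV is fresh and random for every message; reusing one reproduces the header leak. None of this touches the traffic-analysis point the post also raises (source IP addresses, message timing and sizes), which no mode of encryption hides.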

Picture of the SnoopStick shamelessly appropriated from their web site, because I didn’t want their weblogs to get the information. It’s bad enough to write about them at all.

Vote Positively With Your Pocketbook

Adam Frucci at Gizmodo is calling for action, “Putting Our Money Where Our Mouths Are: Boycott the RIAA in March.”

I don’t disagree with him on the basics. I believe that consumer revolt is a misunderstood power. If you don’t believe me, I can prove it with one TLA: DAT. If your response to that is, “Huh?” then you’ve proved me right. The details of that are another essay, however.

However, there’s more to it than that. Boycotts are not as effective as purchase-shifting. If you just don’t buy any CDs, one line in an accountant’s ledger will go down, and the conclusion they’re going to draw is that they have to hold tighter to what they have. There are no atheists in foxholes, but there are clinchpoops, and they clinch their poop tighter.

Subscribing to eMusic is a good idea. If you haven’t, do so. If you regularly buy music, you will find enough on eMusic that the monthly fee will save you money.

Better, go to CDBaby, Yep Roc, Compadre, and others. Even better, many, many small artists sell their music from their own web sites, often through a small label. As nice as eMusic is, relatively little of the money you give them gets into the hands of the musicians; buying CDs as close as possible to the musicians themselves is the best way to get them what they deserve. Don’t wait for Friday, do it now.

Blackhat Do It Again

Looks like HID hasn’t learned anything from Cisco’s experience two years ago. One of these years more vendors will learn how to manage vulnerability disclosure and follow the lead of companies like Microsoft and Cisco rather than sticking their foot in it.
Chris Paget, a well-respected researcher, is going to present at Blackhat Federal tomorrow on how to build your own proximity card cloner. Infoworld broke the story yesterday. Some choice bits:

Asked why HID hasn’t addressed the issue in more recent proximity card systems, after knowledge of RFID threats became common, Carroll said that doing so would cause “major upheaval” among customers.
Inertia is a more likely cause, said Dan Kaminsky, director of penetration testing at IOActive.
“They didn’t want to change to a more secure implementation because of backwards compatibility issues, and they had a lot of sites that use these cards, and HID has stuff to sell them,” Kaminsky said.

Dan, as always, can be counted on to say something both interesting and provocative:

“The technology is very convenient, but don’t interpret the convenience as security,” Kaminsky said. “At the end of the day, many companies are essentially using barcode technology to control access to their facilities. I’d posit that perhaps there are more secure technologies out there.”

Jeff Moss however nails the real issue.

It’s just so frustrating from a security standpoint. Now anytime someone wants to talk about anything, they need a team of lawyers. Even when it’s about commonly understood problems.

[Update: HID is claiming that the talk infringes on their patents. As a result of the litigation threat, Chris Paget/IOActive are pulling the talk and it will be replaced by a presentation from the ACLU about privacy risks of RFID. Hopefully they will also cover the chilling effects of legal threats like this on the entire security industry as well.]
[Update 2: Rob Lemos has much more detail.]

It’s "privacy," Jim, but not as we know it.

The Canadian Privacy Commissioner has issued a number of new rulings, essentially ruling that anyone in Canada can demand ID from you whenever they want. The first, summarized by Michael Geist in “Privacy Commissioner on Domain Name Registrant ID Requirements”, says:

requirements of personal identification, such as a driver’s license, in order to change the administrative email address for a domain name registration…was reasonable.

Which is odd, because my drivers license doesn’t contain my email address. Also odd is the idea, in a second case “PIPEDA Case Summary #361, Retailer requires photo identification to exchange an item” that “The investigation established that the information from the piece of identification is not recorded at this store.” Except in the paragraphs prior, they found that:

The store’s purpose for collecting the customer’s name, address and telephone number is to protect against fraud and error in order to protect its customers and business. It asks for photo identification in order to verify that the information provided by the customer is accurate.

So…information is taken down, and verified against the card, but not taken from the card. Would things be any different if they copied the information directly from the card?

It seems to me that these decisions are a great blow to privacy in Canada, essentially nullifying the common law tradition of being able to use whatever name one wants to use in one’s day to day business.

Remember, all non-trivial privacy fears come true. I’m confident that there were claims that driver’s licenses wouldn’t be needed for normal everyday life, and that privacy advocates predicted this.

Emergent Meanings of Privacy

There’s a really fascinating article in New York Magazine, “Say Everything:”

And after all, there is another way to look at this shift. Younger people, one could point out, are the only ones for whom it seems to have sunk in that the idea of a truly private life is already an illusion. Every street in New York has a surveillance camera. Each time you swipe your debit card at Duane Reade or use your MetroCard, that transaction is tracked. Your employer owns your e-mails. The NSA owns your phone calls. Your life is being lived in public whether you choose to acknowledge it or not.

Dan Kaminsky keeps telling me that, too. It’s worth reading the article. Virginia Postrel has some interesting commentary, “The Transparent Society and its clueless adult enemies.” I think the most insightful comments come from Paul Saffo, in “Retroprobrium and mutually assured embarrassment:”

Several comments to my 2/17/02007 posting have noted that in a future transparent society, no one will make fun of their friends’ past postings because everyone will be in the same confessory boat. The problem with this argument is that we don’t judge behavior by the standards of the time when it occurred; rather, we consistently engage in retroactive opprobrium — retroprobrium — judging past actions by present standards.

To me, a key element of privacy is that the past is reasonably ephemeral: only the most important elements get remembered, and the cost of search is high. This is changing, and we don’t fully understand where we’re going.

The Canadian government has recently obtained access to US conviction records, as reported in the San Francisco Chronicle, “Going to Canada? Check your past:”

Canadian attorney David Lesperance, an expert on customs and immigration, says he had a client who was involved in a fraternity prank 20 years ago. He was on a scavenger hunt, and the assignment was to steal something from a Piggly Wiggly supermarket. He got caught, paid a small fine and was ordered to sweep the police station parking lot.

He thought it was all forgotten. And it was, until he tried to cross the border.

“This,” [an attorney] says, “is just the edge of the wedge.” Who would have thought a single, crazy night in college would follow you around the world?

I certainly would never have thought so. If I had, I might write an article with a title like “Long Term Impact of Youthful Decisions.”

Photo: “How to tell you’ve had a good day,” by Andrew Murray.

[Edit: fixed broken html -Arthur]

A telling remark

In the “inconvenient coincidences” category, it seems that Al Sharpton’s great-grandfather was a slave owned by relatives of the late segregationist US senator Strom Thurmond.
Thurmond’s niece, Ellen Senter (via an AP report) provides an interesting perspective:

“I doubt you can find many native South Carolinians today whose family, if you traced them back far enough, didn’t own slaves,” said Senter, 61, of Columbia, South Carolina.

Except, that is, for the ones who were slaves, Mrs. Senter.