Category Archives: Security

Dog House: RFID for Dogs

The Guardian has a nice write-up of the issues surrounding pet RFID tags. They point out the compatibility issues with varying standards and readers, and claim that a bigger market wouldn’t have the same interoperability challenges:

Finbar Heslin, a vet in the Irish Republic who has worked to try to streamline Irish microchipping standards, says part of the problem is that RFID chips have been developed for a different market. “The idea behind microchipping is excellent. The downside is that you’re taking the technologies from the logistics industry and trying to apply them to animals.”

Logistics is a huge market for RFID and so there is a greater incentive to adhere to standards. “But with animals, the RFID market is small, and there are no standards, even across Europe,” says Heslin.

In both Britain and Ireland, the situation has been what he calls “a free for all”, because distributors weren’t licensed and cheap, non-ISO chips were sometimes brought in from abroad.

I’m not so sure about that. Even huge lucrative markets see the same interoperability hurdles and a lack of consistency across vendors. I brought up something similar back in early October 2005 on Schneier’s blog, specifically with regard to the debate in Congress about how and when to upgrade America’s animals.

San Jose Rails

Dog poop on rails

Somewhere someone is busy designing the next generation of skate-board proof railings and curbs.

The irony I see is that the market has generated overly bland and simple rails and curbs to begin with, which has led to exploration by skaters looking for something challenging to do with themselves.

Had the railings been more integrated and delicately created from the start (e.g. more thought/creativity = more expensive) then they would be less likely to be turned into the very thing they seemed destined for — cheap thrills. Some might think that a quick fix will remove the vulnerability of the lowly hand-rail to the threat of eager kids on wheels, and they’re probably right.

Think about it, though. Would you rather a handrail have the look of “damn kids, these metal poop-strips will teach them a thing or two about respecting property” or something more like “grab me and I will help you be safely on your way”. Come to think of it, should we first look at whether stairs are even necessary or just less expensive landscaping?

Sweet Ethanol

The BBC has posted an interesting perspective on the ethanol industry in Brazil. Here’s the key to the article:

More than 80% of new cars now sold in Brazil are equipped to use ethanol as well as gasoline. Both fuels are available almost everywhere, and since ethanol can cost about a third less than petrol per litre at the moment (though the mileage is not quite as good), the home grown fuel is more popular than the foreign import.

Mileage not quite as good, eh? Here’s an idea: mix that ethanol with waste vegetable oil, put it into a diesel engine, and watch your average mileage double. I think people get too hung up on a purist vision of the next energy source. Even the biodiesel folks I often meet are “100% veg” this and “pure-bio” that. Let’s face it, the infrastructure doesn’t exist yet (to support biomass energy creation and distribution) and the engines aren’t sophisticated enough yet (to run on multiple forms of energy), so let’s find a best-fit blend that can significantly reduce dependence on insecure sources of energy without wasting any more time. It’s a game to find a new set of trade-offs to replace the old ones, which are no longer sustainable, without falling into another trap of over-consolidation or unsustainability.

Why diesel? Because it was designed from the start to adapt to any form of oil: vegetable, animal, or even mineral. If you marry that together with an electric, hydrogen, or other engine you get a wide variety of options and a far more competitive market.

RSA Badge: Insider Edition

Curiosity got the better of me and so I held up a bright light to my badge. The internal antennae were readily apparent. RFID it is, I guess. Then I simply peeled the two layers apart to reveal the metal inside. Note the fake smartcard print on the face:

Identity 2006

RFID surprise

A total of six little lines run around the edges of the badge and end up connecting to a strip just below the Taj image on the right. A tiny slice or pin-prick through these lines would kill the tag without any obvious damage. I wasn’t particularly careful because, well, I was feeling impatient and a bit cavalier. A clean job can be accomplished by sliding a razor gently and repeatedly along the edge of the badge and peeling up the label on the back, then lightly slicing the metal lines, then gluing the label back in place and applying pressure. Of course my badge rarely worked anyway and I refused to take it out of its little plastic pouch (when it wasn’t in my pocket), so this is hardly a burning issue. In fact, after several attempts to read my badge on the first day HP actually asked me to type my info into their system by hand…had I been more patient, and the card more reliable, I would have first tried to read the thing and see how the data was stored. Maybe next year.

I also noted that someone left themselves logged into the badge station in the afternoon when there was just one bored guard standing around. That seemed especially sloppy to me and made me wonder if anyone had ducked behind the desk to print their own badges on the sly.

Create your badge here

“Dark February” falls upon Nigeria

More bad news for the petroleum industry:

The Movement for the Emancipation of the Niger Delta [MEND] has given oil companies and their employees until midnight on Friday night to leave the region.

It recently blew up two oil pipelines, held four foreign oil workers hostage and sabotaged two major oilfields.

The group wants greater control of the oil wealth produced on their land.

The warning came as militants and the army exchanged fire after a government helicopter gunship attacked barges allegedly used by smugglers to transport stolen crude oil.

This seems to be the nature of artificially high concentrations and control of “natural” resources, which I wrote about here. The rebels are apparently smuggling oil out in exchange for weapons in Eastern Europe. The economic considerations are obvious and bring to mind the massive impact biofuel could have on both weapon exports and the related fight for control of petroleum.

Hungarian Election Hack

The Budapest Business Journal has reported an interesting twist in an election race:

A statement published on the web page of the party’s parliamentary group said that the documents had been obtained from a site “accessible with a user name and password available to anyone.”

For some reason the South African Mail and Guardian has posted this version of the story:

Hungary’s main opposition party, Fidesz, said on Thursday that it had made a “serious mistake” in hacking into the server of the governing Socialist party ahead of the April general elections.

Anyone else wonder if the user:password was fidesz:fidesz?

RSA Badge Challenge redux

Well, I said I would post more, and then I actually posted several things over on Bruce’s blog…odd that he took the $100 fee I mentioned to him as gospel. Anyway, the bottom line is that Bruce said I should try to get in without my badge because it wouldn’t work if he tried it (I said he should do it, but he claimed he is too well recognized — yes, I am transferring all blame to Bruce). He had asked me to email the results of my tests, but I guess I didn’t get done in time for his blog entry to pop up.

Anyway, I did as told by the great Bruce and stuck my badge in my pocket and just wore the lanyard and plastic holder with the pocket agenda. The only thing I didn’t try was just walking right up to the booth and saying “I need a new badge, what will that cost me?” I probably would have done it, too, if I hadn’t found it so easy to walk around badgeless. Sadly, I wasn’t challenged sufficiently to actually have to produce my badge. In fact, on a few occasions I had to actively look around and seek out the guard who was stationed at the main doors. The presentation rooms had a single person for a huge crowd and there were so many issues with the readers during the sudden influx of people that I was not the only person literally forced to enter without my badge being carefully checked.

All-in-all a bizarre situation for a security conference. I started to feel like I needed to beg people to challenge me for my badge so that I could see if the $1900 replacement fee was for real. In fact, at one point I put my badge back on just to see if it mattered and was still working. Of course, at that point I was scanned. Dumb luck, I guess, or it could have been because the woman in line in front of me said she worked for Homeland Security. Alas, sometimes a hypothesis leads to a completely different set of conclusions than was originally expected.

Overall the conference was a huge benefit to me as I managed to meet several people who can help with the secret key issues I’m working on, and I learned a great deal of very useful tidbits from security industry luminaries like Ron Gula and Crispin Cowan (just in casual conversation outside the conference). McNealy’s presentation was very funny and helped me understand how Sun plans to get back on track. His human message was also very appreciated. Honestly I had given up on them back around Solaris 7, but they definitely seem to be back in the swing of things with Open Solaris and Office…tempting to see what it would take to replace our Windows desktops that are mainly used for analytics and email. In the Expo I was particularly impressed with the Identity Engines product and the Array SSL VPN (very fast, very clean). The food was sufficiently edible as well.

I give the conference high marks for bringing so many great minds together, but I really wish they would sort out the conference badge/identity situation properly (hey, this is a chance to really do something secure and efficient and not just talk about it) and work on quality/quantity of presentation issues. A DoJ speaker actually started her talk with “RSA sent me some presentation gurus. They said that I need to use humor and avoid going off-topic into the weeds”. Then she put up a cartoon and said “ok, here’s some humor” and then she proceeded to immediately head right into the weeds, so far off-topic that she (and her presentation buddy) became too lost to continue the slides. Oh, and I can’t forget that at one point she looked at a symbol for the British pound and said “um, that’s in Lira, right?”. I know, boring trivial stuff, but the presentation was so bad I had to wonder what might have been rejected from the conference.

Windshield washer fluid and privacy

I attended a panel discussion yesterday on identity management and privacy. One of the pundits made the observation, in a rather ostentatious manner, that he had been asked for his address when he tried to buy windshield washer fluid at a store. “Kragen shall remain nameless…they had no business reason for this information” he thundered.

Unfortunately, this is the kind of uninformed position that is all too common in information security. People get their shorts up in a bunch about privacy, which is all fine and good, but then they seem to think that everything must be an invasion of their personal rights even though they do not take even the most basic step to confirm/review the risks in their entirety.

Call it the uninformed consumer, if you will, but this guy had all the hallmarks of an American cultural tradition of shoot first, ask questions later. Not the sort of thing I would have expected from a panel at RSA. In fact, the presenter said he was forced to exit the store without his washer fluid — the business was plain wrong and they lost his business. Good for him, but did he try to find out why a business might be forced by the authorities to treat windshield washer fluid as a controlled substance (as opposed to just a random opportunity for marketing data)?

Anyone familiar with engine tuning or meth lab investigations knows the market dynamics of windshield washer fluid (about 30% methanol), not to mention the market for the bottles themselves. Moreover, anyone familiar with the properties of methanol knows the environmental and health impact of its widespread use for illegal purposes.

This begs the question of how effective the control might be (e.g. compared to removing the methanol from the fluid, since even in normal/legal use it’s a toxic substance that is being sprayed into the air and all over the roads that people live on), but in this instance I just wanted to point out that a store is unlikely to let the employees know why they have to ask for the address/information, but at the same time the consumers might be happy to know that the police are trying to cut down on highly-toxic uses of meth in their neighborhood.

This reminds me of Cory Doctorow’s explosive reaction to an American Airlines screener (for now I’ll skip the more well-known example of the hunt for WMD). Profiling is a critical component of our every day lives and people need to learn to seek and sufficiently understand an “other” perspective before they rush into action and demand reform/justice. There are few things more counterproductive in security than reacting to the symptoms and causing widespread outages. In fact, if more people just did a little bit of “root cause” analysis, we might find a more informed and democratic path of resolution for real and present dangers to their livelihood. This would actually help law enforcement by taking the burden of ad hoc policy creation away so they can get back to their proper focus on enforcement.

EFF sues AT&T over wiretap

I wonder if this case will go better than their others…

The Electronic Frontier Foundation (EFF), based in San Francisco, filed the suit against AT&T for giving the NSA direct access to its databases of communications records, including whom their customers had phoned or sent e-mail to in the past. The suit was filed Tuesday in the United States District Court of the Northern District of California. […] The EFF alleges that this behavior on the part of AT&T violates several federal laws, including the Electronic Communications Privacy Act (ECPA), he said. It also violates the first and fourth amendments, which protect U.S. citizens’ right to speak freely and not to be subject to unreasonable searches, Bankston said.

US surveillance to go deeper with ADVISE

The Christian Science Monitor reports that the US government is secretly developing a surveillance system called Analysis, Dissemination, Visualization, Insight, and Semantic Enhancement (ADVISE):

The US government is developing a massive computer system that can collect huge amounts of data and, by linking far-flung information from blogs and e-mail to government records and intelligence reports, search for patterns of terrorist activity.

The article has a side-bar noting that, according to US Government auditors, SecureFlight held records on 43,000 people not accused of terrorism. This points directly at the very real threat of data-mining being used for nefarious, non-security-related purposes.

ADVISE is apparently meant to stitch together a vast array of data points in order to more accurately understand behavior and avoid false positives. However, an analytics expert from IBM had this to say about the current capabilities of such a system:

Techniques that “look at people’s behavior to predict terrorist intent,” he said, “are so far from reaching the level of accuracy that’s necessary that I see them as nothing but civil liberty infringement engines.”