Saturday, August 16, 2008

"You're doing it wrong"

XKCD on antivirus software in voting machines

RFID conference neglects risks

The CASPIAN mailing list recently mentioned a protest which was held against a conference on RFID in clothing. The controversial aspect of the conference is the proposal to uniquely tag individual items ("item-level tagging"), which has potential for serious post-sale privacy problems. In most existing tagging schemes, all equivalent items have the same tag code, and tracking of an individual item isn't possible. Where individual items have to be tagged (e.g., library books), encryption and other techniques can and should be used to protect people's privacy. Otherwise third parties may be able to read the tags and make illegitimate use of the information.

The conference agenda mostly brushes over the issue. One item description asks, "Can privacy and other issues be overcome, or will they inhibit adoption?" This doesn't make it clear whether "overcoming" would consist of overcoming the problem -- making sure threats to privacy are minimized or eliminated -- or just overcoming the issue -- persuading people with smooth words that there's really no problem. Another item addresses "how to ensure customer privacy," and the speaker is an engineer (greatly outnumbered on the program by sales and management types); perhaps that item had some substance.

An article in RFID Journal discusses item-level tagging in connection with the conference:

[Roberto] Montanari says, the lab and its fashion board members have seven overall goals. These goals, he explains, are to measure the impacts of item-level tagging on retail business processes; determine the most appropriate tag construction for specific needs; gauge the impact of item-level tagging on the perceptions and purchasing behavior of consumers who are the fashion companies' customers; test the tags' performance; determine the usefulness of RFID as a tool to deter the sale of counterfeit garments to the public; assess the environmental impacts of large-scale tagging; and ascertain whether RFID can be deployed to effectively reduce shoplifting.

Notice what's conspicuously missing from that list of goals: There's nothing about privacy and security concerns.

Friday, August 15, 2008

MBTA makes an absurd claim

Universal Hub has posted the MBTA's latest filing (PDF) against the MIT students, in an effort to keep its restraining order in effect. It pushes hard on the problems which I mentioned in my earlier post; the slide show implied that the people who heard the talk would leave knowing how to do illegal things to the MBTA's fare system.

If the MBTA claimed simply that distributing the information would put it at risk, it might have a chance. But it goes far beyond this, asserting: "Moreover, the Presentation's plain language demonstrates that the Individual Defendants' conduct would intentionally – and not inadvertently – cause damage to a protected computer, as evidenced by the Defendants' recognition of the illegal nature of the conduct." This claim is central to the document, and it is a flat absurdity. The T is trying to equate the reporting of criminally exploitable weaknesses with "plain language" expressing criminal intent.

In fact, the MBTA accuses the students of inciting illegal activity, claiming that their report "is directed to inciting or producing imminent lawless action and is likely to incite or produce such action." The language being quoted there was intended to apply to pushing a crowd to riot or something similar. The MBTA is claiming not only that the people hearing the presentation would engage in illegal break-ins, but that they would do so imminently, presumably stirred to a frenzy by the presentation and able to turn the information to practice while in an emotionally charged state.

The MBTA's claims are lunatic. I expect the T will get slapped hard for this. At least it should.

A lot of the comments on the post are worth reading, by the way.

Cartoons on Muhammad and more

Wendy McElroy reports that RightBias has offered a (mostly) new set of cartoons on Islam. One of my favorites has a group of bearded men with shocked expressions looking at a letter that says "To the Taliban: Give us Osama Bin Laden or we'll send your women to college." Two of the Jyllands-Posten cartoons are included. So are four items which clearly aren't cartoons.

Whatever you think of the humor, the courage behind posting such stuff is the right answer to terrorist threats. Random House, on the other hand, recently showed it has no courage at all, pulling the publication of The Jewel of Medina after receiving "cautionary advice" from an unnamed religious thug.

Random House has given a huge boost to the thugs, telling them they can stop any book by threatening violence. Congratulations to RightBias for not doing the same.

Tuesday, August 12, 2008

Cyberwarfare in Georgia

The Internet and Democracy Project at Harvard reports that the Russian invasion of Georgia has been accompanied by denial of service attacks on official Georgian websites, including the President’s Office, the Ministry of Foreign Affairs, and the Ministry of Defense.

In addition, I've noticed that Russia has loosed its most fearsome weapon of cyberwarfare: Internet trolls! A number of low-volume blogs which I've seen have gotten incoherent pro-Russian comments in unusual volume. (Most often they claim there was no invasion!) It will be interesting to see if mentioning Russia and Georgia draws them here.

Sunday, August 10, 2008

How not to discuss a security problem

The MBTA obtained a restraining order against three MIT students, preventing them from giving a talk on weaknesses in the T's "Charlie Card" system. My initial knee-jerk reaction was that this was a typical case of using lawsuits to keep people from realizing what a bad job someone had done with security; but as I read more, it looks as if the students went beyond reasonable bounds.

There is a PDF document of the students' intended slide show on The Tech's website. It says near the start:

You'll learn how to

  • Generate stored-value fare cards
  • Reverse engineer magstripes
  • Hack RFID cards
  • Use software radio to sniff
  • Use FPGAs to brute force
  • Tap into the fare vending network
  • Social engineer
  • WARCART!

AND THIS IS VERY ILLEGAL!
So the following material is for educational use only.

The Tech's article says:

According to the presentation, the students wrote software to generate and analyze cards like the CharlieCard to crack encryption keys on those cards, and they wrote software to read and duplicate cards like the CharlieCard. That software was available online days ago, but the students have since removed their tools from the Internet.

Disclosing weaknesses in security is one thing; providing specific instructions and tools for breaking it is another.

The Electronic Frontier Foundation considers their actions legitimate, though. The article quotes Zack Anderson, one of the students:

We wanted to share our academic work with the security community and had planned to withhold a key detail of our results so that a malicious attacker could not use our research for fraudulent purposes. We're disappointed that the court is preventing us from presenting our findings even with this safeguard.

This is directly at odds with the introduction to the slide show. It wouldn't be surprising if a group of MIT students promised more than they were going to deliver in order to get the audience's attention. It is stupid, though, and providing software online to duplicate cards is worse than stupid (though very likely simple to replicate).

The restraining order (PDF) is available on EFF's website, but it's very brief and doesn't explain the reasons for the action.