Comments on: Nixed: Black Hat talk on RFID access badge risks

Legal threat from HID prompts security researchers to cancel discussion on flaws of radio tag-embedded building access ID cards.

[unknown unknown]

Once again out of control IP

laws used to stifle what was probably a legitimate speech.

[Rythan]

Free Speech?

Worse, yet, what happened to Free Speech? You mean Big Corporations can circumvent the Constitution, Bill of Rights et al?

Nice. :-(

R.

[0x90]

Yup

...And what is worse, this type of crap oppresses the research that can make people safer. If this kind of thing is allowed to continue, then the state of security on the net is just going to get a lot worse.

sidenote~
Mike Lynn gets props for his talk, and so does Raven for backing it up at DefCon.

[TV James]

Oh well...

They have two options...

1. Some black hat will hack the computer with the powerpoint and distribute it across the internet.

2. They can go visit the HID headquarters. What? You can't get in without an RFID badge. Prize to whoever gets into their server room first.

[ACLU of NorCal]

ACLU Speaks Out on RFIDs

Read the full comments made by Nicole Ozer, Technology and Civil Liberties Policy Director of the ACLU of Northern California, about this incident on her blog: http://www.aclunc.org/issues/technology/bytes_and_pieces/blackhat_presenters_threatened_with_patent_suit_for_exposing_rfid_vulnerabilities.shtml

[appletoys]

Who's suing who???

Isn't there laws that state: you cannot sell a 'defective' product.
And that would also mean 'false and mis-leading advertising'.
Hmm? That would mean that they (mfg) of such security items
could/would be held accountable.
Just wondering?

[fred dunn]

They just condemned their own product...

If they have to use the patent system to prevent a discussion on the vulnerabilities that exist within their products then they are admitting these vulnerabilities exist.
With that in mind who would want their products?
If you have to use ancillary security measures to ensure that their product hasn't been hacked then whay not just use mag-cards and have an officer posted at the door?

Surely someone that has the intent on exploiting their product's vulnerabilities to gain access to a building is not going to care about patent litigation.

[smarttools]

ID cardholder can minimize RFID security risks

You can minimize the threat of cloning or eavesdropping in any RFID enabled cards (e.g., ID cards or credit cards).

Smart Tools' RFID Shield is a protective sleeve for RFID cards. This blocks RFID while the card is in the sleeve, and lets RFID talk again when the card is removed.

To have minimal stray RFID communication, you'd keep the ID card in the sleeve until you're next to the reader, then remove the ID card only so far that the reader can read the RFID'd ID card. This keeps long distance (or 3rd party) RFID communication probability low.

Even when the ID card is RFID blocked, the front face of the ID card is still readable. This helps if you need to show your ID card to somebody.

There's more info at:
http://smarttools.home.att.net/rfshield.htm

[nuckelhedd]

Why bother with them then?

All you need to do is make sure you have the only key and that nobody ever touches the lock and if you keep the key in a locked box with someone else holding the kay to that box and then you weld the lockbox to the ceiling of another building that someone else has the key to and yoyu have a secret handshake for the people who need to get in to the buildings and the a secret password then every time someone needs access to the bathroom you can be sure they belong there. That's how ludicrous the idea of special sleeves and adding biometrics and talking dogs and crap is. The technology sucks better to not even use it unless of course it's running on Windows Vista in which case it woun't let it work anyay.