RE: [Full-disclosure] Sniffing RFID ID's ( Physical Security )
- To: <Valdis.Kletnieks@xxxxxx>, <michaelslists@xxxxxxxxx>
- Subject: RE: [Full-disclosure] Sniffing RFID ID's ( Physical Security )
- From: "Ng, Kenneth (US)" <kenng@xxxxxxxx>
- Date: Tue, 27 Jun 2006 08:37:11 -0400
As with a thousand other technologies, no one ever takes security
seriously until someone gets whacked over the head with a million dollar
loss or a bad news story on the front page of the New York Times. Time
and time again we see the same kind of mistakes repeated in different
technologies. We see people picking the cheaper technology (all the
security is the same isn't it?) and hiring cheap programmers (all
programmers have security backgrounds, don't they?) and deploying with
insane deadlines (they wouldn't take security shortcuts to make the
deadline, right?).
-----Original Message-----
From: full-disclosure-bounces@xxxxxxxxxxxxxxxxx
[mailto:full-disclosure-bounces@xxxxxxxxxxxxxxxxx] On Behalf Of
Valdis.Kletnieks@xxxxxx
Sent: Tuesday, June 27, 2006 12:57 AM
To: michaelslists@xxxxxxxxx
Cc: full-disclosure@xxxxxxxxxxxxxxxxx; dailydave@xxxxxxxxxxxxxxxxxxxxx
Subject: Re: [Full-disclosure] Sniffing RFID ID's ( Physical Security )
On Tue, 27 Jun 2006 14:24:35 +1000, mikeiscool said:
> eh?
>
> surely a RFID would only communicate its private token with a trusted
> (i.e. keyed) source.
>
> like a smartcard ...
Well.. Yeah. That *would* make sense.
Unfortunately, some beancounter would likely realize they can shave
$0.02 per card by doing it the easy way, or that they can save $40K by
hiring a bonehead designer rather than a clued crypto geek.
If all software was actually designed and implemented to the "Surely it would"
standard, most of the people on this list, both black and white hats,
would be unemployed. Fortunately for our collective ability to cover
our rent checks, almost all software has "Surely they *didn't*" flaws in
it....