Magical Mystery Turing .... dDutch Skunk Works ...
Keeping Quiet is Prohibitively Expensive and Costly too, surely?
The publication of a scientific paper by Radboud University that discusses design flaws of the MIFARE chip in cards such as the Oyster travelcard may be in jeopardy. Dutch secretary of state Tineke Huizinga has urged the university not to publish any secrets that may lead to abuse. Last week researchers from Radboud University …
Publish the paper. Keeping this find under wraps will stop them having to improve the system NOW, to prevent those who now KNOW the system can be compromised from abusing it SOON.
They gain maybe a couple of months, in which time the system could be changed. Nobody wins by this being locked away.
Being prohibited (or aggressively encouraged) from publishing scientific findings is bad news. It's a seriously slippery slope - and the worst part is that the manufacturers and contractors involved in the Dutch projects are really the ones behind this issue.
They've already put the deal on their books and that kind of write-off could sink many companies. They don't want to lose their R&D investment (can't blame them) but blocking research won't make their product any more secure.
As noted in the article, now that people know it can be broken, other people will be working on finding the same solution as the researchers. The best that can be hoped for at this point is awareness of the issue in the scientific community to prevent this mishap in the future.
Incompetent person #1 realises that person #1's incompetence has become well known and well founded. Hence only solution is: gag the source that makes such incompetence explicit and known?
Poor accountability is a very poor evolution to good practice in general?
Hence (part 2) an appeal from incompetent for the competent to exercise responsibility and please be quiet?
They think you can go and buy an encryption system and it will be safe for ever... wrong!
All that you can really hope to achieve with encryption is to slow down the access. If you've slowed it down till after the useful life of the information then you've won.
Any system, like Oyster, can only hope to have a finite life. They need to expect to have to do a thorough review every couple of years to see whether the system needs to be replaced. Obviously this review needs to be independent, independent of the suppliers and also independent of the people who made the original purchasing decision.
Suppliers in this sort of market place need to understand that whatever technology they come up with, it's likely to be broken; the solutions they sell need to be upgradable. The costs of these regular upgrades need to be taken into account when planning these systems.
Shooting the messenger is the kind of dumb response we've all come to expect from the people who run our country - why should we expect any other country to be any more clued up.
... leading to the Dutch researcher's incarceration anyway because "the system hadn't been cracked before you cracked it, ergo it must have been you disseminating it."
Now the best thing they could do is release it for 2 months to the Mifare security guys and the UK (since it's our system) and Dutch (since it's their country) governments. Give the "good guys" a chance to pull ahead of the blackhats.
Then 2 months later release it to everyone- and tell the companies/gov'ts that you will beforehand. That way they'll have an incentive to actually improve the system rather than just saying they have.
The scary thing is our company's new building will probably be using RFID cards over the (slightly) more secure magnetic swipe cards we use at the moment. And just as the whole "RFID- hacked and spoofed on a mobile" thing was happening a few months ago, we were informed that it would be a "cashless" office- so your money would be "stored" on the RFID card. As would your access privileges. So I'll be able to walk up behind the CEO (or the heads of IT/building security) and spoof their cards. Then go buy lunch on their credit.
Scientific censorship is wrong. Delayed release to the public is probably not a bad idea though- it still gets released, and it still gets solved. Sweet!
They should leave their obviously oblivious nation run by retarded media happy tossers and go somewhere where oversight, scientific endeavour and intellect are valued, where finding a problem in a system is a good thing and that the ones at fault are those that released the originally faulty system (now in complex systems it isn't surprising there are faults, but being able to repair faults is a rather critical part of anything relying on software...)
So maybe some kind of native tribe in the Amazon?
"..... though allows an option to sell to the highest bidder." ... By David Pollard Posted Wednesday 25th June 2008 20:40 GMT
Or the most helpful, David, for that would increase Worth and Valuation. If something is bust you mend it or replace it, you can't really ignore it and hope it goes away you know.
The Dutch boffins could have developed a securer replacement system anyway within their research. And that would be worth a fortune which Business would just love to get its hands on. But we are getting SMARTer, Quicker, and old Channels of doing things have been replaced with Instant Networks InterNetworking for Realising/Virtualising things........ and that is Youthful Territory.
So we can XXXXPect ....... Changes.:-)
She's way out of line, it's no different than putting pressure on journalists to suppress a story (or even part of a story). Johanna Catharina (Tineke) Huizinga-Heringa... is way out of line here. She should be told.
Anyone have an email address for her?
http://www.verkeerenwaterstaat.nl/english/topics/organization/state_secretary/
Everyone now knows how easy it is to crack, media hype and paranoia about "what if"
So rather than explaining the issue sensibly, we all believe it is easy to attack our minds fuelling the amount of bugs and the size of the gaping holes in the code. So do more damage to the system and its credibility.
Than say a bunch of academics put forward what they did and what they found in some boring lecture somewhere.
So Oyster cracking is now on the emails of every hacker out there, "It can be done after all"
Glorious.
The MIFARE chip was already cracked by journalists of the German computer magazine C't in the issue 08/08 which was sold around the third week of April. They included a detailed description of how they did it.
I assume, the Dutch only copied it???
http://www.heise.de/ct/inhverz/suche?q=mifare&search_submit=Suchen&rm=search
First pester university scientists for years that their research should be relevant to society, then when they deliver, tell them to keep it under wraps.
And then politicians keep complaining they get too little recognition! Four words: GET A REAL JOB!
Paris, because she always delivers.... kinda....
The security of RFID and in particular commercial offerings (and warnings) have been around for some time. Some individuals have raised the issues and the companies concerned (you know who you are!) have gone out of their way to discredit and poo poo the evidence. It is now coming home to roost and full disclosure is the only way.
Security by obscurity has been shown to fail.
No politician will EVER get their head around telling it strictly like it is.
N.B. this is only a UK problem since Oyster is a copy of the MIFARE first touted for Rotterdam.
Philips subsidiary that developed the technology took a gamble (a trade of cost versus correctness) they KNEW the flaw would be present in the product as released. Full disclosure is the sort of public slap-down these kind of people deserve.
Paris revels in full and frank disclosure (can't believe I am the 1st with that gag in this thread)
IIRC they were intending to (possibly have) release the research to NXP so they could look at it before they released it publicly.
The solution is simple but costly: DON'T USE MIFARE CLASSIC, not only does it use a badly designed proprietary algorithm but an easily manipulated PRNG and ends up with an effective key length of 32 bits, the only thing preventing someone bruteforcing the cards is the reader chips which IIRC (been a while since I read the data) have rate limiting, reverse the protocol and emulate it with an OpenPICC and you're done.
Again, it's been a while but I believe that the standard reader chips from NXP support DESFire cards out of the box, just need a software update to turn the capability on and phase out the MIFARE Classic and replace it with MIFARE DESFire, granted 3DES ain't what it used to be but it's peer-reviewed and has a hell of a lot larger keyspace than CRYPTO1 (If it's good enough for ATMs it ought to be good enough for public transport ticketing).
The scary thing is MIFARE Classic is still more secure than the products of a few well known proximity access card manufacturers...
No, what's disgusting is that the university org/admin would roll over and give up their guys to the government like this. A university stands for the freedom of intellectual discovery, and they should have stood up and yelled at the top of their voices "Nobody will lean on us in this fashion". Instead they wimped out, toed the line and told their researchers not to publish.
I don't blame the politicos, that's just the way they are and it's all you can expect from them, but academic institutions have a long and honourable tradition to uphold, and this one has failed dismally.
Sorry, real world, universities usually only get to publish freely because they don't publish stuff that obviously treads on other people's toes. The professor in charge should have known better than to devise a real world attack on a real world system. Also, a bad idea to invent an attack without also devising a workable solution.
I should know, I got told off for even contemplating researching a topic that would be ultimately unpublishable - real world! The same subject could however be studied in abstract quite freely.
He would have been better directing his students to build an abstract model and a lab simulation, demonstrating the attack and also one or more solutions, and making the implications known to those who needed. In private, of course, he could offer a real world demo and solution and make his coterie a bit of dosh in the process. But you can't real world expect to be allowed or praised for publicly a) humiliating and b) threatening or even appearing to threaten a commercial company with a system that has a security flaw, particularly if a big government contract is riding on it.
Paris, because even she was realistic enough to know that you can't ultimately stop publication of results, but you can make money from it.