Network Security & Hardware - eWeek


Battery 500 Project Charged Up over All-Electric Cars
Charting the Final Frontier--Google Maps for Indoors
Get Smarter Technology on Your Mobile!
  Network Security & Hardware


ACLU, Outrage Fill in the Silence at Black Hat RFID Session



 By: Lisa Vaas
2007-03-01
Article Rating:starstarstarstarstar / 0


There are 0 user comments on this Network Security & Hardware story.


  Table of Contents:
  1. ACLU, Outrage Fill in the Silence at Black Hat RFID Session
  2. ' 2 '

Rate This Article:
Poor Best
ACLU, Outrage Fill in the Silence at Black Hat RFID Session
( Page 1 of 2 )

Opinion: It's a shame when the only companies free to speak in the security world are those with legal teams big enough to fight possible patent litigation.

After receiving a letter threatening possible patent litigation that caused IOActive to cancel his Feb. 28 Black Hat briefing, IOActive R&D director Chris Paget did give his Hacking RFID talk after all.

Sort of.

With the ACLU on hand.

In a briefing with all references to radio-frequency identification card maker HID expunged, and with attendees lugging manuals that were lighter after having the associated materials gouged from their middles, Paget delivered the first half of his planned presentation.

He stopped when he got to the point in his slideshow that had originally listed specs of "a particular RFID tag implementation."

Resource Library:
"It was only technical information [including] frequency and number of bits in the code," he told the audience. "HID did request that we refrain from singling them out as a particularly bad RFID vendor. … So were not doing that; we removed the material titled mechanism of operation."

In fact, the information from that slide was identical to any type of RFID tag, not just to HID, Paget said.

Could IOActive have sent over its presentation materials to prove that they in fact did not contain HIDs schematic, as the company feared?

Yes, it could have. If it didnt have good legal counsel, Paget said.

Paget said that the letter from HID went something like this:

"The following are not proper subjects for your presentation this week and in future public demonstrations," the letter read. The letter went on to refer to any materials that might teach someone "not skilled in the art" how to build a device that infringes on HIDs patents, Paget said.

"To a layman, something like this seems relatively reasonable," Paget said. However, any patent attorney will recognize that the term "skilled in the art" has a very specific meaning. Essentially, someone "skilled in the art" refers to one who is able to rebuild the content of HIDs patent application.

Therefore, IOActive was prohibited from teaching the security community anything covered by HIDs patent. "The translation to real English: We cannot paraphrase something from HIDs patent in order to explain it to someone who doesnt already understand it," Paget said.

HIDs letter continued, saying that the company would have "no recourse but to pursue all available remedies against [Paget] and IOActive."

Frantic negotiations ensued, beginning Feb. 22 or 23, after IOActive had received the letter and had a chance to run it by legal counsel. When considering whether to show HID the presentation materials, IOActive requested that HID provide "a covenant not to sue."

"What, forever and ever?" said HIDs Mike Davis, with an air of disbelief after Pagets presentation, talking to the press who huddled around him, digital recorders blinking away in spite of his demand that they be turned off. Davis is director of technology, Intellectual Property, at HID Global.

"We unfortunately cannot risk a talk in this environment," Paget said.

What are the financial realities behind Pagets reference to taking a "risk"?

In a talk with IOActives Joshua Pennell after the briefing, he told me that just to go in and investigate whether theres any possibility that IOActive infringed on HIDs patent would have cost $30,000 in legal fees right out of the gate. If the situation ever reached litigation, going into court would cost between $150,000 and $1 million.

Just to reiterate, just to make sure we all understand exactly what this means to anybody who wants to share vulnerability information with security professionals, even if that information was published in a white paper two years ago (as IOActives material was) and is available online in multiple sources: Even if completely innocent, a small company or individual security researcher can be forced into silence by the mere threat of copyright infringement.

The presentation material in question relates to the security of RFID, a technology that the ACLU proved years ago could be subverted easily by pass-by readers. And understand one other thing: The only reason that IOActive planned to use HID technology as a (very generally outlined) example is that IOActive shares a building with the Federal Emergency Management Agency and was curious to know just how good that buildings security was.

Next Page: ACLU has cause for concern.





  Reader Comments: ACLU, Outrage Fill in the Silence at Black Hat RFID Session
>>> Be the FIRST to comment on this article!
 


 
 
>>> More Network Security & Hardware Articles          >>> More By Lisa Vaas
 


x}ks㶲*Q3CO#Mɶ<։eXVi) S$IV˭_zPq2D th4{$KG̢d >55406Z-Jj=2g&Ǔ)I|[8E}I y훨-tKW9K }!xcw#?",_ f~ siR2!r* ߱n^S;G5ۯhV=<<䭱JG+҄Crƒ) t$y_˝7hr Ce)#p?݃IhJq䰉3ذ 1"%hJ@{e $}ВEtBAͨO%ތEӾAkӧI|JlZ趝x>:AGAticŦh/@7&&h`CZ=҉:L wF|hx: !a`Nr!FAтMx>tw&>l d $4)syp;LM)σ-HˋF0P 2/?>axşP}MrA=S9{ݴiǀxt83(.%w2J}c>] #RRP>'hI#r Bг ,`@o!`9`P ab .<ҶBI髥cvn<){TKh!+K@fsfh(4{~4 cbB|#'bXr`Y \h+|i)lc ը˶V.hXi(P׃4`zڽǎVKh5YQSMq'3ߴa!-{f3o3p#Eq"M(24LXh4l:Z7E^Rݳy 0Ќ7_azTf>LddGٚMs[L^͘3eІ:'_ ˙ u9\;N/=҃1 4fכ d50K%gYA3'|(@]4>+WUPÃ"`"+42[m̞w(V֌f;NrB@S*,H@fmdׇ LR?q6I :SXh8G/C4v ei[I%ͺ7RumIJۥa]hk%T87Bj^¢ym<2D֑X`9HM^>V "fˣ(e6LF%C=쳧ȤC݉~K*+'G,-3ZrijXL;6Y`aPeQ@Jiriz68u>NȃX`? 6)yy4!%6$N?&'V L Mڊ(zq X0b=ћ8]%5n/.,{KysyMّRR|~lN YXG:=4̄+udZ'TMk<ݝtlZB_wa֚ofrI)jLyclq-Z3r,yȦ szN8CL-i@:*ç c"Dk_(+ `k埯:Oְ6Q?؉ 7ܕVR53]֩30-Rzz|pE% Wl RN0C)Xk±&>,<<+ځh0A  ~H.LbР R@U.(L19r2b*[PTB$ᦼt݁ĒbtXQ ]jsWμ + ;0E<&{HeX}0t%_(ƤOMqс,` tV8wf|<@? v: C\4<`4pf mWq=[JjJwg `Z~,pΨ,3E犚D]bRYEG?voqm@^5oص`Č)Ԩ5UV *~mZg5^쥠]hDA` Н;#ؐCKA;cVS,]ܷ V}uP@&37}&MnjíJd|8.sozJ~ Qby6UG3 Ⱦ M(R!G:{Jr zk /h{ ~:ꪦ`| hSYpg#HٚIyusl,On?a ƚ߼AFp5xf==ݸٿLYEnCW!SD9^%.ɹ%wA֮vZPn3i`$ezk+WlYP;,g|m6Si4D63ȈDrzzB*~1-'l\s m:R.R r=ct8i>t1uk'Sim}[U>}Д1Ze ɢ7)ЬV#i@/ixN3 akc>/i)T",߸X,W̱^`. JU-A^Mo6=ITPGQ>=}Hc#&ahxmb{(uO( Eō:m0RBE-) BoED\u Zlm7,: /<6W" ތbl; e|פ|X+Gs;"ʌg b|p{>'F{zȐ4PG eWՄθ4;f̬9[IfYyVum4uH"5HeNV5XI0iUI+T Z} 2a.U}7*\&IvSf﩮 tGD0|=>0Jj$RiEmT)玿ߓNp ( rQ-ã,z(d0rY+`7'ɠK= j ;!O}+&< Rٟ8sɖBx_K(jT xϰLc V(YŵyAhhqLo_?؇^?jUeqbsE1 7cyJ~Zg^ = bE2}{?RXn[g#R6y'7ڭGx:h?t[Vꈷ1h>\ {>Ըa`>"Κ:"c?t>^IvCj Gya8dB&PvB, oIŸ}/gvn>H7my 8-odD4|uNqu%}ڹC|uՔ:s5A AHև#FW!yN/lFSLo2XGzz0\㥑a+"AKyÙC9kI.Dz=d_5g0Y x- ۯ}o#s~eYw1ߐdxPRc (ʱ=``V鈳V9:̝\b/;AVB 0FG_TJi)4z'u3xv<48Sj67 EGW%'K3t{--':}mFџ` e܃ɢ*WVr[k'>!ڗ.4|㿜YA$ !rF0xc`sAZ|j9R;DZ3pu*h hwl)~ڲOxFM>xuS棏G 93rĸ~jהŞ`4 ݥoV8i?{޽¶"CWq j[: -`*1$XhHNm d_"2NIJn/:4L|dM#}l%3 ՛wD/ ZRo14-*z>=[fvÏ9"i N;x2o tY ~AXy VorlK9w@rs&8lPfpvn ֔I i#ĠHߛɳrEs _5DN XW+Oi/!IVܱS,*_1;lV6֊ v™)[ꈧ Wךneb֚KKLBI|pIM{fr+ (?8 ܻ'VDe86[b[01| ttjڰJ{~|ːu 1ϙ XbO ;@aX񪊦)X>BjxEmkP[ar(t*J5,500f}Қ1`p u0~)o") *e0jgn?s# KFu7_+Փ$T>qcXJ {X|̧IbzήLt{L& ǞeA/ I;R9 G$1vmZUϨpG8dsX-81 q]hIޝC9z'Cq$PeXKBxc+D9ҷq,W-Dztut(ePǴ = mCmLy@-p rF6|p4uYDx&>1D?;ˌR8-f}<+b#b0L?)Ɍ];*b%A,xD£dIds+NK$.e%!-A ȷuzRLIɔ&;#Br'Kqb,%S"'SNT9RIқB,3 x;> >[ &0q޵qBie^L"ZQJՊ}?(>n{9d|#&K>? j-vM-UJr%F- ~2롢bZuzD 9gh/&}Cƨ/\'[r|uҖ=Lsts:%[JZR+R1bWTL`2S a/t!!JN˓dӟI ۣ^ߺE€oP%U䉸 ҞY92H0M74ҥ܁ֆƝ98#(gx^cm2g e ASKqBCЋwa=a|Kێou%q`B ?oL= eb^+%4vҝwC`<"J3׵L .KBw< k0_:-QaZ,vaOD3g0G0YI0CBL^I^R31;V$UٰcWR`jg1\AaԶ˻VPKx6O#<ԃ5έynJ7^$OsV ” MpDD6#vMѭ)$D8$" R=M&ݩb'w%<ÓgzB G6N2#nd{ݘK o6zf+\;!{ !"6y^9^!;]߾bD K/2 >k>,40\,sLm}x"aEToc,"hv2w EyGXo=3`~!e$LPV0[r%[WYSjwNZMۺTrF̷u)5H9&6Wq!pcl  OI_"Cڽ/hK-Ա_V\j .Vk&0,F1b _yXR`d\H}-:3sWya]‹K%JayA-^Z0-̟3 SL &7mu_40z)ncl'$TAX?Ec4:ZG{BX{@$& qCvH rซذj~r,z|> $V8E )96i>H]I a!/(!/DȮ~aI{@&$9q8ꊚbMk@#~iLZ# O]c)Iˋ}/AE!pxR#AKfRl\i-f \95͂Eot tMc%5_S(j~zz_ZbiE.c 2uuWHk̘xl4vlNz yԥ:BME72TBhfx9ku)؜>bfƆX50Vz^3XvX5nVڹq yK-y -J4s5R6X}j7ԘplE8aħ_ݱ'es'2vC`m 4,\ >\πTnA4`C"hR%26ZX+(%\z0=MO;ZՔV-`{dEc ]vLJhDͱ t]I\1ړnc JZP-0o5'b.hX*!EL>n0R |->v"AfӃDT8' pr|w\׻5Fȣ؆=S☑0A0+^Rc"WmLz:rF+vl"톮knnBf˔TB}F}ozW'b^n90؞b3,9+дZ`3+n{lKZIȶ8+ilwAQg)q8 @Bu0 SD|G*%_[G?J0+ƘZ9.,1jG%']0]irBGیh%=Q4 4&GqSO L%& J!47\P |ˆoq+P~ԪV7n kbޑҾK+qܔںil v(Q:co›y*:)uZLQXj*!b3wȣ4ϓ/ 飈I3*9vqY@y+LL͂`Aa~L­!Rjs#e 9jY,a48`F"Oc8=jܕɭ3E6LG%~6t0VQ1e&|[7ΥiDZ<& .ycI ^yN4xXX!o64| =܇>RXX_1[> MꪂOJBveX &zDKwy}wfY3{8~BOz%ruW0`A-'i92bg4t\K= LC? &O=lFLn瘀q}}wnH4{zӺ:WyٹœO֊_ԝUuMfbv>J5m^+LJY22 Wv)3C9-j6W#\]frxixɎ(azh,.6qLO|ջ@)Qe;ʋ QW~c8ec qvvvljŵVN|vuISguԢF h5zQ`1Dk 'M&7bQۼlH窙&5+۸v((( FFy;g@fF)/?gCF?|/ZEk}9\kˡuQoens73^_~ /3lWogOog,@v}@v}ڀ;6g;? D(@?2P(+ N~dk 3޿.W>fe__P>f'(U}Sn66oیon3/9IR< 9k\픊$dK " SV9,3{'sg+i,^a芪g-5ͩnZk ǸJuv^_BKHe^ٛT&#GP78%Y}MNJ 4tk 7b[yDYAI{R}tEI>t𞫫i@Lw<_[nNJ>s\ȜH44f[ S=oND1KAF0_wͣ,O ;H_exĻOݞ܃~n}7}zn_x܊ʣӚܴO݃v<2kݫ++#BAf_b 9y?'OxVf}4xR}xZLԸRGpoQV"#<5 |R?fzj*85ߜ:Sw}Y&@Y8'}t)hعj @j:} m̹H|7v1XoX&HΝ rQӊj~JR' a،bxUUEVro9 VVK D`q9#Tx|Demګ.Psc<{+4аY-}"z5~L@MD}_,mBfp0,{|y ގe@7 J,{sـD@.^,3/[>G4l&Klɜ]k'bB']L3 ,O~f+g=7cUݣQoxC)<:,i`+ՅoB΄[4п#ăs%(u5Y:՞/{fw:aKƈ DMKIn_!-x'GKޗ`ػ lc&XSG_Dxaw./ ]C?yA 80~.^ ]zifF`wƨ^f\c ^a/tA4#˵\='ݹq<~xg|?K+_{l xdHأ_BDOvvF;0|F+`a?94Ǟ"0ـħ%NAf:2Ş_ m>Zo/TùLH OǞcӄ2霰)#,m_i 괮E݉cEi]czf>1^c'# { #D3dưz< [/1@ EY/vY{qҭOjUMf@xR{j9.KPRJVr.Q ?`n4 iTx/ē_| 3Obx`#Yұ )ւ_/gwd&%}YQ v.yehFʪv\r$t6O[=$sDs݅ ߠ(b/<% *`>.X&">m?'.}Au+H "@"dܴuPŗ;6SF)f%NSPxSEz?X \ cwHVCaz:SA\W ፛lx@NlM9]c *۳|?Oe Lt0͡o0kn>ʷQ$L{s>zQ`k욧p ?dtE#b[p!@>pE֦2QTD Q)Ybd휙/gMrxgsu@NDqDgPx 6s6Na^|˼+AѮYmw0w6L5/#Z$&+$~Il=au+Wrcd+{f:ePZEXtl' CW5`/=H^s(n)ZF1tVB\ (at!L/Qa˟]lׁR#nH[TFE®":q`x^];ѽ!BTUc׮2X#+7I;s[__@>{zwn}#\:1V`7^=g[8KIJ y2 !δZxyU~ҥ^.I,g`cQd+8*)ؐrk`4bOP1,sQv7=MaN*)Asa#El ;Ap^7׎esS<"Y4.;gyO|gvC%nBYWNENE<<Sf}')VSL_Xџ_Q>q*g\`^IaE eiNђu:7g4!ջn>$+e={Pw r̳G`bhP7]sXSVIGv3HZW'JZR۽wߺ"f/On6@U&s)# MW\e\)MS9Q2;V&|ƷZ2cˤ_ ?"(