Current Topic: Computer Security
Battle brewing over RFID chip-hacking demo | InfoWorld | News | 2007-02-26 | By Paul F. Roberts
Topic: Computer Security
1:53 pm EST, Feb 27, 2007
Secure card maker HID Corp. is objecting to a demonstration of a hacking tool at this week's Black Hat Federal security conference in Washington, D.C. that could make it easy to clone a wide range of so-called "proximity" door access cards. HID has sent a letter to IOActive, a security consulting firm, accusing Chris Paget, IOActive's director of research and development, of possible patent infringement over a planned presentation, "RFID for beginners," on Wednesday, a move that could lead to legal action should the talk go forward, according to Jeff Moss, founder and director of Black Hat.
Intellectual Property laws are again being abused to silence security research. Patents do not cover presentations of technical information. They are a matter of public record. You can look them up online. Patents cover products. This claim is totally frivolous and the company fronting it is, I presume, betting yet again that the victim doesn't have the economic resources to defend himself. The worst part is that they have the audacity to accuse the researcher of being irresponsible. These issues are well understood. What is irresponsible is the willful malpractice of law in the pursuit of a loophole around the First Amendment.
How to crash an in-flight entertainment system | CSO Blogs
Topic: Computer Security
3:52 am EST, Feb 25, 2007
My next test case was the number "8"; no luck there either, the number didn't change at all. I then tried the number 5: success! '5' is an interesting test case, it's a "boundary value" just beyond the maximum allowed value of the field which was '4'. A classic programming mistake is to be off by 1 when coding constraints.
Slashdot | Who Pays For Credit Card Breaches?
Topic: Computer Security
12:08 am EST, Feb 21, 2007
A scheme to steal customers' credit and debit card information at a New England supermarket chain highlights a little-understood fact about credit card security: Customers still think that the credit-card companies have to eat fraudulent charges, but since the PCI DSS standards were adopted, it's actually the merchant banks and merchants who have to pay up. And, according to the blogger writing in the latter article, it's a good thing.
I don't agree with that blogger. Credit Card numbers get stolen because they can be. The only people who are in a position to rearchitect this system are the Credit Card companies, who, of course, have no economic incentive to do so, because they don't bear any of the costs associated with the fraud. This is market failure, and instead of pouring buckets of money at law enforcement in this context the government ought to fix the glitch.
'Weaponized' RFID

Topic: Computer Security
12:31 pm EST, Feb 15, 2007
The picture on the left shows Hitachi's infamous mu chip, once heralded as the world's smallest RFID tag. Back in 2003, it was touted as the perfect size for embedding into currency, slipping into bullets, and even tagging humans. The siren song of this dot-sized tracker even lured the Malaysian government into buying rights to it.
These are interesting but the range on them is probably very small unless you've got a huge antenna coil in your reader or a very powerful amplifier. That reduces the threat that they could be abused.
Wired: 27B Stroke 6 - Billy Hoffman on Ajax Security at RSA
Topic: Computer Security
3:53 pm EST, Feb 8, 2007
The best conference presenters have a story to tell, and this morning, Billy Hoffman -- the lead researcher at Web application security company SPI Dynamics, had a great story to tell Wednesday morning at the RSA security conference about how all your favorite new Web 2.0 applications are a boon to criminals.
27B Stroke 6 covered Billy's talk at the RSA security conference. Billy rocks.
Why Windows is less secure than Linux | Threat Chaos | ZDNet.com
Topic: Computer Security
6:51 pm EST, Feb 6, 2007
In its long evolution, Windows has grown so complicated that it is harder to secure. Well, these images make the point very well. Both images are a complete map of the system calls that occur when a web server serves up a single page of HTML with a single picture. The same page and picture.
Which one do you think is Windows?
Steve Jobs - Thoughts on Music
Topic: Computer Security
5:08 pm EST, Feb 6, 2007
The second alternative is for Apple to license its FairPlay DRM technology to current and future competitors with the goal of achieving interoperability between different company’s players and music stores. The most serious problem is that licensing a DRM involves disclosing some of its secrets to many people in many companies, and history tells us that inevitably these secrets will leak. The Internet has made such leaks far more damaging, since a single leak can be spread worldwide in less than a minute. Apple has concluded that if it licenses FairPlay to others, it can no longer guarantee to protect the music it licenses from the big four music companies.
Steve Jobs speaks openly about DRM here, which is interesting, but he is obviously negotiating with European anti-trust entities in this essay. He presents a proposition that the two major European music companies license their music to him without a DRM requirement. That's a bit "let them eat cake" I think. I'm sure he thinks the pressure that Europeans might put on those major music companies as a result of this essay will release some of the pressure on him, allowing him to find a better negotiating position. Unfortunately, with regard to the passage I'm quoting, he's wrong. In order to have a DRM system you have to put the enforcement technology in the hands of all of your users. Those people can reverse engineer that technology, and spread their results via the Internet. DRM encoding systems can be just as black-box as DRM enforcement systems, and you aren't handing them to as many people, so the idea that you can't tolerate the risk of those encoders being reverse engineered doesn't make any sense. You're already taking the greater risk that the decoders will be reverse engineered, and that's the fundamental crux of DRM. Furthermore, there is no reason why Apple couldn't support another company's DRM technology that already has shared encoders.
Microsoft supports OpenID
Topic: Computer Security
2:26 pm EST, Feb 6, 2007
Microsoft has joined forces with the Web 2.0 vanguard, as Bill Gates announced Tuesday in a keynote at the RSA security conference that Microsoft was going to support a distributed identity system known as OpenID.
This is interesting. OpenID has been discussed on MemeStreams before. While it would be useful for MemeStreams to serve OpenID so that our users could use their accounts to post on blogs that accept it, accepting it here is a different story. OpenID essentially allows anonymous blog commenters to maintain a persistent identity across the Internet. As we don't accept anonymous comments, adding this sort of capability presents more challenges for us than for blogs that do. We've talked about allowing anonymous comments, but this can open the door to more spam, particularly in threads that aren't fresh. It would be nice if a real identity sharing technology was layered on top of OpenID to ease account creation. There is a system that attempts to do this, but it suffers from the same scope limitations that FOAF does. Either way, I think we've got some simpler coding work that needs to be done on this site before that bubbles up to the top of our todo list. Has anyone here messed with Cardspace?
GoDaddy pulls security site after MySpace complaints | Tech News on ZDNet
Topic: Computer Security
3:29 pm EST, Jan 26, 2007
Update: 27BStroke6 has an audio recording of the voicemail Fyodor received as well as clear evidence that GoDaddy just doesn't get it: I think the fact that we gave him notice at all was pretty generous.
Jesus. I think the fact that I'm going to contact them formally before pulling my domains is pretty generous. Here is my original post: This was extremely irresponsible! GoDaddy shoots first and asks questions in 1 to 2 business days! A popular computer security Web site was abruptly yanked offline this week by MySpace.com and GoDaddy, the world's largest domain name registrar, raising questions about free speech and Internet governance.
Fyodor says in his post: I woke up yesterday morning to find a voice message from my domain registrar (GoDaddy) saying they were suspending the domain SecLists.org. One minute later I received an email saying that SecLists.org has "been suspended for violation of the GoDaddy.com Abuse Policy". And also "if the domain name(s) listed above are private, your Domains By Proxy(R) account has also been suspended." WTF??! Neither the email nor voicemail gave a phone number to reach them at, nor did they feel it was worth the effort to explain what the supposed violation was. They changed my domain nameserver to "NS1.SUSPENDED-FOR.SPAM-AND-ABUSE.COM". Cute, eh? I called GoDaddy several times, and all three support people I spoke with (Craig, Ricky, then Wael) said that the abuse department doesn't take calls. They said I had email abuse_at_godaddy.com (which I had already done 3 times) and that I could then expect a response "within 1 or two business days".
1. This website is a major nexus for communication in the computer security industry. Having it down for an extended period of time likely had a greater negative impact on Internet security on the whole than the disclosure of a list of MySpace passwords that are already known to spammers.
2. It is totally inappropriate to shut down an entire site based on such a brief attempt to contact the owner and it is totally inappropriate to have a 1 to 2 day turn around time on review of decisions of this magnitude.
3. GoDaddy has created a new denial of service attack that can be employed to shut down any website that allows public posting and employs them for DNS services: Step one: Post objectionable material. Step two: File complaint with GoDaddy. Step three: Website goes down.
4. They have the audacity to defend this decision! GoDaddy's Jones said that "we're not knee-jerk--we try to be responsible about verifying complaints." There's a broad spectrum of policies among domain name registrars, she acknowledged, with GoDaddy "probably the most aggressive." When asked if GoDaddy would remove the registration for a news site like CNET News.com, if a reader posted illegal information in a discussion forum and editors could not be immediately reached over a holiday, Jones replied: "I don't know...It's a case-by-case basis."
You DON'T KNOW if you'd shut down NEWS.COM based on a single complaint with no prior notification!?! Fyodor says: Needless to say, I'm in the market for a new registrar.
If GoDaddy doesn't do something to address their policies I'll be in the same boat. What a major pain in the ass!
Vitalsecurity.org - Hillarious Malware 'EULA'
Topic: Computer Security
6:52 pm EST, Jan 24, 2007
In its favour, this program does come with a EULA - sadly, it's a piece of comedy gold written with the express intention of making people interface their tea with their monitors. We'll look at the EULA a little more later, but for now check out the waft of "dodgy" from the screenshot:
Read the text in the image linked here. There is more in the article. It's great.