ACLU, Outrage Fill in the Silence at Black Hat RFID Session

After receiving a letter threatening possible patent litigation that caused IOActive to cancel his Feb. 28 Black Hat briefing, IOActive R&D director Chris Paget did give his Hacking RFID talk after all.

Sort of.

With the ACLU on hand.

[...] In a talk with IOActive’s Joshua Pennell after the briefing, he told me that just to go in and investigate whether there’s any possibility that IOActive infringed on HID’s patent would have cost $30,000 in legal fees right out of the gate. If the situation ever reached litigation, going into court would cost between $150,000 and $1 million.

Just to reiterate, just to make sure we all understand exactly what this means to anybody who wants to share vulnerability information with security professionals, even if that information was published in a white paper two years ago (as IOActive’s material was) and is available online in multiple sources: Even if completely innocent, a small company or individual security researcher can be forced into silence by the mere threat of copyright [sic] infringement.

The presentation material in question relates to the security of RFID, a technology that the ACLU proved years ago could be subverted easily by pass-by readers. And understand one other thing: The only reason that IOActive planned to use HID technology as a (very generally outlined) example is that IOActive shares a building with the Federal Emergency Management Agency and was curious to know just how good that building’s security was.

[...] The ACLU’s reason to be concerned is that, first of all, there have been multiple breaches of RFID-enabled passports and other identification documents, including British and Dutch e-passports.

“The ACLU is interested in getting out the facts,” [tha ACLU's Nicole] Ozer said. “For less than $100, with parts off the Internet—and that’s the up number—Chris got them for about $20—[you can assemble a device] to read RFID. [That includes] RFID in identification documents, for secure buildings like the FEMA building which IOActive is in. [The government] just spent over $2 million in readers. ACLU showed compromising of that last year.

“From an ACLU standpoint, [we're concerned] in terms of privacy tracking, personal safety and financial security,” she continued. “You can get a list of who was at what place at what time. [RFID doesn't] just transmit a number. It can transmit anything encoded: name, address, Social Security number. Dutch and British passports have already been compromised. People might not want their name and address on [RFID-enabled documents]. Think of a woman walking down the street alone—would she want her name, her address, broadcast? RFID undermines the goal of trying to improve security.”

It’s imperative to educate the government and public about the vulnerabilities if somebody’s going to use RFID in a public document, Ozer said.

These wireless robots try not to act remote - pdf

Walt Disney Imagineering this week debuted its latest, cutting-edge creation: free-roaming, interacting audio-animatronic Muppets capable of “seeing” and “talking” to tourists — and without a human puppeteer in sight.

Disney’s most advanced robotic creation to date makes the costumed, mute Winnie the Poohs and Donald Ducks seem like felt-covered relics, though Disney executives are quick to reassure that the beloved, autograph-signing cast isn’t going anywhere.

“This is an incredibly compelling and powerful way to experience the characters,” said Bruce Vaughn, vice president of Walt Disney Imagineering’s research and development division.

“They are fully aware of the people in their presence and can call you by name. It is a 100% live experience.”

[...] One boy walked away with this question: “Do you think there’s someone down there talking, Dad?” His father shrugged.

Never wanting to divulge their secrets, Imagineers waved it off as “Disney magic” and “pixie dust.” In reality, a live puppeteer who can see and hear everything reacts from afar.

Westworld at IMDB

Google Courts Small YouTube Deals

Google has been frustrated in its efforts to reach comprehensive deals with major studios and networks to put their video on YouTube. Meanwhile, it is forming partnerships with hundreds of smaller media companies that see value — or at least a valuable experiment — in contributing to the site.

[...] Industry analysts say it is far easier for YouTube to persuade small media companies to license their content than it is to get NBC or Viacom, two of Google’s vocal critics, to give up control of their most-prized content and the advertising revenue associated with it.

“Smaller guys want mass distribution and are willing to face the risk of copyright infringement for access to this huge audience,” said Allen Weiner, an analyst at Gartner. “It is a relatively low-risk deal for them.”

Still, there are signs that courting small media players may be paying off for YouTube. In the two weeks after YouTube acceded to Viacom’s demand that it take down more than 100,000 clips from Viacom properties like MTV and Comedy Central, traffic on the site nonetheless increased by 14 percent, according to Hitwise, an Internet research firm.