Responsibility runs both ways

If you read Emergent Chaos (and if you don't, you need to add it to your reading list right now) you've already seen that the RFID talk Chris Paget was scheduled to deliver at Black Hat Federal is back on.

Apparently HID doesn't have a Webster's dictionary, because they now claim they didn't demand that the talk be pulled.

"HID Global did not threaten IOActive or Chris Paget, its Director of Research and Development, to stop its presentation at the Black Hat event being held in Washington, DC on Wednesday, February 28, 2007."

and

"Under no circumstance has HID asked IOActive or Mr. Paget to cancel their presentation. In fact, we were surprised by their decision to cancel the presentation and to attribute the cancellation to a threat from HID. This was not, and never was, HID’s position."

*cough* *cough* bullshit *cough*

You can read the entire letter HID sent here, but here are a couple snippets:

We understand … that you intend to publicly present and publish additional information about your spoofer at the Black Hat convention … We believe such presentation will subject you to further liability …

…hereby demand that you refrain from publishing any information at any public forum including the upcoming Black Hat convention…

that sounds like a demand/threat to me...

Anyway, this is all very interesting but it is distracting us from the real issue of responsibility. I personally believe that researchers have a responsibility to work with vendors to resolve security issues in a way that protects customers. But I also believe that vendors have a responsibility too, a responsibility to make sure that they are doing everything they can to stay on top of known vulnerabilities in their products, provide customers with workarounds and mitigations, and ultimately create more secure products. RFID vulnerabilities have been publicly known since 2005, Paget's presentation is not really NEW (even Jeff Moss calls it "largely a rehash of known issues, intended more as an introduction").

And remember, HID claims “cloning is simply not a credible threat”.

Long ago (in a galaxy far, far away) the only way to get vendors to fix security problems was to report them publicly and shame them into a fix. Today, vendors (most of them anyway) try to work with researchers to fix vulnerabilities and protect their customers. What keeps me up at night after events like this is the fear that more vendors will choose to ignore vulnerabilities and try to strong arm researchers into silence about the flaws in their products, and that will be used to further justify full disclosure. I don't want to live in a world where only way to get a vulnerability fixed is to drop it anonymously to a mailing list and hope the good guys fix it before the bad guys leverage it.

yearning for utopia,
~Elphie

Black Hat Federal this week

If I were there, I'd definitely make a point of seeing Jose Nazario and Ollie Whitehouse. Both are delivering fairly new talks on the con circuit, and look like interesting stuff. If you catch either of the talks, let me know what you think?

Also, if you haven't heard already about the Chris Paget talk that has been withdrawn from the conference, go read this now. Then go make a donation to the ACLU for being the good guys.

Y'all know I'm a big supporter of responsible disclosure, but when I read things like this, I have to shake my head and wonder what the vendor is thinking.

"These systems are installed all over the place. It's not just HID, but lots of companies, and there hasn't been a problem. Now we've got a person who's saying let's get publicity for our company and show everyone how to do it, and it puts everyone at risk. Where's the sense of responsibility?" Carroll said.

Yes, where is the sense of responsibility? Such as HID's responsiblity for delivering on their promise of a security solution to customers? Does HID deserve an opportunity to work with researchers to fix their security problems and protect customers? Absolutely. But these vulnerabilities have been widely known for over a year, and until now have been pooh-poohed by HID.

She [Kathleen Carroll, a spokeswoman for HID's Government Relations group] said that the company has long been aware that its proximity cards are vulnerable to hacking but does not believe that the cards are as vulnerable as Paget suggests.

"For someone to be able to surreptitiously read a card, they'd have to get within two or three inches and get into the same plane as the card," Carroll said.

HID is also concerned that Paget's demonstration will popularize the vulnerabilities in its proximity cards and endanger its many customers.

You can't have it both ways. Either you don't take it seriously as something to fix (in which case a conference talk is no real threat), or you do take it seriously and would have developed some sort of strategy or plan to solve the problem. Make up your mind.

Asked why HID hasn't addressed the issue in more recent proximity card systems, after knowledge of RFID threats became common, Carroll said that doing so would cause "major upheaval" among customers.

oh yeah, because their customers are really just shopping for a bit of security theater; something that keeps the lamer criminals out. I'm sure they would rather have a physical security system that can be trivially compromised by a skilled/motivated attacker using publicly known vulns than do what it takes to actually have a secure physical security system...

bah. makes me cranky.

~Elphie

Muppet Matrix

Yes, its the unholy alliance of the Muppets and The Matrix. Three ITT Tech (Louisville KY) students made this video for their 3-D graphics rendering course. Good stuff: Agent Smith, Neo, Cipher. Not so good stuff: Miss Piggy's ears are a bit long and make her look a more rabbitish than porcine. And I know that Miss Piggy is the sole female in the primary Muppets cast, but there is something just fundamentally wrong with putting her in Trinity's vinyl catsuit.

As always, Beaker is my hero.

~Elphie

Updated the con calendar...

okay, so I think I got most of the conferences for the first half of 2007 updated... DAMN there is a lot going on in February-March-April! You'll notice that I don't discriminate, small regional cons (notacon, carolinacon, outerz0ne) all the way up to big events (Black Hat, RSA) are listed. If you're a semi-professional con spaker with a fresh and interesting topic, you can stay pretty busy if you like to travel.

~Elphie

ShmooCon is uber1337

Didn't I tell you that ShmooCon would sell out quickly? Turns out that as I was posting this, they were just 60 seconds away from being sold out. Over 300 tickets gone in a little over 13 minutes, and this based purely on con reputation - the speaker list isn't even public yet! Congratulations to the ShmooCon team for putting together such a kick-ass event, I can't wait to see what they have in store for us this year.

~Elphie

conferences...

ok, so I'll make an effort to do a better job keeping the conference calendar up to date in 2007. promise.

For those of you who don't already have tickets to ShmooCon in late March, you better get on the ball. The last lot went on sale about 15 minutes ago and I expect will sell out quickly. Naturally I didn't post this until I had my tickets purchased and confirmed. heh. See you there.

~Elphie