Full Disclosure mailing list archives
RE: Sniffing RFID ID's ( Physical Security )
From: "Ng, Kenneth \(US\)" <kenng () kpmg com>
Date: Tue, 27 Jun 2006 08:37:11 -0400
As with a thousand other technologies, no one ever takes security seriously until someone gets whacked over the head with a million dollar loss or a bad news story on the front page of the New York Times. Time and time again we see the same kind of mistakes repeated in different technologies. We see people picking the cheaper technology (all the security is the same isn't it?) and hiring cheap programmers (all programmers have security backgrounds, don't they?) and deploying with insane deadlines (they wouldn't take security shortcuts to make the deadline, right?).

-----Original Message-----
From: full-disclosure-bounces () lists grok org uk [mailto:full-disclosure-bounces () lists grok org uk] On Behalf Of Valdis.Kletnieks () vt edu
Sent: Tuesday, June 27, 2006 12:57 AM
To: michaelslists () gmail com
Cc: full-disclosure () lists grok org uk; dailydave () lists immunitysec com
Subject: Re: [Full-disclosure] Sniffing RFID ID's ( Physical Security )

On Tue, 27 Jun 2006 14:24:35 +1000, mikeiscool said:
> eh? surely a RFID would only communicate its private token with a trusted
> (i.e. keyed) source. like a smartcard ...

Well.. Yeah. That *would* make sense. Unfortunately, some beancounter would likely realize they can shave $0.02 per card by doing it the easy way, or that they can save $40K by hiring a bonehead designer rather than a clued crypto geek.

If all software was actually designed and implemented to the "Surely it would" standard, most of the people on this list, both black and white hats, would be unemployed. Fortunately for our collective ability to cover our rent checks, almost all software has "Surely they *didn't*" flaws in it....