[linux-elitists] Two on RFID from Politech: Hack the tech, & Gilmore's dystopia
Karsten M. Self
kmself at ix.netcom.com
Mon May 10 01:23:07 PDT 2004
RFID has been in the news and play recently. I even heard a somewhat
informed discussion on KQED's "California XXX" Saturday.
The first article covers John Gilmore's dystopian view of RFID. Imagine
being able to create weapons which indipendently target specific IDs.
This sort of activity is hard to hack. It's also a partial _current_
reality:
- OBL was tracked, according to reports, via his satellite phone,
until he became aware of this, and stopped using same (possibly even
sending it on a distracting separate track from himself for a time).
- More locally, militia movements which had used anonymous phone cards
to make "untraceable" phone calls instead were tracked on the basis
of traffic analysis. While a given card wasn't allocated to an
individual, it was identifiable by account, and could be flagged for
monitoring if it called other numbers of known interest.
I'm sure that states such as, say, Israel, would have a significant
interest in munitions having characteristics described by Gilmore.
The second covers a "hacking the system" concept. I'd considered
something similar myself, though different in approach. Rather than
finding RFID chips and "redistributing" them, why not create
programmable RFID broadcasters which could spoof other chips, and
distribute these. The idea being to pollute any RFID detectors with a
vast spew of superfluous data.
There are a couple of implications here which are pretty clear. Many of
us carry a set of identifyable broadcast appliances already, and this
will increase. These signatures are difficult to mask. The more likely
response will be to find these signatures, and to the extent they're
broadcastable, clone them and distribute them more widely (specific
seeding). This will make the specific signatures less reliable for
either legitimate or illegitimate use.
At the same time, legitimate business uses of RFID monitoring will
probably be highly specific in their focus on data interest. There's
simply going to be too much data floating around, most of it not
interesting, to be able to work with reasonably. This would be further
encouraged by seeding of noise data closely resembling legitimate keys.
Predictability of RFID sequences, and known legit or covert use of data
will be key in determining both utility and countermeasure activities
concerning RFID.
----- Forwarded message from Declan McCullagh <declan at well.com> -----
Date: Fri, 30 Apr 2004 00:24:45 -0400
From: Declan McCullagh <declan at well.com>
To: politech at politechbot.com
Subject: John Gilmore's horrific, dystopian view of an RFID world
[priv]
[I always learn something from John Gilmore, and this is no
exception. Although parts of his dystopia are already true: I
travel with a cell phone, 802.1x devices, and Bluetooth devices that
broadcast my identity (to a sufficiently savvy adversary) even more
efficiently than an RFID tag would... --Declan]
-------- Original Message --------
Subject: Re: [Politech] Computerworld falls for RFID "sniper rifle" hoax?
Date: Wed, 28 Apr 2004 13:21:35 -0700
From: John Gilmore <gnu at toad.com>
To: Declan McCullagh <declan at well.com>
CC: politech at politechbot.com
References: <408F2D74.8040301 at well.com>
Nice hoax. But the opposite is more likely to come true. Rather
than shooting RFID chips into people, people with RFID chips already
in or on them will be shot. People with RFID chips in their
clothing, books, bags, or bodies could be targeted by "smart
projectiles" that will zero in on that particular Smart.
Today's "smart bombs" already self-guide toward laser-identified or
RF-identified or heat-identified targets.
The technical challenges involved in guiding a missile toward an
RFID chip would probably relate to the speed of the missile compared
to the range at which the RFID chip can be made to respond and the
agility with which the missile can change course.
Such a missile could probably more easily be designed to *arm* or
*trigger* its explosion when a particular RFID chip is in range.
That way, if fired at innocents, it would be a dud that would only
cause minimal damage, but if fired at the right person, it would
blow up.
But we need not get so science-fiction about it. Rather than bring
the mountain to Mohammed, let's let Mohammed come to the mountain.
Let's see what this technology would do for an everyday practice of
today's freedom fighters who are defending their country by opposing
one of the US Government's current wars of occupation. In order to
comply with government labeling mandates resulting from the huge
Firestone tire recall, Michelin has announced that it plans to put
RFID chips in every tire it sells to car makers (and eventually in
every tire they sell). Similar plans are afoot for many other
automotive and personal products.
Imagine being able to bury an explosive in a roadway -- that would
only go off when a particular car drove over it. You could bury
these bombs months in advance, in any or every major or minor
roadway. You could change the targeting whenever you liked (e.g.
via driving a radio-equipped car over it and transmitting new
instructions to it). You could give it a whole list of cars that it
would explode for, or a set of cars and dates.
If you put such bombs throughout a metropolitan area, a car could
drive through the area for months without triggering anything --
taking evasive routes, etc. But on the appointed day, each the
bombs surrounding the area would know to go off when that same car
passed. Without the responsible parties having to visit the sites
later than days or weeks beforehand (making them hard to catch or
deter).
Such explosives would be detectable by their radio emissions -- RFID
pings. But in a world where RFID pings are being transmitted by
everything around you, including every cellphone and doorframe and
cash register and ATM machine and camera and car and computer and
palmtop and parking meter and cop car ... you won't even notice.
Places with "congestion pricing" like central London, or any toll
road anywhere, would even have plenty of active RFID readers buried
in the roadway already. And I'm sure the cops anywhere would love
to have them for tracking where everybody is driving --
individually.
Welcome to automated personal death. Courtesy of RFID and leading
shortsighted global corporations, with government encouragement.
John
----- End forwarded message -----
And item #2: hacking the system.
----- Forwarded message from Declan McCullagh <declan at well.com> -----
Date: Wed, 05 May 2004 00:41:47 -0400
From: Declan McCullagh <declan at well.com>
To: politech at politechbot.com
Subject: Hack the tech: a possible counter-RFID strategy [priv]
-------- Original Message --------
Subject: A possible counter-RFID strategy
Date: Mon, 3 May 2004 07:57:30 -0400
From: Rich Kulawiec <rsk at firemountain.net>
To: Declan McCullagh <declan at well.com>
(An edit of something I sent to the folks at nocards.org last summer)
Having followed the recent RFID-related messages on Politech, I
thought I'd send this along.
First, a small historical diversion: back in the 1980's, there were
rumors that the NSA had a complete Usenet feed going into its data
centers. In reaction, Usenet article authors began to include what
were called "NSA fodder" in the headers and bodies of their
articles; text strings like:
Moscow nuke Iran Kremlin secret spy CIA transmission
were put there to (at least in theory) cause the text-analysis
programs and perhaps the human beings analyzing the incoming data at
the NSA to work a bit harder.
Nobody (I hope) took this very seriously, but it does illustrate an
interesting point about approaches to frustrating unwanted data
collection, and that is that there are two ways to do that:
1. Deny the data to the collectors. 2. Give them all the
data they could possibly hope for... but fill it with so
much noise that it's useless.
In the case of RFID tags, so many people are all over their
deployment that approach #1 may now be effectively impossible.
Fine. Let them knock themselves out putting RFID tags on and in
everything and tracking them and accumulating all the data, and
spending lots and lots of money and time setting all that up.
Meanwhile, let's try approach #2.
After all, there's no reason why you and I can't have our own RFID
scanners, and locate the tags that we happen to find in our
possession, now is there? And if I felt like, oh, removing the tag
from my new shirt and sticking it in a city bus seat, or extracting
the tag from a new lawn sprinkler and putting it in on a shopping
cart back at the store where I bought it, well, why not?
Now imagine the consequences if 20 million people did the same.
We could even have little exchanges where we throw all our tags in a
pile and randomly take some away to play with -- the point being
that then not even *we* know what happened to them.
I find it very satisfying to think that someone trying to figure out
where my bicycle helmet is at the moment will actually be tracking a
Walmart (rushing headlong toward adoption of RFID) manager's car
that happened to parked somewhere nearby when I felt like
transplanting the RFID tag.
RFID tags from all kinds of things could be randomly planted
everywhere: in an airplane seat, in a newspaper at the library, in a
copy of a rented video, EVERYWHERE. Some could be transplanted to
similar items; others to completely different ones. And so on.
I'm not suggesting that anyone abandon the fight against the
intrusive and abusive uses of RFID by any means; I'm just suggesting
that one possible countermeasure to make whatever deployment goes
forward far less effective than its backers hope is to cause their
RFID trackers to record huge amounts of completely useless data. [1]
This is relatively easy to do, and could actually be turned into a
rather amusing exercise in competitive ingenuity. [2]
But more seriously, if a sufficient number of people participate,
and thus a sufficient number of RFID tags are pressed into service
generating bogus data, it will discredit them and devalue their
usefulness, thus discouraging their further adoption and
undercutting attempts to rely on them for some of their more
Orwellian possible uses.
It's a shame that something like this is necessary: but given the
total lack of respect for privacy and any semblance of
self-restraint on the part of governments and corporations, it is.
--Rsk
[1] Most importantly, "useless data" that will be very difficult to
distinguish from useful data. Every communications engineer learns
that separating signal from noise is relatively easy when they have
very different properties, but much harder when they're the same.
Hence the need to transplant at least some RFID tags to similar
items, thus generating bogus but hard-to-spot-as-bogus data.
[2] "I'd like to thank you for coming to testify before our
committee today, Mr. Ashton, and as my first question, I'd like you
to explain why the Senate's RFID scanner indicates that you walked
in here with a cheese grater, a copy of the latest Harry Potter
video, a forklift, and the latest issue of 'Motorcycle Babes' on
your person."
----- End forwarded message -----
--
Karsten M. Self <kmself at ix.netcom.com> http://kmself.home.netcom.com/
What Part of "Gestalt" don't you understand?
Kerry '04 http://www.johnkerry.com/
_______________________________________________
linux-elitists
http://zgp.org/mailman/listinfo/linux-elitists
----- End forwarded message -----
--
Eugen* Leitl <a href="http://leitl.org">leitl</a>
______________________________________________________________
ICBM: 48.07078, 11.61144 http://www.leitl.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE
http://moleculardevices.org http://nanomachines.net
[demime 1.01d removed an attachment of type application/pgp-signature]
More information about the cypherpunks-legacy
mailing list