

Mythbusters Gagged
August 30, 2008 11:55 PM   Subscribe

Mythbusters has been gagged about doing a new episode on the ease of hacking the new RFID-enabled credit cards.
posted by DJWeezy (121 comments total) 25 users marked this as a favorite

 
(Previously)
posted by hattifattener at 12:13 AM on August 31, 2008


Well, that sure kept the information under wraps!
posted by Matt Oneiros at 12:17 AM on August 31, 2008 [1 favorite]


Wow.
posted by delmoi at 12:24 AM on August 31, 2008


Also, that woman going on and on about her pizza oven. I hate it when questioners hog time like that.
posted by delmoi at 12:28 AM on August 31, 2008


Man this story has legs. I keep wondering if I'm going to get in trouble for this...
posted by asavage at 12:31 AM on August 31, 2008 [79 favorites]


Recent RFID Hackiness:

Fastrak

MiFare

MBTA

Draw your own conclusions but eventually all systems (computing or otherwise), no matter how secure their design, can be manipulated.
posted by iamabot at 12:34 AM on August 31, 2008 [1 favorite]


Hope not, asavage. You guys aren't hiding anything that someone with access to the googles and the varied tubes couldn't become highly educated about by reading any number of papers.
posted by iamabot at 12:36 AM on August 31, 2008 [1 favorite]


Man, so many hackers (or security geeks, heh) have been wrongfully busted by the very people whose security flaws they're pointing out. It's really sad. Would these organizations really prefer if the flaws were just exploited without being brought to their attention?
posted by tehloki at 12:40 AM on August 31, 2008


Adam, I know you have contractual and legal concerns, but realistically what could the credit card companies do to you? Their goal is to keep the RFID vulnerabilities as hush-hush as possible; a draconian reaction is going to further aggravate and mobilize your fans.
posted by nathan_teske at 12:43 AM on August 31, 2008


You better believe it, Tehloki. The bad PR you save on now always outweighs the potentially worse PR that hasn't happened yet.
posted by nudar at 12:49 AM on August 31, 2008 [2 favorites]


The current trend of ridiculous insistence upon saving face at the expense of acknowledging reality and solving problems is getting to be a real pain in the ass.
posted by batmonkey at 1:30 AM on August 31, 2008 [13 favorites]


Sorry Mr. Savage, you are officially the most "dugg" story around.

PS That Mona Lisa airgun thing was AWESOME!
posted by lattiboy at 1:48 AM on August 31, 2008


realistically what could the credit card companies do to you?

RTFA: he states quite clearly what the threat is. They could pull their advertising from the Discovery Channel.
posted by PeterMcDermott at 1:57 AM on August 31, 2008 [2 favorites]


John Schwartz from the NYT called it "three monkey security". I like that.
posted by asavage at 1:59 AM on August 31, 2008 [7 favorites]


Shrug. Security through obscurity never works in the long run. Keep pushing the envelope, Adam. My guess is that Discovery needs you more than you need them.
posted by ten pounds of inedita at 2:03 AM on August 31, 2008


(Previously)

Saves me some typing.
posted by Kid Charlemagne at 2:16 AM on August 31, 2008


PeterMcDermott: I don't want to speak for nathan_teske, but I believe he was referring to asavage wondering whether he was going to get in trouble for spilling the details. And, as nathan said, while the credit card companies clearly have the power to prevent the show from being aired, asavage being disciplined or (god forbid) fired for making the incident public would worsen, not improve, the situation in which they now find themselves. So of course they wouldn't shoot themselves in the foot. Of course.
posted by Turtles all the way down at 2:19 AM on August 31, 2008 [1 favorite]


eventually all systems (computing or otherwise), no matter how secure their design, can be manipulated.
That's not the point at all. The design of these systems is not even attempting to be secure. A few geeks and cryptographers could put together a secure payment system, or vote-taking software, using well-understood design principles. Instead we end up with crass, easily-hackable systems pushed by incompetent firms for whom 'security' isn't even on the map.

The credit card system is obviously insecure from the word go: there is no authentication/signing step; just possession of a short, easily-obtained string of numbers is authorisation to empty the account. The industry's solution to increasing fraud? Add three more digits to that number. Oh, genius. We could have a more secure system based on a private key and transaction-signing, but that would require more expensive hardware, so that's out. As long as the amount of fraud is kept below the level where the entire system falls apart, the card companies are happy.

Adding in-the-clear RFID access to credit cards is insecure and stupid, but then so's the existing system it's building on, so why bother making anything that's actually solid?
posted by BobInce at 2:45 AM on August 31, 2008 [9 favorites]
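The contrast BobInce draws above (possession of a short string versus a signature from a per-card private key) is easier to see in code. The following is an added illustration, not code from this thread or from any card scheme: a card that merely emits a fixed number is compared with one that signs each transaction over a fresh issuer challenge. HMAC-SHA256 is used as a stand-in for the public-key signature he describes, because it is in the Python standard library; the card numbers, card IDs, merchant names and keys are all constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed sample data for the example; none of these are real accounts.
KNOWN_PANS = {"4111111111111111"}


# --- Scheme 1: the card is a bearer token -----------------------------------
class StaticCard:
    """Models a card whose only 'authentication' is emitting its number."""

    def __init__(self, pan: str):
        self.pan = pan

    def present(self, _challenge: dict) -> dict:
        # The terminal's challenge is ignored: the reply is identical every time,
        # so anything that can read it once can replay it forever.
        return {"pan": self.pan}


def static_issuer_accepts(msg: dict) -> bool:
    """Possession of the string is the whole check."""
    return msg.get("pan") in KNOWN_PANS


# --- Scheme 2: per-transaction signature over a fresh challenge --------------
def _encode(challenge: dict) -> bytes:
    """Canonical byte string so card and issuer sign exactly the same fields."""
    return "|".join(
        (challenge["nonce"], str(challenge["amount_cents"]), challenge["merchant"])
    ).encode()


class SigningCard:
    """Holds a secret that never leaves the card; only signatures leave."""

    def __init__(self, card_id: str, secret: bytes):
        self.card_id = card_id
        self._secret = secret

    def present(self, challenge: dict) -> dict:
        # HMAC stands in for an asymmetric signature (assumption for the
        # example); what matters is that nonce, amount and merchant are bound
        # into the signed data, so the reply is useless for any other purchase.
        sig = hmac.new(self._secret, _encode(challenge), hashlib.sha256).hexdigest()
        return {"card_id": self.card_id, "challenge": dict(challenge), "sig": sig}


class SigningIssuer:
    def __init__(self):
        self._keys: dict[str, bytes] = {}
        self._outstanding: set[str] = set()  # nonces issued but not yet spent

    def enroll(self, card_id: str) -> SigningCard:
        secret = secrets.token_bytes(32)
        self._keys[card_id] = secret
        return SigningCard(card_id, secret)

    def new_challenge(self, amount_cents: int, merchant: str) -> dict:
        nonce = secrets.token_hex(16)
        self._outstanding.add(nonce)
        return {"nonce": nonce, "amount_cents": amount_cents, "merchant": merchant}

    def authorize(self, msg: dict) -> bool:
        ch = msg["challenge"]
        key = self._keys.get(msg["card_id"])
        if key is None or ch["nonce"] not in self._outstanding:
            return False  # unknown card, or nonce never issued / already spent
        expected = hmac.new(key, _encode(ch), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, msg["sig"]):
            return False  # amount, merchant or nonce altered, or wrong key
        self._outstanding.discard(ch["nonce"])  # each challenge is single-use
        return True


def demo() -> dict:
    """Run both schemes against an eavesdropper who replays or edits what it saw."""
    results = {}

    # Scheme 1: a single sniffed read is a reusable credential.
    static = StaticCard("4111111111111111")
    sniffed = static.present({"nonce": "ignored"})
    results["static_legit"] = static_issuer_accepts(sniffed)
    results["static_replay"] = static_issuer_accepts(dict(sniffed))

    # Scheme 2: the genuine transaction succeeds once.
    issuer = SigningIssuer()
    card = issuer.enroll("card-0001")
    ch = issuer.new_challenge(1999, "merchant-A")
    signed = card.present(ch)
    results["signed_legit"] = issuer.authorize(signed)
    results["signed_replay"] = issuer.authorize(signed)  # same nonce again

    # Editing the amount on a fresh challenge breaks the signature.
    ch2 = issuer.new_challenge(500, "merchant-A")
    signed2 = card.present(ch2)
    signed2["challenge"]["amount_cents"] = 50000
    results["signed_tampered"] = issuer.authorize(signed2)

    # A captured signature cannot answer a new challenge at another merchant.
    ch3 = issuer.new_challenge(1999, "merchant-B")
    forged = {"card_id": "card-0001", "challenge": ch3, "sig": signed["sig"]}
    results["signed_forged"] = issuer.authorize(forged)
    return results


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name:16s} accepted={accepted}")
```

Running it shows the static card accepted on both the genuine read and the replay, while the signing card is accepted once and rejected on replay, on an edited amount, and on a reused signature against a new challenge. One caveat: because HMAC is symmetric, the issuer in this example holds the same secret as the card; a genuine public-key design, which is what BobInce is pointing at, lets the issuer keep only a public key, so a breach of the issuer's database does not yield anything that can sign.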


Man this story has legs.

But it's missing an eyebrow.
posted by DU at 3:24 AM on August 31, 2008 [10 favorites]


asavage: so now that the story has come out, think we'll get to see the hack?
posted by krautland at 3:57 AM on August 31, 2008


In case anyone wants it, here's the entire session in one google video file. The opening 20 minutes about the Dodo bird skeleton and the Maltese Falcon is excellent.
posted by inthe80s at 4:54 AM on August 31, 2008 [2 favorites]


Well, Adam Savage has always been the Discovery card.
posted by hal9k at 4:54 AM on August 31, 2008 [2 favorites]


Fuck trouble. Have fun.
posted by trondant at 4:56 AM on August 31, 2008


I believe he was referring to asavage wondering whether he was going to get in trouble for spilling the details

Oh right. Well, I don't want to speak for Adam Savage either, but I assumed from the clip that he was referring to getting in trouble with his employer/contractor, the Discovery Channel. I suppose they could fire him, or not renew the show, but I'm guessing Mythbusters is one of their bigger earners, so it seems unlikely to me.
posted by PeterMcDermott at 5:24 AM on August 31, 2008


so now that the story has come out, think we'll get to see the hack?

Pretty sure the answer to that question is "no" unless Discovery gets magical unicorn funding that isn't in any way tied to the credit card companies. They'd probably also need enough of this pixie dust cash to support doubling their legal team when said credit card companies take them to court for disseminating information about how to circumvent (the extraordinarily weak) security methods. Such action would be bullshit, of course, but it would be a problem for the network and there's a very good chance they'd lose.

Filed under things these companies don't get is the reality that the black hats who would use this information already have it. The credit card companies have dumped $lots into weak technology and believe the only way to proceed is to cover up their mistakes instead of, you know, actually correcting them. The loser? Everyone who's going to go through the hell of undoing a credit nightmare when someone gains privilege over their account.

Security has and always will be an arms race. And like arms races, the more vulnerabilities you keep private, the more vulnerabilities the unaware have.
posted by Mikey-San at 5:41 AM on August 31, 2008 [2 favorites]


* by "these companies", I mean the credit card companies, not Discovery
posted by Mikey-San at 5:43 AM on August 31, 2008


Man this story has legs. I keep wondering if I'm going to get in trouble for this...

Well, if you do, I heard that salsa can eat its way through steel bars. You can bust outta jail easily that way.
posted by NoMich at 6:11 AM on August 31, 2008 [6 favorites]


Seems like a good time to pick up a ThinkGeek RFID-blocking wallet. Assuming they're effective.
posted by emmastory at 6:25 AM on August 31, 2008


I keep wondering if I'm going to get in trouble for this...

I would think they'd have a little trouble disciplining you if you were pointing an 80 millisecond Mona Lisa gun at them.
posted by Dave Faris at 6:27 AM on August 31, 2008 [2 favorites]


That RFID wallet works. A workmate has one. It's a faraday cage between two layers of leather, basically. We tested the hell out of it. :)
posted by rokusan at 6:40 AM on August 31, 2008


Seems like a good time to pick up a ThinkGeek RFID-blocking wallet. Assuming they're effective.

I'd like to see that one on Mythbusters — "what does it take to block an RFID reader?". Maybe a way to take lemons and make lemonade.
posted by graymouser at 6:48 AM on August 31, 2008


> Man this story has legs. I keep wondering if I'm going to get in trouble for this...

Credit card companies? Pah. If they try to get you in trouble, let them meet the combined forces of geekdom ...

*oh my god what happened to my credit score?!?!?!*
posted by WCityMike at 6:50 AM on August 31, 2008 [1 favorite]


I suppose they could fire him, or not renew the show, but I'm guessing Mythbusters is one of their bigger earners, so it seems unlikely to me

And The Jamie Hyneman Show just wouldn't be the same thing, somehow.
posted by Turtles all the way down at 7:20 AM on August 31, 2008


Well Adam- we can confirm that the RFID cards can be read by any geek with a store-bought RFID reader- but there's one thing we're not sure of.

That's right Jamie- what would happen to one of these new-fangled RFID cards if we taped a mess of TNT to them and blew them sky high? Heck we do it to everything else on the show, why should these be any different....
posted by mattoxic at 7:22 AM on August 31, 2008 [4 favorites]


Wait, do these credit cards even have to be hacked in any fashion, or is the "hacking" just reading the RFID tag?
posted by TheOnlyCoolTim at 7:41 AM on August 31, 2008


Turtles all the way down thanks, my point exactly. Basically the cc companies have gone all-in on PR and are bluffing.
posted by nathan_teske at 8:23 AM on August 31, 2008


Wait, do these credit cards even have to be hacked in any fashion, or is the "hacking" just reading the RFID tag?

I believe the "hacking" is reading the number and cloning it to a new chip.

Also asavage wow i never thought you would post on this.
posted by DJWeezy at 8:29 AM on August 31, 2008


I got the impression the episode was stopped in pre-production, not that a completed episode was pulled from the schedule (which has happened on other occasions). Am I missing something?
And, I think these sites are all misquoting, but I'm not going back there..
posted by Chuckles at 8:40 AM on August 31, 2008


That's right Jamie- what would happen to one of these new-fangled RFID cards if we taped a mess of TNT to them and blew them sky high?

Yep, still readable!
posted by Chuckles at 8:41 AM on August 31, 2008


Could start out with reassembling people's shredded credit card applications and go from there...
posted by acro at 8:55 AM on August 31, 2008 [1 favorite]


Good luck with this, Adam. I'd do much the same thing for something else if I wasn't terrified of the consequences.
posted by infinitewindow at 9:03 AM on August 31, 2008


I was more surprised the toothpaste companies didn't let them test whitening strips not working.
posted by mathowie at 9:08 AM on August 31, 2008


> Man this story has legs. I keep wondering if I'm going to get in trouble for this...

I hope not, but I cringed when I saw that.

Also, I love the anatomy of an internet phenomenon.

The Mona Lisa Post was on August 28th here, which then led to opsin posting this comment 12 hours later, finding the talk from YouTube's 'what's related' section. Which 12 hours later resulted in the FPP of asavage's talk.

The next morning, Cory posts this to boing boing. (Not implying there was link stealage, just hitting the critical mass of "omg, you have to check out this video" which I know I did a few times sending the google vid directly to friends).

And then 48 hours after the original Mona Lisa post to the blue, the serpent eats its own tail, and a FPP to the Consumerist about the same video we've already been talking about shows up on the blue.
posted by mrzarquon at 9:22 AM on August 31, 2008 [2 favorites]


I totally regret my complicity if anything bad comes of this.
posted by Dave Faris at 9:40 AM on August 31, 2008


My guess is that, more or less, they reasoned as follows:

The likes of Savage, the geeks, lack a solid motivation to actually abuse their discovery. They also are a tiny % of population. The majority can hardly spell their names, let alone figure out the hacking method in the very unlikely event they stumble on a website with instructions.

Yet, if the audience is reached by the mere information that "it can be done" the likelihood of abuse will increase significantly. Which could trigger one of the following Plans B:

1) lobby for harsher sentences and go the RIAA way : costly and ineffective, unpopular.
2) lobby to make the masses pay for our own failures : difficult, we don't have any "poor artists, their villas and their families" to make-believe defend
3) actually making a safer system : makes us dependent on more sophisticated technology, possibly from fewer vendors and with few alternatives, they'll extort us mega royalties if they sniff our dependence.
posted by elpapacito at 9:41 AM on August 31, 2008 [1 favorite]


I've never heard of this show so I looked up the ratings.

They could bring Cheney on to tell you how he planned 9/11 and still no one would know about it.
posted by Zambrano at 9:47 AM on August 31, 2008 [2 favorites]


I've never heard of this show so I looked up the ratings.

They could bring Cheney on to tell you how he planned 9/11 and still no one would know about it.


Oh, snap!
posted by splice at 10:01 AM on August 31, 2008


Would these organizations really prefer if the flaws were just exploited without being brought to their attention?

No, these organizations would really prefer if the flaws were just exploited without being brought to the public's attention.
posted by dilettante at 10:07 AM on August 31, 2008 [3 favorites]


mrzarquon, it DOES feel like a kind of critical mass. That video's been online for at least a month, and the first Reddit post about it was about me being a pirate. As I showed some videos to the crowd, they glimpsed my file menu for movies, saw the Batman DK trailer and mistakenly assumed it was a pirated copy. Lots of laughs.

Story hit big also on Digg and Reddit. AND there was (for some reason) a big bump on a story I did for Pop Mechanics last month on science and education. Could it ALL be from the Mona Lisa thing? We have gotten almost a million hits in the last 4 days. Lots of extra youtube searching...

Aaanyway. 2 things were great about that HOPE conference: 1. the crowd was AWESOME, and 2. I was surprised at the fact that after I told that story about the CC companies nixing our RFID story, there wasn't more negativity in the crowd. I was being honest about the relationships that are important to a large corporation like Discovery and people took it for what it was.
It's not like I was expecting hisses (I didn't even expect to tell the story), but when you're in front of a crowd, you can really feel their mood moment by moment (listen to their palpable displeasure at the 9-11 question) and the mood after my response was higher than I would have thought.
posted by asavage at 10:23 AM on August 31, 2008 [10 favorites]


I suppose the application of an RFID chip which broadcasts a credit card number is that you can go into a store and just pass by the checkout to pay for things?

Security is the obvious problem, and thanks to the guys from Mythbusters for bringing this to people's attention, and I could go into a long rant about the social implications of a store checkout without a person standing there but I will shorten it to a question:

Do you really want a trip to the store to become even more impersonal and alienating? I hate this tech, and when it becomes widespread I am buying a shielded car-coat and all kinds of electromagnetic devices.
posted by Deep Dish at 10:33 AM on August 31, 2008


> Could it ALL be from the Mona Lisa thing?

I would actually say yes. I also saw it on digg and other sites, but that combined with a labor day weekend, so folks are looking for things to keep themselves amused and are following the rabbit hole to find more and more adam and jamie hijinks. Maybe to take a step back further: it is the result of people knowing your Moon Hoax video aired on wednesday, and then googling and searching youtube on thursday to find clips of it.

I think it is funny that it was not until Cory did the "corporations are evil" rallying cry, specifically pointing to the clip with the RFID discussion on it, that this fully took off. That blurb hit the RSS feeds, got folks at Slashdot and the Consumerist to perk up and post it, which then got some other mefi who just glossed over the original two threads to then post that here.

I imagine if the google video version of your speech was passed along by Reddit, not the 5 minute youtube clip of you falling on your ass / being a pirate, then it would have garnered more attention. Just because more people would have sat down and watched the entire video in sequence and not missed the rfid portion (it took some effort to find all of the rest of the youtube clips to watch the whole thing).

> I was surprised at the fact that after I told that story about the CC companies nixing our RFID story, there wasn't more negativity in the crowd. I was being honest about the relationships that are important to a large corporation like Discovery and people took it for what it was.

HOPE has been around for a while, and I would assume has a much older audience than if you were speaking to the Digg or Fark crowd. I think they also knew that your show is about science and testing and proving things, not some news show or investigative journalism segment. Your show probably costs a lot of money, that money has to come from somewhere, and inevitably that money has strings attached. And it was not like you were compromising your methods or practices to create a false result; in the same talk you had stated that if you couldn't do something properly, you would rather not do it at all (which is the take I got from your earlier response to the "why don't you test if 9/11 was faked" question).

Personally, I found the most egregious use of corporate influence was on the grenade myth, changing it from real documented events and trying to see the result of it to "are the movies true" implying that people have not actually died sacrificing themselves to save their comrades.

I really wish you told the pizza oven woman that the best person to ask about it would probably be Alton Brown.
posted by mrzarquon at 10:58 AM on August 31, 2008


That's not the point at all. The design of these systems is not even attempting to be secure. A few geeks and cryptographers could put together a secure payment system, or vote-taking software, using well-understood design principles.

I think you missed the point of my comment. My point was obscuring the design of a system does not make it any more secure long term, in general I am not a fan of security by obscurity, but it does raise the bar a little bit for the initial disclosure. However, once the toothpaste is out of the tube, it's not going back in. Which is the relevance to the Mythbusters desire to explore the state of general knowledge around RFID and the systems around them.

Instead we end up with crass, easily-hackable systems pushed by incompetent firms for whom 'security' isn't even on the map. The credit card system is obviously insecure from the word go: there is no authentication/signing step, just possession of a short, easily-obtained string of numbers is authorisation to empty the account.

It is apparent that you have little familiarity with what the underlying systems architecture for credit payment processing is and what the requirements for it are, which is a shame cause the data is out there. I know that it's easy to equivocate the lack of depth immediate in the security in the implementation of end user aspects of the payment infrastructure, but the numbers and vulnerability risk associated with individual security is so low compared to the underlying systems architecture it's ridiculous. This, however, is changing due to the focus on aggregate compromises of end users. I can tell you that PCI DSS is probably the most rigorous, modern and thorough security compliance standard out there, passing Sarbanes-Oxley, HIPAA and SAS in its depth.

The industry's solution to increasing fraud? Add three more digits to that number. Oh, genius. We could have a more secure system based on a private key and transaction-signing, but that would require more expensive hardware, so that's out. As long as the amount of fraud is kept below the level where the entire system falls apart, the card companies are happy. Adding in-the-clear RFID access to credit cards is insecure and stupid, but then so's the existing system it's building on, so why bother make anything that's actually solid?

You're mixing the principles of secure design with the motivations of a business. The business is motivated to keep the system as it exists usable by the vast majority of users with the least inconvenience to them. Adding the code on the back of the card did a couple of things: it addressed the immediate problem present, where you had a separate number not associated with the imprint as an additional token, cutting out carbon copy theft. Additionally, with its introduction you had the implementation of a crude PIN used for all transactions that is not stored as part of cardholder data in processing systems; every other indicator on the card up to that point was. It is not on the verge of total collapse as you allude. It is a profit making center for some of the most powerful and wealthy organizations in the world, as evidenced by the pressure they put on the Mythbusters squad. As I mentioned above, the whole point of a credit card is to make things as usable as possible for their customers, and frankly at the end of the day people need to be responsible for their own security.

The moral of this comment is that if you have a credit card, use it for specific purposes, watch your bills and have the bank change the number every 6 months. If you use one for online payments, have one dedicated for that purpose with a very very low limit that you set up to get alerts emailed to you every time it is used so you can track it.

Take ownership of your security. Credit cards, banks, payment systems are all tools; as such they can cut you if you don't watch what you are doing with them.

Disclosure: I design, implement and operate high-security network infrastructures for airlines, banks, and some of the largest online retailers. They take the security of your data and their infrastructure extremely seriously; it is not a cavalier enterprise. However, the security of any system must be balanced with the ability to use that system for its intended purpose.
posted by iamabot at 11:06 AM on August 31, 2008 [8 favorites]


The Discovery Channel HQ is right down the street from my work and they have a big grassy lawn on the south side. However, they won't let anyone but Discovery employees sit on it.

But they have a tyrannosaurus skeleton in a public welcome annex that they dress up for holidays.

Make up your mind!
posted by cowbellemoo at 11:16 AM on August 31, 2008


>>They take the security of your data and their infrastructure extremely seriously, it is not a cavalier enterprise.

They care about their profit and public image, not our security.
posted by SaintCynr at 11:24 AM on August 31, 2008


They care about their profit and public image, not our security.

Those things are not decoupled. In all seriousness, you should read the PCI DSS, and the supplements; this doesn't need to turn into a thread focused on the gripes around the payment industry. If you have questions feel free to memail me. I'm not by any stretch saying things are perfect or that the implementations are quite what I would like, but they are unlikely to change radically; consequently I believe shows like Mythbusters could do quite a bit to raise the general level of attention around the payment industry and the privacy concerns associated with RFID, and that is a great thing.

What worries me about RFID is the loss of anonymity associated with the widespread implementation. It would be trivial, in terms of infrastructure, to deploy a distributed tracking system and then tie the RFIDs to specific individuals. The privacy concerns with RFID are frightening. I'm a network and security guy by profession and I spend way more time worrying about the loss of my privacy associated with the widespread use of RFID tags and the associated ability for distributed tracking than I do about the ability for someone to temporarily (or hell even permanently) steal several hundred dollars from me.

Who knows, maybe the attention around this topic will show Discovery and its advertisers that it would garner a huge amount of eyeballs, and therefore revenue, without actually disclosing anything that isn't already readily available on the intertubes with 15 seconds in a search engine.
posted by iamabot at 11:43 AM on August 31, 2008


asavage- also, randomly, what was the scotch you were 'forced' to drink for the sobriety tests?
posted by mrzarquon at 11:45 AM on August 31, 2008


RFID is hackable, as are all other electronic systems. Why not a reasonable system such as tattooing a Social Security number on the forehead of each newborn at the moment of birth.
posted by Cranberry at 11:45 AM on August 31, 2008


There is an option - stop using the cards.

Maxed Out, the movie
I.O.U.S.A. - about debt
And if you wanna hear 30 mins of hate for credit cards:
Cash Flow (He was going to have Bruce Schneier on at some point after talking about the lack of security in the money system.)
posted by rough ashlar at 11:47 AM on August 31, 2008 [1 favorite]


From a tinfoil hat perspective, and I don't think it's that far fetched:

If you consider the implementation of Echelon and other data collection enterprises and make a logical link to the ease with which RFID tracking could be implemented, it begins to get concerning. Follow it to how easy it would be to get the credit industry behind the scenes to turn over the data on what tag belongs to whatever user and go from there. There is no technical challenge in this; it's off the shelf in terms of a homegrown solution, and commercial systems exist that accomplish this exact thing for UPS, FedEx, Ikea, Walmart, Safeway, etc. This is what the erosion of personal and civil liberties is doing to us; it is what the evaporation of privacy in commerce is doing. It is not making you safer, it is making you an asset to be observed and manipulated at both an aggregate and individual level.

In other words, support the EFF, ACLU, politicians who are advocates for privacy, etc, and again take responsibility for your own privacy and security.
posted by iamabot at 12:00 PM on August 31, 2008 [1 favorite]


Sure, instead of actually FIXING the flaws in their security system, it's cheaper to bully people into not saying they exist.

For now.
posted by chimaera at 12:10 PM on August 31, 2008


Recently a buddy of mine worked a conference where they embedded RFID in the name tags of everyone who attended, and placed readers throughout the hotel and even in a few popular drinking establishments downtown. The attendees did not know any of this until the next morning, when from the stage the presenter started reading off a list of who spent the most time in the hotel bar the night before as well as who had not quite made it back to the hotel yet. They also noted who went to the gym and such. For the rest of the event they used graphics in a crawl along the bottom of the screen to show when people rolled into the meeting late from lunch or a break. So CCs are just the tip of the iceberg on this stuff.
posted by HappyHippo at 12:15 PM on August 31, 2008 [2 favorites]


Maxed Out is pretty cool, if only because it's got interviews with smart-cookie Elizabeth Warren strewn about it.
posted by Weebot at 12:21 PM on August 31, 2008 [1 favorite]


I was more surprised the toothpaste companies didn't let them test whitening strips not working.

They don't work?
posted by Blazecock Pileon at 12:55 PM on August 31, 2008


asavage- also, randomly, what was the scotch you were 'forced' to drink for the sobriety tests?

mrzarquon: With respect, I think it's very cool that Adam Savage is a MeFite, but I think this should be one place where he should be able to make an appearance without the celebrity fawning. I realize that it's a temptation to ask questions such as this when the celebrity appears, but I'd much prefer his honest input into this or whatever threads he chooses to contribute to. Which, I suspect, he doesn't very often do because there's this thing about celebrity that gets in the way of anything else.

Again, I do not mean to criticize overly. But I can imagine what it would be like (I think) for me to try to post to MeFi if anything I said was met with "Ohmigod, do you know Turtles all the way down is ROB CAMPBELL? Seriously, THE Rob Campbell!" Because although some of what I post and comment is good (even really good, sometimes, I modestly admit) the majority is at best mediocre, and at worst motivated by drunkenness, and I would hate to think that it received attention or accolades because of my celebrity, rather than for its own merits. Which vary considerably, as is no doubt obvious.
posted by Turtles all the way down at 1:14 PM on August 31, 2008 [3 favorites]


Once and for all, BP, they do not work! Now stop asking, you pest.
posted by Turtles all the way down at 1:15 PM on August 31, 2008


I was more surprised the toothpaste companies didn't let them test whitening strips not working.

I had actually not thought of consumer product "myths" such as this. Can people really tell the difference between Coke and Pepsi? How many dentists really recommend Dentyne? Just how pure is Ivory soap? (And pure what?) If you replace someone's Folger's Crystals, do they notice?
posted by DU at 1:47 PM on August 31, 2008 [2 favorites]


turtles- it was more out of curiosity than 'omg you're my hero,' because honestly, that was the first thing I thought of when he mentioned in the video, which the rest of the discussion is about, that he had drunk 5 scotches in 45 minutes: What Scotch?

I guess if I had remembered to tack it onto my other comment with a small tag it would not have appeared as a random out of the blue question.

Now to the topic at hand: Corporations will take any and all means necessary to protect themselves from what they see as a threat to their revenue. They have been doing this for a while, from preventing rBGH reports from being aired to preventing a show on Discovery that is about science from testing if their products are secure. Not to expose security holes in the product, just to see if the products are secure.
posted by mrzarquon at 1:51 PM on August 31, 2008


Is it a "gag" if it's not from the government? If a company doesn't want to do something out of risk then they should be able to. The real question is why we are expecting TV entertainers to test our security. Aren't there security organizations that should be doing this for us? With lawyers and finances to back them up?
posted by damn dirty ape at 3:02 PM on August 31, 2008


mrzarquon: fair enough, and I really didn't mean to single you out. And maybe I was out of line in general, but it's something I wanted to get off my chest.
posted by Turtles all the way down at 3:11 PM on August 31, 2008


The question is, why do we let corporations get away with this?

Further:

Why have we allowed ourselves to be so bought into the corporate model that they can exert this kind of control?

How do we get out of this obviously unequal partnership, wherein we give them gobs of money and they use it to get away with whatever they want, even eroding our own rights?
posted by batmonkey at 3:27 PM on August 31, 2008 [2 favorites]


I keep wondering if I'm going to get in trouble for this...

Cat's out of the bag, but they can't exactly blame you for wanting to test an idea already mentioned elsewhere before.
posted by bwg at 3:48 PM on August 31, 2008


Can people really tell the difference between Coke and Pepsi?

We did a small experiment in my Psychology of Perception class on this. People could (and Diet Coke and Pepsi too) by a statistically significant margin. But that was a pretty small sample size, and a pretty informal test.
posted by moonbiter at 3:59 PM on August 31, 2008


Seems like a good time to pick up a ThinkGeek RFID-blocking wallet. Assuming they're effective.

Just another owner here confirming they do indeed work as advertised. The principles of a Faraday cage are extremely simple and commonly understood... it's just there's never been a terribly good reason to build them until recently.

The day after I bought my RFID-blocking wallet I pulled into my office's parking garage and couldn't get in. I probably spent 30 seconds frantically waving my wallet (where I had kept my RFID-containing parking pass) at the reader before it hit me... "oh right... hey, it works."
posted by Civil_Disobedient at 4:00 PM on August 31, 2008 [4 favorites]


No, these organizations would really prefer if the flaws were just exploited without being brought to the public's attention.

Indeed. One of the selling points of credit cards is that Joe Average doesn't pay for fraud - the bank, or the card company, or the merchant will wear the cost. The last thing Visa or AMEX or whoever want is to have a bunch of merchants line up and say, "You know, given how insecure your card is, we're not really seeing how we should be wearing fraud charges" at the same time it becomes easier for script kiddies to break the cards.
posted by rodgerd at 4:01 PM on August 31, 2008


Can people really tell the difference between Coke and Pepsi?

Oh, absolutely... if you drink enough of the stuff, it's not hard at all. What's more, Coke doesn't taste anything like it used to taste. After the "New Coke" fiasco, Coca-Cola changed their formula to the "Classic" variety, which is most assuredly not the formula they were using before the mid-1980s. Now it's high-fructose corn syrup scientifically reformulated to mimic the taste of the cane-sugar, pre-New Coke formula. There were other changes as well, though this would be the one most apparent to U.S.A.ians (you can still get the cane sugared formula at the bottling plant and in Canada... but on US supermarket shelves, it's nothing but rows and rows of carbonated subsidies to the Mid-west farmers).
posted by Civil_Disobedient at 4:07 PM on August 31, 2008


From the second link in the OP:
In related news, here's a post showing how to steal RFID credit card information with $8 worth of equipment from eBay.
Ha!
posted by Marisa Stole the Precious Thing at 4:27 PM on August 31, 2008


DU Can people really tell the difference between Coke and Pepsi?

Anecdotal - I absolutely can tell the difference. Also I can tell the difference between Dr. Pepper and Mr. Pibb - purportedly the same "flavor".

Oddly, if I have to drink regular soda, I choose Coke every time, but if it's diet, I much prefer Diet Pepsi.

And Diet Dr. Pepper tastes the most like its non-diet counterpart of any of them.

/derail
posted by tzikeh at 5:37 PM on August 31, 2008


HOLY SHIT! *THE* ROB CAMPBELL IS HERE!!!
posted by UbuRoivas at 5:52 PM on August 31, 2008 [5 favorites]


More seriously, there are various implementations around the world of RFID cards that double as stored-value micropayment cards. As far as I know, they're all basically public transport tickets, which you can also use to pay for things like groceries from the 7-11, parking meters, and so on. Hong Kong's Octopus card is probably the oldest & best-known example, but they're all over the place - Japan, Korea, Taiwan, New Zealand...I think the Oyster card in London also works for micropayments. At present, it seems as if swiping your card near a reader to buy a newspaper or a coffee or whatever is very much the way of the future.

The recent hack of the MIFARE-based Oyster card was quite interesting. As I understand it, they recorded the signal emitted by a reader on a government building in Holland (standard technology, yeh?), then physically peeled back the layers of circuitry on a card's chip to see what algorithm they use to encrypt & decrypt the signals between the cards & the readers, and from there it was just a matter of building a device to emulate the reader, capturing the responses from peoples' cards as they brushed past them on the Underground, then using the algorithm to reverse-engineer the unique IDs of the cards, from the captured data.

I might be missing a bit of the technical detail, but I think that largely summarises the process. Not quite rocket science, but more than your average Joe could do. It also involved microscopes & computer geekery, not dynamite & engineering geekery, so to be honest, it doesn't sound like standard Mythbusters fare.
posted by UbuRoivas at 6:08 PM on August 31, 2008


Turtles, thank you so much for the sentiment.
For the record, I didn't feel that vibe from mrzarquon, nor from anyone here on any branch of the blue, green and grey. This is really the only online community apart from the Replica Props Forum. I don't read the comments section of any other sites (reddit, digg, fark, slashdot-- especially slashdot) because it's too disturbing to be repeatedly called an idiot.

I don't post often because frankly I'm often intimidated by the level of erudition and articulate, thoughtful posts I find here, and I don't seek to denigrate that just to see my post count go higher. So I post when I've got the time and something to say.

mrzarquon, for the record, I chose a very nice 18 year old Lagavulin. Now THAT is some good shit.
posted by asavage at 7:09 PM on August 31, 2008 [16 favorites]


Ohmigod, do you know Turtles all the way down is ROB CAMPBELL?

Wait wait wait.

So there's the world. It sits on some heffalumps.

The heffalumpses sit on a fucking big turtle, or maybe on several stacked turtles. Whatever.

The turtle, or bottom turtle, rests upon ROB CAMPBELL.

So what does Rob "Atlas" Campbell sit on?
posted by ROU_Xenophobe at 7:31 PM on August 31, 2008


I don't post often because frankly I'm often intimidated by the level of erudition and articulate, thoughtful posts I find here

Well, I guess I know who doesn't favorite MY posts.

Signed,

Psho,
Miffed, Inarticulate, and Not Terribly Thoughtful (and Proud Of It, Dagnabbit)
posted by potsmokinghippieoverlord at 7:54 PM on August 31, 2008


It's Rob Campbells all the way down.
posted by h00py at 7:54 PM on August 31, 2008


> for the record, I chose a very nice 18 year old Lagavulin.

I commend your choice in scotch sir (actually I believe you had the 16 year).

I was actually thinking about what I would choose if I were in similar situations. Would I go with a top shelf selection, but in essence just have to consume it and not be able to fully enjoy it, or go with a cheaper, simpler option, because it would accomplish the same goal to get inebriated. Then I realized I probably would not be paying for it, so Lagavulin 21 year it would be. And a nice dark stout to go along with it. And a cigar.

I wonder if thinkgeek is trying to figure out why they are getting such a rush on orders for their rfid wallet. Now that would be a fun segment: "we weren't able to fully test and talk about our RFID credit card myths, but what we can say is that we all have RFID blocking wallets to ensure they can only be read when we want them to be read"
posted by mrzarquon at 8:00 PM on August 31, 2008


I've never been more impressed with Mythbusters than when they demonstrated how easy it is to defeat fingerprint scanners and motion detectors. Like Consumer Reports, that's an important public service. People need to know that their expensive home security system can be easily defeated. People need to know that the fancy fingerprint-based "biometric security" mechanism on their new laptop or phone doesn't work as advertised.

The RFID industry depends on widespread adoption. They need tags in everybody's pockets -- it's built into their business model. Exposing the privacy and security risks of these systems is a public service, and it's a shame Mythbusters won't be able to bring their credibility and popularity to the task.

When somebody tells me how great their new fingerprint scanner is I just say, "Oh, didn't you see that episode of Mythbusters? Those don't work." And there's no debate. I'd love to be able to do the same with RFID.
posted by sdodd at 8:16 PM on August 31, 2008 [1 favorite]


OHMIGOD ADAM SAVAGE RESPONDED TO MY COMMENT!!!!111!
posted by Turtles all the way down at 8:20 PM on August 31, 2008


Just to be clear, I'm making fun of myself here.
posted by Turtles all the way down at 8:32 PM on August 31, 2008 [2 favorites]


I just want to say one of the reasons I love MetaFilter is for every high-profile guy like asavage there are countless guys who are just as creative and talented as asavage here giving advice and their opinions.

Then, of course, there are the total nincompoops.
posted by Mr.Encyclopedia at 8:41 PM on August 31, 2008


sdodd, me too. I've rarely been more surprised at success than with that segment. For the record, we were doing our beta testing with a USB fingerprint security thingy plugged into a laptop, and that thing was MUCH harder to beat than the door model. We didn't even go near the ones where you have to brush your finger; I believe that the movement makes them far more secure. (I haven't tested those though, so take that intuition for everything it's worth.)

We also (I believe) got sued (or threatened with legal action, not sure which) by the maker of that fingerprint scanner. They said we misrepresented their product. But we have excellent producers and the one that spoke to that company had taken careful notes, and she'd spoken to the head of their sales team, who had provided the copy we used to describe their product. Discovery swatted it away. The preceding paragraph is all hearsay BTW. I'm not usually directly involved in these kinds of machinations. Much as I'd love to be.
posted by asavage at 9:33 PM on August 31, 2008 [1 favorite]


asavage: I don't think they do make it any more secure, but I can't find a published experiment offhand (references to Tsutomu Matsumoto's (et al.) paper mostly drown out everything else…)
posted by hattifattener at 10:15 PM on August 31, 2008


Exposing the privacy and security risks of these systems is a public service, and it's a shame Mythbusters won't be able to bring their credibility and popularity to the task.

Then Mythbusters should do a show on hacking RFID in a general way, and let viewers draw their own conclusions about potential security holes.

Maybe asavage can hack a passport or a list of other things that contain personal information.
posted by bwg at 10:19 PM on August 31, 2008


or just test to see if those RFID wallets actually work.

"here I was able to read the RFID chip, from 3 feet, but within the wallet, I couldn't detect it at all!"
posted by mrzarquon at 10:27 PM on August 31, 2008


Exactly, mrzarquon. Credit card companies may bully their way into not having their products mentioned by name, but that doesn't mean there's no workaround.

Besides, this whole RFID thing feels one step closer to "Minority Report land".
posted by bwg at 10:52 PM on August 31, 2008


Then, of course, there are the total nincompoops.

Over here!

The principles of a Faraday cage are extremely simple and commonly understood

The Faraday cages I've had experience with were...well...cages. They were about the size of a small room and ran in the neighborhood of around 60 to 80 grand. A lot of copper. These of course worked very well. Radio and cell phones went dead whenever we closed the doors. It seems they also have a tendency to degrade as the metals used do not stand up well to water, perspiration, oils from skin contact, etc..
posted by P.o.B. at 11:08 PM on August 31, 2008


bwg- unfortunately the credit card companies got on the line and managed to nix the project just when they (the Mythbusters folks) were talking to the Texas Instruments folks about it. I think anything to do with RFID has been blacklisted at Discovery Channel for the foreseeable future.

Now, if we could get some Jamie and Adam impersonators, and do a spoof episode about RFID chips in credit cards, or really create a short informative video about the dangers of RFID using the same methodology and clear examples that Mythbusters uses, that would really be the best option.

A five minute video clip that demonstrates the issue as succinctly as the above linked fingerprint door lock test would go over extremely well.

I may just have to get myself some rfid tags and a test kit and start playing, and see if my filmmaker friends would be up to the challenge.

P.o.B.- the common solution I have seen has just been to sandwich the shielding materials between fabrics or other heavier metals, just to keep them protected. Granted, for a lab testing environment I see the benefit of just having the copper mesh visible, as it would provide a good way to visually check that the cage was unbroken.

For RFID specifically, if you are able to block the inductive wavelengths (125 kHz or 13.56 MHz) the chips won't be able to broadcast at all. Which is why foil backing on the passports will actually work, as the tiny gaps on the non-spine side of the passport are still too small to let induction in, and probably too small for the chips' broadcasts to get out (and if they do, the sides will act as a reflector, so the emitted signal would be directional). (I am not an EE or anyone who has worked with RF since freshman physics in college, so I could be really wrong.) So those RFID blocking wallets and passport holders should work pretty well.
posted by mrzarquon at 12:06 AM on September 1, 2008


It's not just passports and credit cards. Things you might not expect may contain rfid tags:

Clothing
Prescription drug containers
Medical implants
Pets

All able to be tracked at a distance up to 5 meters, all trivial to associate with an individual, and it's not just the government to worry about having access to data around your whereabouts at a whim. It is potentially anyone who has the time to spend on the internet and a mild affinity with technology.

Hiding the uses of the technology and its current limits does nothing; you cannot hide technical data in this day and age after it has been made available in electronic form.
posted by iamabot at 12:21 AM on September 1, 2008


I just watched that video last night and was charmed by the addition to the phrase, "Jack of all trades, master of none": but often better than a master of one.

I was curious as to what else I didn't know about that phrase. I was wondering if it was from Shakespeare or something, but couldn't find anything else online about it.

But I like it.
posted by Sully at 2:29 AM on September 1, 2008


sdodd: I've never been more impressed with Mythbusters than when they demonstrated how easy it is to defeat fingerprint scanners and motion detectors.

That reminds me of a story. I signed up for a safety deposit box at the local Bank of America branch. The bank officer boasted proudly about the high technology security the bank used to protect the boxes. A major part of that security was a hand scanner that was used to control access to the safe room where the boxes were kept.

The bank officer asked me to put my right hand into the scanner, with the palm down, in order to make an initial scan. Once the scan was finished, he asked me to put my right hand in again, to see if the scanner recognized it. It did - the scan succeeded and the door to the safe was unlocked.

On a lark, I placed my left hand, palm up, into the scanner... Again - the scan succeeded and the door unlocked. The system had mistaken my left hand, palm up, for my right hand, palm down. The bank manager stammered and went red-faced, but I laughed it off.

I never got around to putting anything in that safety deposit box.
posted by syzygy at 3:12 AM on September 1, 2008 [1 favorite]


One of those hand scanners where you arrange your fingers between pins? Those things are horrible. The manufacturers are big on obscurity of course, but I think most of them work by photographing the hand from above and doing a rather poorly done comparison with the stored hand. I wouldn't be overly surprised if you could fool them with a cardboard cutout of the target individual's hand.
posted by TheOnlyCoolTim at 6:39 AM on September 1, 2008


It seems they also have a tendency to degrade as the metals used do not stand up well to water, perspiration, oils from skin contact, etc..

The mesh is built into the wallet's casing--you can barely feel a kind of wax paper-like substance and the tiny wires through the pleather. But work they do.
posted by Civil_Disobedient at 7:21 AM on September 1, 2008


I'm still surprised that the US hasn't gone to the Chip and Pin model...
posted by chuckdarwin at 8:04 AM on September 1, 2008


How RFID Tags Could Be Used to Track Unsuspecting People: A privacy activist argues that the devices pose new security risks to those who carry them, often unwittingly
posted by homunculus at 8:56 AM on September 1, 2008 [2 favorites]


I chose a very nice 18 year old Lagavulin. Now THAT is some good shit.

An excellent choice.
posted by homunculus at 8:59 AM on September 1, 2008


the whole point of a credit card is to make things as usable as possible for their customers, and frankly at the end of the day people need to be responsible for their own security.
This, basically. As long as the balance between making my life miserable and insuring me for loss is OK, I'll be happy with bank security.

What I'm not happy with is them cancelling cards when I'm abroad because, er, I'm abroad (after telling them I'd be abroad), sending out goddamn personal chip and pin machines that I need to use online banking, 174 different online passwords (three of which must be numeric), idiotic sign-on names, shitty software, fraud departments that work 9-5GMT M-F...
posted by bonaldi at 10:35 AM on September 1, 2008 [1 favorite]


This also reminds me of the time(s) I kept setting off door sensors at department stores over the course of about a year and a half. I surmised I had some errant anti-theft RFID tags that were never "turned off" by the store clerk at checkout. I had to systematically search through my clothing to locate them. I think I found about three of them. One in my shoes, one in my wallet and one in my jacket lining.

Now I can let my kleptomania run freeee!!!
posted by P.o.B. at 10:37 AM on September 1, 2008


174 different online passwords (three of which must be numeric), idiotic sign-on names, shitty software, fraud departments that work 9-5GMT M-F...


For Mac users, I highly recommend 1Password - with the master designated as a significantly long and obscure password. It's reasonably secure for iPhone users as well, however I would wait to use it with an iPhone until they get device/content encryption working.
posted by iamabot at 11:46 AM on September 1, 2008


It seems they also have a tendency to degrade as the metals used do not stand up well to water, perspiration, oils from skin contact, etc..

Hmm... A metal cage shouldn't degrade too easily. However, when you are trying to block broad spectrum waves, you need to have shielding continuously on all walls. What might appear to be very minor damage is enough to allow certain frequencies to get inside easily. Also, the Faraday cages you are thinking of probably have anti-reflective materials lining the walls (think ferrite bead) as well as anti-transmissive material (any good conductor), so that EM fields generated inside the cage dissipate rather than 'bounce around'. Anti-reflection is a substantially more difficult problem than anti-transmission, and it would degrade a lot more easily -- simple condensation on the anti-reflective material would be a big problem.

On the other hand, Faraday cage wallets will degrade just like everything else, so if you want to rely on one, you need to test it once in a while.
posted by Chuckles at 12:10 PM on September 1, 2008


Hmm... A metal cage shouldn't degrade too easily.
Just put the metal between two thin layers of acrylic glued together. For bonus extra privacy, make it opaque acrylic. Or for your amusement at watching the beings imprisoned inside fail over and over to teleport out, make it clear acrylic.

(Also, don't forget the sixth wall. Many a vault-like object has failed on that point.)
posted by aeschenkarnos at 2:56 PM on September 1, 2008 [1 favorite]


I can't help but be appalled by the horrible security implementations in RFID.

As the link to a previous comment says, when I was working on RFID, security was a big deal, and when we were courting large credit card companies (I won't say which, but let's just call it Crapital Bun), security in the transaction was a big, big deal. We made sure that transactions required an RFID with a unique ID, a reader with a unique ID and a user PIN. Basically, the ID in the chip was no good unless you had a valid reader. Readers and RFIDs were no good without a PIN, and any and all three could be disabled. Right around when the company tanked, we had the encryption and for the reader so that the data channel was not especially useful. All of this was done to satisfy requirements from Crapital Bun and others.
posted by plinth at 8:06 AM on September 2, 2008


As far as the whole celebrity culture aspect goes, I want you all to know that when I release the videos of me testing exercise equipment while drunk, you are all more than welcome to fawn over knowing me from back before I got big.

Incidentally, I find something in a fortified wine like Thunderbird or Night Train mixed with a brown liqueur such as Wild Turkey, works best when trying to demonstrate your skill at unicycle riding.

Someone should totally start a YouTube meme of drunken equipment testing. That could be HUGE!
posted by quin at 11:04 AM on September 2, 2008


CNET News.com: Did lawyers put kibosh on 'Mythbusters' RFID episode?
posted by ericb at 5:28 PM on September 2, 2008


CNET News.com: 'MythBusters' co-host backpedals on RFID kerfuffle.
posted by ericb at 1:20 PM on September 3, 2008


I have absolutely nothing to contribute to this thread apart from my everlasting, undying love of the word "kerfuffle".
posted by Marisa Stole the Precious Thing at 1:34 PM on September 3, 2008


And linked from that CNET story ericb provided:

"There's been a lot of talk about this RFID thing, and I have to admit that I got some of my facts wrong, as I wasn't on that story, and as I said on the video, I wasn't actually in on the call," Savage said in the statement. "Texas Instruments' account of their call with Grant and our producer is factually correct. If I went into the detail of exactly why this story didn't get filmed, it's so bizarre and convoluted that no one would believe me, but suffice to say...the decision not to continue on with the RFID story was made by our production company, Beyond Productions, and had nothing to do with Discovery, or their ad sales department."
posted by phearlez at 1:35 PM on September 3, 2008


Mythbusters gagged about being gagged about doing a new episode on the ease of hacking the new rfid enabled credit cards.
posted by Dave Faris at 1:37 PM on September 3, 2008


So it was the Australians all along! Those pommy bastards!
posted by damn dirty ape at 1:38 PM on September 3, 2008


If liability's the problem, perhaps the State of California is the solution. In the 2007 Red Team investigation of California voting machine security, the investigators worked under the auspices of the University of California in order to shield themselves from legal liability (and therefore coercion).

Maybe Mythbusters could work with the University of California on a segment on RFID security.
posted by sdodd at 1:58 PM on September 3, 2008


"Kerfuffle" is almost as cool as "zuffle".
posted by homunculus at 2:07 PM on September 3, 2008


Thank you for introducing me to "zuffle" - it makes a certain Martha Stewart joke considerably shorter to tell.
posted by Marisa Stole the Precious Thing at 2:27 PM on September 3, 2008


Aw. Sucks they put you in that spot, asavage. Hope you didn't get too much (other) harm out of it. :)
posted by cavalier at 4:13 AM on September 5, 2008


Yeeshk. I really did wonder whether I should post the link to it here, in light of things like that being said in it. Sorry if I helped put you in said spot, asavage. Absolutely my last intent.

That said, I may not be to blame for Cory finding it after all...

Keep up the good work, anyway. The moon landing one was awesome. And great choice on the scotch... if Discovery are paying and all.
posted by opsin at 10:27 AM on September 5, 2008

