[LINK] Re: RFID in Govt, and in People
Adam Todd
link at todd.inoz.com
Wed Oct 4 23:01:36 AEST 2006
At 07:03 PM 4/10/2006, you wrote:
>Adam Todd wrote:
>> ... From 478 cm's away I could read the RFID with no problem at all. ...
>>I'm not even going to begin with what happens after you can read it. ...
>
>At 18:29 +1000 4/10/06, Geoff Ramadan wrote:
>>1) what device did you use to read the passport?
>>2) how was the passport presented. Was it opened or closed?
>>3) could you read it while it was closed.
>
>In addition, Adam:
>4) do you mean that you:
> a) extracted a bit-string; or
Yes.
> b) extracted human-readable data
Prefer not to disclose.
(Does that disclose something??)
>5) if b), could you provide some sample data.
> (Naturally you'd want to avoid providing data with security
> implications; so partial data or data that is, shall we say,
> 'lightly falsified but indicative' might be best)
I don't think it's possible to put sample data into a public place without
the issue of security implications. I'll discuss it with my playmate and
see what we can come up with.
The "data" would in fact be, as explained on the passport, the same as the
content of the passport in readable format. Again, I'd resist saying any
more, other than to hint that privacy issues go beyond the obvious.
To be honest it really wasn't that hard, but then when is anything
"technological" hard?
I should say that I've been working with One Wire touch memory systems and
RFID devices for a LONG time now, since the late 1980s, so this isn't a new
concept to me.
I use the term "reading" in a very loose manner. I won't say more.
Look, can I say something fundamental? I'm not averse to RFID technology
being used and I know damn well no matter how "encrypted" and "coverted"
the data is, it can always be read, intercepted, duplicated and
recreated. It's electronic. There are no means I know of to prevent
replication of electronic stored data.
DeCSS is great for DVDs in principle; 99% of people don't care and haven't
the ability, but 1% will always be able to find a way, even with persistence.
If there is a LEGAL WAY, there is ALWAYS an illegal way.
Once the RFID is excited to transmit, that's it. It's in the open. There
are ways to make low powered devices or even limited range devices gain
range and become amplified.
Let's face it, it's not that hard to build a listening device that is
powered not by a battery but by the directing of, say, a 2 MHz RF signal in
the direction of the device. The higher the 2 MHz power, the more excited
the transmitter on the device.
It's easy to detect low emissions of power (Star Trek has been doing it for
decades!); it's even easier to detect emissions of RF.
It's not difficult to detect disabled devices simply by resonating the
circuits. I do it all the time. Depending on the location, type of
equipment and the requirements, it's no different to finding room resonance
by raising and lowering the frequency of your voice. (Didn't you do that
as a kid to create a resonance?)
My concern is more along the lines of the ease with which the device is
excited, the ease with which it can be excited by high power excitement, and
the fact that it potentially contains digital data that might be used for
fraud.
But then you just need a copy of the Human Visual page with a signature and
photo, date of birth and you're away.
How many times do you get TOLD and ASKED by people for your date of birth
supposedly as a means of Security and Identification?
Honestly a Date of Birth is meaningless as security. It's pretty much
deemed public information to be honest.
If you have a name and a DOB, you can pretty much find anything you want
about a person. If you just have a Name, you are pretty helpless.
Why can't there be a mismatch of data between the RFID and the Visible page
- then you have a "checksum" or a "parity" checking mechanism that is
HUMANLY untamperable?
Enough said.
If anyone wishes more information or discussion, please contact me in private.