Adam Savage, of the excellent ‘Mythbusters’ programme(*) reports that they were going to do a segment on RFID chips only to have the lawyers descend from Visa, American Express etc.

Texas Instruments comes on along with chief legal counsel for American Express, Visa, Discover, and everybody else… They were way, way outgunned and they absolutely made it really clear to Discovery that they were not going to air this episode talking about how hackable this stuff was, and Discovery backed way down being a large corporation that depends upon the revenue of the advertisers. Now it’s on Discovery’s radar and they won’t let us go near it.

A great quote from the video:

You do have about 3000 people in the room who aren’t under such legal arrangements.

The full video is here, and starts with a great talk from Savage about his obsessions.

The point is that keeping the information ’secret’ does not stop the bad guys getting it - it stops the rest of us knowing that our information is insecure. If you’re reliant on security by obscurity you have no security at all. Given that RFID is a widely distributed technology, the RFID chips should be able to withstand full scrutiny if they’re to be trusted for the purpose.

They can’t withstand that scrutiny, as evidenced by the reaction of the lawyers, and by this video.

With a bigger antenna on this I can go into Starbucks and get the [details] of everyone there.

It’s a shame discovery didn’t feel able to nod at the lawyers, and then make the programme anyway - including the conversation with the legal people. Still, when you’re depending upon ad revenues, it’s not as easy as all that - at least in the short term. A good argument for the BBC TV Licence!

(*) Although the announcer in the UK does often mix concepts of mass, pressure, force etc. Not sure about the guy in the US - the people in the show sometimes do this too, but that comes across to me as more of a ’shorthand’ - as they obviously know the difference!

Just seen a funny, but worrying, story on the BBC, a man who had the password ‘Lloyds is pants’ on his bank account had it changed by the bank to ‘no it’s not’.

It was changed as it was ‘inappropriate’. He tried to change it to ‘Lloyds is Rubbish’ - or ‘Barclays is better’ but this was not allowed. He tried ‘censorship’, but was told his password had to be six letters or less!

1. “No it’s not” is more than six letters.
2. A bank suggesting a password that’s seven letters long is too long is sadly mistaken
3. Why was an employee at the bank even able to see the whole password?

When the password is set, it should be done by having the customer enter it secretly in the branch, at the time the account was opened. If done by post, then it should be by an anonymised form which bears a reference number allowing the computer to tie the password to the account, but not for the person entering that password to know the account.

Anyone employee needing to verify a customer should be told by the computer to ask for the ’second, tenth and eleventh’ characters of the password, they should enter them - but not be able to see the characters before a correct verification (so if just one letter is wrong, the employee can’t know what two were).

At no time should an employee be able to link a full password to an account. The only time an employee should even see a full password is if they’re in the section of the head office which handles the anonymised forms.

Unless I’ve overlooked something, this seems indicative of a security flaw… and as someone with shares in the bank concerned, it worries me. I’ve written to the bank to try and find out what’s happening here.

The bank said: “It is very disappointing that he felt the need to express his upset with our service in this way. Customers can have any password they choose and it is not our policy to allow staff to change the password without the customer’s permission. “

Via xkcd I learned of a new idea called ‘Geohashing‘

Essentially the idea is that based on some seed data, some complicated sums are done to give a location.

People get to that location for a meetup.

A map tool is available which does the sums for you. You set the date, click your area and it gives you a location.

Due to problems with the seed data (US stock market) and time zones a new rule has been introduced today for people east of 30 degrees west. This is taken care of automatically by the map tool. There are several pieces of code for implementing this - though most have yet to be updated to reflect the 30W rule.

The idea is that the seed data is processed using an algorithm called md5. This algorithm produces a ‘hash’ of the data. it is difficult to find alternate data which produces the same hash. A small change in the data produces a big change in the hash.

The idea of a hash is a way of producing a ‘fingerprint’ of a file. I.e. I could send you a file, but how would you know it hadn’t been tampered with? Well, I could phone you, you could recognise me and I could read you the hash of that file (which you can then generate and check).

A hash can also be used as a zero knowledge proof. I.e. I wanted to prove to you that I had discovered some fact. I might not want you to know the fact (yet). For example, I might know the first line of the ‘Times’ editorial for next saturday. I could generate a hash of that line and give it to you - when the paper is published that information can be checked.

In this case, the md5 algorithm is used to give a reasonable pseudo-randomisation of one number into another. It’s just a bit of fun.

I’ve not gone to a geohash event myself - but I like the concept.

Following the Alex Litivenko murder, it appears that we never left the Cold War, with allegations of MI6 and KGB involvement in a murder, claim and counter-claim, with intrigue and mystery.

All the stuff of a good Le Carré novel.

I’d be surprised if someone wasn’t already working on a screenplay or novelization. A thought that’s depressing as it follows an actual murder.

(Update: Now there’s talk of missiles. Lovely - Murk)

Privacy International has opened up nominations for the ‘Stupid Security Awards 2006′.

The Stupid Security Awards is an open competition run by Privacy International to discover the world’s most pointless, intrusive, annoying and self-serving security measures. The awards aim to highlight the absurdities of the security industry. The awards were first staged in 2003 and attracted over 5,000 nominations from members of the public from around the world.

The competition is judged by an international panel of well-known security experts, public policy specialists, privacy advocates and journalists. Together they decide on the following award categories:

• Most Egregiously Stupid Award
• Most Inexplicably Stupid Award
• Most Annoyingly Stupid Award
• Most Flagrantly Intrusive Award
• Most Stupidly Counter Productive Award

Unworkable security practices and illusory security measures do nothing to help issues of real public concern. They only hinder the public, intrude unnecessary into our private lives and often reduce us to the status of cattle.

It’s hard to know just where to start, but the recent scares about airports have lots of possibilities, for example the reduction in hand luggage size - as if someone could smuggle something nasty in slightly larger luggage, but not slightly smaller. In addition there’s the fact that liquids can’t be taken through security - but can be bought on the far side of security but not if travelling to the USA, bottles of water bought at the airport are much more dangerous when flying to the US. Obviously.

There’s also the whole idea that ID cards will axiomatically make us secure (potential terrorists would have valid ID too).

The full announcement is here, and says:

The airline industry is the most prominent offender, but it is not alone. Consider the UK rail company that banned train-spotters on the grounds of security (e.g. see this article(external). Or the security desk of a US office building that complained because paramedics rushing to attend a heart-attack victim had failed to sign-in. Or the metro company that installed a $20,000 biological weapons/gas detector and placed it openly next to a power plug so terrorists could conveniently unplug the device.

In 2003, the final list was published with this leading paragraph:

"The extraordinary number of nominations indicates that the situation has become ridiculous" said Mr Davies. "Security has become the smokescreen for incompetent and robotic managers the world over".