Illegal to secretly read RFID identification tags in California


  • Voltage Spike
    replied
    Re: Illegal to secretly read RFID identification tags in california

    Originally posted by streaker69
    This thread has inspired an idea, for anyone willing to build it.

    A RFID reader detector. A little device you could carry with you to let you know when someone is attempting to read RFID tags.
    Check out the ToorCamp badge.

    http://ossmann.blogspot.com/2009/07/...e-hacking.html



  • streaker69
    replied
    Re: Illegal to secretly read RFID identification tags in california

    Originally posted by Thorn
    That's just an RF detector for the appropriate frequencies. The trouble is that some of the frequencies are so widely used, you're apt to get a huge amount of false positives.
    That's fine, then it'll be targeted to the ignorant. Sell it to the same people that buy things like the flowbee, or sign up for that identity theft protection.



  • Thorn
    replied
    Re: Illegal to secretly read RFID identification tags in california

    Originally posted by streaker69
    This thread has inspired an idea, for anyone willing to build it.

    A RFID reader detector. A little device you could carry with you to let you know when someone is attempting to read RFID tags.
    That's just an RF detector for the appropriate frequencies. The trouble is that some of the frequencies are so widely used, you're apt to get a huge amount of false positives.



  • streaker69
    replied
    Re: Illegal to secretly read RFID identification tags in california

    This thread has inspired an idea, for anyone willing to build it.

    A RFID reader detector. A little device you could carry with you to let you know when someone is attempting to read RFID tags.



  • astcell
    replied
    Re: Illegal to secretly read RFID identification tags in california

    This is like throwing a steak in front of a dog and saying "don't touch."



  • sintax_error
    replied
    Re: Illegal to secretly read RFID identification tags in california

    Personally, nothing RFID I carry is getting scanned without me pulling it out, as I'm sure is the case with most of us. I doubt this is the case with most people. I know a guy who thinks wrapping his credit card in a $5 bill will keep it shielded, not a $1, not a $10, it has to be a $5, there's no convincing him otherwise. The potential for the general populace to be scanned without their knowledge or consent is there. The materials and knowledge for an identity thief are there and readily accessible.

    The question is: Is this law, or any similar laws protecting anyone? I say no. A dedicated thief will do what he/she does. The only real recourse against RFID based theft is going to be refinement. Who knows? Maybe 5-10 years down the road, maybe we'll be at a point when an RFID credit card or state/federal ID is a.) worth having, and b.) safe for your average Joe to carry without it wrapped in a specific bank note or Faraday-esque device. But until then, all we can do is as much research and refinement to the technology as possible. Like most things, it needs to be broken time and time again until it gets fixed. I just hope that it doesn't take RFID based identity theft to become as commonplace as desperate emails from exiled Nigerian royalty to make it happen.



  • xor
    replied
    Re: Illegal to secretly read RFID identification tags in california

    Originally posted by TheCotMan
    No. Not from what is written above. There is no mention of intent to do harm or use the information in an illegal way. The law, as written, appears to me to only have the following conditions:
    1) Suspect reads RFID from someone remotely
    2) That RFID data is used in conjunction with other data to establish a person's identity
    3) The reading of this data is done without the knowledge AND prior consent of the person that has the RFID information.

    I guess they are going to have to hang signs on RFID readers at doorways. Stating something to the effect that by entering this area you are giving said owner of the RFID access control reader your consent to be scanned. Also, that any information scanned may be used to identify you.

    Slippery slope anyone....?

    xor



  • Thorn
    replied
    Re: Illegal to secretly read RFID identification tags in california

    Originally posted by sintax_error
    As did I. I was actually reading the whole context of the code at work this morning when I caught it before even seeing your post, Thorn. A classic example of how misreading can lead to jumping the proverbial gun. But I do think that everyone's opinions thus far are still valid and open to more discussion especially now that we're all on the same page.
    Agreed. Being allowed to look for vulnerabilities is needed, no question. Bad laws that say "thou shalt not do X" as some sort of a bass-ackwards 'security' measure only serve to allow the bad guys free access, but prevent the good guys from figuring out where the problems really are.



  • sintax_error
    replied
    Re: Illegal to secretly read RFID identification tags in california

    As did I. I was actually reading the whole context of the code at work this morning when I caught it before even seeing your post, Thorn. A classic example of how misreading can lead to jumping the proverbial gun. But I do think that everyone's opinions thus far are still valid and open to more discussion especially now that we're all on the same page.



  • kallahar
    replied
    Re: Illegal to secretly read RFID identification tags in california

    Ah! I too missed section (e). Sorry! Thanks thorn!

    However, the "Identification documents" applies to privately issued ones as well: 1798.795(c)(2) "Identification cards for employees or contractors."

    http://www.dmv.ca.gov/pubs/vctop/app...iv1798_795.htm

    Kallahar



  • Thorn
    replied
    Re: Illegal to secretly read RFID identification tags in california

    Originally posted by theprez98
    And that seems like a pretty broad exemption as well.
    Probably. Although I'd imagine that any defense of "security research" would be clearly supported or denied based on the use of the data.

    Originally posted by TheCotMan
    I totally missed that exception the first time through. Sorry about that; my mistake. I went to read the law so I *could* find the exact wording and look for exceptions, but I somehow missed the exception I was looking for. Thanks for finding this and reporting my failure. :-)
    No problem, and it wasn't aimed specifically at you. I'm the first one to bitch about badly written laws, but I hate seeing rants about "bad" laws when in fact the law addresses the concerns that are raised in the first place.



  • TheCotMan
    replied
    Re: Illegal to secretly read RFID identification tags in california

    Originally posted by Thorn
    Originally posted by law
    (e) Subdivisions (a) and (d) shall not apply to the reading, storage, use, or disclosure to a third party of a person’s identification document, or information derived therefrom, in the course of an act of good faith security research, experimentation, or scientific inquiry, including, but not limited to, activities useful in identifying and analyzing security flaws and vulnerabilities.
    The whole law is available on this link (originally provided by TheCotman):
    http://www.dmv.ca.gov/pubs/vctop/app...civ1798_79.htm
    I totally missed that exception the first time through. Sorry about that; my mistake. I went to read the law so I *could* find the exact wording and look for exceptions, but I somehow missed the exception I was looking for. Thanks for finding this and reporting my failure. :-)



  • theprez98
    replied
    Re: Illegal to secretly read RFID identification tags in california

    Originally posted by Thorn
    Slow down guys...
    Originally posted by The law in question
    ...act of good faith security research, experimentation, or scientific inquiry, including, but not limited to, activities useful in identifying and analyzing security flaws and vulnerabilities...
    And that seems like a pretty broad exemption as well.



  • Thorn
    replied
    Re: Illegal to secretly read RFID identification tags in california

    Slow down guys. Two things:

    1) California Civil Code, Title 1.80 (Identification Documents) Section 1798.79 applies only to California documents issued by California DMV. (i.e. Driver's licenses and registrations). This is because it is part of the motor vehicle law, and as such, it does not apply to any other documents issued or used in California.

    2) Before everyone gets all cranked up and rants about how wrong a law is, you might want to actually READ THE WHOLE LAW! I say that because Section 1798.79 Subsection (e) specifically makes a provision allowing for exactly the kind of research and other activities that you all are complaining is missing. In fact, it specifically mentions research such as "identifying and analyzing security flaws and vulnerabilities".

    (e) Subdivisions (a) and (d) shall not apply to the reading, storage, use, or disclosure to a third party of a person’s identification document, or information derived therefrom, in the course of an act of good faith security research, experimentation, or scientific inquiry, including, but not limited to, activities useful in identifying and analyzing security flaws and vulnerabilities.
    The whole law is available on this link (originally provided by TheCotman):
    http://www.dmv.ca.gov/pubs/vctop/app...civ1798_79.htm

    Taking a specific section or subsection of a law [in this case Section 1798.79 Subsection (a)] without reading or including the rest of the law [Subsections (b) through (e)] ends up with people being completely misinformed. Laws have to be read as complete works or much of the information is lost. Think of it this way: It is like reading the main() in C code, but never reading the other functions. You only get a portion of the information, and don't see how that information is modified or otherwise enacted upon. The same thing applies to laws.



  • TheCotMan
    replied
    Re: Illegal to secretly read RFID identification tags in california

    Originally posted by sintax_error
    I am. I may not have called it "complaining", but you have a knack for calling 'em like you see 'em. And you're right. If I were to go to let's say Union Station in Los Angeles, wearing a sandwich board sign that read "I'm collecting RFID data for research, ask me for documentation" Having full documentation of the study on hand, giving full disclosure to anyone who will listen, I'd be guilty of a crime under this code. If it were written with the "malicious intent" clause I'd be fine in court based on the full disclosure alone, I don't think any judge would find malicious intent when you're literally advertising what you are doing.

    Now granted, the same scenario would be perfectly fine if I were to ask random people "Would you mind if I scanned you with an RFID reader for research purposes, here's a detailed layout of the study" of course with the obligatory cover my own "please sign this waiver stating you agree to be scanned". I have no stake in this one way or another, because as of this moment in time, I have no plans to do much if any RFID research. My only point is that one would be free to do much more research, much more efficiently if this code stated intent. Don't get me wrong, I'm not saying if it did, that it'd be cool to secretly skim the public for your data, in fact, that's kind of a dick move. But if someone were to state clearly that they are scanning RFID, and why they are doing it, that should not be a crime.
    There is an attempt to provide "security by illegality" which is worse than "security by obscurity" because not only is it a known risk and not obscure, but there is no successor to the present system that would solve the actual problem. Instead, the passing of legislation is used to dissuade people from showing how such an attack in the real world could harm consumers, and citizens.

    A very good summary of this as miniature cautionary tale is included in The Wizard of Oz with the quote, "pay no attention to that man behind the curtain," but with an addendum of, "or else we will imprison and maybe fine you."

    So long as people are not made aware of a failure or critical flaw, they can continue to assume there is no flaw, and no weakness or exploit. It becomes denial by legislation.

    Consider this instead: will it be possible in California for companies to audit RFID security procedures in situ? Surely, examination of policy is not sufficient for a comprehensive audit, as failures in security often happen in the implementation even if the policy would otherwise be, "secure."

    These kinds of laws can make a legal, comprehensive audit of site authentication, especially for various companies looking for government contracts, impossible. Of course, with laws like this, they could say things like, "the last audit found no security problems at all with our employee RFID authentication and validation system." ]:>

    This example will likely be more easily understood by common people as a valid and useful thing more than a free security audit at the airport. :-)
    Last edited by TheCotMan; September 8, 2009, 03:25.
