Dave Bullock / eecue

photographer, engineering leader, nerd


Major Flaw in Proposed RFID Passports

The guys from a wireless research company called Flexilis who happen to be based a block and a half from my loft, just showed me their proof of concept demo of a serious flaw in the upcoming RFID embedded Passports, scheduled to be released in October. The RFID passports incorporate a shielding mechanism to prevent rogue readers from picking up the sensitive information contained in your US passport, but as it turns out if the passport is slightly open it can be read. This may not seem like much of a big deal until you watch the following video where they created a proof of concept Improvised Explosive Device that detects the presence of a US passport and detonates a charge (or in their test case, some model rocket engines).

This hack could also be used to identify to unique individual and then detonate a device or track them. Because the RFID technology works at only close distances this attack is especially dangerous. I talked to them about the possibilities of attacking the RFID chip even if the passport is closed and it is possibly that with a very strong electromagnetic field, the data could be read on a subcarrier, but they still have more research to do in that area. Here is their abstract about the demo:
The FLX[2006‐0605] video security brief demonstrates a real‐world vulnerability associated with the failure of the shielding component in the current proposed electronic passport design. When partially open, as could be the case when in a pocket, purse, or briefcase, the currently proposed passport can be detected by a nearby inquiring RFID reader. The security brief also demonstrates an improved shield design that requires a passport to be significantly open before reading is possible.

You can read the full RFID Passport Technical Analysis (84K PDF) or the RFID Passport Shield Failure Demonstration (120 KB). The good news is they have proposed a fix for the problem, John Hering told me he had discovered the vulnerability 2 years ago, but didn't want to release knowledge of the problem until he had a fix to go with it.

Digg This Article

UPDATE Well it looks like the Department of State decided not to wait until October to begin issuing these dangerous passports. Here is their press release.


Major changes / dynamony

So as you may or may not know, I have been recoding slacker from scratch. Slacker is the software that, along with phpreactor, powers all my sites including this one and junglescene. The whole thing is written in procedural php and the new rewrite which I have named dynamony, is completely object oriented. So far I have rewritten nearly every component of the backend system: the db abstraction class; the "slacker" base class which is a class that allows one to add/edit/update/delete from a database and provides the forms to do so along with limiting, sorting, searching by words or date; the blog class; the album class in which i used a much better tree algorithm that avoids the memory/processor intensive recursion i had used in the past; the ACL class; using Pear::Log for all error and debug logging; a comment class; a category class; a frontend controller system that loads requested classes after checking the ACLs; the signup class; image output class; the login/logout classes; the image class; the gallery remote class; the xml_rpc class; the dynamony class which allows me to create new classes within the web application instead of through a separate website; and today I created the forum class where I have seen my greatest decrease in load time nearly 10x faster than how the forums currently load (i tested it with several hundred thousand posts from junglescene.com)

The whole thing is really going to be leaps and bounds better than what I have now and going over my old code is really embarrassing. The amount of reused code was insane and made upkeep nearly impossible for one site let alone the dozens of sites that slacker powers. So far all the data is completely separated from the html/xml/csv that it will parsed using... I just use arrays of data and print_r() as my current output method which works great for prototyping. I have decided to completely program the backend before I even start any of the output classes. One important thing to me is to create rewrite rules and functions that will take the old links to content and forward them to the new content as not to break the thousands of links out there... It's a big project but once it is all done it will make my life so much easier.


Major Earthquake off the coast of California near Eureka

There was a 7.0 Magnitude earthquake off the coast of Northern California. There is a Tsunami Warning in effect. The Tsunami wave (if it exists) is schedulued to touch down in San Pedro at 10pm.


Major Updates...

I have radically updated my website. I was using a program called serendipity for my news / blog and one called gallery for my photo galleries. There were some really good features, most of which I have emulated in my own code, and there were some bad features, which I have replaced with good features.

I am still importing my photos from a few other sites that I currently have them on.... soon enough they will all be on here.

Read on for the complete list of changes...


major server upgrade

ok folks the new server is in and rockin!

it's about 10 x faster than the old one with way more ram and disk space to boot. there is a possibility you may get some old email again, and you may have some old files in your ftp site..