Hardware Hacking Build

CC Companies Scotch Mythbusters Show On RFID Security 466

mathfeel passes along a video in which Mythbusters co-host Adam Savage recounts how credit card companies lawyered up to make sure the Discovery channel never, ever airs a segment on the flaws in RFID security. "Texas Instruments comes on [a scheduled conference call] along with chief legal counsel for American Express, Visa, Discover, and everybody else... They [Mythbusters producers] were way, way outgunned and they [lawyers] absolutely made it really clear to Discovery that they were not going to air this episode talking about how hackable this stuff was, and Discovery backed way down being a large corporation that depends upon the revenue of the advertisers. Now it's on Discovery's radar and they won't let us go near it."
This discussion has been archived. No new comments can be posted.

  • by Brad1138 ( 590148 ) * <brad1138@yahoo.com> on Saturday August 30, 2008 @06:40PM (#24813941)
    No disrespect to the MythBusters, but if they could figure it out, plenty of others will also.
  • by MillionthMonkey ( 240664 ) on Saturday August 30, 2008 @06:43PM (#24813959)

    It's only a matter of time before this gets pulled off Youtube.

  • by hpa ( 7948 ) on Saturday August 30, 2008 @06:46PM (#24813983) Homepage

    This isn't at all about the hackers ... this is about making the general public aware just how bad this is.

  • by FatSean ( 18753 ) on Saturday August 30, 2008 @06:49PM (#24813997) Homepage Journal

    I don't. They tend to be old, out of touch with modern technology. I think enough BS by CC lawyers would confound them and justice would not be served.

    But I'm told I'm a cynic :)

  • Pass the buck (Score:5, Insightful)

    by magus_melchior ( 262681 ) on Saturday August 30, 2008 @06:49PM (#24813999) Journal

    So, rather than face lawsuits over contractual obligations to build and maintain a secure system (hah), they litigate the party who exposes them for attempting fraud.

    Should it be surprising that in a culture that prizes profits and pride over progress, that litigation threats are used to squelch otherwise good feedback and information?

  • by Stanislav_J ( 947290 ) on Saturday August 30, 2008 @06:50PM (#24814001)

    Of course, now that the story is propagating all over the Net, pretty soon everyone will know about the alleged security flaws (if not the details), and the CC companies and their legal eagles will look quite villainous. When will they ever learn?

  • by Anonymous Coward on Saturday August 30, 2008 @06:50PM (#24814005)

    freedom of speech.

  • Re:Yeah, well... (Score:5, Insightful)

    by MBCook ( 132727 ) <foobarsoft@foobarsoft.com> on Saturday August 30, 2008 @06:59PM (#24814049) Homepage

    Because PBS isn't advertiser funded, it gets its support from private individuals and (to a rather minor extent) the government. While corporations can (and do) donate, it isn't their lifeblood.

    I agree with you though. I've seen that episode and it's a fantastic rebuke of the credit card industry.

  • Re:Yeah, well... (Score:5, Insightful)

    by cortesoft ( 1150075 ) on Saturday August 30, 2008 @06:59PM (#24814051)
    I think you have just shown a perfect example of why we need television that isn't funded by advertisers. PBS can air the show because they aren't driven by profit and aren't beholden to those corporations (although even that is starting to change with corporate sponsorship of PBS). While you can argue that public television is beholden to the government, at least it is beholden to a (slightly) different power.
  • by Anonymous Coward on Saturday August 30, 2008 @07:02PM (#24814063)

    Sure, but regular credit cards are already established. RFID credit cards are yet to become standard, and that should be prevented.

  • by mrmeval ( 662166 ) <jcmeval@yaTIGERhoo.com minus cat> on Saturday August 30, 2008 @07:08PM (#24814119) Journal

    Judges are lawyers and that is forced by law. You can't be one without being a lawyer.

  • Not only that but (Score:5, Insightful)

    by beakerMeep ( 716990 ) on Saturday August 30, 2008 @07:10PM (#24814131)
    I truly see Frontline as one of the last and only truly investigative journalism programs on TV. It's the only show where I have found myself thinking "wow what they are reporting is interesting but it raises question A" and then as if by magic, the show continues: "we decided to further investigate and here's what we found about question A and this led us to questions B, C and D"
  • by hyades1 ( 1149581 ) <hyades1@hotmail.com> on Saturday August 30, 2008 @07:12PM (#24814149)

    ...for Slashdot to hammer the crap out of some corporate bullies, it sounds like this might be it. Could someone appropriately knowledgeable perhaps post a detailed account of how incredibly hackable RFID security is? A couple of URLs leading to websites with all the red meat would also be appropriate. PGP proves that once the genie is out of the bottle, it can't be put back in all that easily.

    Frankly, I'm sick and tired of all these corporate assholes and their attitude. You can bet your bottom dollar that they'll keep the current, flawed system as-is, and simply out-last any hacking victim who dares to challenge them in court. The best solution is to make sure everybody with even a grade school education and a card reader can screw them at will. Maybe then, they'll do something about fixing the problem.

  • by RelaxedTension ( 914174 ) on Saturday August 30, 2008 @07:19PM (#24814201)
    "...and I have decided to keep those revelations to myself so that it is not exploited by every script kiddie and wannabe hackers to try."

    And you are the only person that will figure that method out, I guess. Hopefully, you are the smartest person alive, and the problem so difficult no one else can possibly figure it out too, and abuse it.

    The way we move forward as a race is that we share information, both about what works and helps, and more importantly about what doesn't work or causes harm. If the people affected the most by the flaw that has been discovered do nothing about it, then disclosure is the way. That way everyone else is informed and warned, as they should be.
  • by CyrusOmega ( 1261328 ) on Saturday August 30, 2008 @07:22PM (#24814219)
    Alright, showing my ignorance of our legal system here, but where does law fit in here? I don't see how the DC could get sued over this info. I *do* see the issue of ticking off their sponsors, but why are the lawyers involved?

    Let's hope they don't run a segment on how bad fast food is for you any time soon...
  • Re:Ignore Them (Score:5, Insightful)

    by Anon E. Muss ( 808473 ) on Saturday August 30, 2008 @07:27PM (#24814249)

    ... there is no law to prevent Discovery from airing facts ...

    There is also no law that requires the credit card companies to spend their advertising dollars on the Discovery Channel, or any other media outlet owned by the same company. That's what this is all about.

  • by azakem ( 924479 ) on Saturday August 30, 2008 @07:30PM (#24814267)

    Also, lawyers are the reason we no longer have habeas corpus, so the show should be filmed in Guantanamo Bay, Cuba.

    Lawyers are also the only reason you ever had habeas corpus in the first place, and the only chance you have of ever getting it back.

    Lawyers are like nuclear tech, they can be used for good or evil.

  • by TubeSteak ( 669689 ) on Saturday August 30, 2008 @07:32PM (#24814273) Journal

    This isn't at all about the hackers ... this is about making the general public aware just how bad this is.

    But as the reasoning goes...
    If the general public isn't aware of the problem...
    It isn't a problem.

  • by Rod Beauvex ( 832040 ) on Saturday August 30, 2008 @07:32PM (#24814285)
    Make a note of this on their Wikipedia entry.
  • Re:Ignore Them (Score:3, Insightful)

    by azakem ( 924479 ) on Saturday August 30, 2008 @07:37PM (#24814329)

    Except where National Security(TM) is concerned, there is no valid argument in law to prevent Discovery/Mythbusters from airing facts about the lack of security surrounding RFID, and Discovery/Mythbusters are under no contractual obligation to keep such facts secret.

    Schwab

    There is more at work here than the law. The implicit (explicit?) threat is that if Discovery airs this show, the CC companies will cease advertising on the Discovery network.

  • Re:Yeah, well... (Score:5, Insightful)

    by Blue Stone ( 582566 ) on Saturday August 30, 2008 @08:01PM (#24814523) Homepage Journal

    That's why you get programmes like Top Gear from the BBC. No commercial channel would dare upset the card manufacturers like it does.

  • by rm999 ( 775449 ) on Saturday August 30, 2008 @08:02PM (#24814535)

    How do you know the credit card companies aren't trying to fix the issue? And why not also blame the Discovery Channel, who didn't even try to put up a defense?

    I think this comes down to "we advertise on your network and don't want you making us look bad" instead of "we are trying to keep this flaw a secret, even though it is already common knowledge."
    http://www.rfid-cusp.org/blog/blog-23-10-2006.html [rfid-cusp.org]

  • by mdmkolbe ( 944892 ) on Saturday August 30, 2008 @08:13PM (#24814607)
    But if no one ever shouts "Look, hole" even when at sea, no one ever mans the pumps or patches the holes.
  • by kestasjk ( 933987 ) on Saturday August 30, 2008 @08:15PM (#24814633) Homepage
    As I understand it they didn't really find anything out, they were just in the preliminary R&D stages, trying to talk to people in the know.
    It's not like they're covering up something big, they just want to ban talk about it altogether.

    ... Actually that's probably even worse.
  • by Anonymous Coward on Saturday August 30, 2008 @08:15PM (#24814635)

    I think this would be a good time to point out that more than half the U.S. Presidents were lawyers. Some of them were among the best regarded presidents, some among the worst.

  • by kestasjk ( 933987 ) on Saturday August 30, 2008 @08:21PM (#24814697) Homepage
    Not really a freedom of speech thing; it's up to Discovery Channel what it airs. As long as he can post his opinion on YouTube that's all that matters; no use martyring his show because Discovery bends to the people who pay them (advertisers).
  • by multisync ( 218450 ) * on Saturday August 30, 2008 @08:52PM (#24814909) Journal

    It's only a matter of time before this gets pulled off Youtube.

    On what grounds would it be pulled off of YouTube? This is the very essence of what YouTube committed to deliver: a medium for user-produced video content. I don't see how Adam Savage could complain - he was speaking to a room full of people, any of whom could have a cell phone, or a video camera, recording him. Same with the venue and event producer - they let him in with a camera. Unless the clip was posted by someone other than the copyright holder, I don't see any way it could be "legitimately" removed.

    As for illegitimate methods, is Visa, or any of the other cc companies, a big enough customer for Google that they would risk the possible backlash and negative publicity to pull it? Besides, it's been seen now by lots of people. No way to undo that.

    I loved it when the guy in the audience said "you do have about 3000 people in the room who aren't under any such legal arrangements." That's the point, right there.

    Once again, the corporate culture uses lawyers to focus attention on themselves by trying to silence people who simply speak the truth. They make it so easy. It's like catching fish in a barrel.

  • by kestasjk ( 933987 ) on Saturday August 30, 2008 @09:15PM (#24815035) Homepage
    Right to free speech doesn't mean forcing businesses to do things which aren't profitable. If I have some controversial show I want aired on Discovery do I have a "right" to have it aired, even if Discovery will lose out? Of course not.

    It kind of dilutes the right of free speech when it is used where it doesn't apply.
  • by Antique Geekmeister ( 740220 ) on Saturday August 30, 2008 @09:28PM (#24815117)

    It's not been lost? Tell it to those in Guantanamo Bay, or those held without legal counsel, notification to their families, or admissions of their presence in this and similar facilities. Since their names are secret, and even admitting that you know the names can get you thrown in jail as a security risk, that's about as serious a violation of habeas corpus as you can commit. It's also a major violation of the Geneva Convention.

    So the principle is, in fact, in danger.

  • Re:mod parent down (Score:2, Insightful)

    by Anonymous Coward on Saturday August 30, 2008 @09:41PM (#24815199)

    If there weren't any lawyers, you wouldn't have any stuff in the first place because someone would have already ganged up and kicked the shit out of you.

    Only the biggest, fastest, and strongest is free in a lawless environment. Corporations don't need the law to collect power, but individuals do to fight it.

  • by OECD ( 639690 ) on Saturday August 30, 2008 @10:08PM (#24815355) Journal

    On what grounds would it be pulled off of YouTube?

    Grounds? Youtube takes down anything whenever *anyone* sends something that vaguely (really) resembles a proper DMCA takedown notice.

    Safe legal ground, but they're starting to piss off a subset of their users who expect the creators of a community to put up a modicum of defense for said community.

  • by hey! ( 33014 ) on Saturday August 30, 2008 @10:25PM (#24815435) Homepage Journal

    Probably have done. Probably were anticipated by the companies to be going to do.

    The thing about credit cards is that they have never been very secure. They just have a business model that can absorb a fairly substantial slice of fraud. True, the companies don't like fraud, and they take steps to reduce it, but they don't spend more than a dollar to save a dollar of fraud.

    Having a fraud tolerant business model is way more important than having a fraud tolerant credit card. The only thing is that credit card marketing is based on getting consumers to rely on their cards, to trust the cards and the company behind them.

  • by hobbit ( 5915 ) on Saturday August 30, 2008 @10:35PM (#24815481)

    it might take a while for the guilty parties to be held responsible. Eventually the law will catch up [nytimes.com] with them.

    The article you link to describes how "Months or years of continued litigation may lie ahead, unless the Bush administration, or the administration that follows it, reverses course and closes the prison at Guantánamo Bay, which now holds 270 detainees."

    No mention of guilty parties being held responsible. You really think that's going to happen?!

  • by jythie ( 914043 ) on Saturday August 30, 2008 @11:12PM (#24815689)

    Visa?

    Mastercard?

    Discover?

    These are companies that you can not avoid, and can not fight. No one who wants to function can boycott them, and without SERIOUS fallout no lawmaker can touch them.

    Not to mention the public is surprisingly accepting of 'it should be illegal to show how bad a product is!'

  • by cjb658 ( 1235986 ) on Sunday August 31, 2008 @12:24AM (#24816083) Journal

    Yeah, we all know how well censorship works on the internet.

  • by bh_doc ( 930270 ) <brendon AT quantumfurball DOT net> on Sunday August 31, 2008 @12:56AM (#24816253) Homepage
    Rightly, that anger should be directed at the law (and lawmakers) that requires youtube to behave like that.
  • by Dmala ( 752610 ) on Sunday August 31, 2008 @01:27AM (#24816445)
    The signature is not a security feature. Unless you want to train tens of millions of clerks in precision handwriting analysis techniques. It's merely a token of accession to contract terms. Having people write, "yes" would be just as effective.

    It's funny, though, because at one time it was at least sort of presented that way. When I worked horrible retail jobs 10-15 years ago, we were always instructed to hold the card and compare the signatures. Never once was I told what to look for to match the signatures, nor was I told what to do in the event that the signatures didn't match, but we were always told to look anyway. It seems like they've finally given that up, though. 99% of the time now, I have the card back before I even sign anything, if I have to sign at all.

    Does anyone else feel vaguely uneasy making no-signature CC purchases? I understand that the signature is mostly useless anyway, but it always makes me feel like I forgot something, as if I walked out of the bathroom without flushing or something.
  • by Atario ( 673917 ) on Sunday August 31, 2008 @01:42AM (#24816543) Homepage

    Youtube takes down anything whenever *anyone* sends something that vaguely (really) resembles a proper DMCA takedown notice.

    Hmm, I wonder if YouTube would change their tune if they started receiving DMCA takedown notices on every video ever posted...

  • by Z00L00K ( 682162 ) on Sunday August 31, 2008 @03:10AM (#24816951) Homepage Journal

    Threat of legal action - groundless or not - can always be used to try to cap the information.

    I would say that if this is considered easy by the Mythbuster gang the whole RFID business is on loose soil. And even disclosing the fact that it's possible even without showing how could be a cause for the lawyers to go for a hunt.

    I sure hope that this won't have an impact on the show. It's a credible show even if they do take a few shortcuts sometimes. This also means that any statement like this is going to be taken seriously by the audience and we will see a lot of RFID hacks soon. Cucumbers listed as birth control at the counter would be the least of our problems.

  • by Nathrael ( 1251426 ) <nathraelthe42nd@[ ]il.com ['gma' in gap]> on Sunday August 31, 2008 @03:51AM (#24817123)
    Even if, there are other means of spreading around videos. Just use your favorite P2P method. Upload a torrent file on TPB, and the whole thing will simply take care of its own.
  • by ILongForDarkness ( 1134931 ) on Sunday August 31, 2008 @04:44AM (#24817457)
    can shut people up if they can prove that their product is flawed. But it is very hard to shut up a large company. Could you imagine giving a phone call to the television station saying that one of the companies that advertises on their station has a crappy product. They'd say sorry but they pay our bills.

    Worse, the companies will be continuing to claim how great the new security system is, even as they furiously try to shut up anyone that has a counter claim.

  • by Alsee ( 515537 ) on Sunday August 31, 2008 @05:32AM (#24817717) Homepage

    YouTube is required by law to take down content when someone files a DMCA takedown notice

    Incorrect.

    The DMCA says YouTube gets a free pass against any claims of infringement and any lawsuit from the party filing the DMCA notice.

    and put it back up after 14 days if the person who uploaded it files an uncontested counter notice.

    Incorrect.

    The DMCA says YouTube gets a free pass against any claims of harm or wrong doing in taking down the content.

    In practice virtually every company institutes automatic rules of obeying takedown notices and counter notices, no matter how blatantly bogus they may be. If the Olympic Committee, or Scientologists, or Barbra Streisand, or anyone else files DMCA notices demanding the takedown of content which is not in fact infringing, or for any other reason the service provider would not have been guilty under pre-DMCA law for leaving up, then that provider absolutely can choose to safely leave that content up. And equally, if under pre-DMCA law a company would not have been liable for taking certain content down, they can safely ignore a counter notice and can keep content down.

    One could, for example, send in a totally bogus takedown notice against a group organizing an event on a certain date, or against a business engaging in some time-critical dealings, or even against say a politician running for office. Virtually every internet business will follow a strict policy on taking down anything on a DMCA notice, no matter how blatantly bogus it is. The arrangement of law and business interests makes that almost impossible to escape. The DMCA makes it trivial to arbitrarily censor almost anything anyone dislikes and to bully people into submission, and to abusively achieve complete victory in any time-sensitive situation. I recall one case where stores were unhappy with their holiday sale prices being posted online. So they filed a totally bogus takedown notice claiming the sale prices as copyright infringement, and had the information taken down. And obviously a counter-notice to have that content restored several days later - after the holiday sale was over - would have been completely pointless. But imagine if one were to take advantage of this DMCA situation for political ends. A situation that is obviously quite date-critical and where counter-noticing a takedown does not solve or even diminish the damage caused by that takedown. One could anonymously send totally bogus takedown notices by e-mail or snail-mail screwing either candidate (even screwing both). Not only could you take down selected videos from YouTube just before an election, not only can you have various crucial materials taken down from various websites, one could potentially even get a candidate's own website taken down.

    Maybe in the described political campaign situation a company might override the strict corporate rule to comply with all DMCA notices, however that is a total crap-shoot and the law makes it against the company's interest to do so. Legally, the corporate interest is to just obey the bogus notice.

    If all you are doing is uploading copyright material that doesn't belong to you, there's not much YouTube can do to defend you.

    If you are uploading legitimate material and someone is sending junk DMCA notices, YouTube could ignore the junk notices, could defend you, but legally it is powerfully against their interests to do so. Legally, it would be stupid for them to do so.

    -

  • by WK2 ( 1072560 ) on Sunday August 31, 2008 @06:44AM (#24818099) Homepage

    You just pointed out one of the serious flaws with the DMCA, that any company, or any person, can file a barrage of illegitimate takedown notices with little or no consequence. Which still does not represent a flaw with Google, but rather with the law.

  • by WgT2 ( 591074 ) on Sunday August 31, 2008 @07:10AM (#24818247) Journal

    You bring it to their attention for the sake of revealing the problems with RFIDs; that RFIDs can be avoided, not the companies pushing them.

    Besides, I have recently found out that it is illegal for companies to charge more for their products when the purchaser is using a credit card. I find this absolutely ridiculous and a law that protects the credit card companies and not the consumer (well, at least not the retailers).

    These kinds of laws end up forcing retailers to charge consumers prices with the expectation that EVERYONE is going to pay with a credit/debit card. Which in turn means they have to tack on an extra 2%-4% to each item so that the card processing companies can get their cut.

  • Re:Yeah, well... (Score:3, Insightful)

    by Dr_Barnowl ( 709838 ) on Sunday August 31, 2008 @09:09AM (#24818821)

    Imagine what could be done if the USA had a similar arrangement to the BBC license fee for PBS.

    The BBC is funded by a compulsory license fee, which you must pay if you have a device capable of receiving its broadcasts. For television, it's less than £12 (less than $22) per month. From this, and from licensing of their content worldwide, they maintain

    • 8 national TV channels
    • 10 national radio channels
    • Local radio covering most of the UK
    • The BBC World Service
    • The BBC Website
      • Including the excellent BBC News web
    • They produce many original programmes, like:
      • The flabbergastingly beautiful Planet Earth
      • The Hitchhiker's Guide to the Galaxy
    • And buy in the best of foreign content
    • All without commercials

    The beauty of media, as many Slashdotters will have noted already, is that the more you spread it around, the greater its total value is.

    The USA has a far greater population than the UK, so they could either pay about £5 a month ($9) for the same level of service (I'm assuming that infrastructure costs do not diminish but content is a fixed cost in this estimate), or pay about the same, and get much more excellent, commercial-free content.

    Another enormous benefit of the BBC is that the commercial channels here are forced to raise their game. We have on average (and enforced by regulation), only 7 minutes of commercials per hour (about 12 minutes at peak times), instead of the more customary 18 in the states. USA networks frequently cut old Trek by 9 minutes to fit it in because in the 60s you had half the commercials.

    Television is by far the most powerful influencer, informer and educator of the masses and to leave it solely in the hands of the corporations is to invite fascism.

    Given a free rein or even a mandate [bbc.co.uk] to "inform, educate and entertain", public broadcasting can elevate an entire nation.