Hackers Clone Elvis' Passport

samzenpus posted more than 5 years ago | from the don't-mess-with-the-king dept.

Security 164

Barence writes "Hackers have released source code that allows the 'backup' of RFID-protected passports, although the tool can potentially be used to create fake or cloned documents. The Hacker's Choice, a non-commercial group of computer security experts, has released a video showing a cloned passport being approved by a security scanner at a Dutch airport. When the reader scans the passport, it is revealed to belong to one Elvis Aaron Presley, complete with picture. Reports of the hackers serenading security staff with 'Are You Clonesome Tonight' are unconfirmed."

164 comments

Obligatory (5, Funny)

Gandalf_Greyhame (44144) | more than 5 years ago | (#25230631)

Elvis has left the building

Re:Obligatory (5, Funny)

Anonymous Coward | more than 5 years ago | (#25230649)

On a day when we are going to be giving hundreds of billions to dodgy bankers, on a day when suicide bombs have returned to Baghdad, on a day when the most influential vice-presidential nominees for a lifetime will go toe-to-toe, surely there is more important news [bbc.co.uk] for /. to report!

Re:Obligatory (1)

Kokuyo (549451) | more than 5 years ago | (#25230687)

Well, none of the above were too surprising, right? So this deserves the headlines just for being damn funny amidst all the other bullshit that's going on.

Re:Obligatory (1, Offtopic)

Gandalf_Greyhame (44144) | more than 5 years ago | (#25230701)

I think you have things a bit messed up there, AC.

Hundreds of billions of dollars to dodgy bankers - Financial news
Suicide bombers returning to Baghdad - War correspondence
Vice-Presidents going toe-to-toe - Political news

Whereas the RFID protected passports being essentially cracked is technology news.

One of these types of news belongs inherently on "Slashdot: News for nerds, stuff that matters" the other 3, whilst they may have a place, are not obvious inclusions

WHOOSH! (0, Informative)

Anonymous Coward | more than 5 years ago | (#25230723)

Joke <----------------

Your head <----------------

Why don't you actually try clicking the link?

Re:Obligatory (1)

PopeRatzo (965947) | more than 5 years ago | (#25231085)

Son, those are all "technology" news at some level.

Re:Obligatory (3, Informative)

theeddie55 (982783) | more than 5 years ago | (#25231333)

if slashdot reported everything that was "at some level" technology news, it would just be a news site.

Vote for Stephen Harper! (0)

Anonymous Coward | more than 5 years ago | (#25230727)

Good old Neo-con Steve will help us out of the financial crisis. Look how well he did in the French debates last night!

Re:Obligatory (1)

Stooshie (993666) | more than 5 years ago | (#25231153)

Does that count as rickrolling?

Re:Obligatory (5, Funny)

RemoWilliams84 (1348761) | more than 5 years ago | (#25231721)

That would be the greatest rick roll ever. Have them scan your passport and it come back with Rick Astley's picture followed by you singing never gonna give you up at the top of your lungs. I'm beginning to see a whole reality show here.

Re:Obligatory (0)

Anonymous Coward | more than 5 years ago | (#25231391)

Yeah, damnit. These are SERIOUS times. Stop having fun, people.

Re:Obligatory (1)

tinkertim (918832) | more than 5 years ago | (#25230743)

Elvis has left the building

Well, if you're a programmer .. you can only conclude that Elvis is re-entrant and thread safe.

He left, re-entered and again left the building while leaving behind a small local mess to clean up.

If only it were (just *) local ....

Re:Obligatory (5, Funny)

BlueStrat (756137) | more than 5 years ago | (#25230747)

Elvis has left the building

Elvis has left the building

And the other Elvis has left the building

There, fixed that for you.

Cheers!

Strat

Re:Obligatory (4, Funny)

tinkertim (918832) | more than 5 years ago | (#25230789)

Elvis has left the building

Elvis has left the building

And the other Elvis has left the building

There, fixed that for you.

Cheers!

Strat

Well, sort of .. but where do I find MAX_ELVIS ?

Re:Obligatory (4, Funny)

Chris Mattern (191822) | more than 5 years ago | (#25231141)

Well, sort of .. but where do I find MAX_ELVIS ?

#include <rock-n-roll.h>

Re:Obligatory (1)

jacquesm (154384) | more than 5 years ago | (#25231211)

after the above comment I believe that should be:

#include

Re:Obligatory (1)

Chris Mattern (191822) | more than 5 years ago | (#25232161)

Y'know, the Preview button is there for a reason...

Re:Obligatory (5, Funny)

El_Muerte_TDS (592157) | more than 5 years ago | (#25231129)

There, fixed that for you.

Thank you, Thank you very much.

Elvis

Re:Obligatory (2, Funny)

JustOK (667959) | more than 5 years ago | (#25230951)

with his blue suede shoe bombs

Re:Obligatory (2, Funny)

ehaggis (879721) | more than 5 years ago | (#25231173)

I'm sorry, he cannot leave the building, he no longer has a valid passport.

Re:Obligatory (4, Interesting)

dkleinsc (563838) | more than 5 years ago | (#25231199)

Ever since that cracker got me
I found a new place to dwell.
It's down at the end of cloned street
At pwned hotel.

(chorus)
You make me so cloned baby,
I get so cloned,
I get so cloned I could die (again and again).

And although it's always crowded,
You still can find some room.
Where broken hearted users
Do cry away their gloom.

(chorus)

Well, the spammer's mail keeps flowin,
And the desk clerks dressed in black.
Well they been so long on cloned street
They ain't ever gonna look back.

(chorus)

Hey now, if a cracker gets you,
And you got a tale to tell,
just take a walk down cloned street
To pwned hotel.

Re:Obligatory (1)

clickety6 (141178) | more than 5 years ago | (#25231483)

Surely it should be "Elvis has left the country"

I for one (1, Funny)

Anonymous Coward | more than 5 years ago | (#25230641)

...welcome our new Elvis passport bearing overlords.

Re:I for one (1, Offtopic)

BlueStrat (756137) | more than 5 years ago | (#25230785)

In Soviet Russia, Elvis passports clone YOU!

Sorry, it was just too tempting.

Re:I for one (1)

master5o1 (1068594) | more than 5 years ago | (#25231097)

Drop the Elvis from that one: ..., passports clone YOU!

I can fix that for you... (5, Funny)

codefrog (302314) | more than 5 years ago | (#25230667)

That little problem goes right away... just add "Elvis Aaron Presley" to the no-fly list.
We is all secured again, and permanently this time!

He doesn't need to fly (2, Funny)

mangu (126918) | more than 5 years ago | (#25230703)

just add "Elvis Aaron Presley" to the no-fly list

Won't work. Elvis is everywhere [google.com]

Re:I can fix that for you... (5, Funny)

RuBLed (995686) | more than 5 years ago | (#25230711)

Elvis will be so pissed when he returns in 2012.

Re:I can fix that for you... (5, Funny)

davester666 (731373) | more than 5 years ago | (#25230939)

He's coming back for the Olympics? So, he's just been away all this time getting back in shape?

Re:I can fix that for you... (2, Funny)

master5o1 (1068594) | more than 5 years ago | (#25231101)

Yeah he's going to make that opening ceremony so much better than China's. Oh wait I don't think you can get more awesome than a publicly displayed BSOD.

Re:I can fix that for you... (5, Funny)

EasyTarget (43516) | more than 5 years ago | (#25231165)

Hello,

You have used our copyrighted phrase '2012', thereby destroying the branding of the British Olympics. You owe us 12Bn poonds.
We look forward to receiving your remittance by return.
- IOC IP enforcement department.

Re:I can fix that for you... (0)

Anonymous Coward | more than 5 years ago | (#25231205)

How the hell did this get modded "interesting"?? Is there some widely accepted theory about Elvis returning in 2012 I've missed?

Who the hell gets mod points nowadays?

Re:I can fix that for you... (3, Informative)

Sebilrazen (870600) | more than 5 years ago | (#25231647)

How the hell did this get modded "interesting"?? Is there some widely accepted theory about Elvis returning in 2012 I've missed?

Who the hell gets mod points nowadays?

Probably related to the end of the Mayan Long Count calendar, which was really accurate for 5,125 years, but it all of a sudden ends on the Winter Solstice in 2012 [wikipedia.org] , nobody knows what's going to happen.

I like to think of it as Peter Venkman said, "Human sacrifice, dogs and cats living together... mass hysteria!" Elvis caused mass hysteria, ergo Elvis comes back.

Re:I can fix that for you... (2, Informative)

Anonymous Coward | more than 5 years ago | (#25231599)

Elvis will be so pissed when he returns in 2012.

"Score:5, Interesting"

Try again, modboys. Sometimes I wonder what you guys are thinking when you moderate posts like this. Don't you see that it should have been modded informative instead of interesting. Amateurs.

Re:I can fix that for you... (1)

PopeRatzo (965947) | more than 5 years ago | (#25231087)

Thank god those religious fanatic terrorists will never figure this out.

hilarious! (1, Interesting)

Anonymous Coward | more than 5 years ago | (#25230673)

I wonder if it would be possible to just have a bunch of RFID chips along with your passport so they weren't sure which one they were reading? Although elvis would probably give it away :P

Re:hilarious! (2, Insightful)

BackwardHatClub (763903) | more than 5 years ago | (#25230705)

The 4 hour stop at security would be really hilarious...!

Be careful... (3, Insightful)

Anton Styles (1336251) | more than 5 years ago | (#25230713)

Personally, I'd be rather careful when it comes to ID fraud... Don't want to end up doing the Jailhouse Rock

Re:Be careful... (2, Funny)

technolectro (892729) | more than 5 years ago | (#25230741)

You have a Suspicious Mind.

Re:Be careful... (2, Insightful)

Thiez (1281866) | more than 5 years ago | (#25231051)

Actually, the Dutch don't own a little piece of Cuba, so no need to panic. Also, laws are relatively sane, so I doubt the people who did this are going to get in trouble, especially since the copied passport is so obviously fake, and merely proof-of-concept instead of something to be used in an evil plot to take over the world.

Re:Be careful... (4, Interesting)

Patrick Georgi (1355115) | more than 5 years ago | (#25231167)

At least in Germany, ID cards are considered to be federal property, so changing data on it could be considered malicious mischief.

Re:Be careful... (5, Insightful)

Incadenza (560402) | more than 5 years ago | (#25231221)

In the Netherlands passports are state property too. If your passport gets lost, you have to pay for a replacement (obviously) *plus* you get fined for losing government property!

Re:Be careful... (2, Insightful)

Anonymous Coward | more than 5 years ago | (#25231261)

Except in the video, you see they are using a simple blank card. So the ID cards were not from the government in the first place.

The detection equipment is probably built and bought by private companies, so fooling these does not involve the government either.

Re:Be careful... (3, Insightful)

Thiez (1281866) | more than 5 years ago | (#25231323)

The card they use in the video doesn't appear to be a real passport, only the chip (that may or may not have been removed from a password). Even if what they did is illegal, I would be extremely surprised if anyone involved were to end up in prison, although they may be fined, especially if they got the chip out of a real passport (like you suggested).

Re:Be careful... (3, Insightful)

EasyTarget (43516) | more than 5 years ago | (#25231227)

Unfortunately the current mob in (sort of ) charge here are right up the illiberal-fuck brigade's arse.

When it was recently demonstrated that the new national travelcard is broken (Mifare [computerworld.com] ) the response was a typical mixture of outrage, damning everybody as criminal, and refusing to accept that people with science degrees are a darn sight smarter than the bunch of PR/MBA wankers who fell for the Mifare sales spin.

Re:Be careful... (1)

jacquesm (154384) | more than 5 years ago | (#25231231)

America also doesn't own a piece of Cuba, it's leased, and the lease is disputed.

Re:Be careful... (0, Troll)

mikkelm (1000451) | more than 5 years ago | (#25231591)

Apparently being Dutch makes you very naive as well. Forging government issued documents is a serious crime no matter where you are, regardless of how benign it might be, and that certainly does not constitute a lack of sanity.

Now we just need (1)

goddidit (988396) | more than 5 years ago | (#25230717)

Security scanners with suspicious minds.

Re:Now we just need (1)

game kid (805301) | more than 5 years ago | (#25230781)

I'm sorry Dave, I'm afraid I can't do that.

Osama Bin Laden (5, Funny)

Krneki (1192201) | more than 5 years ago | (#25230721)

I dare anyone to fake the ID of Osama Bin Laden and try to get to the US.

Re:Osama Bin Laden (5, Funny)

plasmacutter (901737) | more than 5 years ago | (#25230883)

I would suggest a very fat white guy in a flannel shirt : )

Re:Osama Bin Laden (4, Funny)

Anonymous Coward | more than 5 years ago | (#25231019)

This is slashdot. That doesn't really narrow it down now does it? :P

Re:Osama Bin Laden (1)

Sebilrazen (870600) | more than 5 years ago | (#25231711)

This is slashdot. That doesn't really narrow it down now does it? :P

He meant Michael Moore, circa his Roger & Me days.

Re:Osama Bin Laden (1)

Kvasio (127200) | more than 5 years ago | (#25231953)

I would suggest a very fat white guy in a flannel shirt : )

Do you really want to put Marlon Brando in situation of this kind?

Re:Osama Bin Laden (2, Funny)

Anonymous Coward | more than 5 years ago | (#25230975)

Imagine a plane full of Osama Bin Ladens arriving to the US.

I'd pay to see that :D

Re:Osama Bin Laden (1)

Sporkinum (655143) | more than 5 years ago | (#25232467)

That's Osama Bin Forgotten.. Fixed that for you.

Re:Osama Bin Laden (2, Funny)

Oktober Sunset (838224) | more than 5 years ago | (#25230999)

Well I triple DOG dare you to do it.

Re:Osama Bin Laden (5, Funny)

MadMidnightBomber (894759) | more than 5 years ago | (#25231057)

It's OK - they already assume everyone who isn't white is Osama Bin Laden.

Re:Osama Bin Laden (1)

david.peace (1302591) | more than 5 years ago | (#25231081)

Wouldn't be too hard. Just make sure you apply for your visa in Jeddah, Saudi Arabia. That's where most of the 9/11 hijackers got theirs.

Re:Osama Bin Laden (1)

master5o1 (1068594) | more than 5 years ago | (#25231109)

No no do Saddam Hussein. He's dead so no one will care. Right?

Misconfigured scanner (2, Informative)

Anonymous Coward | more than 5 years ago | (#25230733)

This "hack" just worked because the scanner they used to validate the passport permitted self signed certificates.

Of course, it is good to show that scanners must be properly configured to be any good.

Re:Misconfigured scanner (5, Informative)

lorenzo.boccaccia (1263310) | more than 5 years ago | (#25230835)

I don't think there is a CA for passports, more info of this cloning on the schneier blog: http://www.schneier.com/blog/archives/2008/09/how_to_clone_an.html [schneier.com]

Re:Misconfigured scanner (2, Interesting)

prefect42 (141309) | more than 5 years ago | (#25231013)

Schneier looks to be wrong about multiple CAs. They don't cause the problem he's talking about.

Without having a global CA:

UKCA can make certs
USCA can make certs

I trust certs from both CAs. I only trust UKCA with certs /C=UK and USCA with /C=US. Both CAs can make certificates for the other country, but that doesn't mean the end user trusts it.

jh

Re:Misconfigured scanner (1)

master5o1 (1068594) | more than 5 years ago | (#25231117)

Both CAs can make certificates for the other country, but that doesn't mean the end user trusts it.

You mean the end user knows what a CA is?

Re:Misconfigured scanner (0)

Anonymous Coward | more than 5 years ago | (#25231335)

oh, yes, you securely understand it better than schneier.

I saw Elvis! (1)

FornaxChemica (968594) | more than 5 years ago | (#25230739)

Hopefully that fake Elvis passport will get in the wrong hands, that would help spotting illegal immigrants and terrorists trying to enter the country. Gotcha! [ruthlessreviews.com]

Before passing through security (5, Funny)

BackwardHatClub (763903) | more than 5 years ago | (#25230787)

Please remove your blue suede shoes.

Re:Before passing through security (0)

Anonymous Coward | more than 5 years ago | (#25230849)

Wise men say, only fools rush in.

Re:Before passing through security (2, Funny)

zwarte piet (1023413) | more than 5 years ago | (#25231035)

Why? Nobody is going to step on them..... because they're: 1) for the money 2) for the show

Any have a link to the video? (0)

Anonymous Coward | more than 5 years ago | (#25230813)

One that doesn't require flash.

Re:Any have a link to the video? (1)

sxpert (139117) | more than 5 years ago | (#25230937)

how about getting youtube-dl ?

Re:Any have a link to the video? (0)

Anonymous Coward | more than 5 years ago | (#25231159)

how about getting youtube-dl ?

How about it? I tried it before posting.

~$ youtube-dl http://video.google.com/googleplayer.swf?docid=-3185369830560352967
ERROR: no suitable InfoExtractor: http://video.google.com/googleplayer.swf?docid=-3185369830560352967

Bad title (4, Insightful)

L4t3r4lu5 (1216702) | more than 5 years ago | (#25230917)

You can't clone Elvis' passport; They didn't have access to the original.

They created a passport with fake details which matched the identity of another person. Nothing was cloned. I bet it wasn't even his passport picture, but a stock photo from the web.

Re:Bad title (1)

apt142 (574425) | more than 5 years ago | (#25231191)

Ah... but the real question is: Why did they use the young Elvis Picture over the Old Fat Elvis Picture?

Maybe they didn't clone Elvis' passport but made Clone Elvis' passport.

Completely brain dead minds want to know...

Re:Bad title (1)

AngryLlama (611814) | more than 5 years ago | (#25232321)

Ah.. is that why it is Elvis' and not Elvis's.. Young Elvis and Fat Elvis are two different entities.

Re:Bad title (4, Insightful)

wvmarle (1070040) | more than 5 years ago | (#25231949)

Which, from the face of it, makes the feat even more impressive. Cloning means "simply" reading the data from one passport, and copying it onto another. It is not necessary to decrypt this data, as long as the chip is tricked into releasing it.

Instead, they created a completely new data set, put this on the chip, and programmed the chip so it correctly answers to the challenge posed by the reader.

Now the idea of having the data encrypted in the passport chip may be wishful thinking of course... I would expect it is encrypted, if not then it's of course one step less for these hackers. At the very least I would expect some cryptographic checksum, based on some secret key or so, to verify that the passport (i.e. the data on the chip) has been government issued.

No matter what, a neat hack, and scary that it is possible in the first place.

creators 'clone' how it was meant to be (-1, Troll)

Anonymous Coward | more than 5 years ago | (#25230995)

which makes 'it' available again/forever?

greed, fear & ego are unprecedented evile's primary weapons. those, along with deception & coercion, helps most of us remain (unwittingly?) dependent on its' life0cidal hired goons' agenda. most of yOUR dwindling resources are being squandered on the 'wars', & continuation of the billionerrors stock markup FraUD/pyramid schemes. nobody ever mentions the real long term costs of those debacles in both life & any notion of prosperity for us, or our children, not to mention the abuse of the consciences of those of us who still have one. see you on the other side of it. the lights are coming up all over now. conspiracy theorists are being vindicated. some might choose a tin umbrella to go with their hats. the fairytail is winding down now. let your conscience be yOUR guide. you can be more helpful than you might have imagined. there are still some choices. if they do not suit you, consider the likely results of continuing to follow the corepirate nazi hypenosys story LIEn, whereas anything of relevance is replaced almost instantly with pr ?firm? scriptdead mindphuking propaganda or 'celebrity' trivia 'foam'. meanwhile; don't forget to get a little more oxygen on yOUR brain, & look up in the sky from time to time, starting early in the day. there's lots going on up there.

http://news.google.com/?ncl=1216734813&hl=en&topic=n
http://www.nytimes.com/2007/12/31/opinion/31mon1.html?em&ex=1199336400&en=c4b5414371631707&ei=5087%0A
http://news.yahoo.com/s/ap/20080918/ap_on_re_us/tent_cities;_ylt=A0wNcyS6yNJIZBoBSxKs0NUE
http://www.nytimes.com/2008/05/29/world/29amnesty.html?hp
http://www.cnn.com/2008/US/06/02/nasa.global.warming.ap/index.html
http://www.cnn.com/2008/US/weather/06/05/severe.weather.ap/index.html
http://www.cnn.com/2008/US/weather/06/02/honore.preparedness/index.html
http://www.nytimes.com/2008/06/01/opinion/01dowd.html?em&ex=1212638400&en=744b7cebc86723e5&ei=5087%0A
http://www.cnn.com/2008/POLITICS/06/05/senate.iraq/index.html
http://www.nytimes.com/2008/06/17/washington/17contractor.html?hp
http://www.nytimes.com/2008/07/03/world/middleeast/03kurdistan.html?_r=1&hp&oref=slogin
http://biz.yahoo.com/ap/080708/cheney_climate.html
http://news.yahoo.com/s/politico/20080805/pl_politico/12308;_ylt=A0wNcxTPdJhILAYAVQms0NUE
http://www.cnn.com/2008/POLITICS/09/18/voting.problems/index.html
http://news.yahoo.com/s/nm/20080903/ts_nm/environment_arctic_dc;_ylt=A0wNcwhhcb5It3EBoy2s0NUE
(talk about cowardlly race fixing/bad theater/fiction?) http://money.cnn.com/2008/09/19/news/economy/sec_short_selling/index.htm?cnn=yes

is it time to get real yet? A LOT of energy is being squandered in attempts to keep US in the dark. in the end (give or take a few 1000 years), the creators will prevail (world without end, etc...), as it has always been. the process of gaining yOUR release from the current hostage situation may not be what you might think it is. butt of course, most of US don't know, or care what a precarious/fatal situation we're in. for example; the insidious attempts by the felonious corepirate nazi execrable to block the suns' light, interfering with a requirement (sunlight) for us to stay healthy/alive. it's likely not good for yOUR health/memories 'else they'd be bragging about it? we're intending for the whoreabully deceptive (they'll do ANYTHING for a bit more monIE/power) felons to give up/fail even further, in attempting to control the 'weather', as well as a # of other things/events.

http://www.google.com/search?hl=en&q=weather+manipulation&btnG=Search
http://video.google.com/videosearch?hl=en&q=video+cloud+spraying

'The current rate of extinction is around 10 to 100 times the usual background level, and has been elevated above the background level since the Pleistocene. The current extinction rate is more rapid than in any other extinction event in earth history, and 50% of species could be extinct by the end of this century. While the role of humans is unclear in the longer-term extinction pattern, it is clear that factors such as deforestation, habitat destruction, hunting, the introduction of non-native species, pollution and climate change have reduced biodiversity profoundly.' (wiki)

consult with/trust in yOUR creators. providing more than enough of everything for everyone (without any distracting/spiritdead personal gain motives), whilst badtolling unprecedented evile, using an unlimited supply of newclear power, since/until forever. see you there?

"If my people, which are called by my name, shall humble themselves, and pray, and seek my face, and turn from their wicked ways; then will I hear from heaven, and will forgive their sin, and will heal their land."

That's not a security console... (2, Insightful)

Neelix21 (143043) | more than 5 years ago | (#25231041)

I have no idea what kind of console that is, but it doesn't look like much of a "security console" to me.

This movie only shows that they have successfully created a cloned passport, and that the scanner does not do any security checks. This was already demonstrated some time ago [os3.nl] at a local town hall.

Doing this again at an airport adds nothing but hype. It does not prove that security in those things is broken.

Re:That's not a security console... (5, Insightful)

Ren Hoak (1217024) | more than 5 years ago | (#25231143)

It does not prove that security in those things is broken.
Ok, so by your words, being able to create a document that contains blatantly false information, and successfully using that document to bypass security doesn't prove that "security in those things is broken". What, pray tell, would be required beyond this to demonstrate that security is broken? Because, you see, in my simple view of things, if you are "Bob" and security is on the lookout for "Bob", and you show them a modified password claiming that you're "Neil", and security lets you through because as far as they can tell you aren't "Bob", security has been compromised. When security is based on human inspection of said passport, clearly it's subject to human error. When security is electronically based, such as the case with RFID, all but the most basic of human interaction should be removed from the "is this a real passport?" equation.

Re:That's not a security console... (1)

BLKMGK (34057) | more than 5 years ago | (#25231935)

What security portal EXACTLY did he bypass? The device he used to scan this simply read the RFID and barfed the data to the screen. It did ZERO signature checking on the PKI encrypted data else it would have flagged the signature as either being broken or signed by an invalid CA.

What part of that did you not understand? The post you responded to is 100% correct and accurate.

Re:That's not a security console... (1)

BLKMGK (34057) | more than 5 years ago | (#25231979)

Actually not 100% correct - this isn't a cloned passport. This is a modified passport else the signature would be correct and it would pass any security check in the world that only looked at the RFID data.

Cloned passports aren't an issue, modified passports that pass crypto checks would be an issue. This passport is modified but it does NOT pass those checks when done properly - the person doing this work will say as much if you ask him and it's something he makes plain in his talks - or did at BH anyway.

Cloning easy, properly modified not. This device would be stopped at a properly designed security portal.

Re:That's not a security console... (1)

BlackCobra43 (596714) | more than 5 years ago | (#25232445)

Except in this case "Bob" is not pretending to be "Neil", he's pretending to be "Jesus H. Christ". You'd figure someone, somewhere would throw up a red flag at that.

Never let a computer do a job that can be done by (4, Insightful)

HungryHobo (1314109) | more than 5 years ago | (#25231047)

"Never let a computer do a job that can be done by a human."
I just can't agree with this.
People can be fooled easily enough and the more that's automated properly the better. A human(well thousands of them) *could* do all the interest calculations at your bank but it would be stupid to do it that way.

There are loads of jobs out there which are better done by machines.

Re:Never let a computer do a job that can be done (1)

master5o1 (1068594) | more than 5 years ago | (#25231139)

And loads of jobs that need to be double checked by machines after originally being done by Humans. Come on we need jobs too! Just because Computers are relatively cheap to feed and don't pay income tax doesn't mean they're the best tool in the shed.

ASdpojd pja oh sorry laptop i didn't mean to insult you.

Re:Never let a computer do a job that can be done (1)

Laebshade (643478) | more than 5 years ago | (#25231957)

He left out a key word: "better", so rewrite it as this:

Never let a computer do a job that can be done better by a human

As you said, there are lots of jobs that computers are better at; I imagine the best case scenario (in a dream world?), when it comes to security, would be a combination of computer and human security.

But that's just my armchair opinion.

As Jamie and Adam would say ... (1)

Stavr0 (35032) | more than 5 years ago | (#25231269)

Myth: Confirmed! [slashdot.org]

Hahahahahaha (3, Informative)

Jane Q. Public (1010737) | more than 5 years ago | (#25231327)

Hahahahahahahahahahahahahahahaha! Hahahahahahahahahahaha!

Of course we already knew, when U.S. passport encryption was broken in all of 2 hours, that this was inevitable.

And the government did it all in the name of more "security".

But as we know, it is actually less freedom, and LESS security. This is just more proof.

Re:Hahahahahaha (1)

BLKMGK (34057) | more than 5 years ago | (#25231815)

Umm, you do not know what you are talking about. By all means provide a link to a credible source on the crypto on the US passports being broken. Note that the same crypto is being used around the world - it's part of a "STANDARD" and is using a lengthy known good crypto algorithms.

All this demo proves is that there are devices happy to read the RFID and not do any security checks. As this presenter has explained in his talks modifying this data, the way he does it, requires either a self signed cert or a broken PKI signature. A device with proper security checks in place can spot both of these kinds of modifications if it was implemented properly. In fact the Gold Disk for which countries build their software to emulate even flags some of his changes - they just don't flag them as critical in that particular code base. What any country does in THEIR implementation however is anyone's guess 'cuz they ain't talking about it...

This man gives a good talk on the subject, sadly it's apparent that you either didn't understand it or never bothered to attend it. You might want to adjust your tinfoil though, it's a bit too tight.

I am so disappointed (0)

Anonymous Coward | more than 5 years ago | (#25231497)

When I read the headline, I thought they had made an Elvis clone from leftover DNA on his old passport. :(

Re:I am so disappointed (1)

Sebilrazen (870600) | more than 5 years ago | (#25231743)

Ewww.

Smart IEDs (1)

JackSpratts (660957) | more than 5 years ago | (#25231629)

From the related article:

"Thanks to the ePassports is it now possible to build Smart-IED's. A Smart-IED waits until a specific person passes by before detonating or let's say until there are more than 10 americans in the room. Boom." -John Doe

isn't that lovely.

- js.

http://blog.thc.org/index.php?/archives/4-The-Risk-of-ePassports-and-RFID.html [thc.org]

Sorry, proves nothing (2, Interesting)

BLKMGK (34057) | more than 5 years ago | (#25231727)

This isn't a security scanner any more than the previous scanner he checked out at his local Govt building - in fact it's probably nearly the same damned thing! This is simply a device that is showing the data on the chip - I'm not convinced that it is doing ANY security checks that a "real" security scanner would do. How smart would it be to put a machine out with the same checks as a security portal to allow counterfeiters to practice on? Umm, Duh?? Cloning easy, modifying of data NOT!

Yes, the data has been modified and the signature broken, it remains to be seen what the scanner will do when it sees a broken signature or self signed cert on the passport. As was explained in the talk at BH SOME countries HAVE exchanged PKI information so at least some countries ought to be aware of what the signature SHOULD look like and SHOULD be able to spot fakes. It's also not clear that modifying the security file on the passport to change what security protections it reports isn't going to be spotted either since passing THAT information is also possible. Lastly, passing trusted PKI around need not actually take place - if I see 500 German passports who ALL have the same PKI signature and 1 that doesn't it's a pretty good bet that the *1* has an issue! No secret squirrel passing of certificates required in that case.

Bottom line is - no one knows exactly what the various security stations will actually check for and how closely they really follow the lax security of the Gold Disk standard that much of this presenter's testing was based off of. The only way to know any of this is to attempt to USE one of these or get the Govts to talk - what are the chances of THAT?!

So, interesting demo but I'm not convinced it proves that fake passports with *modified* data can be made. At least some better understanding of how the data is being stored and interacted with has occurred I'd say...
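The checks the comment above describes (spotting a self-signed cert, comparing against exchanged PKI, and falling back to "500 match and 1 doesn't" when no PKI was exchanged), sketched as an added example that is not part of the original comment or of any real inspection system. The record fields, verdict names and thresholds are hypothetical, the sample readings are constructed, and cryptographic verification of the signature itself is assumed to happen elsewhere.

```python
from collections import Counter, defaultdict
from typing import NamedTuple

class Reading(NamedTuple):
    doc_id: str          # hypothetical local id for one scan
    country: str         # issuing state read from the chip
    signer_subject: str  # subject of the cert that signed the chip data
    signer_issuer: str   # issuer named in that cert
    issuer_key_fp: str   # fingerprint of the issuer's public key

def classify(readings, exchanged=None, min_seen=50, rare_share=0.01):
    """Return {doc_id: verdict}; `exchanged` maps country -> trusted issuer key fingerprints."""
    exchanged = exchanged or {}
    seen = defaultdict(Counter)
    for r in readings:
        seen[r.country][r.issuer_key_fp] += 1
    verdicts = {}
    for r in readings:
        total = sum(seen[r.country].values())
        if r.signer_subject == r.signer_issuer:
            verdict = "self-signed"          # cert vouches only for itself
        elif r.country in exchanged:
            # PKI was exchanged with this country: the issuer key is known or it is not.
            known = r.issuer_key_fp in exchanged[r.country]
            verdict = "trusted-issuer" if known else "untrusted-issuer"
        elif total < min_seen:
            verdict = "unknown"              # too few samples to judge by majority
        elif seen[r.country][r.issuer_key_fp] / total <= rare_share:
            verdict = "outlier-issuer"       # the "1 that doesn't" case
        else:
            verdict = "consistent"
        verdicts[r.doc_id] = verdict
    return verdicts

def sample_batch():
    """Constructed data: 500 consistent readings plus three edge cases."""
    batch = [Reading(f"D-{i}", "D", "DS-D-01", "CSCA-D", "fp-aaaa") for i in range(500)]
    batch.append(Reading("D-x1", "D", "DS-D-01", "CSCA-D", "fp-ffff"))  # right names, wrong issuer key
    batch.append(Reading("D-x2", "D", "Elvis", "Elvis", "fp-eeee"))     # self-signed
    batch.append(Reading("NL-1", "NL", "DS-NL-01", "CSCA-NL", "fp-bbbb"))
    return batch

if __name__ == "__main__":
    flagged = {k: v for k, v in classify(sample_batch()).items() if v != "consistent"}
    print(flagged)
```

A country that rotates its signing keys will legitimately show a new issuer key as an outlier for a while, so the majority verdict is a prompt for closer inspection rather than proof of forgery.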

Giving Fair Use a bad name... (0)

Anonymous Coward | more than 5 years ago | (#25231787)

Backup? Seriously? Who on earth needs to "back up" their passport data? And what possible use is a "back up" of your passport data? You can't legally create yourself a new one if the original is lost.

Look, I'm not a fan of the enormous faith being placed in insecure formats on passports. And I'm sure people want to point out security flaws, and I'm fine with that.

But publishing an obvious exploit under the guise of a "backup tool" is just BEGGING for people to sit up and take notice of "gee, maybe we need to rethink the notion of 'backing up' always being fair use...."

Re:Giving Fair Use a bad name... (1)

BLKMGK (34057) | more than 5 years ago | (#25231879)

Can you explain what exactly is insecure here? Other than the fact that anyone who understands the protocol can read your passport there's nothing insecure here. He's either self signing the data and the device in question isn't checking the signature against a PKI database or the passport has a broken signature which apparently this device might also not check. A proper device would spot these changes but why would you put such a thing out where counterfeiters could test against it?

His software is pretty interesting and he's explained a great deal of how the device stores data. The great unknown is how other devices process that data when passing through a portal - that software isn't available. Who wants to be the guinea pig?

Summary wrong (1)

Ecyrd (51952) | more than 5 years ago | (#25231823)

RFID does not protect technology. Saying something is "RFID-protected" is just like saying "my access point is WiFi-protected". Eh?

RFID is a carrier technology, with a number of different frequency bands, each with its own application area: some can be read from afar, some offer high transfer speeds, some work well close to metal, some need large antennas and some need small ones.

Some RFID tags just contain an ID (and are usually of high range and low speed), and some tags contain loads of data (meaning a low range and high speed). Unfortunately, people tend to lump all RFID as a single thing, which muddles things somewhat. However, they have no more in common than say, HAM radio and WiFi. You can't say that WiFi is bad because HAM radio lacks security ;-)

Obvious Fake (3, Informative)

jea6 (117959) | more than 5 years ago | (#25231849)

For conspiracy theorists: Elvis' middle name was Aron, not Aaron, right?

Wikipedia says "Presley's genuine birth certificate reads "Elvis Aaron Presley" (as written by a doctor). There is also a souvenir birth certificate that reads "Elvis Aron Presley." When Presley did sign his middle name, he used Aron. It reads 'Aron' on his marriage certificate and on his army duffel bag. Aron was apparently the spelling the Presleys used to make it similar to the middle name of Elvis' stillborn twin, Jesse Garon. Elvis later sought to change the name's spelling to the traditional and biblical Aaron. In the process he learned that "official state records had always listed it as Aaron. Therefore, he always was, officially, Elvis Aaron Presley." Knowing Presley's plans for his middle name, Aaron is the spelling his father chose for Elvis' tombstone, and it is the spelling his estate has designated as the official spelling whenever the middle name is used today. His death certificate says "Elvis Aron Presley." This quirk has helped inflame the "Elvis is not dead" conspiracy theories."

Misread the headline for a minute and was happy (1)

elrous0 (869638) | more than 5 years ago | (#25231975)

For just a minute, I thought hackers had successfully cloned Elvis. Then I saw it was just his passport.

Oh well, it's a start.

Old Story (1)

VincenzoRomano (881055) | more than 5 years ago | (#25231977)

I've seen some time ago on BBC Lukas Gruenwald from Germany reading his own passport data.

It's not "Aaron" (1)

Illbay (700081) | more than 5 years ago | (#25232169)

Anyone who knows ANYTHING about Elvis lore, knows that his name was oddly spelled:

Elvis ARON Presley.

Everybody owes The King something (1)

ajparr (1366929) | more than 5 years ago | (#25232311)

This proves it -- everybody owes The King something...