RFID Chips Are Here
Scott Granneman, 2003-06-26

RFID chips are being embedded in everything from jeans to paper money, and your privacy is at stake.

RFID Chips Are Here 2003-06-28
Anonymous
> This is the most hysterical piece of security journalism I have
> read in a long time.

No. That honour would seem to belong to your response, in my opinion.

> Through the sea of links, you are taken on a voyage of discovery, and
> the conclusions that can be made are:

> 1) There is a good living to be made from recycling other people's
> material that you have found on the Internet.

That seems like a cheap shot, but does at least fit in with the tone of your response.

> 2) Don't try to embellish the content if you don't know what you are
> talking about. You will be made to look a proper berk by someone who does.

You are quite right, as you are about to discover....

> As a real security professional (i.e. one that does not go around
> screaming that the sky is falling) and as someone who has worked
> with RFID for the military and for civilian uses (mainly Post Offices)
> for over six years, I find your article makes a number of glaring
> omissions that would allow any sensible human being to make a rational
> judgement about this technology.

As someone who does not claim to have any such title (security professional or otherwise), but is just technically experienced and relies on my 3 physics degrees and extensive practical experience with RF in the space industry, covert surveillance, broadcast and radar, I find your response to be irrational, ill informed and lacking in serious technical competence.

> Omissions:

> 1) Range versus size. Very basic issue.

In terms of the RF component, yes, the basic physics determines the physical constraints. In terms of the rest of the circuit, not really an issue, since it can be any size you want.

> The smaller it is, the closer you have to be to it to pick up the signal.

Clearly, you are unfamiliar with sensitive receiving equipment then. I remember someone claiming to be an expert on RF saying video senders really could only transmit 100 metres or so. Then I showed him a practical demonstration where I picked up a video sender signal almost 5 miles away, due solely to a 3 figure sum of receiving equipment optimised for maximum sensitivity.

Maybe you can explain to everyone the validity of your statement given that amateurs can happily build receiving equipment in their back garden which can pick up transmissions from spacecraft orbiting Mars? Be a bit hard for those amateurs to go to Mars to pick up the incredibly weak signal, don't you think?

> For a small passive tag we are talking inches (3-4 feet max).
> In order to track something from 200 yards (maximum range currently
> in use), you need an active tag (i.e. with a battery) and it has to
> be the size of a beer mat.

No and no. It would not take an active tag, it would take a more sensitive receiver. Hardly rocket science. Then again, carry on believing what you say, it will give people a good laugh when criminals read off your sensitive data remotely in years to come.

> I think you would notice it in your jeans.

Why is it that I get the impression you don't understand RF as well as you think?

> The signal generator in this case is also a non-trivial device.
> It is the size of a lamp-post and weighs in excess of 30Kg.
> Hardly PDA attachment material.

You have heard of Moore's Law, haven't you? Technology does get smaller, and certainly in this case, smaller solutions do exist. It's just you seem unaware of them.

> 2) Storage area on the device is tiny. For the small passive devices you
> are referring to the storage area is less than 1 Kilobyte.
> Not much space for your medical records here.

Clearly, your technical breadth of knowledge is very limited here as well. If details are already stored on a database, it is a trivial task to run a query based on the unique (note the word unique) ID of the RFID, and to potentially gain whatever information necessary. Then again, I've seen guidance systems written in under 1K, which again indicates that distinct lack of knowledge you have on the subject.


> 3) The logic associated with the tyre scenario. The association of the
> vehicle number and the tyre would not be stored on the tag. There is no space,

Really? Do you actually have any idea how much information can be stored in 1K? It may not be excessive, but one could certainly store more than basic details.

> and Read/Write tags are much more expensive (and larger).

Good grief. Actual factual content in your text. Again, though, this is merely a supply and demand issue. As time goes on, this will, no doubt, change.

> Easy to overwrite also.

That depends on the implementation, surely.

> So for your big brother is watching scenario, you would need to replace
> every lamp-post on every highway with a signal generator, have access to
> the database that cross-references your vehicle ID with the tag ids, and
> be able to monitor all of the signal generators in real-time to see what
> was happening.

Certainly not impossible technically. Financially, currently prohibitively expensive, but ask Ken Livingstone about his traffic cameras in London. I'm sure he'd be up for this.

> And all this just to find out where you are.
> Are you really that important? I think ringing your mobile would be easier.

A second fact? Steady on old chap.

> There is also a problem with reading many tags at once. The current limit is
> around 200 tags per second for the best sensor. The tag will respond and
> continue to respond at regular intervals (sub-second usually but dependent
> on set-up). Because they are all talking at once on the same frequency, the
> sensor cannot distinguish and ignore tags in real-time. It may receive many
> responses from the same tag, and there is no way to tell the tag to shut up.
> So imagine the situation across a busy highway.

That's right, because there is no such thing as technical progress, is there? So any technical issues will not be resolved will they? I think not.

Also, just because you are not aware of a technical solution, does not mean one does not exist.

> Hope this helps to re-assure people that it is very dangerous to listen to
> people who don't know what they are talking about.

I think your post achieves that eminently, though to the technically minded of us, not quite in the way you anticipated.

If you make such statements on technical matters, yet demonstrate lack of technical knowledge, then you should expect people to question and probe those statements. This is the real world, not the world inhabited by directors, where people do not question their statements, however wrong or banal they may be.

Those who purport to be "Security Professionals", need to be aware that an RFID is not fussy on the source of a signal. It receives the signal and responds. Simple as that. If a legitimate transceiver can detect it, so can a criminal's transceiver. Rather than reassure people based on a lack of knowledge, you would be better off gaining some technical knowledge so that you can actually comment on the issue from a position of strength.

For the record, I'm not against RFIDs, I am against people with little technical knowledge trying to sell the concept and gloss over potential flaws that could cause a lot of problems for the general population. In the real world, security and prevention of criminals from exploiting new technologies such as this is a very real concern. It does not mean the sky is falling in, it just means directors should learn and listen to the technical issues. The technology is still flawed.



Link to this comment: http://www.securityfocus.com/comments/columns/169/20647#20647
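
The multi-tag read problem argued over in the comment above (many tags answering at once on one frequency) is what anti-collision schemes such as framed slotted ALOHA address. The simulation below is an added example, not part of the original comment; the function name, tag IDs, frame sizes and backlog heuristic are assumptions chosen for illustration.

```python
import random

def inventory(tag_ids, frame_size=16, seed=1, max_rounds=1000):
    """Simulate a reader inventorying tags with framed slotted ALOHA.

    Returns (read_order, stats). A tag that is read alone in a slot is
    acknowledged and stays silent for the rest of the inventory.
    """
    rng = random.Random(seed)          # seeded so the run is repeatable
    pending = set(tag_ids)             # tags still answering the reader
    read_order = []
    stats = {"rounds": 0, "collided_slots": 0, "empty_slots": 0}
    while pending and stats["rounds"] < max_rounds:
        stats["rounds"] += 1
        slots = {}
        for tag in sorted(pending):    # every unread tag picks one slot
            slots.setdefault(rng.randrange(frame_size), []).append(tag)
        collided = 0
        for slot in range(frame_size):
            replies = slots.get(slot, [])
            if len(replies) == 1:      # clean reply: read and silence it
                read_order.append(replies[0])
                pending.discard(replies[0])
            elif replies:              # two or more tags talked at once
                collided += 1
            else:
                stats["empty_slots"] += 1
        stats["collided_slots"] += collided
        # Heuristic (assumption): about 2.4 tags hide in each collided slot,
        # so size the next frame to the estimated backlog.
        frame_size = max(2, round(2.4 * collided))
    return read_order, stats

# Constructed sample population: 200 tags, the figure quoted in the thread.
SAMPLE_TAGS = [f"TAG{i:04d}" for i in range(200)]

if __name__ == "__main__":
    order, stats = inventory(SAMPLE_TAGS)
    print(len(order), "tags read", stats)
```

Each tag appears exactly once in `read_order`, and the `stats` counters show how many slots were lost to collisions before the population was fully read.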
Copyright 2008, SecurityFocus