More on the RFID virus assertion

More response to the study of RFID and security issues about which I posted earlier. In particular, I found the response from the EPC community very interesting. It's worth the read, and I have to agree with most of the arguments posited by the RFID "defenders". That said, I find the important point is made by one of the authors, Melanie Rieback: "A lot of these attacks are common knowledge to IT security professionals, but what is different is that no one expects these attacks to come from an RFID tag."

RFID Journal - Can Tag Viruses Infect RFID Systems?

... However, the group's claims were immediately rejected by some members of the RFID industry, including Kevin Ashton, cofounder and former executive director of MIT's Auto-ID Center and now vice president of marketing for RFID interrogator manufacturer ThingMagic.

"A typical EPC tag has 96 bits of memory with an ID number," Ashton notes. "For any such threat to be credible, there would have to be more memory, a read-write tag and variable-length tag reads. It would also need a reader and a system stupid enough and vulnerable enough to allow executable malicious code."

Sue Hutchinson is the director of product management for EPCglobal US, the U.S. arm of EPCglobal, a GS1-sponsored organization working to commercialize EPC technology and RFID standards. She says the security features built into the latest EPC tag and reader standard, Class 1 Gen 2, make the air interface protocol very different than the tags and readers used in the Dutch study.

Studies such as the one done at Vrije University are important because "they keep us thinking about these things, and it's of critical importance," says Hutchinson, "but it's a grand leap to say that [what was shown in the study] could happen to EPC tags and readers. ...


More reaction to the RFID Virus paper, including a reasonably accurate (as I read it) description of how the whole study is jury-rigged. I think that the point raised above is still the important one: Don't take for granted that the data in a tag is "clean" and "valid."

... Really, what they're doing is the equivalent of:

1. Designing a barcode system to automatically self-destruct if it ever reads a barcode of 1337 1337, for no reason other than to prove it's dangerous.

2. Broadcasting to the world that the barcode system will self-destruct if it ever reads a barcode of 1337 1337.

3. Intentionally reading a barcode of 1337 1337.

4. Claiming that barcodes are dangerous.

RFID Tags, just like barcodes are just data. Nothing more than data. If you intentionally design a system to be vulnerable to certain data, then intentionally expose the system to that data, then yup, you'll have a problem.

Technorati Tags: ,


Chicago and entrepreneurial technology culture

Matt McCall posts Sweet Home Chicago in his 'blog VC Confidential. As a part-time resident of Chicago for the past two years, while putting a technology startup in place, I've had occasion to hear the same jokes, the incredulity of my colleagues in SIlicon Valley, and have also faced the reality of the situation -- it's different here.

Matt refers to Shannon Clark's open letter to Ron May, which raises a couple of points for comparison. Shannon first points to the "think big" mentality of entrepreneurs in the Bay Area. He then refers to the bootstrap companies -- those that launch without benefit of significant investment. Perhaps one of the most telling issues he raises is the "network effect" and how personal contacts are generous with their time, their willingness to share ideas, and the follow through when making appropriate introductions.

My take is that it's harder to start an entrepreneurial technology company here in Chicago for two reasons (among others), and these two are about the people or, perhaps, the local culture.

First is what I would call the "risk profile." The rank and file employee of a technology startup is an optimist and a risk taker. He or she is willing to take a cut in salary, or at least an increased level of risk in job security. In exchange, this person gets the excitement and comraderie of a startup, the reward of having a bigger relative role in the outcome of the company, and potentially an economic reward from equity in the company when it becomes liquid. But it all seems to come down to the pleasure of seeing something built. It's the pride of repeatedly succeeding at tasks that others considered impossible. There's a joy involved in tech startups that's truly recognizable.

I've personally experienced the booms as well as the busts that are endemic to Silicon Valley. (Notice the plural... I can remember three really BIG boom-bust cycles, as well as several of boomlet-speedbump variety.) In each case, after the "fluff" got blown out of the area, the folks who remained were undaunted. As long as there were sufficient supplies of caffeine, inexpensive takeout food, reasonably reliable internet service, and a workstation, they lived off their credit cards, telling anyone who asked that "... there's no BETTER time to start a company. I've been able to round up incredible talent. They're willing to work nights and off-hours, or just throw in with me until their gas guage or bank balance hits the red zone near 'E'."

Many of the people with whom I've spoken during employment interviews over the past two years in Chicagoland have a story relating to an entrepreneurial startup during the last boom along the Route 80 corridor. They're still traumatized by the stunning failure of so many high fliers. When it comes to the job offer, discussions of stock options are met with the rolling of eyes, and a quick change of subject. Are there people with the right risk profile in Chicagoland? Absolutely!! But, far fewer than in the Gold Rush country. And they're MUCH harder to find or seek out. That gets to my second observation.

The norm in Chicago seems rarely to include the networking I know in Silicon Valley. There aren't the same venues where folks meet or can count on running into someone interesting with whom to strike up a conversation. I applaud the efforts of organizations like the Illinois I.T. Association. I consider the leadership and the members to be doing a tremendous job. But, it's still a venue for the CxOs, the bankers and the investors. Entrepreneurial technology companies live and die on the experienced managers and the younger, adventurous employees. I don't know where in Chicago these groups gather to reinforce one another, swap ideas, and let one another know about the new company that's looking to change the world.

Chicago has some first rate technology venture capital firms. I know many of them. We've been lucky enough to have them participate in our company. They're up-to-date, interested and ready to participate in entrepreneurial ventures. Yet, if you look at their portfolios, they've been unsuccessful as a group in finding (and funding) very many local firms. These are numbers that reflect the reality of the situation in Chicago.

Technorati Tags: , ,


How does an RFID tag perpetuate a computer virus?

InformationWeek's carrying a Reuter's article that mystifies me. I can understand that if an RFID tag is used to retain volatile information that, later, might be used in other calculations, transforms, etc. AND the villain of the piece has intimate knowledge of that application, it would be possible to throw data into the volatile storage that might gum up the works.

I can also understand that if RFID tags are "programmable" in the field, an erroneous EPC number could be inserted into the tag, inadvertantly or intentionally, with the result that the data base (once again) contains invalid information (and potentially, you're charged the going rate for toothpaste when buying a bottle of wine, since it has the same effect as a mis-tagged item).

But, a virus? That infects other RFID tags? I gotta see this paper.

Radio Chip Barcodes Can Carry A Virus: Scientists

March 15, 2006

AMSTERDAM (Reuters) - Cheap radio chips that are replacing the ubiquitous barcode are a threat to privacy and susceptible to computer viruses, scientists at a Dutch university said on Wednesday.

Researchers at the Amsterdam's Free University created a radio frequency identity (RFID) chip infected with a virus to prove that RFID systems are vulnerable despite the extremely low memory capacity on the cheap chips.

The problem is that an infected RFID tag, which is read wirelessly when it passes through a scanning gate, can upset the database that processes the information on the chip, says the study by Melanie Rieback, Bruno Crispo and Andrew Tanenbaum.

"Everyone working on RFID technology has tacitly assumed that the mere act of scanning an RFID tag cannot modify back-end software and certainly not in a malicious way. Unfortunately, they are wrong," the scientists said in a paper.

"An RFID tag can be infected with a virus and this virus can infect the back-end database used by the RFID software. From there it can be easily spread to other RFID tags," they said.

As a result, it is possible that criminals or militants could use an infected RFID tag to upset airline baggage handling systems with potentially devastating consequences, they said.

The same technology could also be used to wreak havoc with the databases used by supermarkets.

"This is intended as a wake-up call. We ask the RFID industry to design systems that are secure," Tanenbaum said in a telephone interview." ...


OK, I've downloaded their paper and read through the website. Their point, and it's a good one, though overblown, is that RFID, like any system that elicits input that goes to a database system, must be considered as containing attempted "exploits." If I were to do a "global replace" on their discussion of threats and exploits, replacing RFID with elicitation of data from users of the public internet using web browsers, the argument would be just as valid.

There are ways of pointing out that Best Practice in coding back-office software should always do a validation check on the input data before "committing" it to the system. This is an application software issue... not an issue specific to RFID.

If the point of this website and article is to point out that the data embodied in an RFID chip must NOT be considered already validated, they should have said so. If it was a fair study, by pointing up the potential threat, they should also point out that it is best practice to examine RFID-resident data for either inadvertent or intentional threats to the back-office software systems. They should have and could have said that without the sky-is-falling-and-RFID-is-inherently-unsafe hoopla.

Technorati Tags: ,


Sun goes after Azul, Azul throws counterpunch

I have no way of knowing who's IP is being used as the basis for Azul's technology. I still don't like the use of IP as a bludgeon or a saturday night special. I'm not as immediately outraged when Sun files suit for IP infringement as I might be if, for example, NTP did. At least there's reasonable possibility that Azul might inappropriately capitalize on Sun's efforts, while Sun suffers material damage.

I do sympathize with Azul, a group that's been quite innovative and worked hard to move the state of the art forward by more than an inch. It's got to be very daunting to hear the attorneys of a "big company" state that they should sweep in and own a big chunk of your "baby", or that you owe licensing fees that dwarf the amount of venture money that's gone into the company.

There's got to be a better approach to software patents. Is it to do away with them altogether? Probably not. I wish I was sharp enough to ferret out the answer.

See BusinessWeek's review of the doings in Sun Sets on Azul's Technology

... Analysts and former Sun executives say they're somewhat surprised by the row, as Sun has filed relatively few intellectual-property suits over the years. Indeed, its current marketing mantra is "share" -- a campaign built on Sun's belief in developing and supporting industry-standard technologies such as Java.

But Azul tells a different story. It says that from the time Sun first raised concerns in February, 2005, Azul has bent over backwards to prove that the fears were unfounded. Dewitt says he called McNealy after receiving the first letter from Sun's legal department. In the ensuing months, Azul had its outside counsel do an "intellectual-property audit," combing through documents and interviewing former Sun employees on staff to make sure they had not wittingly or unwittingly misused Sun patents or trade secrets. An Azul insider says Sun was uninterested in seeing the results.

Azul says in a court filing that it made other proposals, including "a mediated discussion between the parties' technical teams or other form of mediation or arbitration." Sun's response came in a letter dated May 16, 2005: "We do not need a mediator or independent auditor to point out the obvious," according to Azul's filing. ...

It's no big surprise that RIM has called for U.S. patent reform.

BlackBerry Maker RIM Calls For U.S. Patent Reform

Now that it has settled a long-running patent infringement lawsuit filed by NTP Inc., BlackBerry maker Research In Motion is calling for a "more balanced" U.S. patent system.

Technorati Tags: ,


Consumers, Prosumers, Producers and now... Conducers?

A question raised in the panel on new business models by Keith Teare from Edgeio, to Eric Rudder of Microsoft: What's the impact of RSS as a "disintermediating" force to the software and services industry when consumers become the "producers"/service providers. (E.g., when I can personally publish my photos as can my friends and family, such that my mother can see my photos and I hers)?

Jeremy Allaire of Brightcove: Syndication as an important aspect of the distribution model. Efficiencies that were never possible. But, with that said, it's NOT efficient. Doesn't scale, because individually distributing access to all the consumers on an individual basis, is very expensive.

Technorati Tags: ,