Senate staffers issued ID cards whose "security chips" turn out to be just pictures of a chip


#1

Originally published at: http://boingboing.net/2017/04/26/0-factor-auth.html


#2

I bet someone could sneak in with a picture of a gun.


#3

Senator Ron Wyden [D-Equestria] sent a letter to the chairs of the Senate Committee on Rules & Administration asking why Senate staffers have been issued ID cards whose “security chips” are just photographs of a chip.

See image below for answer:


#4

Taking security theater to a whole new level.


#5

That’s honestly a bit shocking.

Discovering that the (distinctly nontrivial) PKI setup needed to make PIVs/CACs actually useful had never been done for this set of users and their supporting infrastructure, and the smartcards were basically ornamental, wouldn’t be especially surprising: PKI is worse than useless if done wrong; and a pain to do right; but the price difference between chipped cards and plain cards is small; so issuing ‘future proofed’ IDs that you will totally be enabling real soon now would be fairly understandable; and hardly the worst plan under the circumstances.

Similarly, discovering that nobody was bothering; and they were just issuing the old style IDs with the same old layout would be disappointing; but not a huge surprise. ID badges are the sort of boring function that doesn’t get a nice upgrade budget or any attention unless something bad happens; so inertia dictates that you’d just keep doing what you are doing until either the card printer fails out of warranty; or its shitty software is no longer supported by the version of Windows you are running.

Going to the trouble of shopping in obvious fake smartcard contacts, though, means that someone took the time to change the style, rather than reuse an old template; and wasn’t bothered by the risk of being caught out in something that is trivially verifiable and makes you look like a total idiot. Why would you do that?

(Edit: best explanation I can think of is that some hapless intern or peon-level staff got stuck with the job of whipping up some spiffy new IDs; and the Google Image Search School of Research Fu turned up a bunch of pictures of smartcard-based IDs, which they then made minimum-effort edits to; without any real concern for why various elements were included in the images they turned up.)


#6

Guy can’t even fill important executive branch positions; you give him that much credit for being detail-oriented?


#7

Senator Ron Wyden [D-Equestria]

My little senator, my little senator, ahhh ahh ahhh ahhh ahhhhhhhhhhhhhhhh…


#8

And possibly sneak back out, if they also brought enough pictures of dead presidents to post a 6-figure bail…


#9

I don’t get the reference. Why Equestria?


#10

I’m sure this security lapse will result in a full FBI investigation and appear on the headlines for months.


#11

This is exactly the kind of treachery René Magritte warned us about.


#12

The only thing that stops a bad guy with a picture of a gun is a good guy with a picture of a gun.


#13

It’s a My Little Pony reference. The show takes place in a land called Equestria. Wyden is the senator from Oregon, so I’m not really sure why that was changed. Maybe a Chrome plugin that swaps text?


#14

Yes, that’s the part I don’t get. I’m aware of My Little Pony. What I don’t get is if this is some kind of weird plugin, or if Wyden is a secret brony or something.


#15

But he has to be quick on the draw.


#16

If we outlaw pictures of guns, only outlaws will have pictures of guns.


#17

It’s standard two-factor security. Something you know, and something you have a picture of.


#18

That’s word for word the exact reply I was going to write upon reading the article…

I’m slightly weirded out now :stuck_out_tongue:


#19

I made you say that, too.


#20

I’ll blame you for the typo I just had to fix then :smiley: