Senate staffers issued ID cards whose "security chips" turn out to be just pictures of a chip

Maybe Cory is secretly working for Hasbro?

Hmm… who won the contract for this, and how much did the Senate pay for it?

Yep. And Dadaism did have its influence on Surrealism (the times we live in now!)

No idea, that’s quoted from the article itself. We would need to ask Cory why he wrote that.

The local high school drama club would make more realistic props.

Or the security chip is a decoy and the actual security devices are not advertised.

It wouldn’t be too surprising (or necessarily an atrocious idea; just not
one even close to being as adequate as PIV implementation) if these cards
did contain one of the RFID/NFC/pre-standardization-contactless mechanisms
in common commercial use. Those are fairly cheap; can be implemented with
quite limited integration with IT (there is generally some sort of database
that stores the ‘what cards can open what doors, when?’ data; activity
logs (if any; the sort of people who approve of doing things by "voice vote"
might not like robust access logs) and an interface for
adding/removing/changing users; but that’s far less involved than what you
do to allow smartcard authentication to systems; and allow routine use of
encryption and digital signatures); and aren’t visibly different than basic
plastic card blanks. Such mechanisms are hard to keep secret (RFID only
works if the card wakes up and merrily starts trying to authenticate
whenever a suitable reader provides it power; so a few seconds of
interrogation with cheap reader hardware; or even inspection under strong
light, can typically tell you whether or not a card has RFID elements).

I would be much more surprised (though one can never quite banish the
specter of awful roll-your-own ‘security’ cropping up) if these things use
some sort of PIV-level features implemented in a ‘secret’ nonstandard way.
“Senate Staffers” is an atypically influential user group; but not a
terribly large one; and the cost of hardware and software design and
implementation is absolutely brutal unless you can spread it over a large
userbase. CACs and PIVs have large userbases (especially since they share
most of the computer security design and features; which are the bits you
want to reuse; and differ in terms of layout, graphics, and exactly what
user data are supposed to be included, which are things easier and cheaper
to customize). Plus, anyone who wants to do business with the DoD, and
fairly large chunks of other areas of the government, has had to at least
grudgingly support them for some years now; so it’s vastly easier to find a
vendor who can work with you if you are using ‘normal’ PIV/CAC hardware.
Even just moving the contacts around would make you incompatible with
basically all cardreader hardware; and futzing with protocols would involve
a new definition of pain and suffering, without obvious benefit.

The lack of visible contacts certainly doesn’t imply a passive plastic
card; but a bespoke RF design just for the Senate seems unlikely; and the
absence of contacts in the correct place means that it virtually certainly
isn’t a smartcard; so odds are either ‘just passive blank’ or ‘one of the
relatively short list of close-range RF flavors in common use’. Either way,
printed contacts that aren’t even metallic looking, much less conductive,
would provide maybe a second or two of decoy value against someone
inspecting a card. (Clearly they provided a much longer decoy window against
whoever was in charge of implementation, admittedly.)
