RFID Passports Revisited

I've written about RFID and passports before, but have let most of the recent news about its interaction with the new biometric passport standards slip. But I can't pass up the latest tidbit.

The problem with RFID in general is that you can't make reasoned arguments against it without sounding like a kook that is afraid of black helicopters and mind probes. The thing is, that there really are some serious issues raised by the widespread adoption of RFID that simply are not possible if simpler (and cheaper, and more suited to the application) technologies like 2D barcode are used instead.

In short, the advantage of RFID is that the tag's information can be retrieved without the operator needing to actually see the tag. The disadvantage of RFID is that the tag's information can be retrieved without the operator needing to actually see the tag. But that actually isn't the reason for today's bit of ranting.

The ICAO is the agency of the UN that sets standards for passports, which are generally adopted by the member nations, including the US. The ICAO established a standard requiring that passports carry biometric information about the holder in addition to the usual date of birth, full name, and issuing country which is about all the information that passports classically carry.

Apparently, a typical bit of biometric info to include is an image of a fingerprint. Rather than storing an encoded hash of a matching print that would require a border checkpoint to use an equivalent (usually patented if not trade secret) technology to match a bearer's print, someone chose to store a simple image of the print. Since it is important to use as little space as possible to store the image, JPEG2000 is used to compress a photograph of the fingerprint. If you are going to store a fingerprint in a document with a hoped-for lifetime of 10 years, that is all reasonable.

Unfortunately, the makers of the passport readers all appear to have used JPEG2000 implementations that have some (or all) source code in common. In particular, there is a known bug in the JPEG2000 implementation that makes it vulnerable to a buffer overrun attack.

A determined individual demonstrated recently that he was able to use off-the-shelf technology to clone a copy of a passport's RFID chip. That is bad enough. But his latest revelation is worse: he was able to modify his cloned copy of a passport's otherwise valid RFID tag to include a fingerprint picture that exercises a known buffer overrun attack on JPEG2000. That tag has been demonstrated to crash every passport reader it has touched.

Today's attack is just a denial of service. The passport station would be crashed, and under normal conditions it could be restarted relatively easily and wouldn't crash again until another bad passport was brought through. (Of course the fiasco at LAX the other day involving 10000 people stuck on the tarmac outside of the customs barrier for as much as seven hours could be the result of that denial, especially if the official reaction to such a crash was institutionally stupid.)

But one of the better ways to inject code of the attacker's own choosing into a device is to carefully craft a buffer overrun attack so that rather than crashing the targeted system, it actually takes it over. At that point, you have code provided by an attacker running inside a passport terminal. These terminals are networked, and it is not inconceivable that such an attack could have effects that are both subtle and far reaching.... I'll let you fill in your own risks from that point.


Mooning Again

Since I last mentioned the Lua programming language in these pages, it has seen a surge in visibility. Yes, I know that is a coincidence, because I am pretty sure I don't have enough readers of my random musings to have had an effect.

But it is interesting to see that it has sustained its place in the TIOBE top 20 at the respectable position of #15 this month. Since TIOBE doesn't appear to keep an archive of each month's scoreboard, here is the list as of August, 2007:

Rank Language Ratings
1 Java 21.768%
2 C 15.699%
3 Visual Basic 10.646%
4 C++ 10.111%
5 PHP 9.696%
6 Perl 5.320%
7 C# 3.987%
8 Python 2.749%
9 JavaScript 2.575%
10 Ruby 1.906%
11 PL/SQL 1.833%
12 SAS 1.389%
13 D 1.251%
14 Delphi 1.222%
15 Lua 0.645%
16 COBOL 0.600%
17 ABAP 0.587%
18 Lisp/Scheme 0.585%
19 Transact-SQL 0.549%
20 Ada 0.537%

A couple of things struck me about this list of languages. One is the absence of FORTRAN despite the continued presence of COBOL and SQL, both more venerable. This month, FORTRAN is found down at #21, or just pushed out of the top 20. The presence of D in the ranking at 13 (D is the 13th letter for the numerologists in the audience) is amusing at least partly because Walter Bright, D's creator, is a friend of a friend. I am sad to see that Java continues to dominate, but heartened to notice that the C/C++ family if counted as one language would both push Java down a notch, and allow FORTRAN to return to the top 20.

The real surprise is Lua. A year ago, TIOBE had hardly heard of the language. Last December, Lua just slipped on to the top 50 list, at a position quite near to Objective-C (near and dear to Mac OSX developers--interestingly, Objective-C hasn't budged much at all since December, since it is sitting at #50 exactly today). Lua crossed into the top 20 list by landing at 18 in July, and clearly it is on track to improve its current standing again for September.

The full story on what the TIOBE index is calculated from is found here. In short, they run hand tuned queries against all the major search engines for each language, count the significant hits, and do a lot of statistics to arrive at the score for each language. The final ranking is then simply the list of languages sorted by their scores.

In case my biases aren't clear, Lua is my new favorite language especially when combined with just enough C to get the job done. The majority of my productive work is done in C, Lua, and Perl, with the occasional diversion to C++ and on rare occasions, Java. Although I have not personally used any of the .NET family, I firmly believe that .NET is to be preferred to Java any day.


And Now, in Cat News

Rory in 2002

I haven't written much in this space before about the cats that actually own my house and run my life. That is mostly because I have been more interested in technical topics or entertainment. The existence of cats and that they are in charge was generally not germane to either of those topics.

Lately, our oldest cat Rory (short for Rorschach for the perfect ink blot mark folded along his spine) has himself become the source of technical musing. He went lame, and the lameness developed into mild paralysis of his hindquarters. Concern for his health resulted in a trip to the vet, where attempts to cure the immediate problem revealed deeper problems and resulted in a lengthily stay. He returned home for a week, but has had further difficulties and had to return to professional care.

Because of these difficulties, we have had the opportunity to see more of the inside of a well-run veterinary hospital than we ever had before.

Some background might help here. All of our cats have been seeing the same vet since they were found and adopted. All three were originally strays that volunteered for the strenuous post of indoor cat with a small household staff to keep in order. Their vet is Dr. Sylvia Domotor who now operates Dr. Domotor's Animal House in Monrovia employing several other vets and a sizable staff. She has been their vet since well before she founded her own practice. The cats remained her patients because we have always approved of her handling of them. For that matter, we have had nothing but good experiences with all of her other vets and with the rest of her staff.

And as we go through these difficult times with Rory's health, we are touched again and again by their kindness and professionalism.