I didn’t mean to imply that they have a legal leg to stand on (though on reading my own words it isn’t exactly clear).
Surely, they could show anything they wanted as long as their advertisers and corporate brass went along with it. I’m just skeptical that those with financial sway don’t meddle with the content.
ETA: Tangent, point taken – those were good shows!
You’re assuming that the order of events is 1) conference call with industry, 2) Savage conspiracy comments, 3) RFID episode airs. Clearly, it is 1) conference call, 2) episode airs, 3) Savage conspiracy comments.
Or, you are misinterpreting my sentence in what I think is a pedantic way, insisting that when I said they "did eventually air the show on RFID," that I’m saying that they aired a show on RFID which Savage claimed they were blocked from airing. All I was saying was that they did air a show on RFID, the production of which Savage referenced in his comments.
Either way, we’re getting further away from the OP’s question.
I didn’t intend my list to be a comprehensive listing, but CNN and Time Magazine have covered security/privacy issues with RFID. There was a front page story in the Wall Street Journal in January (link requires subscription for full story).
I think there has been coverage, it’s just failed to gain traction.
I understood your comment to mean that (1) the (alleged) credit card industry lawyers did not stop Mythbusters from revealing the straight dope on their product; and (2) this is demonstrated by the fact that Mythbusters did in fact exhibit such a show.
However, it would seem that the show in question did not reveal anything at all about credit cards but instead discussed MRI issues. This would seem to undermine the evidence you seem to be citing. Indeed, it’s consistent with the hypothesis that Savage’s initial account is largely correct.
I have said repeatedly that they did not air such a show. That’s not what I meant to convey at all. What I meant to convey was that (1) was demonstrated by Savage’s subsequent comment retracting what he said on the YouTube video.
They aired a show where they implanted an RFID chip in Torry’s arm and gave her an MRI. This episode is what prompted the question from the audience member on the YouTube video. The only reason I mentioned that at all was because it’s documentary evidence of what Savage himself said in his retraction… that they did end up airing a segment on RFID technology, but not one that addressed the issue of RFID security in credit cards. His point was that in fact, the show decided to pursue a different angle after talking to the RFID experts, and that they weren’t forced to make that change as he had originally claimed.
Whether that’s true or not, only the folks in the room can say for sure. I’m just reporting what Savage himself said, and what the folks at Discovery and Texas Instruments said on the subject. This whole thing seems pretty absurd.
It’s also consistent with what Savage said in his original comments. So it seems to me that at best it’s not evidence one way or another.
Basically we have Savage first saying “X” and later saying “Y.” As you point out, it’s hard to say for sure which is correct. But as I noted earlier, my instinct is that the initial comments – made before his bosses had a chance to yell at him – are more likely to be closer to the truth.
In general in life, if somebody spontaneously says to me “I probably shouldn’t tell you this, but . . . .” and then goes on to say something embarrassing to himself or some institution he is affiliated with, but later retracts his comments after having had a chance to reflect, I’m usually more inclined to believe the initial comment.
I just saw Adam at the RSA Conference, and predictably, this question came up. He seemed physically pained, and said that what he’d said at Hackers On Planet Earth last year didn’t exactly fit in with Discovery’s somewhat more conservative leanings. His overall demeanor was that of someone who’d been told by The Boss to never discuss this again. I suspect we’ll never know the whole story until the day comes that the gag order expires or he’s no longer associated with Discovery and has nothing to lose.
The host handed him a packet of “initial research” that RSA had done on RFID. (Probably nothing that can’t be found at RSA’s website.) He then warned Adam about the mind-damaging cryptography described in the reports and said something like “Don’t try this at home. These people (points out at us) are experts.”
I’ll keep an eye out to see if anyone puts this up on YouTube.
I watched the RFID episode not too long ago. It’s silly. They put an RFID in Kari and put her in an MRI.
The kind of thing Savage refers to is the kind of thing you read about in 2600 magazine or in various security websites. Stuff like real working exploits, explanations of flaws, code, kits for sale, etc. There’s nothing like that in the Mythbusters episode. I imagine there’s a great deal of things they can’t do on that show because of potential advertiser reaction. Not sure why he complained about this, perhaps he was trying to win cred at HOPE and didn’t realize the legs this story would have.
I don’t see the big deal. Savage is an entertainer, not a security researcher. Better men than him have revealed quite a bit about RFID. He’s not censored by the government. If anything his Hollywood ego got a bruising it needed.
Regardless if the show aired or not, isn’t it always a good idea to expose security weaknesses? You know, so those securing whatever it is can improve on that security? If you have to go back to the drawing board, that is a good thing. If you don’t want to do that, your security WILL eventually get cracked, and then it will be too late.
This is an interesting point to me living in the UK. We have like you, freedom of expression, press - yet I believe it is now an offence to own publications like ‘CIA Improvised Bomb Making’, despite the fact we might never have the means or intention of ever constructing an explosive device. Yet your First Amendment Rights permit the publication of such information, with the attached disclaimer ‘For Reference Purposes Only.’
Indeed you can go on Y/tube and see devices being assembled and then shown working.
So why then would a broadcaster baulk at showing how a breathalyser or RFID Reader could be beaten?
Apologies if this was mentioned in any of the sites linked to in previous posts, but according to this report on Engadget from 2006, the RFID technology in Dutch Passports was cracked by postgrad students …
Dutch RFID e-passport cracked – US next?
by Thomas Ricker, posted Feb 3rd 2006 at 9:05AM
A Dutch television program “Nieuwslicht” recently worked with local security firm Riscure to successfully crack and decrypt a Dutch-prototype RFID passport. In this case, the data exchange between the RFID reader and passport was intercepted, stored, and then the password was cracked later in just 2 hours on a PC giving full access to the digitized fingerprint, photograph, and all other encrypted and plain text data on the RFID tag.
October 6th, 2008
RFID Smartcard Vulnerability Published, Allows Anyone To Crack It In Minutes Using Inexpensive Tools
Details about world’s most widely deployed radio frequency identification (RFID) smartcard vulnerability have finally been published Monday. RFID smartcards are used to control access to many transportation systems, military installations, and other restricted areas, and it can be cracked in a matter of minutes using inexpensive tools.
The first among the 2 papers about this issue was published by researchers from Radboud University in Nijmegen, Netherlands. It describes in detail how to clone cards that use the Mifare Classic. The chip is used widely throughout the world, including in London’s Oyster Card, Boston’s Charlie Card, and briefly by a new Dutch transit card.
But would it be possible to steal a compatible reader, or leak blueprints online, thereby allowing a criminal / terrorist group to deploy one, and hoover up data at a bank, airport, etc.?
You can buy compatible readers. The readers can’t access encoded data though. The reader needs software behind it that knows how to access a particular segment of data.
The cards are split up into multiple segments that are leased out (like how they license certain frequencies to radio stations), and only the person who leased that segment has the encryption key to read/write to their section. You can have hundreds of different services all on the same card (if everyone has chosen to use FeliCa.)
The US passport has a foil cover which makes it more or less unreadable when it’s closed. Even if you knew my encryption code (hint: they are printed on the inside) you still can’t read the RFID data unless you’re very close to it and I have it open. 50cm max I think.
It’s not a perfect system, but no system ever is. Considering a determined party could take my password by just punching me in the face, well, what’s more encryption going to do then? Nothing. The advantage of RFID is that it can just be opened and scanned very quickly. The optical scanner will get the key and the RFID will get the 64kbyte payload.
This is just more neo-luddite paranoia. I’m old enough to remember when people said the same thing about:
Credit cards
Computer modems
Computerized Pharmacies
Debit Cards
Driver’s License with the barcode
Mostly agree with you, but from my POV identity theft isn’t the primary risk presented by RFID ID. The bigger problem is that the bearer of the ID has no access to the data encrypted on his card.
Before electronic ID becomes established I believe it’s crucial that citizens gain the effective right to access and challenge (if need be) the data encrypted on their cards.
To some degree the same holds true for any government held data regarding private individuals.
The card will, most likely, contain nothing more than an ID. That ID is then connected to relevant info like the name and address and stuff in a database stored centrally somewhere. Anything which stores all of the data in the card is nearly guaranteed to be improperly designed.