Just got out of a meeting with the VP and head of security at my work (who didn’t know what a HID prox card was). I’m being told my chips are a security risk. They don’t even understand the tech and somehow my chips are a bigger risk than all the smart phones. The guy asked where the chips were made, I tried to explain it’s the same chip in a cell phone but he wasn’t having it. I think the VP is trying to find out if they can make me take them out. I don’t want to risk my job but for f**ks sake, really, I’m a security risk because the chip is made in China and they think the Chinese can access it.
Explain RFID to them.
It’s passive, no one can access it remotely.
Everyone can access it locally.
Less risk because it can’t be lost etc.
Write a mail, post it here for us to help if you want.
You can get this sorted out!
Hahahah where the fuck do you work? I would be happy to have a chat with them if you think that could help.
If they do try and pull that line on you and try to make you remove them (which seems really unlikely to be legal!) try asking them where the chips in the cards they use are made? or probably 80% of the electronics they use!
Sounds like grounds for a lawsuit, and I’d make sure they know it
fixed that for you, cellphone implies transmission and tracking
They don’t have a leg to stand on in my opinion, especially when it’s pointed out that their badges use the exact chip (assuming T5577)
I’m just imagining explaining all the ways a HID prox is a broken system, for the purposes of a lawsuit, and then them trying to say you are a risk
Pretty sure NXP is Dutch (with a bit of yankee in there), not sure about manufacture of the chips though.
This may be a good video to show them, Keys vs Chips, but some security basics in there.
Read range, show them the Tastic Thief etc.
You could read somebody’s card from a much larger distance than an implant
You can’t lose your hand on the bus etc…
Just put together a good argument and like @Yeka said, post it here for us to critique.
Or better yet
TAKE AMAL UP ON HIS OFFER.
If you have ever watched one of his presentations, he is very charismatic and comes off very well, plus he has the knowledge to back it up and can answer / mitigate their arguments.
Often times, you don’t find these traits in one person
just like me!
I was thinking the same thing. It’s like most security, it only stops honest people.
Do make sure you keep us in the loop, kinda the first case of this I’ve heard about
Don’t want it to be a trend
Normally I’m not super into name dropping, but maybe you should so we know who we are dealing with
If not that, as much context to the job as possible
You could point out the security issue is how easy it was for you to clone your card to an implant.
That would be fun, imagine if someone off the street did it while borrowing a lighter from someone on their break…
Correct me if I’m wrong but we don’t even know if he’s currently cloned any work credentials
Sounds like they are concerned about the chips existence rather than the credentials they hold
That’s why he’s VP. If he had any skills, he’d be doing useful work further down the corporate chain.
More I think about this, the more it bugs me…
(I’m fully aware I have so much still to learn, so don’t think this comes from a place of superiority)
I would challenge this person to tell me what chip was in the work badges (still assuming employer even uses RFID as it’s not confirmed)
If they don’t know what microchips are in their badges, then they have no idea they are “secure”, in which case they need to STFU
And it would get you nowhere because he’s in a position of authority.
Meaning either you demonstrate that he doesn’t know what he’s talking about in private and he’ll just say “because I say so” and that’ll be the end of that, or you do that in public - in front of his own boss for example - and he’ll be out to get you.
Almost certainly, that person will not admit he’s wrong and apologize.
If you reach the level of telling me I have to have things removed from inside my body?
Yea, I’m either having legal representation when I meet with this person or recording the conversation, or getting it in writing
3/4 to let them know it’s not something worth pursuing, 1/4 for great stuff to present in the event of a lawsuit
And yea, maybe they try to retaliate against you, but depending on country you have levels of legal protection here
Recording is probably illegal - or at the very least, not admissible in court, if it comes to that.
As for representation, that’s what unions are for.
Depends on where you live, and how you play it
In my area, it’s one party, meaning as long as at least one person in the conversation knows it’s being recorded (you) then you are allowed
Additionally, you can apply a little bit of social engineering if you want to be able to have it on record to make it more admissible
Expectation of privacy is greatly reduced if it can be shown they should have known
Instead of saying
“I’m recording this conversation”
“I’m making a record of this conversation”
And then type notes on your phone while it records
I have a fairly cynical view of union helping in matters they don’t understand
Unions done right (e.g. Germany, Denmark, Sweden…) is one of the reasons why I moved to Europe. Americans don’t know what it is because they’ve never had it. I’ve been helped by unions in previous jobs in all kinds of matters, and it didn’t even turn nasty.
Of course it can go overboard, like in France or Belgium. Then it becomes stupid and counterproductive. But there’s a healthy middle ground between USia and France.
I fully agree there is, but not sure how much the ship can change course at the moment
It can’t. That’s why I fully recommend jumping it