Australian Gov't Offers $560k Cryptographic Protocol For Free

mask.of.sanity writes "Australia's national welfare agency will release its 'unbreakable' AU$560,000 smart card identification protocol for free. The government agency wants other departments and commercial businesses to adopt the Protocol for Lightweight Authentication of ID (PLAID), which withstood three years of design and testing by Australian and American security agencies. The agency has one of Australia's most advanced physical and logical converged security systems: staff can access doors and computers with a single centrally-managed identity card, and user identities can be automatically updated as employees leave, are recruited or move to new departments. PLAID, which will be available soon, is to be used in the agency's incoming fleet of contact-less smartcards that are currently under trial by staff. It will replace existing identity cards that operate on PKI encryption."
  • by Sockatume ( 732728 ) on Wednesday April 29, 2009 @09:23AM (#27759017)
    Somehow that makes it more sinister than calling it "RAZORBAK" or "AOK JINGOSIM".
    • Re: (Score:3, Funny)

      by Sockatume ( 732728 )
      (I'm not saying that the encryption is sinister, just that after so many contrived fist-pumping acronyms in the past decade, it's creepy.)
    • Re: (Score:3, Funny)

      by Sockatume ( 732728 )
      Jingosim? Damn it.
  • by courtjester801 ( 1415457 ) on Wednesday April 29, 2009 @09:24AM (#27759035)
    Can it be referred to as the Former Lightweight Authentication of ID, or FLACID?
  • A little more info (Score:5, Informative)

    by explosivejared ( 1186049 ) * <hagan.jared@NOsPaM.gmail.com> on Wednesday April 29, 2009 @09:24AM (#27759037)
    Here is a briefing [74.125.47.132] on the PLAID 6 protocol with more specifics on the actual algorithms and cryptography in general involved. PDF link [secureidnews.com] if the first one doesn't work for you.
    • by TechyImmigrant ( 175943 ) * on Wednesday April 29, 2009 @09:59AM (#27759461) Homepage Journal

      The protocol looks unremarkable. They pass some entropy and IDs back and forth, using conventional standards based encryption and hash algorithms.

      Their problem is keeping the cards secure and they state clearly that they are using commercially available smart cards.

      There are secrets in the cards, an RSA private key and an AES master key. The bigger problem is keeping these secrets in the cards and distributing the keys to cards. The PLAID protocol has no bearing on these matters.

      • by swillden ( 191260 ) <shawn-ds@willden.org> on Wednesday April 29, 2009 @10:33AM (#27759863) Journal

        There are secrets in the cards, an RSA private key and an AES master key. The bigger problem is keeping these secrets in the cards and distributing the keys to cards. The PLAID protocol has no bearing on these matters.

        Which is fine, because those problems are easily solved.

        Commercially-available smart cards provide a rather high degree of security. Extracting keys from them isn't impossible (nothing is), but it is very difficult and expensive. I design high security systems for a living, and we have no concerns about the security of the cards themselves, because experience shows it's just not an issue.

        What we do focus on is the security of the issuance process, because that's where those keys get injected. That problem is also solvable, mainly by performing the key injection in secure facilities using highly secure devices (FIPS 140-2 level 4 certified hardware security modules). It's expensive and complex (from a management and process perspective, not a technical perspective), but a high degree of security is achievable.

        The protocol looks unremarkable. They pass some entropy and IDs back and forth, using conventional standards based encryption and hash algorithms.

        It is unremarkable, which is one of its most significant strengths. It's just a lighter-weight approach to the problem, one that can be implemented efficiently on current-generation hardware. Previously, PK authentication on smart cards was considered too slow to use for physical access control and other applications where sub-second authentication was required. Faster smart cards coupled with a lightweight authentication protocol mean that PK authentication can be completed reliably in as little as 200 ms. That's fast enough to use it for transit applications.

        • Yes.

        • Re: (Score:3, Insightful)

          by oldhack ( 1037484 )
          If it's so unremarkable, what makes it worth half million Australian dollars, then? Unremarkable patent, perhaps?
          • Developing and maintaining the security infrastructure (read: controlling people and the key issuance and management processes) is what costs tons of money with systems like this; the underlying technology is fairly simple.
          • Re: (Score:3, Insightful)

            by swillden ( 191260 )

            If it's so unremarkable, what makes it worth half million Australian dollars, then? Unremarkable patent, perhaps?

            How do you define the "worth" of a protocol?

            Secure protocols are hard to design because there are a lot of subtle errors that can be made. It takes a lot of work by a lot of smart people to make sure that none have been -- and it's even harder if the protocol breaks new ground.

            I suspect that the half-million figure is an estimate of how much has been put into the design and verification of the protocol. That's a goodly amount of work. Had the protocol been extremely novel, verifying it to the world's

          • That's probably just the cost to develop it. Doesn't seem like a bad deal... less than a million bucks to build a security system design that can be easily implemented and copied, yet remain secure?
      • by thsths ( 31372 )

        > Their problem is keeping the cards secure and they state clearly that they are using commercially available smart cards.

        The other problem is the use of an RFID interface. Unless you have a metal wallet, your card would be vulnerable to third party use as long as they can get close enough to your wallet. The normal readers can only bridge a few centimeters, but there is no reason why with proper signal amplification it should not work over a meter or more. Suddenly new attack scenarios become feasible t

        • You missed the bit about it performing strong mutual authentication. What third party attacks are you concerned about?

        • Re: (Score:3, Informative)

          by profplump ( 309017 )
          "Completely unnecessary" is a stretch at best -- contact-less interfaces have real benefits. The most obvious is a lack of contamination and corrosion, both on the card and the reader. Another is decreased read times, which allows you to use the cards in more places without increasing the level of annoyance.

          Not to mention the "new attack scenarios" do not include simple copying of the card UUID, so radio-based attacks would need to be interactive:
          1. Attacker camps out at door with radio equipment
          2. Attacker
          • Re: (Score:3, Insightful)

            by PitaBred ( 632671 )
            Hell, if you're really worried, make an "airlock" gate, where the outside door is free to open, but it is built like a faraday cage for the frequencies used, and the reader is inside that.
      • by owlstead ( 636356 ) on Wednesday April 29, 2009 @02:32PM (#27763129)

        The protocol looks unremarkable. They pass some entropy and IDs back and forth, using conventional standards based encryption and hash algorithms.

        That's a good thing.

        Their problem is keeping the cards secure and they state clearly that they are using commercially available smart cards.

        Which is also a good thing, as long as these cards have been analyzed well. I would be worried if they were using cards with "military grade" security meaning that they were only analyzed by few, without any standardized security level like FIPS or CC.

        There are secrets in the cards, an RSA private key and an AES master key. The bigger problem is keeping these secrets in the cards and distributing the keys to cards. The PLAID protocol has no bearing on these matters.

        Sorry, but you are wrong on both matters.

        The RSA private key and AES master keys are not on the card. It contains the RSA public key and the AES derived key (one that is specific to the card).

        There are many interesting things about this protocol. Let's have a list so I can get a few mod points on this old discussion:

        • No ID before authentication (card ID is encrypted with public RSA key, standard RSA encryption uses random padding)
        • No RSA private key encryption for the authentication (vulnerable to attack)
        • Uses standardized, up to date algorithms (SHA-1 is only used in a secure way as far as I can see)
        • Uses RSA public key on the card, which is *faster* than ECC because the public exponent will likely be small (010001h normally)

        Ok, for some disadvantages

        • Requires contact-less processor card with AES and hardware RSA support
        • Access is much slower than with AES only authentication
        • Time and power usage of RSA calculations may make it more difficult to do a successful authentication
        • Unremarkable (probably has been invented earlier)
        • Requires terminal that performs RSA private key encryption
        • Requires RSA private key to be present on reader side, key cannot be revoked
        • Still requires a single master key (hopefully it will never be leaked)

        All in all, this protocol is very interesting for mutual authentication. I'll have to look into it further (e.g. how much the private key needs to stay private).
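
The first bullet in the list above (card ID encrypted under the RSA public key with random padding) is what stops an eavesdropper from recognising the same card on repeated reads. The sketch below is an added illustration, not part of the original comment or of the PLAID specification; it assumes a toy RSA key built from two Mersenne primes, a constructed 8-byte card ID, and PKCS#1 v1.5 style padding as a stand-in, since the thread does not say which padding scheme PLAID specifies.

```python
import secrets

# Toy key from two known Mersenne primes (constructed for this demo only;
# far too small for real use -- the thread mentions RSA 1024 / RSA 1984).
P = 2**127 - 1
Q = 2**89 - 1
N = P * Q
E = 0x010001                        # the small public exponent named above
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent, held by the terminal
K = (N.bit_length() + 7) // 8       # modulus length in bytes (27 here)

CARD_ID = bytes.fromhex("0011223344556677")  # constructed sample ID


def _nonzero_random(n: int) -> bytes:
    """Return n random bytes, none of them zero (padding string PS)."""
    out = bytearray()
    while len(out) < n:
        b = secrets.token_bytes(1)
        if b != b"\x00":
            out += b
    return bytes(out)


def encrypt_textbook(card_id: bytes) -> int:
    """Deterministic RSA: the same ID always gives the same ciphertext."""
    return pow(int.from_bytes(card_id, "big"), E, N)


def encrypt_padded(card_id: bytes) -> int:
    """RSA with random padding: 00 02 || PS || 00 || ID, fresh PS each call."""
    ps_len = K - 3 - len(card_id)
    if ps_len < 8:
        raise ValueError("card ID too long for this modulus")
    em = b"\x00\x02" + _nonzero_random(ps_len) + b"\x00" + card_id
    return pow(int.from_bytes(em, "big"), E, N)


def decrypt_padded(ciphertext: int) -> bytes:
    """Terminal side: strip the padding and recover the card ID.

    A production implementation must not let callers distinguish padding
    failures from other errors; use a vetted library rather than this demo.
    """
    em = pow(ciphertext, D, N).to_bytes(K, "big")
    sep = em.find(b"\x00", 2)
    if em[:2] != b"\x00\x02" or sep < 10:
        raise ValueError("decryption failed")
    return em[sep + 1:]


def observer_can_link(encrypt, card_id: bytes, taps: int = 5) -> bool:
    """True if a passive listener sees a repeated ciphertext across reads."""
    seen = {encrypt(card_id) for _ in range(taps)}
    return len(seen) < taps


if __name__ == "__main__":
    print("textbook RSA linkable:", observer_can_link(encrypt_textbook, CARD_ID))
    print("padded RSA linkable:  ", observer_can_link(encrypt_padded, CARD_ID))
    print("terminal recovers ID: ",
          decrypt_padded(encrypt_padded(CARD_ID)) == CARD_ID)
```

Without the random padding the ciphertext itself would act as a stable identifier for the card, even though the ID is never sent in the clear.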

    • by Anonymous Coward

      While some crypto protocols are capable of ludicrous speed, this protocol can go plaid.

  • PLACID (Score:5, Funny)

    by ajlitt ( 19055 ) on Wednesday April 29, 2009 @09:25AM (#27759051)

    That's a much better acronym than the originally proposed Protocol for Automated National Identification and Control.

  • Yeah Right... (Score:5, Insightful)

    by Frosty Piss ( 770223 ) on Wednesday April 29, 2009 @09:35AM (#27759175)
    Given Australian government's views on privacy, I wonder when the back door will be discouvered? Or is looking for it against the law?
    • Re:Yeah Right... (Score:4, Informative)

      by swillden ( 191260 ) <shawn-ds@willden.org> on Wednesday April 29, 2009 @10:37AM (#27759915) Journal

      Given Australian government's views on privacy, I wonder when the back door will be discouvered? Or is looking for it against the law?

      Look at the protocol. It's so simple that there's virtually no way for a back door to exist.

      Implementations can have back doors, of course, but that's a separate issue.

      • In this particular case the risk of a backdoor is going to be in the hardware. That is, the smartcard itself. You can't easily look in there and see what's going on.

        Their specification indicates they are using Java Cards and most if not all Java Cards do in fact have a backdoor if you know the keys. Often these keys are embedded in the card's firmware and can't be changed. They are designed to allow easy mass production and personalization and are generally only available to the manufacturer (or I assum

        • Re:Yeah Right... (Score:4, Interesting)

          by swillden ( 191260 ) <shawn-ds@willden.org> on Wednesday April 29, 2009 @01:16PM (#27762139) Journal

          Well, these are off-the-shelf cards, so if there are back doors, they're already there. That has nothing to do with this protocol.

          Also, it's not really accurate to say that Javacards have a "back door if you know the keys". They're delivered from the manufacturer with an initial key set, which is generally swapped out for new, randomly-generated keys by the card issuer. The card issuer knows those keys and can use them to install and remove applets and what not. The card issuer is the true owner of the card, and has complete control over it, because they know the keys. That's not so much a "back door" as the reality that the card holder is generally not the one that owns the card.

    • I wounder when you'll discouver you doun't need to insert extra "u"'s after every "o".

    • by Speare ( 84249 )
      As any Scot will tell you, if you adopt PLAID to protect your secrets, your backdoor is wiiiide open.
  • Mmmh (Score:5, Insightful)

    by Britz ( 170620 ) on Wednesday April 29, 2009 @09:36AM (#27759179)

    "Here, have my lock and key. Nobody will be able to get into your home. Except, maybe, me :-)"

    • Re: (Score:3, Insightful)

      by MobyDisk ( 75490 )

      They aren't giving away the lock and key. They are giving away a design for locks and keys.

      • It was a very short comment. The idea is, that before anyone would like to use it the crypto-community should have a long and hard look at it.

        • Re: (Score:3, Insightful)

          by MobyDisk ( 75490 )

          From the summary:

          which withstood three years of design and testing by Australian and American security agencies.

          I took that to mean the crypto-community had a long hard look at it.

  • by 140Mandak262Jamuna ( 970587 ) on Wednesday April 29, 2009 @09:41AM (#27759253) Journal
    I am sure it will blend.
  • ... that must mean it's secure {\sarcasm}

    FTFA: Centrelink documents reported the hackers cannot break the PLAID protocol because it uses two cryptographic algorithms in its scrambling process in rapid succession - typically less than a quarter of a second - whereas other systems use a single algorithm.

  • by Lord Ender ( 156273 ) on Wednesday April 29, 2009 @09:46AM (#27759293) Homepage

    Imagine government IDs had contactless smart cards with certificates on them keyed to an ID database managed by the government (for revocation purposes and identity information). Now imagine contactless smart card readers were standard equipment in PCs.

    You would just need one card in your wallet to log you in to any computer or web site, make purchases, board planes or trains... anything! No more wasted effort on having a hundred weak authentication cards and passwords. You have one strong authentication method that can't be forged, or at least not without fantastically more effort than forging a check or credit card.

    Enormous economic and security benefit.

    • Re: (Score:3, Interesting)

      You would just need one card in your wallet to log you in to any computer or web site, make purchases, board planes or trains... anything! No more wasted effort on having a hundred weak authentication cards and passwords. You have one strong authentication method that can't be forged, or at least not without fantastically more effort than forging a check or credit card.

      Enormous economic and security benefit.

      Until you lose your wallet and the person who finds it has complete control to ruin every aspect of your life connected to said card... ...

      • by Burkin ( 1534829 ) on Wednesday April 29, 2009 @09:54AM (#27759393)

        Until you lose your wallet and the person who finds it has complete control to ruin every aspect of your life connected to said card... ...

        Yes, because clearly they would have no system to revoke lost cards.

        • Re: (Score:2, Funny)

          by Anonymous Coward

          "To revoke privileges to your lost card, please validate your identity by presenting your smart card"

        • Re: (Score:3, Interesting)

          by leonardluen ( 211265 )

          yes because the govt. has shown such wisdom in the past by making it easy to replace social security numbers

          • by profplump ( 309017 ) <zach-slashjunk@kotlarek.com> on Wednesday April 29, 2009 @12:01PM (#27761135)
            The government never issued SSN with the intent of being a universal identifier.
            • They have also never put a stop to it after the practice began

            • The government never issued SSN with the intent of being a universal identifier.

              Really? What would be the problem with that? Isn't that exactly what it's for?

              Also, there's nothing wrong, from a security standpoint, with issuing universal identifiers.

              For instance, on most online sites I have the "universal" identifier "jonaskoelker". No one seems to want to "steal" it from me, so in that sense it's universal (I can get it when-/whereever I want).

              The problem is that in most real-life security protocols, the conceptual "login form" has only a field for the username, and no password; or

          • [discussing key revocation] yes because the govt. has shown such wisdom in the past by making it easy to replace social security numbers

            The real failure is not the lack of revocation of SSNs.

            Consider this hypothetical security protocol for proving that you are who you claim: you tell them a name, an address and an SSN. The verifier looks up in the person database under your SSN and checks that your claimed name and address matches what the database says.

            You have to revoke your SSN after every single use, because otherwise the verifier can "prove" they're you.

            The real failure is in the "proving-I'm-me" protocol: it works by you revealing yo

      • Until you lose your wallet and the person who finds it has complete control to ruin every aspect of your life connected to said card... ..

        That's why we should embed them into peoples arms and if they start cutting those off, use their forehead!

        I read about this in some old archaic book somewhere.

        1) PKI systems have revocation, so you're wrong.

        2) A good PKI system would have an online photo database, so you're wrong unless the guy looked like you and you have not had your card revoked

    • Re: (Score:3, Interesting)

      by UberOogie ( 464002 )
      And now imagine that the system is compromised, and complete identity theft is available to anyone who can crack that one database.
      • And given the level of exposure a system like that could have (especially if it gets used as widely as the GP suggests) and the probability of a compromise gets increasingly large. Especially given how insanely "juicy" it would be, as a target.
      • by Burkin ( 1534829 )
        Because identity theft is so hard today considering, in the US for example, you can find pretty much all the pertinent information you need from public sources?
    • by drinkypoo ( 153816 ) <drink@hyperlogos.org> on Wednesday April 29, 2009 @09:54AM (#27759399) Homepage Journal

      Enormous economic and security benefit.

      Yes, for just $429.95 I will sell you a very nice mask and a programmable contactless identity chip. Enormous economic benefit to me, enormous security benefit to you. Well, it will benefit you in bypassing security, and framing someone for a crime anyway.

      You still need at minimum two-factor authentication to be secure, so you're still going to need a PIN for non-trivial uses. However, even non-trivial uses could be enough to get you into plenty of trouble.

      It's not hard to consolidate multiple usernames and passwords down to a single username and password. This is done for users through any number of freely available schemes. This is preferable to concentrating them down to a single system which, when corrupted (not "if") will permit virtually unlimited abuse. I do not believe that you are so helpless that you need government to assist you with password management. Therefore I submit that you are trolling. You could call it sarcasm if you had left any clues in your comment. Perhaps you used > rather than &amp; someplace?

      • Yes, for just $429.95 I will sell you a very nice mask and a programmable contactless identity chip

        That's rather expensive. Programmable contactless chips are available in engineering quantities for less than $10 and large quantities for less than $2.

        And what good does it do to have a chip? To fake someone's identity, what you need is their KEY so you can put it in a chip.

    • What if the host where I log in is compromised? Even if it could not do a man-in-the-middle attack because the session is secured from the smart card to the destination, it could intercept and pilot mouse and keyboard events and screen display so your bank withdrawal becomes 100$ to you and 900$ to the hacker.

      The trust put in the system and its centralized nature would turn any security breach into a nightmare.

      Besides, how much you trust your government with access to all your money and movement and online ac

      • I am referring to a strong authentication system. The government would have no control over bank accounts or anything like that. It would simply enable me to prove to my bank that I am me.

        None of the security issues you attempt to describe are unique to smartcard-based authentication systems.

    • Consolidating this to a single card would be utterly retarded, as it provides both the issuer (the government) and entities that you do business with far more information about you than they need to know, and it greatly increases the consequences when a card is compromised.

      On the other hand, having a standard authentication mechanism which was integrated into most computers would be very useful. Then when my bank issued me a pin-and-chip credit card, I would know that it worked with my computer as well as a

      • Consolidating this to a single card would be utterly retarded, as it provides both the issuer (the government) and entities that you do business with far more information about you than they need to know,

        No, you're wrong. It would provide only identity/authentication information. No more.

        • It would be difficult (not necessarily impossible, but hard) to allow verification of ID through government-controlled systems without either also allowing the government to tell when and where you are authenticating or being very difficult to revoke the card.
        • by pavon ( 30274 )

          It would provide only identity/authentication information.

          I don't think you realize how much information that is.

          Each transaction would authenticate me as Citizen X, rather than as card holder Y. Today all my purchases are made with a single use card number and shipped to a PO Box. If the authorities want to track me down using that, they can get a warrant and get the info from my credit company or the postal box company, but people I ordered from don't know or care who I am.

          The government would also have a record of everyone who checked the public key repository.

    • It is bad "hygiene" to combine ID with payment.

      It is better to have at least two types of cards. One for official ID - which should rarely leave my sight.

      And one for payment, which I could pass to someone else for a short time.

      So if something happens to the payment card or cert (damaged or lost), I can apply for another payment card.

      While waiting for a new payment card to be issued, I can still prove I am me, with my ID card.

      Putting that all on one card makes that hard.

      Currently, I take out my ID card from
  • by knifeyspooney ( 623953 ) on Wednesday April 29, 2009 @09:51AM (#27759353)
    ...which withstood three years of design and testing by Australian and American security agencies

    Anything that withstands three years of attempted government design must be robust indeed.
  • PLAID 6 Protocol (Score:4, Informative)

    by Anonymous Coward on Wednesday April 29, 2009 @09:52AM (#27759367)
    * Uses existing off-the-shelf symmetric and asymmetric crypto algorithms (SHA1, AES 256, RSA 1024, RSA 1984) tied together via the PLAID protocol
    - Note - Neither SHA256 nor ECC are used at this time because production cards are either not obtainable from all vendors nor do they achieve the required performance, (in spite of theoretical advantage of ECC)
    - Note - RSA 1984 is a trade off between performance and security, and ensuring the transaction fits in one APDU command.
    * Fast & simple - less than 1/2 second (400ms) and the Java Card - applet is extremely small (about 4 Kb)
    * Not clone-able, re-playable or subject to privacy or identity leakage
    * Same protocol can be used for PACS/LACS & contact/contactless
    * PIN can be verified when card-not-present by comparing PIN hash
    - Saves user having to hold contactless card to reader during typical PKI session
    * Mutual authentication Protocol
    * Algorithms used are commercially available on virtually all modern smartcards including Java Card, MULTOS, most SIMs and many proprietary cards
    * Algorithms and their selected key lengths have been tested on production cards and devices to ensure speeds are real, not theoretical

    * No IP issues - IP was developed solely by the Australian Government by its agency, Centrelink, and will be openly and freely licensed
    * Designed to be used either stand-alone or as a bootstrap into other specifications like Australian IMAGE, US PIV, ICAO Passports etc.
    * Supports multiple concurrent specs dependent on device request to card
    - i.e. Card could supply Wiegand number or CHUID or Centrelink CSIC or Passport MRZ etc etc dependent on use case
    * Supports multiple (256) key sets dependent on device request to card
    - i.e. there might be a "perimeter key set" and a "high security key set" and a "LACS key set" and an "administrative key set" etc etc and the terminal device only requests the one it requires, reducing the possibility of compromise of the others.
    - The key sets can be rolled, by loading spare unused key sets (up to 255) in case of compromise (memory is the limitation)
    * Optionally provides session keys for higher level specs
    * Protocol can be registered and implemented under ISO/IEC 24727-3 and 6, and either used under ISO/IEC 24727 or implemented separately

    However:
    Slightly slower than existing physical access Tag and proprietary solutions (by 0.2 to 0.3 seconds)
    - Keys MUST be distributed & managed
    * Vendors need to build key management for PLAID into existing or new key management systems. (Centrelink vendor is doing this for LACS)
    * PACS using older Wiegand technologies need secure SAM devices in the readers
    * Newer PACS can utilise back end HSM devices/SAMs on the network or in distribution frames
  • ...Protocol for Lightweight Authentication of ID (PLACID), which withstood three years of design and testing by...

    Withstood three years of design? What the blazes does that mean?

    Boss 0: Here is all the material we have on the PLACID system. I want you to design it.
    Agent X: Right away, Boss!

    ... three years later

    Agent X: Sorry Boss. Me and my team have been trying for three years. PLACID simply withstands all attempts at being designed.
    Boss 0: I was afraid of that. We'll have to release it to
  • Stories like this frequently conflate the smart card goings-on with the system functions.

    In this case, the newsy bit about the smart card is they apparently have a new protocol for authenticating from the smart card. For those that don't know, there are many kinds of smart cards including ones that have an operating system on-board. Their protocol is probably employed on top of the smart card OS. Yes, you too can write your own authentication protocol and use it on a smart card.

    The backend system appears

  • Spaceballs (Score:3, Funny)

    by GordonCopestake ( 941689 ) on Wednesday April 29, 2009 @10:00AM (#27759477) Journal
    Dark Helmet: Yes, we're gonna have to go right to ludicrous speed...
    Lonestar: It's Spaceball 1.
    Barf: They've gone to plaid! ...
  • It seems like the NSA and other intelligence agencies around the world have a real trust problem.

    On the one hand, they make some of their living out of breaking codes. And worse, as we saw with the NSA illegal wiretapping, they're not necessarily acting in legal ways or in the interests of the general public.

    So for that reason, we citizens have a good reason to distrust anything they say, especially large wooden statues of horses.

    On the other hand, the NSA et al also have a desire (we believe) to help the

  • by sakonofie ( 979872 ) on Wednesday April 29, 2009 @10:08AM (#27759599)
    I'm just waiting for the advertisement that says:

    I can't wait to get PLAID by the Australian government.

  • It is nice to see a little social responsibility out there. More people should read up and adopt similar business models such as Ben & Jerry's Ice Cream which is proof one can be both successful and socially responsible in business.
  • The problem is some people LIVE for challenges like this and it's an encryption method based off of other encryption methods. That means there is only 1 piece of the puzzle to figure out.

    My concern is that they (the government) suddenly say that all ID's must be tied to this and like several posts above... now someone who knows how to crack this and tag a specific person now has access to everything about them. Banking, health records etc...

    • First of all, it's a protocol, not an encryption method. The protocol is based on RSA and AES. If those are "broken" we have bigger problems to worry about as all internet encryption is based on these protocols.

      I'm not saying it is safe, but saying it will be broken because somebody will break the "encryption method" because it is out there, well, that's not in line with the current state of crypto-analysis.

  • They've gone to plaid!

  • Why don't I think the US or Aussie government (especially the Aussies, given their recent track record on civil liberties and disregarding privacy concerns of their citizens) would give away an "unbreakable" form of crypto?

    My feeling is that they must have a backdoor into this, and that makes me suspicious.

    It seems to me it might be more like "Here, use this, this is great encryption, nobody can crack it." Well, it may be unbreakable - but what if they have a master key or something?

    • by dave420 ( 699308 )
      What really doesn't jibe is your desire to make assertions completely undermined by the content of the article. But as this is slashdot, I guess it's to be expected.
    • First of all, this is a protocol using normal cryptographic primitives. They can't have a master key to this protocol. Normally you have back doors or master keys for devices not for protocols.

      Second of all, this is mainly about authentication of their own terminals, so yes, I would suppose they have the master key. In their scheme, it's called "Master ISK key" (probably master inspection system key).

      Third of all, they don't need to give away an unbreakable form of crypto, since none of the current, widely

  • Now that it has hit Slashdot I give it 6 months before it's blown apart. Nothing pisses a geek off more than being told "It Can't Be Done"

    There are very angry cave dwellers that since seeing this have now vowed to make it their EPIC QUEST to crack this thing open. Do not underestimate the power of the geek!

    POWER OF THE GEEK COMPELS YOU!
    POWER OF THE GEEK COMPELS YOU!

    THE SPIRIT OF THE WOZ COMPELS YOU!

    POWER OF THE GEEK COMPELS YOU!
    POWER OF THE GEEK COMPELS YOU!

    THE SPIRIT OF THE TORVALD COMMANDS YOU!

    POWER O

  • Should they really be calling it unbreakable? Isn't that essentially the same as asking to have it broken so some hacker can make a name for himself? Any good social-engineer could crack this thing in a few days flat, I'm sure. As /. posters love pointing out, even if the system were perfect its users ain't.
