Boing Boing 

Hotel break-ins blamed on flaw in keycard system

Back in August, I blogged about a presentation at Black Hat, where a security researcher named Cody Brocious presented a paper on a vulnerability in hotel-door locks made by Onity, showing a method for opening many hotel-room locks with a simple, Arduino-based device.

Now comes the first reported case of a hotel-room break in using this technology "in the wild." A Hyatt in Houston's Galleria district was broken into using this method, according to the hotel, which had not replaced its locks even though it knew about the vulnerability.

In a statement sent to me, a White Lodging spokesperson says the company became aware of the vulnerability in its Onity locks in August, based on reading one of the stories I wrote about Brocious’s lock-hacking technique over the summer. But White Lodging says Onity only implemented a fix for that flaw in its locks after the September break-ins at the Houston Hyatt, around two months after I first alerted Onity to Brocious’s work.

Following those September incidents, White Lodging resorted to plugging the port at the bottom of its Onity locks with “epoxy putty,” according to the letter it sent to guests at its Houston location. The hotel company says it’s now working with Onity to put a more permanent solution in place, either plugging the locks’ ports or replacing their circuit board at every location it manages. “We sincerely regret that these thefts occurred, and hope that measures we have taken satisfy your concerns,” reads the letter to guests from White Lodging vice president Thomas Riegelman.

Security Flaw In Common Keycard Locks Exploited In String Of Hotel Room Break-Ins [Forbes/Andy Greenberg]

Texas student suspended for refusing RFID tracker


A student in San Antonio, TX, has been suspended from school for refusing wear a RFID tracking device on privacy and religious grounds (she believes the tracker is somehow related to the "Mark of the Beast"). The school's funding is based on student attendance, so they use prisoner-style trackers to follow students' movements. A judge has temporarily reversed the suspension.

The suspended student, sophomore Andrea Hernandez, was notified by the Northside Independent School District in San Antonio that she won’t be able to continue attending John Jay High School unless she wears the badge around her neck, which she has been refusing to do. The district said the girl, who objects on privacy and religious grounds, beginning Monday would have to attend another high school in the district that does not yet employ the RFID tags.

The Rutherford Institute said it would go to court and try to nullify the district’s decision. The institute said that the district’s stated purpose for the program — to enhance their coffers — is “fundamentally disturbing.”

“There is something fundamentally disturbing about this school district’s insistence on steamrolling students into complying with programs that have nothing whatsoever to do with academic priorities and everything to do with fattening school coffers,” said John Whitehead, the institute’s president.

Student Suspended for Refusing to Wear a School-Issued RFID Tracker [David Kravets/Wired]

San Antonio students and parents upset at mandatory radio-tracking snitch-tags

Chris Matyszczyk on CNet rounds up a variety of reports on the outrage over the schools in San Antonio, Texas, which have insisted that their students wear radio-tag trackers. The schools are using every conceivable technique for coercing their students into submitting to wearing the technology, which reminds me of the tracker anklets that paroled felons wear. For example, one student was told she couldn't cast a vote for homecoming queen unless she submitted to the tracking regime. The schools say that the students are being tracked to reduce truancy, which will make them money -- presumably by saving them on the cost of tracking and punishing students. The practice is old hat in Houston, where students have been chipped for some time.

What some might find truly beastly, though, is that his daughter, Andrea, claims that she was told by a teacher that without the ID badge, she couldn't vote for homecoming king and queen. At least that's what Catholic Online reports.

Some might find it odd that Hernandez also reportedly claimed that the school only wanted to co-operate with his feelings if he stopped publicly criticizing the tagging.

His daughter told The Alex Jones Channel that the tags don't make her feel safer.

"I feel completely unsafe knowing that this can be hacked by pedophiles and dangerous offenders," she said.

She added: "I walk home. Dangerous offenders can pick up on my signal."

For the record, I don't think that this is a very realistic fear. On the other hand, I think that there are very good reasons to want to enjoy the privacy of being un-tracked -- for example, the fundamental freedom of association is compromised if your snitch-tag tells the administration who you hang out with.

No homecoming queen vote if you don't wear RFID tag? (Thanks, Dave!)

Columbia Human Rights Law Review devotes entire issue to wrongfully executed Carlos DeLuna


The entire current issue of the Columbia Human Rights Law Review is given over to the tragic wrongful execution of Carlos DeLuna, an almost certainly innocent man who was murdered by the state of Texas on 8 December 1989. DeLuna's case is one where "everything that could go wrong did go wrong" in the words of Columbia law Professor James Liebman, who, with 12 students, wrote the 436-page issue. None of the evidence that would have exonerated DeLuna was considered by police or the prosecution, and the likely culprit, a man who was also named Carlos, and who was frequently mistaken for DeLuna, went free. It's a nightmarish account of a man whom the authorities "knew" to be guilty, who was killed despite his innocence. It's a chilling reminder where laws like the UK's stop-and-search rules (which allow police to stop and search without suspicion, if they "just know" there's something wrong) and the no-fly list (which allows for the arbitrary removal of the right to travel without any public airing of evidence or charge, when authorities "just know" you're not safe to fly) will inevitably end up.

From a Guardian story by Ed Pilkington:

From the moment of his arrest until the day of his death by lethal injection six years later, DeLuna consistently protested he was innocent. He went further – he said that though he hadn't committed the murder, he knew who had. He even named the culprit: a notoriously violent criminal called Carlos Hernandez.

The two Carloses were not just namesakes – or tocayos in Spanish, as referenced in the title of the Columbia book. They were the same height and weight, and looked so alike that they were sometimes mistaken for twins. When Carlos Hernandez's lawyer saw pictures of the two men, he confused one for the other, as did DeLuna's sister Rose.

At his 1983 trial, Carlos DeLuna told the jury that on the day of the murder he'd run into Hernandez, who he'd known for the previous five years. The two men, who both lived in the southern Texas town of Corpus Christi, stopped off at a bar. Hernandez went over to a gas station, the Shamrock, to buy something, and when he didn't return DeLuna went over to see what was going on.

DeLuna told the jury that he saw Hernandez inside the Shamrock wrestling with a woman behind the counter. DeLuna said he was afraid and started to run. He had his own police record for sexual assault – though he had never been known to possess or use a weapon – and he feared getting into trouble again.

The wrong Carlos: how Texas sent an innocent man to his death

Outstanding turntable performance of Drunk Trumpet

This 2008 Kid Koala turntable performance of "Drunk Trumpet" in San Antonio's Revolution Room isn't just a kick ass piece of music (though it is that), it's also some kind of awesome hand-ballet. I could watch this guy twiddle his fingers all day. It's also an existence proof of the innate superiority of a I-IV-V progression.

kid koala - drunk trumpet (via MeFi)