Disable PayPass or PayWave RFID with a light globe, a pen and a drill bit

I got a new credit card in the mail, and I noticed the PayPass logo in the top right corner.  I’m no fan of RFID, especially with so many documented weaknesses. Also troubling is the loss of two-factor authentication that we’ve had for decades in Australia; both Visa and Mastercard require only the presence of the card for EMV transactions under $100. I like my credit card; I don’t like that other people can spend my money with it.  I thought about trying to convince my bank to give me one that wasn’t PayPass enabled, but Mastercard won’t issue cards without PayPass, so it seems I need to make my new credit card compliant with my privacy and security policies.

Admittedly, all the exploits for RFID enabled cards seem to affect cards in the USA, whose banking system (as best I can tell) is run by a bunch of morons. I assume that the cards in Australia leak no information other than an identifying card number… but even that. RFID can allow unintended transactions, so I’d prefer my transactions to be intentional. I considered killing the whole chip in the microwave, but there’s a risk that would affect the mag-stripe.  You don’t need a radiographer to lend you an xray machine to locate the RFID antenna.  Turns out that a light globe is plenty bright enough to spot the antenna tracks, or the sun (if you can spot it at this time of year).

I lay my card on a horizontal compact fluorescent light globe, and look what I could see:

[Image: drill point marked on a credit card] Just drill out the point where the tracks narrow down, and the antenna is toast.

I dutifully marked the point where the antenna traces all converged on the one location, then drilled that point out with a hole made with a 3mm drill bit.  I took it off to my local Kmart, and it worked.  However, it failed at the Coles, and every subsequent retailer (dozens) I’ve tried using it.  Apart from that one Kmart (others haven’t worked) the PayPass functionality is now turned off.

I’ll update here if I make additional modifications that are successful.

Summer 2014 ends

Four days before the start of Winter, I’ve declared the end (our second) Summer:

Wednesday 28 May              Max 18    Shower or two.
Thursday  29 May    Min 10    Max 19    Partly cloudy.
Friday    30 May    Min 10    Max 19    Partly cloudy.
Saturday  31 May    Min 10    Max 19    A little rain developing.
Sunday     1 June   Min 10    Max 17    A few showers.
Monday     2 June   Min 12    Max 17    Shower or two.
Tuesday    3 June   Min 10    Max 18    Morning shower or two.

Tap and Go causes crime: duh

Ken Lay says that in the last year in Victoria, 11500 extra crimes caused by Tap and Go cards have meant that the crime rate in Victoria has gone up (5%) rather than down.  These additional “crimes of deception” are apparently tying up police.

It’s slack. Totally slack. There’s no control over it. And what are we finding? There’s been a huge spike in different offences committed to facilitate it; cars being broken into, mail stolen, handbags grabbed, purely because of industry introducing a new practice without any regard to security.

We have taken the view we should be taking on industry over this because our concern is they’ve introduced new practices with no regard to the implications on security and there’s no prevention measures, which is at times bogging down our members in work and time that could be better spent on some really serious type of investigations or responding to critical issues.

Assistant Commissioner Stephen Fontana

And the ABA says “no ways!” and says that dollar value of fraud is down since chip-in-card (neglecting that this isn’t about that) but allowing that losses following theft are up 35% (to only $20m/year).  And ignores all the crime that would be associated with obtaining the cards.


Unless it’s a transient, unrepeatable hardware fault, it’s not a glitch – it’s a bug. Glitch makes it sound like it’s nobody’s fault. And glitches don’t stop all banking transactions for a number of days, that’s a top-to-bottom fuck up – or bug, take your pick.

And for that matter, if legal restrictions prevent parties from being identified, it’s “mustn’t be named”, not can’t.

Summer 2014 starts

Given recent events pointed out by DavidC, I declare Summer 2014 has started. Our traditional, mid-year Summer.

Wednesday 14 May    Min 10    Max 21    Mostly sunny.
Thursday  15 May    Min 13    Max 22    Partly cloudy.
Friday    16 May    Min 14    Max 22    Mostly sunny.
Saturday  17 May    Min 13    Max 22    Mostly sunny.
Sunday    18 May    Min 12    Max 21    Partly cloudy.
Monday    19 May    Min 12    Max 21    Sunny.
Tuesday   20 May    Min 14    Max 21    Partly cloudy.

Good thing you guys voted in that Abbott government.

The upside of climate change is that I get to paint the house this week. Two weeks before the start of Winter.

Political donations are not the problem

Corrupt politicians have recently been in the Australian news.

It has been observed that money, in the form of political donations, is a corrupting influence. This causes hand-wringing, as banning donations is considered to hinder the freedom of political expression.

As a response to this demand for cash to finance political expression, suggestions are made that private funding of politics be replaced by public funding – basically an increase on the funding which parties already receive (something of the order of $2.48 per primary vote in lower house seats in the last federal election, for example). This grates those with a strong dislike of politicians and the political process. In addition, the current funding model of retrospective funding (based on votes received) disenfranchises new political views – it locks in the existing players by funding them, allowing them to campaign for votes that will fund them; those outside the system will not be able to break in.

To allow new entrants into the political system to be funded on an equitable basis, some kind of on-going polling could be done and a funding stream allocated on proportionate support in non-electoral polls.

However, switching to purely taxpayer-funded funding isn’t necessary, even if in effect the tax-deductibility of political donations makes them taxpayer subsidised.

Political donations are not the problem; the problem is that donors can be identified by the political party and an expectation of quid pro quo is raised. Beyond that, large donations from a single donor are also a problem – even if political party donations were anonymised and repudiable, the donation’s existence could be inferred from the velocity of money flowing out of any anonymising system.

Let’s say you’re trying to run a corrupt political party under an anonymised donation system. Someone comes to you and says “I will give your corrupt party $10m, and I expect you to make this corrupt thing happen.” They’d then donate the $10m, and their donation would be pooled along with the hundreds of other donations made to the party. The Donor Anonymising Service (DAS) would then hand over a certain amount of money to the party, but it would not be $10m. It would be the stipend that the party had requested from the DAS, along with advice that the current amount held in reserve is enough to last at least X days, where X was the same number (give or take a couple of days) as it was yesterday. You don’t know if the $10m donation was actually made; all your party knows is that it’s got enough money to last X+2 days. You could up the rate of the stipend, but the DAS would scale back the reported window so that no extra information is revealed by the reported minimum duration the reserves will last. You’d limit the rate and number of times the stipend could be changed to discourage probing. Naturally, it would be illegal to make a political party aware of a donation or its amount.

Of course, then you have all the fun and games associated with loaning money to political parties, and with corrupt administration of a Donor Anonymising Service, but you get the gist of where we could go with this idea.
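To make the DAS idea concrete, here is a toy simulation added to this post (it is not part of the original, and the specific reporting rule is my assumption rather than anything the post specifies): the party only ever sees the stipend it was paid and an “at least N days” figure, and that figure is clamped to a fixed horizon, so a $10m donation landing in an already healthy reserve produces exactly the same report as no donation at all. Stipend changes are rate-limited per reporting period, as the post suggests, to discourage probing. The donation amounts are constructed sample values.

```python
# Added example (not part of the original post): a toy Donor Anonymising
# Service (DAS) as sketched above. The party only ever sees (stipend, days),
# and the reported days are clamped to a fixed horizon so that a large
# donation landing in a well-funded reserve changes nothing the party can
# observe. The clamping rule and the rate limit are assumptions of this example.

HORIZON_DAYS = 365        # largest reserve window ever reported (assumed)
MAX_STIPEND_CHANGES = 1   # stipend changes allowed per reporting period (assumed)


class DonorAnonymisingService(object):
    def __init__(self, stipend):
        self.reserve = 0
        self.stipend = stipend
        self.changes_this_period = 0

    def donate(self, amount):
        """Donors deal only with the DAS; the party is never told who gave or how much."""
        if amount <= 0:
            raise ValueError("donation must be positive")
        self.reserve += amount

    def set_stipend(self, stipend):
        """The party may request a different stipend, but only rarely, to discourage probing."""
        if stipend <= 0:
            raise ValueError("stipend must be positive")
        if self.changes_this_period >= MAX_STIPEND_CHANGES:
            raise ValueError("stipend change rate exceeded")
        self.changes_this_period += 1
        self.stipend = stipend

    def report(self):
        """One day's hand-over: returns (amount paid, 'at least N days' of reserve left)."""
        paid = min(self.stipend, self.reserve)
        self.reserve -= paid
        days = self.reserve // self.stipend
        self.changes_this_period = 0   # a new reporting period starts after each hand-over
        # Saturate: every reserve above HORIZON_DAYS * stipend looks identical to the party.
        return paid, min(days, HORIZON_DAYS)


def party_view(donations, stipend):
    """Constructed scenario: what the party sees after a day's donations and one hand-over."""
    das = DonorAnonymisingService(stipend)
    for amount in donations:
        das.donate(amount)
    return das.report()


if __name__ == "__main__":
    ordinary = [25000] * 1200                      # $30m of ordinary donations (constructed)
    print(party_view(ordinary, 50000))             # (50000, 365)
    print(party_view(ordinary + [10000000], 50000))  # (50000, 365): the $10m is invisible
```

The weakness the post already notes survives in the toy: the saturation only hides donations while the reserve exceeds the horizon, and a party could still infer something from a thin reserve, which is why the stipend change rate is limited.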

BASIC turns 50

The BASIC programming language turned 50 on Thursday.

This Time article is a great read — and notes the importance of the language on getting school students programming.

What’s the equivalent today? The Raspberry Pi is helping make hardware affordable. Some might dabble in Visual Basic or C# via Visual Studio Express, or many of the other freely available languages such as Python, PHP, Javascript… or here’s another way of looking at it, from Jeff Atwood:

The poor are failed by the loss of obsolete medical procedures

The following rant comes courtesy of a speaker to a group of volunteer developers working on OpenMRS, who recounted her experiences of volunteering as a doctor in India.

Naturally, when you go under the knife for a surgical procedure, you’d want the surgeon using the latest, most advanced techniques, as demonstrated by empirical evidence.  Health systems want the surgeons to use the most efficient technique, expressed in positive outcomes per money spent.  You’d expect that in today’s world, you’d get one of the two, or perhaps somewhere in between.

Say that the latest technique uses robo-surgeons. Let’s call that technique Z.  It was pioneered in a university teaching hospital at enormous cost, because they’d never built one before; there’s no commercial provider of the equipment yet, so technique Z hasn’t percolated to wider practice.  Most other hospitals use techniques X or Y, one requiring more, highly trained staff, and the other requiring fewer staff but a couple of expensive pieces of equipment. Techniques X and Y are variations on T, U, V and W, some of which date back to the early sixties, and stem off from technique S.  If you look at textbooks, S is mentioned by name, and T, U, V and W have one- or two-sentence descriptions because while major leaps forward at the time, they’re now obsolete in the era of X and Y.  The medical textbooks describe how to do X and Y in detail.

In developing countries, you don’t have either the many staff, the highly trained staff or the expensive pieces of equipment.  U, V and W are all unavailable because of this. T uses equipment that can’t even be procured any more and certainly isn’t lying around waiting to assist with surgery now.

The developing world needs medical and surgical texts that don’t demand powerful diagnostic tools, expensive equipment or highly specialized staff.  A competent surgeon can do their work without any of these; they’ll get worse expected outcomes, but those outcomes will be better than inaction.  There are no textbooks currently available to instruct a surgeon with limited resources.  Even battlefield surgeons expect to stabilize their patient and ship them off to much better hospitals.

The ongoing progress in medicine is leaving behind the poorest and most vulnerable on our planet; our indifference to the preservation of these old methods is affecting us now, in ways I would never have guessed at.

Summer 2013/2014 ends

The seven-day forecast for Melbourne makes today the last day of Summer:

Wednesday                    Max 16    Showers mainly this morning.
Thursday  1 May    Min 7     Max 18    Partly cloudy.
Friday    2 May    Min 11    Max 15    Rain at times.
Saturday  3 May    Min 8     Max 14    Shower or two.
Sunday    4 May    Min 10    Max 15    Shower or two.
Monday    5 May    Min 11    Max 16    Shower or two.
Tuesday   6 May    Min 10    Max 15    Mostly dry.

Of course, Summer persists while any temperature in a week is 20 degrees or above.

Programmatically create Django security groups

Django authentication has security roles and CRUD permissions baked in from the get-go, but there’s a glaring omission: those roles, or Groups, are expected to be loaded by some competent administrator post-installation.  Groups are an excellent method of assigning access control to broad roles, but they don’t seem to be a first-class concept in Django.

It seems that you can kind-of save these values in by doing an export and creating a fixture, which will automatically re-load at install time, but that’s not terribly explicit – not compared to code. And I’m not even sure if it will work.  So here’s my solution to programmatically creating Django Groups.

management.py, which is created in the same directory as your models.py and is automatically run during python manage.py syncdb:

from __future__ import print_function  # print() works the same on Python 2 and 3
from django.db.models import signals
from django.contrib.auth.models import Group, Permission
from . import models

myappname_group_permissions = {
  "Cinema Manager": [
    "delete_ticket",         # for sales reversals
    "add_creditcard_charge", # for sales reversals
  ],
  "Ticket Seller": [
    # permission codenames elided in the original post
  ],
  "Cleaner": [ # cleaners need to record their work
    # permission codenames elided in the original post
  ],
}

def create_user_groups(app, created_models, verbosity, **kwargs):
  """post_syncdb handler: create each group and attach its permissions by codename."""
  if verbosity > 0:
    print("Initialising data post_syncdb")
  for group in myappname_group_permissions:
    role, created = Group.objects.get_or_create(name=group)
    if verbosity > 1 and created:
      print('Creating group', group)
    for perm in myappname_group_permissions[group]:
      if verbosity > 1:
        print('Permitting', group, 'to', perm)
      # The codename must already exist: either the <action>_<model> permission
      # Django generated for the model, or one declared in the model's Meta.permissions.
      role.permissions.add(Permission.objects.get(codename=perm))

signals.post_syncdb.connect(
  create_user_groups,
  sender=models, # only run once the models are created
  dispatch_uid='myappname.models.create_user_groups', # only needs to be universally unique; you could also mash the keyboard
)

And that’s it. Naturally, if the appropriate action_model permissions don’t exist there’s going to be trouble.  The code says: After syncdb is run on the models, call create_user_groups.
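Since the handler above looks permissions up by codename, the trouble mentioned here shows up as a failed lookup at syncdb time. The following check, added here and not part of the original post, catches that before syncdb runs: it rebuilds the codenames Django auto-generates for a list of models (add, change and delete, each followed by the lowercased model name; the view action only exists from Django 2.1 and is not assumed) plus any custom codenames declared in Meta.permissions, and reports every group entry that matches none of them. It needs no Django installed; the cinema models and the mapping are constructed for illustration.

```python
# Added example (not from the original post): validate a group -> permission
# mapping offline, before syncdb, so that Permission.objects.get(codename=...)
# in the post_syncdb handler cannot fail on a codename Django never created.
# The cinema models and the mapping below are constructed for illustration.

# Actions Django auto-generates a permission for, per model.
# ("view" was added in Django 2.1, so it is not assumed here.)
DEFAULT_ACTIONS = ("add", "change", "delete")


def expected_codenames(model_names, custom=(), actions=DEFAULT_ACTIONS):
    """Codenames Django creates for each model (<action>_<lowercased model name>),
    plus any custom codenames declared in a model's Meta.permissions."""
    names = set("%s_%s" % (action, model.lower())
                for model in model_names for action in actions)
    names.update(custom)
    return names


def check_group_permissions(mapping, model_names, custom=()):
    """Return {group: [unknown codenames]} for every codename the handler
    would fail to look up; an empty dict means the mapping is safe to load."""
    known = expected_codenames(model_names, custom)
    problems = {}
    for group, perms in mapping.items():
        unknown = sorted(p for p in perms if p not in known)
        if unknown:
            problems[group] = unknown
    return problems


# Constructed sample app: three models, one custom permission declared on Ticket.
CINEMA_MODELS = ["Ticket", "CreditCardCharge", "CleaningLog"]
CINEMA_CUSTOM = ["refund_ticket"]

GROUP_PERMISSIONS = {
    "Cinema Manager": ["delete_ticket", "add_creditcardcharge", "refund_ticket"],
    "Ticket Seller": ["add_ticket", "add_creditcardcharge"],
    # The model is CreditCardCharge, so "add_creditcard_charge" was never generated.
    "Cleaner": ["add_cleaninglog", "add_creditcard_charge"],
}

if __name__ == "__main__":
    problems = check_group_permissions(GROUP_PERMISSIONS, CINEMA_MODELS, CINEMA_CUSTOM)
    for group, missing in sorted(problems.items()):
        print("%s: unknown permission codenames %s" % (group, ", ".join(missing)))
```

Run it as a unit test or a pre-deployment check; it also makes the mapping easy to review for least privilege, since every group's codenames are listed in one place rather than clicked together in the admin.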