On Thursday 07 August 2003 12:03, Jim Rees wrote: > The Funcard is not a smartcard. The Funcard is not a smartcard. The > Funcard is not a smartcard.
Oh..? Hrm. Isn't the funcard listed at the following URL an embedded AT90S8515(a) with an added memory chip? http://www.mbsks.franken.de/sosse/html/index.html If so, then the AT90S8515 has a number of lock bits that can be set to prevent further modification of the flash ram. Reverse engineering the AT90S8515 is possible, but someone with the resources to do it could break through most of the standard smartcards with similar ease anyway. Mr. Kuhn describes some methods that include acids and physical probes here: http://www.cl.cam.ac.uk/~mgk25/tamper.html ...and elsewhere on his site too. My application isn't as sinister as stealing whatever programming DirecTV thinks is so hot--instead, I intend to build a smartcard-assisted application to communicate securely between two people. I've already begun work on the software application. Now I'm just hungrily awaiting some hardware devkits I ordered. (I'm hoping to sell this machine/software combo to some local companies who are too paranoid for their own good. :) > You can use it to debug and test your smartcard applications, but it > does not have the tamper resistance of a real smartcard. The whole > point of carrying a smartcard is that if someone steals it, they > can't extract the keys, and they can't use it without a PIN. The > Funcard is just a small computer with a 7816 interface and no more > tamper resistance than a Palmpilot. I thought the Atmels have lock bits.. I wonder whether they can be set through the smartcard contact interface or just a bootloader. > I have no opinions on Atmel programmers. I would choose the one that > has the best documentation and the best linux support. Beware of > programmers that come with a Windows app and nothing else. You can't > use a standard smartcard reader to program an Atmel chip. Would an exception to this be if the OS on the smartcard accepted arbitrary instructions to self-modify the smartcard's memory, or read arbitrary sections of it back out to the reader..? > As for the dangers of playing with smartcards, they are real. > DirecTV has apparently used customer lists of some of these > manufacturers to pick on people. Assuming you aren't stealing > service, you should be able to win in court, but it will cost you so > much to defend yourself that it won't really matter whether you "win" > or "lose." I'm not worried myself because I work for a University > research lab, but if you are on your own and don't have a legal > staff, you will have to assess the risk for yourself. Well, I'm in Canada so some, but not all risk is alleviated. In simpler cases, Canadian courts often award court costs to the defendant, and in *some* BC case law I've read, the judge even goes so far as to include costs for the defendant's lawyer (!) when it was obvious the plaintiff was fighting a losing battle and just being litigious jerks. University research labs are cool. Mmm... tunnelling electron microscopes.. :) _______________________________________________ Muscle mailing list [EMAIL PROTECTED] http://lists.musclecard.com/mailman/listinfo/muscle
