
Comment Re:cryptobracelet (Score 1) 116

Oh, you also neglected to pay attention to how your proposal enables man-in-the-middle attacks. Again, you lack any verification by the user. All the bracelet knows is that they were presented with a valid signature. I'm making a purchase in Wal-Mart, but your plan doesn't actually verify it's Wal-Mart's certificate.

Comment Re:cryptobracelet (Score 1) 116

It's absolutely wrong that I am proposing a 'stealable' ID.

And I didn't say you were proposing a 'stealable' ID. I said I can read the code remotely. Which lets me charge you $20, just as if you were making a purchase.

See, your proposal failed to include any sort of verification by the bracelet-wearer that they wanted to make the purchase, or even verify the purchase amount.

Even if you do require something like a button press, standard location and equipment means I can push the button on your bracelet by "accidentally" bumping into you.

In other words, your proposal makes a modern version of "pickpocketing" not only possible, but extremely easy to do.

That said, I do think that groups like the NSA and FBI have been quite successful in keeping people (like Jeff4747) remarkably uneducated.

That's extremely amusing since you managed to completely fail to understand the problems I pointed out. You leapt to ID theft when I was talking about stealing plain-old money.

But good job pontificating with maximum hypocrisy.

Comment Re:cryptobracelet (Score 1) 116

Yeah, that's a terrible idea.

First, it's wireless, so I can "grab" your identity when you walk by. That'll be handy. It's even going to be strapped to a similar body part, so I can know exactly where to "accidentally" bump into you if it requires pushing a button to activate.

Second, you are transmitting the code through the purchase system. That's very handy, because I can just capture the code via your compromised PC.

"Two-factor" authentication systems work because the data does not flow through a single system. If my credit company texts me a one-time PIN to approve a purchase, you have to intercept both the purchase and the text message. The text message also lets me verify the purchase (Hey, the cash register says $23, but the text message says $475).

Third, it's a surveillance state dream come true.

You then bring up thought leaders, demonstrating that this is either sarcasm or massive stupidity.
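The out-of-band check described in the comment above, as an added example that is not part of the original post: the issuer binds a one-time PIN to the merchant and amount, and the customer compares the text message with the register before releasing the PIN. The `Issuer` class, `customer_review` function and message fields are hypothetical names chosen for illustration.

```python
import hmac
import secrets


class Issuer:
    """Hypothetical card issuer that approves purchases over a second channel."""

    def __init__(self):
        self._pending = {}  # txn_id -> (merchant, amount_cents, pin)

    def authorize(self, merchant, amount_cents):
        """Purchase channel asks for approval; the PIN leaves by text message only."""
        txn_id = secrets.token_hex(8)
        pin = f"{secrets.randbelow(10**6):06d}"
        self._pending[txn_id] = (merchant, amount_cents, pin)
        text = {"merchant": merchant, "amount_cents": amount_cents, "pin": pin}
        return txn_id, text  # txn_id returns to the register, text goes to the phone

    def settle(self, txn_id, merchant, amount_cents, pin):
        """Approve only the exact transaction the PIN was issued for, and only once."""
        record = self._pending.pop(txn_id, None)  # pop makes the PIN single-use
        if record is None:
            return False
        issued_merchant, issued_cents, issued_pin = record
        same_txn = (issued_merchant, issued_cents) == (merchant, amount_cents)
        return same_txn and hmac.compare_digest(issued_pin, pin)


def customer_review(text, register_merchant, register_cents):
    """Customer releases the PIN only if the text matches what the register shows."""
    shown = (register_merchant, register_cents)
    if (text["merchant"], text["amount_cents"]) != shown:
        return None
    return text["pin"]


def demo():
    """Constructed scenarios using the amounts from the comment ($23 and $475)."""
    issuer, results = Issuer(), {}
    txn, text = issuer.authorize("Wal-Mart", 2300)
    pin = customer_review(text, "Wal-Mart", 2300)
    results["honest"] = issuer.settle(txn, "Wal-Mart", 2300, pin)
    results["replay"] = issuer.settle(txn, "Wal-Mart", 2300, pin)
    # Register displays $23 while the request sent to the issuer is for $475.
    _, text2 = issuer.authorize("Wal-Mart", 47500)
    results["pin_released_on_mismatch"] = customer_review(text2, "Wal-Mart", 2300) is not None
    # A PIN issued for $23 is presented with a $475 settlement.
    txn3, text3 = issuer.authorize("Wal-Mart", 2300)
    results["amount_swapped"] = issuer.settle(txn3, "Wal-Mart", 47500, text3["pin"])
    return results
```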

Comment Re:The sentence must be proportional.. and all tha (Score 1) 230

Yes, facts like Manning was not sentenced to LIFE in prison, but for 35 years. And facts like Manning leaked far more documents than Petraeus did. And facts like her name is Chelsea Manning.

Yes, Petraeus's sentence was a joke. But when you're going to be harping on "facts", you kinda need to get yours correct.

As for this fine gentleman who just got sentenced, he's going to serve about 15 hours per victim (unless he gets paroled or other early release). Less than a day per crime doesn't seem unreasonable. If anything, it's rather light for extortion.

Comment Re:DOA (Score 1) 550

Not quite.

The vote has to be scheduled by the "rules" committee. Which more-or-less means the speaker can prevent any bill from reaching the floor of the House.

Theoretically, the way around this is a discharge petition - if a majority of House members sign the petition, it leaves committee and goes to the floor.

That almost never succeeds, because it requires members of the majority to say "fuck you" to their party leadership, resulting in losing committee assignments and other perks.

Comment Re:Hashes not useful (Score 1) 324

That's how it should be done, but that isn't necessarily how it always will be done. An executive hears that a simple device would let just anyone read their valuable firmware, and suddenly he wants to disable the interface unless you execute a super-secret command. And now your JTAG interface isn't raw hardware access.

Comment Re:We need hardware write-protect for firmware (Score 1) 324

power on, flash your firmware

From what? You saved it to some local storage, where it can be modified. For example, you saved it to your hard disk which you now are attempting to re-flash. But the hard disk was infected. It detects that you are writing a firmware image to the disk, and injects itself into the new firmware image.

Firmware malware is not a trivial undertaking. So we're talking about extremely extensive effort by people who can develop very sophisticated attacks. You can't expect that they would leave any "easy" way of removing the malware open.
