Cambridge university refuses to censor student's thesis on chip-and-PIN vulnerabilities

Cory Doctorow at 8:33 am Sat, Dec 25, 2010

After the UK banking trade association wrote to Cambridge university to have a student's master's thesis censored because it documented a well-known flaw in the chip-and-PIN system, Cambridge's Ross Anderson sent an extremely stiff note in reply:
Second, you seem to think that we might censor a student's thesis, which is lawful and already in the public domain, simply because a powerful interest finds it inconvenient. This shows a deep misconception of what universities are and how we work. Cambridge is the University of Erasmus, of Newton, and of Darwin; censoring writings that offend the powerful is offensive to our deepest values. Thus even though the decision to put the thesis online was Omar's, we have no choice but to back him. That would hold even if we did not agree with the material! Accordingly I have authorised the thesis to be issued as a Computer Laboratory Technical Report. This will make it easier for people to find and to cite, and will ensure that its presence on our web site is permanent....

...Fifth, you say 'Concern was expressed to us by the police that the student was allowed to falsify a transaction in a shop in Cambridge without first warning the merchant'. I fail to understand the basis for this. The banks in France had claimed (as you did) that their systems were secure; a French TV programme wished to discredit this claim (as Newsnight discredited yours); and I understand that Omar did a No-PIN transaction on the card of a French journalist with the journalist's consent and on camera. At no time was there any intent to commit fraud; the journalist's account was debited in due course in accordance with his mandate and the merchant was paid. It is perfectly clear that no transaction was falsified in any material sense. I would not consider such an experiment to require a reference to our ethics committee. By that time the Newsnight programme had appeared and the No-PIN attack was entirely in the public domain. The French television programme was clearly in the public interest, as it made it more difficult for banks in France to defraud their customers by claiming that their systems were secure when they were not.

You complain that our work may undermine public confidence in the payments system. What will support public confidence in the payments system is evidence that the banks are frank and honest in admitting its weaknesses when they are exposed, and diligent in effecting the necessary remedies. Your letter shows that, instead, your member banks do their lamentable best to deprecate the work of those outside their cosy club, and indeed to censor it.

A Merry Christmas to all Bankers

Letter to bankers (PDF)

(via /.)



MORE:  cryptography • Science


  • Anonymous

    Just to remind the grammarians out there, the treatment of collective plurals is one of the faultlines between AE and BE.

  • Anonymous

    Bravo!

  • Anonymous

    At no time was there any intent to commit fraud; the journalist’s account was debited in due course in accordance with his mandate and the merchant was paid. It is perfectly clear that no transaction was falsified in any material sense.

  • madfin

    To those still fighting the revolutionary war, may I suggest mota?

  • Anonymous

    Guys you all got manipulated by Cambridge’s PR. Can I read any argument that backs the bank’s point of view? Can I read the exact wordings of the letter the bank sent? Did they really ask the exploit to be “censored” or to just undisclose it until patched. Oh but I got to read again about that exploit and the people the great people who found it and yeah Newton and Darwin went to Cam so it must be a great school! Well done.

    Alex, PhD at Cambridge Uni

    • Tzctboin

      That you think that delaying disclosure is not a form of censorship is such an exercise of double-think and double-speak that it should be included in the next edition of that famous book I hope you may have read during your prestigious education.

      Tzctboin
      Computer Technician
      Technological College of Netzahualcoyotl City.

    • princeminski

      You may look in vain for any argument which supports the bank’s point of view because most people who come to this site are well aware that virtually any American institution of higher learning would break both kneecaps in its haste to fellate any bank or other corporate interest.

    • Anonymous

      You actually can read the letter the bank sent, but you have to want to do it enough to click through two links from this page. Hiding it so deeply is a cunning PR trick indeed.

  • Anonymous

    This is awesome. Cambridge, way to go!!

  • tylerkaraszewski

    That is awesome.

  • bryze

    Wow, Amazon.com should adopt the same policy towards meddling senators.

  • Anonymous

    @astrochimp
    “This is, of course, good, though keep in mind that Anderson is a tenured professor.”

    Since Thatcher’s magnificent reforms, there is no such thing as tenure in the UK.
    All contracts are renewed every few years, the only difference between junior and senior faculty is the salary, and the renewal period gradually getting a bit longer – but saturates at 3-4 years.
    But no worries, he won’t be sacked ;-).

    @ Anon @ 8:32/26.12

    I had a brief look at the thesis – all relevant information in it seems already published, so there is no real question of delayed publication.
    In 2008/2009 Ross Anderson & co. sent the information to banks, and after waiting for the industry to react for several months to a year for different parts, published it in 2009.
    They didn’t just go ahead and immediately publish material potentially problematic for payment systems – the banking association really has not much to complain about.

  • cameronh1403

    Nice…very nice. Glad to see some schools back their students no matter what. Here in the US, the school would cave and let the bank do whatever they wanted.

    • Anonymous

      That's because the US is run by corporations and the UK is not.

    • astrochimp

      This is, of course, good, though keep in mind that Anderson is a tenured professor. University administrators, often concerned more with the bottom line than with academic freedom, tend to roll over much more readily on such issues.

      • Matt J

        Tenure? No such thing here.

  • Anonymous

    “Hoping you enjoyed having your ass kicked as much as I enjoyed kicking it. Happy Holidays!

    Sincerely,

    Ross Anderson”

  • Baby Lamont

    BOOSH!!!

  • Ernunnos

    Boom! Headshot!

  • Anonymous

    “Cambridge is the University of … Darwin; censoring writings that offend the powerful is offensive to our deepest values.”

    Darwin censored himself for fear of offending the Church, and only published The Origin of Species when Wallace scooped him. Perhaps the University should censure him retroactively.

    • karl_jones

      Darwin censored himself for fear of offending the Church, and only published The Origin of Species when Wallace scooped him. Perhaps the University should censure him retroactively.

      No, the University should out him retroactively. Have the Advanced Physics department send back the time machine they’re going to invent next year.

      On a serious note: I cheered and applauded upon reading the University’s manifesto. Give ‘em hell!

  • daev

    tsk, tsk… grammar fail in the last displayed paragraph (I’d expect better from Cambridge, of all places).

    Good for them, anyways, for sticking to principle.

    • princeminski

      Were you joking when you used the term “anyways” in your “grammar fail” post?

  • Peter

    Great response, but missed opportunity.

    They could have had the letter read:
    “Attached is a letter we received on December 1st. I think you should be aware that some asshole is signing your name to very stupid letters.”

  • Nescio

    Daev – there is no “grammar fail” in the last displayed paragraph. The use of “is” and “are”, referring to the banking system and its weaknesses respectively, is correct. So is the use of “effecting”.

    • daev

      Daev – there is no “grammar fail” in the last displayed paragraph. The use of “is” and “are”, referring to the banking system and its weaknesses respectively, is correct. So is the use of “effecting”.

      “evidence that the banks are frank and honest in admitting its weaknesses when they are exposed”

      “its”? How about “their”? “Banks” being plural and all…

      • Anonymous

        “What will support public confidence in the payments system is evidence that the banks are frank and honest in admitting its weaknesses when they are exposed, and diligent in effecting the necessary remedies. ”

        “its” refers to “the payments system” – singular; “their” refers to “weaknesses” – plural. No error.

        ETA Sorry, I didn’t realise at first that you had already noted that yourself. Just my inner pedant demanding an airing!

  • john s. erickson, ph.d.

    This is a story that has been repeated in one form or another for almost two decades (and in the abstract, forever). The specifics vary — DRM, voting, ATM, energy, food production — but the theme is the same: Mr. Big in the Executive Suite compromises hard-core solutions in order to save costs and make their product easier for users, usually ignoring the advice of true experts, then whines when their “solutions” are cracked. Boo-Hoo.

    This is simply further evidence that corporate executives and politicians believe that “physics” (I’m broadly applying the term, to include the “physics” of cryptography, etc.) is an optional annoyance, that the Marketing mantra “perception is ALL there is” applies in all scenarios, and that by sheer will they can change reality. Boo-Hoo.

  • Anonymous

    When the Bridgestone Tire Company, of Japan, tried to block an American student’s Ph.D. thesis that Bridgestone objected to, at the University of Akron, in Ohio, the University of Akron backed the Ph.D. student.

    That is a rare instance of a University in America not caving into corporate pressures.

    George H. Morgan
    Professional Engineer
    Registered Patent Agent

  • Boondocker

    Absolutely wonderful to read this on Christmas. Finally, a spine.

  • hallam

    Ross does go off on these rants.

    If I was responsible for the security of a bank scheme that was broken, I would probably write to researchers to request that they don’t publish the details. Where the request is out of order is that the request was made to the University and not directly to the researcher. In other words they attempted to censor publication rather than politely request responsible disclosure.

    The Chip and Pin scheme has problems, but has significantly reduced card-present fraud. What I find rather unhelpful in Ross’ attacks is that he tends to imply that the consequence of the sloppy implementation is fraud when in practice it is merely going to mean that the banks are going to have to eventually bite the bullet and pay to replace the faulty cards and card readers.

    Quite why the banks did not hire someone competent to design the protocol is a mystery to me. There are plenty of competent designers in the business, the chip and pin protocols do not need to meet particularly complex requirements.

    It would be a shame if people were to conclude from Ross’ criticisms that it is impossible to design secure cryptographic protocols. This is clearly not the case. Ross has no doubt examined my own Internet and payment protocols, many others have, nobody has found issues to date. There are many other architects in the business who have a solid record doing that type of work.

    • bardfinn

      “Quite why the banks did not hire someone competent to design the protocol is a mystery to me.”

      They did not actually hire someone to design the protocol.

      A chip design firm chose to implement a protocol, the details of which were considered “top secret” to “protect the interests of our customers”, (read: security through obscurity), the chip and support systems were marketed to various institutions and industries for various uses, and some know-nothing MBA-degree-holding bank executive, sitting on (or chairing) an industry discussion panel, concerned solely with his annual bonus for making every quarter better than the last, brought up several possible “solutions” to their “leap forward initiative” on securing transactions, and (quite possibly with a variety of kickbacks and bribes) this particular system was shown as the most secure and least expensive (or equivalently secure and least expensive) solution, and the planning group (which contained absolutely no-one who possessed an EE, CS, or IT education) worked with the CIO’s (none of whom have any CS, EE, or IT educations — CIO’s of financial firms are MBAs / accountants / efficiency experts to a man) to set this system as an industry-wide standard in the country and to ensure that all legislation lobbying supported it and none opposed it.

      In short, the protocol was chosen — not because it was secure — but because it was a “win-win for our bottom line”. And as no-one involved in the decision to use it understood it, including the people designing it and marketing it, they could not know that it was, in fact, a gigantic life-ruining turd — and even if they /could/ know it, it wasn’t going to be /their/ lives ruined, since they have never and will never have to wonder where they will live and what they will eat tomorrow. They make in one year enough for any reasonable person to live for twenty years on. Their decisions are not based on their skills, but on whether someone somewhere will take their candy away over something anyone /can/ understand: the profit margin.

      • mdh

        –applause–

    • Stooge

      hallam, I don’t understand why you find Ross Anderson’s hypothesised fraud objectionable.

      Surely if false transactions are made while banks maintain that their implementation of chip & PIN is impregnable then those banks will blame the innocent customer, refuse to issue a refund, and thus de facto commit fraud.

    • dragonfrog

      In other words they attempted to censor publication rather than politely request responsible disclosure.

      Well, by the sounds of it, they can’t very well request responsible disclosure, since they already got it something over a year ago. From Ross’s letter:

      “Third, Omar’s thesis does not contain any new information on the No-PIN vulnerability. That was discovered by Steven Murdoch, Saar Drimer and me in 2009, disclosed responsibly to the industry, and published in February this year.”

      And, to echo what Stooge says – if the banks hold customers responsible for fraudulent transactions, maintaining and potentially testifying under oath that their chip & PIN implementation rules out such fraud, when they’ve known for over a year that the fraud is in fact possible, then they in turn are committing a more widespread and massive fraud than any individual card scamming operation.

    • pajh

      hallam, if I were responsible for the security of a bank scheme that was broken, I’d probably try to /fix the security/ instead of trampling over people to hush it up.

    • Ian Betteridge

      Hallam, I think you’re missing the point a little.

      “If I was responsible for the security of a bank scheme that was broken, I would probably write to researchers to request that they don’t publish the details.”

      Nothing in the student’s MPhil thesis represented original research: the security issues he wrote about had been published in the 2010 IEEE Symposium on Security and Privacy, and the paper had been circulated to the banking industry for two months prior to publication. And, in fact, some banks have already taken action to fix the issue (notably Barclays).

  • yerbamatte

    Woohoo! You go girl!

  • Anonymous

    It’s worth noting….we call them universities here in the UK..not ‘schools’. A school is where you go as a child. A university is where you go as an adult. This may seem pedantic to our whooping American cousins but not if you are a university student!!

    • Anonymous

      Even in the UK, arguing a single point about semantics is practically the definition of pedantic behavior.

      • Nescio

        Anon – “pedantic behavior”? In the UK we spell behaviour with a “u” ;-)

    • Anonymous

      This is a factual note to a comment saying… “It’s worth noting….we call them universities here in the UK..not ‘schools’.” In fact in the UK many institutions of higher education at university level are referred to as “Schools” — e.g. “The London School of Economics” or “The School of Oriental & African Studies” …

      • AlexG55

        Neither the LSE nor SOAS is a university- they’re both part of the University of London. The term “school” is sometimes used in the UK for a part of a university which specialises in a particular subject (such as LSE, SOAS, and some medical schools) but never for the university as a whole.

  • Anonymous

    anyone else notice that the individual getting smacked down is former government minister melanie johnson? haha! what a tool!

  • Toxa

    What a joy to read this, what a great Christmas gift: restoring a bit the faith I have on mankind.

  • Wirelizard

    “Cambridge is the University of Erasmus, of Newton, and of Darwin; censoring writings that offend the powerful is offensive to our deepest values.”

    What an excellent, genteel way to say, “Fuck off, you nasty parvenu creep”.

    Proof that some institutions still have spines – nice Christmas gift!

    • A.Lwin

      This is gonna become my quote of the day.

      “Cambridge is the University of Erasmus, of Newton, and of Darwin; censoring writings that offend the powerful is offensive to our deepest values.” – Ross Anderson

  • Anonymous

    Seems similar issue happened in france in 1999 which led to 10 months of jail suspended sentence.
    http://fr.wikipedia.org/wiki/Serge_Humpich

  • jphilby

    Awright! I’ll be damned. This is what academe was like before the 50-60s cave-in to corporate interests.

    There may be hope for the world yet.

  • Scamout

    I’m not sure what high-tech vulnerability is referred to in this article but I have to wonder if it really matters. I’ve been saying since the technology first came out that it had a major flaw in that if you can wave a card past a reader, you can also wave a reader past a card.

    Now we know that this is happening.

    The industry tells us that there have been no reported incidents of fraud being committed in this manner. The problem is that there is no way of knowing. It would be one of those “I wonder how they got my card number” incidents.

    I’ve been blogging about it for a couple of years now.

    Tom Mahoney, Director
    Merchant911.org

    • Anonymous

      It’s about Chip & PIN, not contactless technology. Two completely different things, both with their own problems.

    • Anonymous

      This article is not talking about the RFID-equipped cards you are referring to, but the chip and PIN system in place across Europe, which involves inserting a card into a reader and entering a PIN for every credit card transaction (rather than swipe and sign in the US). Despite the flaws found, chip and PIN has radically reduced fraud in participating nations, though it seems we are approaching time for the next-gen solution.

  • Anonymous

    Thank you Cambridge University for standing up to censorship, for standing up to Corporate bullying and supporting intellectual integrity. At a time when so many institutions are caving into to pressure from business and government yours was a most refreshing stance.

    Kindest Regards,
    Judith van der Roos.

  • PrettyBoyTim

    I had to look up ‘parvenu’, but I find it is an ugly word.

  • emilyr

    Just in case anyone’s curious the actual thesis is downloadable here:
    http://www.cl.cam.ac.uk/~osc22/docs/mphil_acs_osc22.pdf

  • Anonymous

    You mean you can stand up to the banks when they demand special treatment here in the United St-… oh, wait.

  • Bevin

    Oh sure, it *says* Ross Anderson wrote this, but I think it was really Johhny Letter: http://www.youtube.com/watch?v=1L6nKv0hc5I

  • Feenicks

    boo yah!

  • dasfreak

    Just to get the uppity colonies upset and to provide some contrast.

    “Yale is the college of George H W Bush and George W Bush. We’d be delighted to censor this dissertation for you. What’s more we’ll find some obscure college by-law and use it to expel the student in question. We apologise for the inconvenience and would like to have you help draft future policies to avoid embarrassment to other large corporate interest groups in the future.”

  • Anonymous

    “This is, of course, good, though keep in mind that Anderson is a tenured professor. University administrators, often concerned more with the bottom line than with academic freedom, tend to roll over much more readily on such issues.”

    This is Cambridge, you know. We don’t really do that kind of thing. Professor Anderson wouldn’t ever get the sack though; almost everyone in both the CS and law departments loves him (including me).

  • daev

    meh… reading fail. Looks like I picked the wrong weekend to parse sentence structure.

  • c2r

    Wonder if the same famed schooling would stand up for the unrelated indie that would have discovered the same thing; seems to me there’s millions out there that can move the Earth but cannot make use of this ‘truth umbrella’. Is there any ‘truth’ institution that actively searches for what they believe in to back it up ?

  • TheNipponese

    Can someone who actually understands Chip and PIN, and has read the interesting parts of the thesis, break down the vulnerability without the ‘academic piety thumps corporate greed’ snobbism? I know this is BB, but forgive me.

  • c2r

    To summarize this for you, “Banks are bad for your health, Cambridge confirms.”

  • scotchmi_st

    I think it’s worth pointing out that part of the reason Cambridge uni is seen to be standing up to this company may well be that they are by no means a small institution. To put it mildly, the colleges collectively have /resources/.

  • c2r

    Hey, it’s a 0-day vulnerability! Hackers didn’t yet figure this one out – still using this B & W thing: http://www.boingboing.net/2010/12/12/sales-pitch-from-an.html