Cambridge university refuses to censor student's thesis on chip-and-PIN vulnerabilities

66 Responses to “Cambridge university refuses to censor student's thesis on chip-and-PIN vulnerabilities”

  1. Anonymous says:

    Just to remind the grammarians out there, the treatment of collective plurals is one of the faultlines between AE and BE.

  2. Anonymous says:

    Bravo!

  3. Anonymous says:

    At no time was there any intent to commit fraud; the journalist’s account was debited in due course in accordance with his mandate and the merchant was paid. It is perfectly clear that no transaction was falsified in any material sense.

  4. madfin says:

    To those still fighting the revolutionary war, may I suggest mota?

  5. Anonymous says:

    Guys you all got manipulated by Cambridge’s PR. Can I read any argument that backs the bank’s point of view? Can I read the exact wordings of the letter the bank sent? Did they really ask the exploit to be “censored” or to just undisclose it until patched. Oh but I got to read again about that exploit and the people the great people who found it and yeah Newton and Darwin went to Cam so it must be a great school! Well done.

    Alex, PhD at Cambridge Uni

    • Tzctboin says:

      That you think that delaying disclosure is not a form of censorship is such an exercise of double-think and double-speak that it should be included in the next edition of that famous book I hope you may have read during your prestigious education.

      Tzctboin
      Computer Technician
      Technological College of Netzahualcoyotl City.

    • princeminski says:

      You may look in vain for any argument which supports the bank’s point of view because most people who come to this site are well aware that virtually any American institution of higher learning would break both kneecaps in its haste to fellate any bank or other corporate interest.

    • Anonymous says:

      You actually can read the letter the bank sent, but you have to want to do it enough to click through two links from this page. Hiding it so deeply is a cunning PR trick indeed.

  6. Anonymous says:

    This is awesome. Cambridge, way to go!!

  7. tylerkaraszewski says:

    That is awesome.

  8. bryze says:

    Wow, Amazon.com should adopt the same policy towards meddling senators.

  9. Anonymous says:

    @astrochimp
    “This is, of course, good, though keep in mind that Anderson is a tenured professor.”

    Since Thatcher’s magnificent reforms, there is no such thing as tenure in the UK.
    All contracts are renewed every few years, the only difference between junior and senior faculty is the salary, and the renewal period gradually getting a bit longer – but saturates at 3-4 years.
    But no worries, he won’t be sacked ;-).

    @ Anon @ 8:32/26.12

    I had a brief look at the thesis – all relevant information in it seems already published, so there is no real question of delayed publication.
    In 2008/2009 Ross Anderson & co. sent the information to banks, and after waiting for the industry to react for several months to a year for different parts, published it in 2009.
    They didn’t just go ahead and immediately publish material potentially problematic for payment systems – the banking association really has not much to complain about.

  10. cameronh1403 says:

    Nice…very nice. Glad to see some schools back their students no matter what. Here in the US, the school would cave and let the bank do whatever they wanted.

  11. Anonymous says:

    “Hoping you enjoyed having your ass kicked as much as I enjoyed kicking it. Happy Holidays!

    Sincerely,

    Ross Anderson”

  12. Baby Lamont says:

    BOOSH!!!

  13. Ernunnos says:

    Boom! Headshot!

  14. Anonymous says:

    “Cambridge is the University of … Darwin; censoring writings that offend the powerful is offensive to our deepest values.”

    Darwin censored himself for fear of offending the Church, and only published The Origin of Species when Wallace scooped him. Perhaps the University should censure him retroactively.

    • karl_jones says:

      Darwin censored himself for fear of offending the Church, and only published The Origin of Species when Wallace scooped him. Perhaps the University should censure him retroactively.

      No, the University should out him retroactively. Have the Advanced Physics department send back the time machine they’re going to invent next year.

      On a serious note: I cheered and applauded upon reading the University’s manifesto. Give ‘em hell!

  15. daev says:

    tsk, tsk… grammar fail in the last displayed paragraph (I’d expect better from Cambridge, of all places).

    Good for them, anyways, for sticking to principle.

  16. Peter says:

    Great response, but missed opportunity.

    They could have had the letter read:
    “Attached is a letter we received on December 1st. I think you should be aware that some asshole is signing your name to very stupid letters.”

  17. Nescio says:

    Daev – there is no “grammar fail” in the last displayed paragraph. The use of “is” and “are”, referring to the banking system and its weaknesses respectively, is correct. So is the use of “effecting”.

    • daev says:

      Daev – there is no “grammar fail” in the last displayed paragraph. The use of “is” and “are”, referring to the banking system and its weaknesses respectively, is correct. So is the use of “effecting”.

      “evidence that the banks are frank and honest in admitting its weaknesses when they are exposed”

      “its”? How about “their”? “Banks” being plural and all…

      • Anonymous says:

        “What will support public confidence in the payments system is evidence that the banks are frank and honest in admitting its weaknesses when they are exposed, and diligent in effecting the necessary remedies. ”

        “its” refers to “the payments system” – singular; “their” refers to “weaknesses” – plural. No error.

        ETA Sorry, I didn’t realise at first that you had already noted that yourself. Just my inner pedant demanding an airing!

  18. john s. erickson, ph.d. says:

    This is a story that has been repeated in one form or another for almost two decades (and in the abstract, forever). The specifics vary — DRM, voting, ATM, energy, food production — but the theme is the same: Mr. Big in the Executive Suite compromises hard-core solutions in order to save costs and make their product easier for users, usually ignoring the advice of true experts, then whines when their “solutions” are cracked. Boo-Hoo.

    This is simply further evidence that corporate executives and politicians believe that “physics” (I’m broadly applying the term, to include the “physics” of cryptography, etc.) is an optional annoyance, that the Marketing mantra “perception is ALL there is” applies in all scenarios, and that by sheer will they can change reality. Boo-Hoo.

  19. Anonymous says:

    When the Bridgestone Tire Company, of Japan, tried to block an American student’s Ph.D. thesis that Bridgestone objected to, at the University of Akron, in Ohio, the University of Akron backed the Ph.D. student.

    That is a rare instance of a University in America not caving in to corporate pressures.

    George H. Morgan
    Professional Engineer
    Registered Patent Agent

  20. Boondocker says:

    Absolutely wonderful to read this on Christmas. Finally, a spine.

  21. hallam says:

    Ross does go off on these rants.

    If I was responsible for the security of a bank scheme that was broken, I would probably write to researchers to request that they don’t publish the details. Where the request is out of order is that the request was made to the University and not directly to the researcher. In other words they attempted to censor publication rather than politely request responsible disclosure.

    The Chip and Pin scheme has problems, but has significantly reduced card-present fraud. What I find rather unhelpful in Ross’ attacks is that he tends to imply that the consequence of the sloppy implementation is fraud when in practice it is merely going to mean that the banks are going to have to eventually bite the bullet and pay to replace the faulty cards and card readers.

    Quite why the banks did not hire someone competent to design the protocol is a mystery to me. There are plenty of competent designers in the business, the chip and pin protocols do not need to meet particularly complex requirements.

    It would be a shame if people were to conclude from Ross’ criticisms that it is impossible to design secure cryptographic protocols. This is clearly not the case. Ross has no doubt examined my own Internet and payment protocols, many others have, nobody has found issues to date. There are many other architects in the business who have a solid record doing that type of work.

    • bardfinn says:

      “Quite why the banks did not hire someone competent to design the protocol is a mystery to me.”

      They did not actually hire someone to design the protocol.

      A chip design firm chose to implement a protocol, the details of which were considered “top secret” to “protect the interests of our customers”, (read: security through obscurity), the chip and support systems were marketed to various institutions and industries for various uses, and some know-nothing MBA-degree-holding bank executive, sitting on (or chairing) an industry discussion panel, concerned solely with his annual bonus for making every quarter better than the last, brought up several possible “solutions” to their “leap forward initiative” on securing transactions, and (quite possibly with a variety of kickbacks and bribes) this particular system was shown as the most secure and least expensive (or equivalently secure and least expensive) solution, and the planning group (which contained absolutely no-one who possessed an EE, CS, or IT education) worked with the CIO’s (none of whom have any CS, EE, or IT educations — CIO’s of financial firms are MBAs / accountants / efficiency experts to a man) to set this system as an industry-wide standard in the country and to ensure that all legislation lobbying supported it and none opposed it.

      In short, the protocol was chosen — not because it was secure — but because it was a “win-win for our bottom line”. And as no-one involved in the decision to use it understood it, including the people designing it and marketing it, they could not know that it was, in fact, a gigantic life-ruining turd — and even if they /could/ know it, it wasn’t going to be /their/ lives ruined, since they have never and will never have to wonder where they will live and what they will eat tomorrow. They make in one year enough for any reasonable person to live for twenty years on. Their decisions are not based on their skills, but on whether someone somewhere will take their candy away over something anyone /can/ understand: the profit margin.

    • Stooge says:

      hallam, I don’t understand why you find Ross Anderson’s hypothesised fraud objectionable.

      Surely if false transactions are made while banks maintain that their implementation of chip & PIN is impregnable then those banks will blame the innocent customer, refuse to issue a refund, and thus de facto commit fraud.

    • dragonfrog says:

      In other words they attempted to censor publication rather than politely request responsible disclosure.

      Well, by the sounds of it, they can’t very well request responsible disclosure, since they already got it something over a year ago. From Ross’s letter:

      “Third, Omar’s thesis does not contain any new information on the No-PIN vulnerability. That was discovered by Steven Murdoch, Saar Drimer and me in 2009, disclosed responsibly to the industry, and published in February this year.”

      And, to echo what Stooge says – if the banks hold customers responsible for fraudulent transactions, maintaining and potentially testifying under oath that their chip & PIN implementation rules out such fraud, when they’ve known for over a year that the fraud is in fact possible, then they in turn are committing a more widespread and massive fraud than any individual card scamming operation.

    • pajh says:

      hallam, if I were responsible for the security of a bank scheme that was broken, I’d probably try to /fix the security/ instead of trampling over people to hush it up.

    • Ian Betteridge says:

      Hallam, I think you’re missing the point a little.

      “If I was responsible for the security of a bank scheme that was broken, I would probably write to researchers to request that they don’t publish the details.”

      Nothing in the student’s MPhil thesis represented original research: the security issues he wrote about had been published in the 2010 IEEE Symposium on Security and Privacy, and the paper had been circulated to the banking industry for two months prior to publication. And, in fact, some banks have already taken action to fix the issue (notably Barclays).

  22. yerbamatte says:

    Woohoo! You go girl!

  23. Anonymous says:

    It’s worth noting….we call them universities here in the UK..not ‘schools’. A school is where you go as a child. A university is where you go as an adult. This may seem pedantic to our whooping American cousins but not if you are a university student!!

    • Anonymous says:

      Even in the UK, arguing a single point about semantics is practically the definition of pedantic behavior.

    • Anonymous says:

      This is a factual note to a comment saying… “It’s worth noting….we call them universities here in the UK..not ‘schools’.” In fact in the UK many institutions of higher education at university level are referred to as “Schools” — e.g. “The London School of Economics” or “The School of Oriental & African Studies” …

      • AlexG55 says:

        Neither the LSE nor SOAS is a university – they’re both part of the University of London. The term “school” is sometimes used in the UK for a part of a university which specialises in a particular subject (such as LSE, SOAS, and some medical schools) but never for the university as a whole.

  24. Anonymous says:

    anyone else notice that the individual getting smacked down is former government minister melanie johnson? haha! what a tool!

  25. Toxa says:

    What a joy to read this, what a great Christmas gift: restoring a bit the faith I have on mankind.

  26. Wirelizard says:

    “Cambridge is the University of Erasmus, of Newton, and of Darwin; censoring writings that offend the powerful is offensive to our deepest values.”

    What an excellent, genteel way to say, “Fuck off, you nasty parvenu creep”.

    Proof that some institutions still have spines – nice Christmas gift!

    • A.Lwin says:

      This is gonna become my quote of the day.

      “Cambridge is the University of Erasmus, of Newton, and of Darwin; censoring writings that offend the powerful is offensive to our deepest values.” – Ross Anderson

  27. Anonymous says:

    It seems a similar issue happened in France in 1999, which led to a 10-month suspended jail sentence.
    http://fr.wikipedia.org/wiki/Serge_Humpich

  28. jphilby says:

    Awright! I’ll be damned. This is what academe was like before the 50-60s cave-in to corporate interests.

    There may be hope for the world yet.

  29. Scamout says:

    I’m not sure what high-tech vulnerability is referred to in this article but I have to wonder if it really matters. I’ve been saying since the technology first came out that it had a major flaw in that if you can wave a card past a reader, you can also wave a reader past a card.

    Now we know that this is happening.

    The industry tells us that there have been no reported incidents of fraud being committed in this manner. The problem is that there is no way of knowing. It would be one of those “I wonder how they got my card number” incidents.

    I’ve been blogging about it for a couple of years now.

    Tom Mahoney, Director
    Merchant911.org

    • Anonymous says:

      It’s about Chip & Pin, not contact-less technology. Two completely different things, both with their own problems.

    • Anonymous says:

      This article is not talking about the RFID-equipped cards you are referring to, but the chip and PIN system in place across Europe, which involves inserting a card into a reader and entering a PIN for every credit card transaction (rather than swipe and sign as in the US). Despite the flaws found, chip and PIN has radically reduced fraud in participating nations, though it seems we are approaching time for the next-gen solution.

  30. Anonymous says:

    Thank you Cambridge University for standing up to censorship, for standing up to corporate bullying and supporting intellectual integrity. At a time when so many institutions are caving in to pressure from business and government yours was a most refreshing stance.

    Kindest Regards,
    Judith van der Roos.

  31. PrettyBoyTim says:

    I had to look up ‘parvenu’, but I find it is an ugly word.

  32. emilyr says:

    Just in case anyone’s curious the actual thesis is downloadable here:
    http://www.cl.cam.ac.uk/~osc22/docs/mphil_acs_osc22.pdf

  33. Anonymous says:

    You mean you can stand up to the banks when they demand special treatment here in the United St-… oh, wait.

  34. Bevin says:

    Oh sure, it *says* Ross Anderson wrote this, but I think it was really Johnny Letter: http://www.youtube.com/watch?v=1L6nKv0hc5I

  35. Feenicks says:

    boo yah!

  36. dasfreak says:

    Just to get the uppity colonies upset and to provide some contrast.

    “Yale is the college of George H W Bush and George W Bush. We’d be delighted to censor this dissertation for you. What’s more we’ll find some obscure college by-law and use it to expel the student in question. We apologise for the inconvenience and would like to have you help draft future policies to avoid embarrassment to other large corporate interest groups in the future.”

  37. Anonymous says:

    “This is, of course, good, though keep in mind that Anderson is a tenured professor. University administrators, often concerned more with the bottom line than with academic freedom, tend to roll over much more readily on such issues.”

    This is Cambridge, you know. We don’t really do that kind of thing. Professor Anderson wouldn’t ever get the sack though; almost everyone in both the CS and law departments loves him (including me).

  38. daev says:

    meh… reading fail. Looks like I picked the wrong weekend to parse sentence structure.

  39. c2r says:

    Wonder if the same famed schooling would stand up for the unrelated indie that would have discovered the same thing; seems to me there’s millions out there that can move the Earth but cannot make use of this ‘truth umbrella’. Is there any ‘truth’ institution that actively searches for what they believe in to back it up ?

  40. TheNipponese says:

    Can someone who actually understands Chip and PIN, and has read the interesting parts of the thesis, break down the vulnerability without the ‘academic piety thumps corporate greed’ snobbism? I know this is BB, but forgive me.

  41. c2r says:

    To summarize this for you, “Banks are bad for your health, Cambridge confirms.”

  42. scotchmi_st says:

    I think it’s worth pointing out that part of the reason Cambridge uni is seen to be standing up to this company may well be that they are by no means a small institution. To put it mildly, the colleges collectively have /resources/.

  43. c2r says:

    Hey, it’s a 0-day vulnerability! Hackers didn’t yet figure this one out – still using this B & W thing: http://www.boingboing.net/2010/12/12/sales-pitch-from-an.html