Cambridge university refuses to censor student's thesis on chip-and-PIN vulnerabilities

After the UK banking trade association wrote to Cambridge university to have a student's master's thesis censored because it documented a well-known flaw in the chip-and-PIN system, Cambridge's Ross Anderson sent an extremely stiff note in reply:
Second, you seem to think that we might censor a student's thesis, which is lawful and already in the public domain, simply because a powerful interest finds it inconvenient. This shows a deep misconception of what universities are and how we work. Cambridge is the University of Erasmus, of Newton, and of Darwin; censoring writings that offend the powerful is offensive to our deepest values. Thus even though the decision to put the thesis online was Omar's, we have no choice but to back him. That would hold even if we did not agree with the material! Accordingly I have authorised the thesis to be issued as a Computer Laboratory Technical Report. This will make it easier for people to find and to cite, and will ensure that its presence on our web site is permanent....

...Fifth, you say 'Concern was expressed to us by the police that the student was allowed to falsify a transaction in a shop in Cambridge without first warning the merchant'. I fail to understand the basis for this. The banks in France had claimed (as you did) that their systems were secure; a French TV programme wished to discredit this claim (as Newsnight discredited yours); and I understand that Omar did a No-PIN transaction on the card of a French journalist with the journalist's consent and on camera. At no time was there any intent to commit fraud; the journalist's account was debited in due course in accordance with his mandate and the merchant was paid. It is perfectly clear that no transaction was falsified in any material sense. I would not consider such an experiment to require a reference to our ethics committee. By that time the Newsnight programme had appeared and the No-PIN attack was entirely in the public domain. The French television programme was clearly in the public interest, as it made it more difficult for banks in France to defraud their customers by claiming that their systems were secure when they were not.

You complain that our work may undermine public confidence in the payments system. What will support public confidence in the payments system is evidence that the banks are frank and honest in admitting its weaknesses when they are exposed, and diligent in effecting the necessary remedies. Your letter shows that, instead, your member banks do their lamentable best to deprecate the work of those outside their cosy club, and indeed to censor it.

A Merry Christmas to all Bankers

Letter to bankers (PDF)

(via /.)


  1. Nice…very nice. Glad to see some schools back their students no matter what. Here in the US, the school would cave and let the bank do whatever they wanted.

    1. This is, of course, good, though keep in mind that Anderson is a tenured professor. University administrators, often concerned more with the bottom line than with academic freedom, tend to roll over much more readily on such issues.

  2. “Hoping you enjoyed having your ass kicked as much as I enjoyed kicking it. Happy Holidays!

    Sincerely,

    Ross Anderson”

  3. “Cambridge is the University of … Darwin; censoring writings that offend the powerful is offensive to our deepest values.”

    Darwin censored himself for fear of offending the Church, and only published The Origin of Species when Wallace scooped him. Perhaps the University should censure him retroactively.

    1. Darwin censored himself for fear of offending the Church, and only published The Origin of Species when Wallace scooped him. Perhaps the University should censure him retroactively.

      No, the University should out him retroactively. Have the Advanced Physics department send back the time machine they’re going to invent next year.

      On a serious note: I cheered and applauded upon reading the University’s manifesto. Give ’em hell!

  4. Great response, but missed opportunity.

    They could have had the letter read:
    “Attached is a letter we received on December 1st. I think you should be aware that some asshole is signing your name to very stupid letters.”

  5. Ross does go off on these rants.

    If I was responsible for the security of a bank scheme that was broken, I would probably write to researchers to request that they don’t publish the details. Where the request is out of order is that the request was made to the University and not directly to the researcher. In other words they attempted to censor publication rather than politely request responsible disclosure.

    The Chip and Pin scheme has problems, but has significantly reduced card-present fraud. What I find rather unhelpful in Ross’ attacks is that he tends to imply that the consequence of the sloppy implementation is fraud when in practice it is merely going to mean that the banks are going to have to eventually bite the bullet and pay to replace the faulty cards and card readers.

    Quite why the banks did not hire someone competent to design the protocol is a mystery to me. There are plenty of competent designers in the business, the chip and pin protocols do not need to meet particularly complex requirements.

    It would be a shame if people were to conclude from Ross’ criticisms that it is impossible to design secure cryptographic protocols. This is clearly not the case. Ross has no doubt examined my own Internet and payment protocols, many others have, nobody has found issues to date. There are many other architects in the business who have a solid record doing that type of work.

    1. hallam, I don’t understand why you find Ross Anderson’s hypothesised fraud objectionable.

      Surely if false transactions are made while banks maintain that their implementation of chip & PIN is impregnable then those banks will blame the innocent customer, refuse to issue a refund, and thus de facto commit fraud.

    2. In other words they attempted to censor publication rather than politely request responsible disclosure.

      Well, by the sounds of it, they can’t very well request responsible disclosure, since they already got it something over a year ago. From Ross’s letter:

      “Third, Omar’s thesis does not contain any new information on the No-PIN vulnerability. That was discovered by Steven Murdoch, Saar Drimer and me in 2009, disclosed responsibly to the industry, and published in February this year.”

      And, to echo what Stooge says – if the banks hold customers responsible for fraudulent transactions, maintaining and potentially testifying under oath that their chip & PIN implementation rules out such fraud, when they’ve known for over a year that the fraud is in fact possible, then they in turn are committing a more widespread and massive fraud than any individual card scamming operation.

    3. hallam, if I were responsible for the security of a bank scheme that was broken, I’d probably try to /fix the security/ instead of trampling over people to hush it up.

    4. “Quite why the banks did not hire someone competent to design the protocol is a mystery to me.”

      They did not actually hire someone to design the protocol.

      A chip design firm chose to implement a protocol, the details of which were considered “top secret” to “protect the interests of our customers”, (read: security through obscurity), the chip and support systems were marketed to various institutions and industries for various uses, and some know-nothing MBA-degree-holding bank executive, sitting on (or chairing) an industry discussion panel, concerned solely with his annual bonus for making every quarter better than the last, brought up several possible “solutions” to their “leap forward initiative” on securing transactions, and (quite possibly with a variety of kickbacks and bribes) this particular system was shown as the most secure and least expensive (or equivalently secure and least expensive) solution, and the planning group (which contained absolutely no-one who possessed an EE, CS, or IT education) worked with the CIO’s (none of whom have any CS, EE, or IT educations — CIO’s of financial firms are MBAs / accountants / efficiency experts to a man) to set this system as an industry-wide standard in the country and to ensure that all legislation lobbying supported it and none opposed it.

      In short, the protocol was chosen — not because it was secure — but because it was a “win-win for our bottom line”. And as no-one involved in the decision to use it understood it, including the people designing it and marketing it, they could not know that it was, in fact, a gigantic life-ruining turd — and even if they /could/ know it, it wasn’t going to be /their/ lives ruined, since they have never and will never have to wonder where they will live and what they will eat tomorrow. They make in one year enough for any reasonable person to live for twenty years on. Their decisions are not based on their skills, but on whether someone somewhere will take their candy away over something anyone /can/ understand: the profit margin.

    5. Hallam, I think you’re missing the point a little.

      “If I was responsible for the security of a bank scheme that was broken, I would probably write to researchers to request that they don’t publish the details.”

      Nothing in the student’s MPhil thesis represented original research: the security issues he wrote about had been published in the 2010 IEEE Symposium on Security and Privacy, and the paper had been circulated to the banking industry for two months prior to publication. And, in fact, some banks have already taken action to fix the issue (notably Barclays).

  6. It’s worth noting… we call them universities here in the UK, not ‘schools’. A school is where you go as a child. A university is where you go as an adult. This may seem pedantic to our whooping American cousins but not if you are a university student!!

    1. This is a factual note to a comment saying… “It’s worth noting… we call them universities here in the UK, not ‘schools’.” In fact in the UK many institutions of higher education at university level are referred to as “Schools” — e.g. “The London School of Economics” or “The School of Oriental & African Studies” …

      1. Neither the LSE nor SOAS is a university; they’re both part of the University of London. The term “school” is sometimes used in the UK for a part of a university which specialises in a particular subject (such as LSE, SOAS, and some medical schools) but never for the university as a whole.

    2. Even in the UK, arguing a single point about semantics is practically the definition of pedantic behavior.

  7. “Cambridge is the University of Erasmus, of Newton, and of Darwin; censoring writings that offend the powerful is offensive to our deepest values.”

    What an excellent, genteel way to say, “Fuck off, you nasty parvenu creep”.

    Proof that some institutions still have spines – nice Christmas gift!

    1. This is gonna become my quote of the day.

      “Cambridge is the University of Erasmus, of Newton, and of Darwin; censoring writings that offend the powerful is offensive to our deepest values.” – Ross Anderson

  8. Awright! I’ll be damned. This is what academe was like before the 50-60s cave-in to corporate interests.

    There may be hope for the world yet.

  9. You mean you can stand up to the banks when they demand special treatment here in the United St-… oh, wait.

  10. Just to get the uppity colonies upset and to provide some contrast.

    “Yale is the college of George H W Bush and George W Bush. We’d be delighted to censor this dissertation for you. What’s more we’ll find some obscure college by-law and use it to expel the student in question. We apologise for the inconvenience and would like to have you help draft future policies to avoid embarrassment to other large corporate interest groups in the future.”

  11. “This is, of course, good, though keep in mind that Anderson is a tenured professor. University administrators, often concerned more with the bottom line than with academic freedom, tend to roll over much more readily on such issues.”

    This is Cambridge, you know. We don’t really do that kind of thing. Professor Anderson wouldn’t ever get the sack though; almost everyone in both the CS and law departments loves him (including me).

  12. tsk, tsk… grammar fail in the last displayed paragraph (I’d expect better from Cambridge, of all places).

    Good for them, anyways, for sticking to principle.

  13. Daev – there is no “grammar fail” in the last displayed paragraph. The use of “is” and “are”, referring to the banking system and its weaknesses respectively, is correct. So is the use of “effecting”.

    1. Daev – there is no “grammar fail” in the last displayed paragraph. The use of “is” and “are”, referring to the banking system and its weaknesses respectively, is correct. So is the use of “effecting”.

      “evidence that the banks are frank and honest in admitting its weaknesses when they are exposed”

      “its”? How about “their”? “Banks” being plural and all…

      1. “What will support public confidence in the payments system is evidence that the banks are frank and honest in admitting its weaknesses when they are exposed, and diligent in effecting the necessary remedies. ”

        “its” refers to “the payments system” – singular; “their” refers to “weaknesses” – plural. No error.

        ETA Sorry, I didn’t realise at first that you had already noted that yourself. Just my inner pedant demanding an airing!

  14. I’m not sure what high-tech vulnerability is referred to in this article but I have to wonder if it really matters. I’ve been saying since the technology first came out that it had a major flaw in that if you can wave a card past a reader, you can also wave a reader past a card.

    Now we know that this is happening.

    The industry tells us that there have been no reported incidents of fraud being committed in this manner. The problem is that there is no way of knowing. It would be one of those “I wonder how they got my card number” incidents.

    I’ve been blogging about it for a couple of years now.

    Tom Mahoney, Director
    Merchant911.org

    1. It’s about Chip & Pin, not contact-less technology. Two completely different things, both with their own problems.

    2. This article is not talking about the RFID-equipped cards you are referring to, but the chip and PIN system in place across Europe, which involves inserting a card into a reader and entering a PIN for every credit card transaction (rather than swipe-and-sign in the US). Despite the flaws found, chip and PIN has radically reduced fraud in participating nations, though it seems we are approaching time for the next-gen solution.

  15. Thank you Cambridge University for standing up to censorship, for standing up to corporate bullying and supporting intellectual integrity. At a time when so many institutions are caving in to pressure from business and government, yours was a most refreshing stance.

    Kindest Regards,
    Judith van der Roos.

  16. Wonder if the same famed schooling would stand up for the unrelated indie that would have discovered the same thing; seems to me there’s millions out there that can move the Earth but cannot make use of this ‘truth umbrella’. Is there any ‘truth’ institution that actively searches for what they believe in to back it up ?

  17. Can someone who actually understands Chip and PIN, and has read the interesting parts of the thesis, break down the vulnerability without the ‘academic piety thumps corporate greed’ snobbism? I know this is BB, but forgive me.

  18. I think it’s worth pointing out that part of the reason Cambridge uni is seen to be standing up to this company may well be that they are by no means a small institution. To put it mildly, the colleges collectively have /resources/.

  19. Just to remind the grammarians out there, the treatment of collective plurals is one of the faultlines between AE and BE.

  20. At no time was there any intent to commit fraud; the journalist’s account was debited in due course in accordance with his mandate and the merchant was paid. It is perfectly clear that no transaction was falsified in any material sense.

  21. Guys, you all got manipulated by Cambridge’s PR. Can I read any argument that backs the bank’s point of view? Can I read the exact wording of the letter the bank sent? Did they really ask for the exploit to be “censored”, or just to keep it undisclosed until patched? Oh, but I got to read again about that exploit and the great people who found it, and yeah, Newton and Darwin went to Cam so it must be a great school! Well done.

    Alex, PhD at Cambridge Uni

    1. You actually can read the letter the bank sent, but you have to want to do it enough to click through two links from this page. Hiding it so deeply is a cunning PR trick indeed.

    2. You may look in vain for any argument which supports the bank’s point of view because most people who come to this site are well aware that virtually any American institution of higher learning would break both kneecaps in its haste to fellate any bank or other corporate interest.

    3. That you think that delaying disclosure is not a form of censorship is such an exercise of double-think and double-speak that it should be included in the next edition of that famous book I hope you may have read during your prestigious education.

      Tzctboin
      Computer Technician
      Technological College of Netzahualcoyotl City.

  22. @astrochimp
    “This is, of course, good, though keep in mind that Anderson is a tenured professor.”

    Since Thatcher’s magnificent reforms, there is no such thing as tenure in the UK.
    All contracts are renewed every few years, the only difference between junior and senior faculty is the salary, and the renewal period gradually getting a bit longer – but saturates at 3-4 years.
    But no worries, he won’t be sacked ;-).

    @ Anon @ 8:32/26.12

    I had a brief look at the thesis – all relevant information in it seems already published, so there is no real question of delayed publication.
    In 2008/2009 Ross Anderson & co. sent the information to banks, and after waiting for the industry to react for several months to a year for different parts, published it in 2009.
    They didn’t just go ahead and immediately publish material potentially problematic for payment systems – the banking association really has not much to complain about.

  23. This is a story that has been repeated in one form or another for almost two decades (and in the abstract, forever). The specifics vary — DRM, voting, ATM, energy, food production — but the theme is the same: Mr. Big in the Executive Suite compromises hard-core solutions in order to save costs and make their product easier for users, usually ignoring the advice of true experts, then whines when their “solutions” are cracked. Boo-Hoo.

    This is simply further evidence that corporate executives and politicians believe that “physics” (I’m broadly applying the term, to include the “physics” of cryptography, etc.) is an optional annoyance, that the Marketing mantra “perception is ALL there is” applies in all scenarios, and that by sheer will they can change reality. Boo-Hoo.

  24. When the Bridgestone Tire Company, of Japan, tried to block an American student’s Ph.D. thesis that Bridgestone objected to, at the University of Akron, in Ohio, the University of Akron backed the Ph.D. student.

    That is a rare instance of a University in America not caving in to corporate pressures.

    George H. Morgan
    Professional Engineer
    Registered Patent Agent

  25. anyone else notice that the individual getting smacked down is former government minister melanie johnson? haha! what a tool!
