Cambridge student Omar S Choudary has published his Master's thesis, which explains how to build a gadget that protects against the hacking of bank cards. To do so, he has to include a fair amount of information on how the cards work and what the security flaws are. The UK Cards Association are in uproar, and are demanding that the material be taken down:
"The publication of this level of detail" goes beyond "the boundary of responsible disclosure. Essentially, it places in the public domain a blueprint for building a device which purports to exploit a loophole in the security of chip and PIN."

You might think that, rather than blaming a clever student, they would ask themselves how their "crackproof" chip and PIN system can be hacked by a young student working at sub-PhD level. But no, and they go on to issue a veiled threat:
Therefore, "we would ask that this research be removed from public access immediately, and would hope that you are able to give us comfort about your policy towards future disclosures."

Here's the reply by Ross Anderson, Professor of Computer Security:
"You seem to think that we might censor a student's thesis, which is lawful and already in the public domain, simply because a powerful interest finds it inconvenient. This shows a deep misconception of what universities are and how we work. Cambridge is the University of Erasmus, of Newton, and of Darwin; censoring writings that offend the powerful is offensive to our deepest values. Thus even though the decision to put the thesis online was Omar's, we have no choice but to back him. That would hold even if we did not agree with the material!"

If only our noble institutions would be as robust about our ancient rights and privileges - Magna Carta, habeas corpus, free speech, that kind of thing.
Now you know who to support in the next Boat Race. Well done, Cambridge.
H/t Big Brother Watch.
A very eloquent rebuttal (two fingers doesn't do it justice). IIRC flaws in Chip 'N Pin were already being talked about before the system was fully introduced. Regardless of the technical aspects, when did you last see anybody attempt to shield the keypad when asked to enter their PIN? I ALWAYS do, but I seem to be in a minority of one...
Now a payment by mobile phone system is being touted as a replacement for conventional money and cards!!!
All I can say to that is "Go forth and multiply"
While he was working on the Manhattan project Richard Feynman, later a Physics Nobel Laureate, discovered that he could easily crack supposedly secure filing cabinets and safes containing the most sensitive details of how to build the bomb.
He let this be known to the project's senior military staff. Were they horrified at the failure of their secure systems such that they scrapped them all and immediately requisitioned properly secure equipment?
Well, no. Their reaction was to issue an urgent memo to the effect that Feynman was to be kept away from secure filing cabinets and safes.
That's how these people 'in authority' 'think'.
Cambridge has always taken a very independent view. Which is how it produces the best scientists, and the best spies.
It's not so much the hacking risk - with care from the user, this should be very rare. It's the ability of the card issuers to track every single purchase that worries me. Cash is King.
Jim - indeed. Same as when people manage to hack into sensitive military networks. Not 'thank you for helping us find a potential weakness that could have compromised national security', but 'go to jail, do not pass go ...'