Two Cambridge University researchers have discovered serious flaws in the security that many banks use in Automatic Teller Machines around the world. The researchers, Mike Bond and Piotr Zielinski, released their findings in a paper, but various powers-that-be in the banking industry are not happy. Not only are the banks upset that their encryption is flawed (as they should be), but they also seem to be pretty peeved that additional information about the flaws could be widely circulated, particularly that testimony by the researchers and other security experts in an upcoming court case may be made public.
It’s not particularly surprising that the banking and credit card industry is trying to prohibit these researchers from releasing their findings. This is an ongoing debate in the computer security sphere. Should researchers loudly proclaim the flaws in commonly-used security in order to prod vendors and users to plug the holes quickly, thus risking allowing more would-be criminals the opportunity to crack not-yet-patched systems, or should they try to keep their discoveries under wraps in order to give the vendors more time to issue fixes?
The fact is that users are generally delinquent in patching their systems in a timely manner (as is evidenced by Microsoft’s own SQL Server machines recently being affected by the Slammer worm even though a patch for that flaw had been available for months). I believe that it takes a genuine security panic to ensure that the majority of insecure systems will be patched in a timely manner, and that by the time “white hat” security experts uncover a particular security hole, criminals have likely been exploiting it for some time already. In this case, it appears that criminals may have known about the flaws before the Cambridge researchers discovered them.
I think that giving the vendors of a particular product or device a reasonable time period to produce a patch is fair, but after that, security researchers should shout their findings from the rooftops. What do you think?
>> ..they seem to be pretty peeved that additional information about the flaws could be widely circulated. It’s not particularly surprising that the banking and credit card industry is trying to prohibit these researchers from releasing their findings.
>>
The battle goes beyond the computer security field to the general media. I would say there is an on-going attempt to re-invent censorship, and to generally kill the free flow of information. It didn’t get any better with the events of 9/11. These days, when it suits them, the authorities use terrorism to throw a big scare and censor out information as needed. Also, the fact that major media houses around the world are these days controlled by a handful of people does not help matters. We all need to watch our freedom, and let’s hope freedom triumphs again.
I think it goes to freedom of speech. If you have something to say it shouldn’t matter what it is you are saying, whether it is for good or bad. It’s up to individuals what they do with that information.
If you find a security hole like this no one has a problem with you pointing it out. If you find one you let the banks know and those in charge of fixing it. I am one that’s against telling the whole world how to hack into something. The only reason people go telling everyone is because they want the few minutes of glory saying they found a hole. A responsible person notifies those who can/will fix it.
It’s not censorship, it’s being responsible. No one wants to cover up that there is a hole. It’s just irresponsible to go telling the whole world there is a hole.
Tell it to the people that are responsible, and if those people don’t react soon enough or not at all, telling the whole world is the best thing they can do ….
just to build pressure on the people responsible.
People also have the right to know when something isn’t as secure as they think it is ….
“tell it to the people that are responsible, and those people don’t react soon enough or not at all, telling it the whole world is the best thing they can do ….”
Yes, but this sometimes comes down to “I emailed almost 18 hours ago with no reply.” That _obviously_ means that the person/s responsible for fixing it don’t regard it as serious and have no intention of fixing it. They could call in every employee they have and be scrambling like mad to get something done about it, but just because you have not heard back from them yet does not mean you are free to go public with no available patch. Sometimes they don’t want to reply until they have something to say other than “holy shit! thanks!”. Give them time to release a patch for it (don’t just write one and go public; let them offer it in the source and on the site). If you _honestly_ believe that they just don’t give a shit and will get to it when they feel like it (and are taking too long), _then_ you go public early. Sometimes they also need time to notify business partners and those on their mailing lists first. Regardless of stated reason, most people that release early usually do so because they don’t want anyone else to steal their thunder and 3 minutes of fame.
Perhaps it would be the responsible thing to do if they chose not to release the information to the public. But like my mother used to say – “It doesn’t matter whether you did the right thing or not if I made you do it.”
I don’t protest either way, but note this:
If they were truly free, it’d be up to them, without legal consequence (as per the First Amendment), to choose whether they wished to release the information or not.
If we force them not to say anything, we all get to sleep better at night… but at the expense of freedom and faith in all that is good in people.
It isn’t hard to see why so many people turn the way they do… In a world where we are forced into a frame of right or wrong, where faith in the hearts of people has all but died, where the value of good has dwindled to poverty. In a world where, to get ahead, you have to bend the rules of law and morality.
In a world where being a decent person doesn’t mean a thing next to money and power.
I get preachy when stuff like that comes up. *shrugs*
I have to agree that the DMCA has already taken its toll on free speech. The old strategy of divide and conquer at its finest continues to work. First you define a new kind of speech that is not protected by the First Amendment. In the DMCA’s case it’s linked to copyright. The key thing is that you have to make sure that it’s not the speech itself that’s redefined but the intent of the speech, which can be manipulated. And of course you have to make sure that the speech we are trying to censor is inferred to aid or enable criminal behavior, which everyone can agree is bad. And now the public can get all wrapped up in the debate about the degree of ‘bad’ that a particular form of speech takes, while the subterfuge is that the whole time free speech is insidiously being subverted. The fact that people are even debating the ‘badness’ of a particular form of speech is a sign that they have already consented that some speech should be limited. The cold, hard truth about free speech is that it’s an all or nothing proposition. You can’t have partially free speech; that is an oxymoron. Now the strategy is simple. You simply systematically enact laws that limit the ‘speech’ that could be construed as criminal intent, or aiding criminal behavior, culminating in a police state. It’s easier to accuse someone of using speech for criminal intent than it is to prove that free speech caused a crime to occur. So now it’s as easy as guilt by intent rather than having to actually commit a crime using info from free speech.
So once you start to agree that certain forms of speech are ‘bad’ you have fallen into the trap. That’s the short-sightedness of the American people. They’d rather prohibit the kinds of speech that they don’t like to hear, thus giving away rights, than accept that without free speech, the rest of the constitution is essentially meaningless. Wake up! If someone wants to broadcast to the world a bank security flaw, so be it. You don’t censor speech that _can_ lead to a crime. Free speech does not cause criminal behavior. That’s essentially what the root of the argument is. If we tell (reveal information), then more crimes can occur. How pompous that argument is. Talk about self-aggrandizing behavior. Show me the proof that by censoring information about security flaws, security breaches are lower.
Show me the proof that by censoring information on sex that less sex will occur.
Show me the proof that by censoring information on capitalism that capitalism will not occur.
Show me the proof that by censoring the information on genetics that mutating biological viruses will not occur.
Show me the proof that by censoring the information on ______ that _________ will not occur.
How many hundreds of thousands of people died to give America free speech, and how many fools wouldn’t give it a second thought to give it away….
blah rights blah blah freedom blah censorship blah blah responsibility blah security-through-obscurity blah blah science blah here’s the freakin’ paper:
http://cryptome.org/dtapc.pdf
Information wants to be free.
Just a for instance:
Someone leaks word that something is not ‘so’ secure as others might think it is.
Situation A: Joe’s an average guy, hears word about the insecurity, shrugs his shoulders, thinks “Another day, something else to concern oneself with.” He makes a pot of coffee and watches the tube.
Situation B: Joe Up’n’arms is someone that thinks every little thing means that someone’s out to get his pot of gold. Better lock it up before it’s too late. Calls all the banks in town and says, “I’ll never have my money in your *#*@( bank again!”. Calls everyone he knows and alerts the media, panic ensues. Joe forgot to read the fine print, nothing major to worry about.
Situation C: Joe Underground hears about the news and knows a little code. Pops on the PC and hacks away. “What do you know,” he quips. Proceeds to browse through bank account numbers and PINs; nothing concerns him, it’s just numbers. He makes a pot of coffee and watches the tube.
Moral of it all: It depends upon what kind of person receives the information and what they do with it. The information is just that…information. It’s not right or wrong.
One time a few weeks ago I went to my bank to deposit my pay check. I put my card in and it asked me for my PIN.. I was in a hurry and not paying attention and I thought it was asking English or Spanish… welp, I hit the button that is usually the “English” option and to my surprise it just went to the next screen and asked me if I wanted to deposit or withdraw! So I did my transactions NEVER putting in my PIN number! I called up the bank the following day to tell them about this and they said that I probably put it in and didn’t remember doing it.. I said “No.. trust me.. I did not put the PIN in!”. Next day I tried it again.. and again.. same thing.. so I call up again.. they say “hmmm.. we’ll send someone to check it out” and sure enough.. the day after that call.. the problem was fixed.
“Ross Anderson, a […] highly regarded security expert”
really?
Bruce Schneier’s opinion on full disclosure vs secrecy may be found here: http://www.counterpane.com/crypto-gram-0302.html . A really interesting read.
I feel for them. I actually was in a foreign country early last year & suddenly I couldn’t use my debit card anymore. My bank is a little more responsible, apparently: they noticed a large charge on my card (unusual for me, & in fact someone was trying to defraud me), refused that charge, & shut off all access to the account. I learned the details when I returned to the States & called to find out what happened.
So, it was embarrassing that I couldn’t use my debit card to pay my hotel bill, but I feel lucky.
I’ve seen far too many software companies refuse to fix known problems until they are made to look bad in the public eye. If you’ve given them some time to do something and they’re dragging their feet, then they need to be poked with the hot branding iron of shame in the public eye. It’s the only thing that cuts through all the BS red tape and politics inside most companies.
Should be required reading, in fact 😉
The sad thing is that anyone who tries to tell these kinds of things to other people also has an artificial limiting system imposed on them by “the people who want it to stay this way.” The tool is “discrediting”: claiming that someone who speaks up about the things that _venom said is paranoid or hypersensitive, or that they’ve taken things out of context, etc. Beware of this. There is always someone ready to discredit you for speaking up about things that they don’t want others to believe. This isn’t UFO conspiracy nonsense; this is the nature of what the USA was supposed to have been founded on.