Subject: [IP] Citibank tries to gag crypto bug disclosure
------ Forwarded Message
From: Brian Randell <Brian.Randell@newcastle.ac.uk>
Date: Thu, 20 Feb 2003 12:15:09 +0000
To: farber@cis.upenn.edu
Subject: Fwd: [open-source] Citibank tries to gag crypto bug disclosure

Dave:

I assume you've seen this, but just in case ...

cheers

Brian

PS I was at Monday's meeting at Microsoft Research in Cambridge, in honour of Roger Needham, at which Ross Anderson gave an excellent about this work.

>To: open-source@csl.sri.com
>Subject: [open-source] Citibank tries to gag crypto bug disclosure
>Date: Thu, 20 Feb 2003 09:58:47 +0000
>From: Ross Anderson <Ross.Anderson@cl.cam.ac.uk>
>Reply-To: Ross Anderson <Ross.Anderson@cl.cam.ac.uk>
>
>Citibank is trying to get an order in the High Court today gagging
>public disclosure of crypto vulnerabilities:
>
>  http://www.cl.cam.ac.uk/ftp/users/rja14/citibank_gag.pdf
>
>I have written to the judge opposing the order:
>
>  http://www.cl.cam.ac.uk/ftp/users/rja14/citibank_response.pdf
>
>The background is that my student Mike Bond has discovered some really
>horrendous vulnerabilities in the cryptographic equipment commonly
>used to protect the PINs used to identify customers to cash machines:
>
>  http://www.cl.cam.ac.uk/TechReports/UCAM-CL-TR-560.pdf
>
>These vulnerabilities mean that bank insiders can almost trivially
>find out the PINs of any or all customers. The discoveries happened
>while Mike and I were working as expert witnesses on a `phantom
>withdrawal' case.
>
>The vulnerabilities are also scientifically interesting:
>
>  http://cryptome.org/pacc.htm
>
>For the last couple of years or so there has been a rising tide of
>phantoms. I get emails with increasing frequency from people all over
>the world whose banks have debited them for ATM withdrawals that they
>deny making. Banks in many countries simply claim that their systems
>are secure and so the customers must be responsible. It now looks like
>some of these vulnerabilities have also been discovered by the bad
>guys. Our courts and regulators should make the banks fix their
>systems, rather than just lying about security and dumping the costs
>on the customers.
>
>Curiously enough, Citi was also the bank in the case that set US law
>on phantom withdrawals from ATMs (Judd v Citibank). They lost. I hope
>that's an omen, if not a precedent ...
>
>Ross Anderson

-- 
School of Computing Science, University of Newcastle, Newcastle upon Tyne, NE1 7RU, UK
EMAIL = Brian.Randell@newcastle.ac.uk
PHONE = +44 191 222 7923
FAX = +44 191 222 8232
URL = http://www.cs.ncl.ac.uk/~brian.randell/

------ End of Forwarded Message