[Cross-posted]

[This appears to be a growing trend: a corporation creates an insecure
product or protocol, and then tries to bring in the force of the law
against people who plan to publish (disclose) that insecurity.  The
DMCA in the US is meant precisely to gag vulnerability publishers and
to prevent tools for discovering vulnerabilities from being created
and distributed.

All the more reason to use FLOSS and open protocols.  When you cannot
audit your software or the protocols and algorithms it uses, can you
ever be sure of actual security as opposed to security being
simulated at the point of a gun?

-- Raju]

This is an RFC 1153 digest.
(1 message)
----------------------------------------------------------------------
Date: Thu, 20 Feb 2003 14:04:01 -0800
From: Robert Moskowitz <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: [saag]  Of potential interest -- Citibank tries to gag crypto bug
    disclosure

 >To: [EMAIL PROTECTED]
 >Subject: Citibank tries to gag crypto bug disclosure
 >Date: Thu, 20 Feb 2003 09:57:34 +0000
 >From: Ross Anderson <[EMAIL PROTECTED]>
 >
 >
 >Citibank is trying to get an order in the High Court today gagging
 >public disclosure of crypto vulnerabilities:
 >
 >    http://www.cl.cam.ac.uk/ftp/users/rja14/citibank_gag.pdf
 >
 >I have written to the judge opposing the order:
 >
 >    http://www.cl.cam.ac.uk/ftp/users/rja14/citibank_response.pdf
 >
 >The background is that my student Mike Bond has discovered some really
 >horrendous vulnerabilities in the cryptographic equipment commonly
 >used to protect the PINs used to identify customers to cash machines:
 >
 >    http://www.cl.cam.ac.uk/TechReports/UCAM-CL-TR-560.pdf
 >
 >These vulnerabilities mean that bank insiders can almost trivially
 >find out the PINs of any or all customers. The discoveries happened
 >while Mike and I were working as expert witnesses on a `phantom
 >withdrawal' case.
 >
 >The vulnerabilities are also scientifically interesting:
 >
 >    http://cryptome.org/pacc.htm
 >
 >For the last couple of years or so there has been a rising tide of
 >phantoms. I get emails with increasing frequency from people all over
 >the world whose banks have debited them for ATM withdrawals that they
 >deny making. Banks in many countries simply claim that their systems
 >are secure and so the customers must be responsible. It now looks like
 >some of these vulnerabilities have also been discovered by the bad
 >guys. Our courts and regulators should make the banks fix their
 >systems, rather than just lying about security and dumping the costs
 >on the customers.
 >
 >Curiously enough, Citi was also the bank in the case that set US law
 >on phantom withdrawals from ATMs (Judd v Citibank). They lost. I hope
 >that's an omen, if not a precedent ...
 >
 >Ross Anderson
Robert Moskowitz
TruSecure Corporation
Security Interest EMail: [EMAIL PROTECTED]

_______________________________________________
saag mailing list
[EMAIL PROTECTED]
https://jis.mit.edu/mailman/listinfo/saag

------------------------------

End of this Digest
******************

-- 
Raj Mathur                [EMAIL PROTECTED]      http://kandalaya.org/
                      It is the mind that moves

          ================================================
To unsubscribe, send email to [EMAIL PROTECTED] with unsubscribe in subject 
header. Check archives at http://www.mail-archive.com/ilugd%40wpaa.org
