Monday, December 27, 2010

Cambridge university refuses to censor student's thesis on chip-and-PIN vulnerabilities

Cambridge university refuses to censor student's thesis on chip-and-PIN vulnerabilities: "After the UK banking trade association wrote to Cambridge university to have a student's master's thesis censored because it documented a well-known flaw in the chip-and-PIN system, Cambridge's Ross Anderson sent an extremely stiff note in reply:

Second, you seem to think that we might censor a student's thesis, which is lawful and already in the public domain, simply because a powerful interest finds it inconvenient. This shows a deep misconception of what universities are and how we work. Cambridge is the University of Erasmus, of Newton, and of Darwin; censoring writings that offend the powerful is offensive to our deepest values. Thus even though the decision to put the thesis online was Omar's, we have no choice but to back him. That would hold even if we did not agree with the material! Accordingly I have authorised the thesis to be issued as a Computer Laboratory Technical Report. This will make it easier for people to find and to cite, and will ensure that its presence on our web site is permanent....

...Fifth, you say 'Concern was expressed to us by the police that the student was allowed to falsify a transaction in a shop in Cambridge without first warning the merchant'. I fail to understand the basis for this. The banks in France had claimed (as you did) that their systems were secure; a French TV programme wished to discredit this claim (as Newsnight discredited yours); and I understand that Omar did a No-PIN transaction on the card of a French journalist with the journalist's consent and on camera. At no time was there any intent to commit fraud; the journalist's account was debited in due course in accordance with his mandate and the merchant was paid. It is perfectly clear that no transaction was falsified in any material sense. I would not consider such an experiment to require a reference to our ethics committee. By that time the Newsnight programme had appeared and the No-PIN attack was entirely in the public domain. The French television programme was clearly in the public interest, as it made it more difficult for banks in France to defraud their customers by claiming that their systems were secure when they were not.

You complain that our work may undermine public confidence in the payments system. What will support public confidence in the payments system is evidence that the banks are frank and honest in admitting its weaknesses when they are exposed, and diligent in effecting the necessary remedies. Your letter shows that, instead, your member banks do their lamentable best to deprecate the work of those outside their cosy club, and indeed to censor it.

A Merry Christmas to all Bankers

Letter to bankers (PDF)

(via /.)
