Viewing 40 posts - 1 through 40 (of 46 total)
Cambridge university refuses to censor student's thesis on banker's demand

    CountZero
    Full Member

    Cambridge university refuses to censor student’s thesis on chip-and-PIN vulnerabilities
    Cory Doctorow at 8:33 AM Saturday, Dec 25, 2010 
    After the UK banking trade association wrote to Cambridge university to have a student’s master’s thesis censored because it documented a well-known flaw in the chip-and-PIN system, Cambridge’s Ross Anderson sent an extremely stiff note in reply:

    Second, you seem to think that we might censor a student’s thesis, which is lawful and already in the public domain, simply because a powerful interest finds it inconvenient. This shows a deep misconception of what universities are and how we work. Cambridge is the University of Erasmus, of Newton, and of Darwin; censoring writings that offend the powerful is offensive to our deepest values. Thus even though the decision to put the thesis online was Omar’s, we have no choice but to back him. That would hold even if we did not agree with the material! Accordingly I have authorised the thesis to be issued as a Computer Laboratory Technical Report. This will make it easier for people to find and to cite, and will ensure that its presence on our web site is permanent….
    …Fifth, you say ‘Concern was expressed to us by the police that the student was allowed to falsify a transaction in a shop in Cambridge without first warning the merchant’. I fail to understand the basis for this. The banks in France had claimed (as you did) that their systems were secure; a French TV programme wished to discredit this claim (as Newsnight discredited yours); and I understand that Omar did a No-PIN transaction on the card of a French journalist with the journalist’s consent and on camera. At no time was there any intent to commit fraud; the journalist’s account was debited in due course in accordance with his mandate and the merchant was paid. It is perfectly clear that no transaction was falsified in any material sense. I would not consider such an experiment to require a reference to our ethics committee. By that time the Newsnight programme had appeared and the No-PIN attack was entirely in the public domain. The French television programme was clearly in the public interest, as it made it more difficult for banks in France to defraud their customers by claiming that their systems were secure when they were not.
    You complain that our work may undermine public confidence in the payments system. What will support public confidence in the payments system is evidence that the banks are frank and honest in admitting its weaknesses when they are exposed, and diligent in effecting the necessary remedies. Your letter shows that, instead, your member banks do their lamentable best to deprecate the work of those outside their cosy club, and indeed to censor it.

    Hairychested
    Free Member

    Good stuff, time to find the thesis then.

    deadlydarcy
    Free Member

    Please someone tell me the weakness without me having to read the thesis 🙂

    Stoner
    Free Member

    it’s a “bank’s”* demand, not a “banker’s” demand.

    * and actually it’s not even a bank, it’s a banking industry representative organisation created and funded to do PR and whitewashing.

    scaredypants
    Full Member

    What happened to points 1, 3 and 4 – censored?

    Elfinsafety
    Free Member

    Bloody right an’ all! Free Speech is an incredibly valuable yet fragile commodity, which is being threatened all the time by those wishing to protect their own interests.

    Exposing weaknesses in such a system is surely an act of great public service, as it’s the banks who reassure us about security, yet who are obliged to ensure that their systems are indeed what they claim to be. How dare private enterprise even attempt to silence those presenting the truth!

    I’m not one for censorship, me. I had an interesting discussion with senior university staff while I was there, over a video presentation (on censorship!) that I warned contained images that some may find offensive. They banned me from showing it, in direct contravention to their own policy on upholding freedom of speech and expression within the context of education and freedom of information. Even their own lawyers were confuddled over it. I did however get top marks for my presentation, even without actually presenting anything at all, as I’d proven my point perfectly. 😀

    druidh
    Free Member
    jhw
    Free Member

    Love it

    Go away, bank!

    Rio
    Full Member

    This one?

    No, power analysis of crypto devices is old news. I suspect they mean the man-in-the-middle attack – see Ross Anderson’s blog, always worth a read if you’re into these things.

    buzz-lightyear
    Free Member

    this one

    The central flaw in the protocol is that the PIN verification step is never explicitly authenticated. Whilst the authenticated data sent to the bank contains two fields which incorporate information about the result of the cardholder verification – the Terminal Verification Results (TVR) and the Issuer Application Data (IAD), they do not together provide an unambiguous encoding of the events which took place during the protocol run
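    The passage quoted above is the heart of the No-PIN (man-in-the-middle) weakness. The following Python model is an added example, not code from the thread or from the thesis: a card, a terminal and a "wedge" sitting between them. The wedge answers the terminal's VERIFY command with 9000 itself, so the terminal records PIN OK while the card never saw a PIN, and the TVR ends up identical to a legitimate signature transaction. Assumptions are labelled in the code: the IAD/CVR content is issuer-proprietary and is modelled as a plain string, the HMAC stands in for the card's Application Cryptogram, the key is constructed, and the `issuer_signed_cvm` variant (binding the terminal's CVM Results into what the card authenticates) illustrates one possible mitigation shape rather than any bank's deployed check. The TVR bit used is the EMV Book 3 "cardholder verification was not successful" flag.

```python
"""Simplified model of EMV cardholder verification and the No-PIN wedge attack.

Added example; EMV details are simplified (IAD/CVR as a string, HMAC in
place of the Application Cryptogram, constructed key).
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

ISSUER_KEY = b"constructed-demo-key"   # constructed; stands in for the card's AC key
SW_OK = bytes.fromhex("9000")          # ISO 7816-4 "success" status word
SW_PIN_WRONG = bytes.fromhex("63C0")   # verification failed, no retries left
TVR_CV_FAILED = 0x80                   # TVR byte 3 bit 8: cardholder verification not successful


@dataclass
class Card:
    pin: str
    pin_verified: bool = False

    def verify(self, candidate: str) -> bytes:
        """VERIFY command: the only place the card learns whether a PIN was checked."""
        self.pin_verified = candidate == self.pin
        return SW_OK if self.pin_verified else SW_PIN_WRONG

    def generate_ac(self, tvr: int, extra: tuple = ()) -> dict:
        """GENERATE AC: the card authenticates the TVR, its own IAD and any extra CDOL data."""
        iad = "PIN_VERIFIED" if self.pin_verified else "PIN_NOT_VERIFIED"  # simplified CVR
        signed = (f"TVR={tvr:02X}", f"IAD={iad}", *extra)
        mac = hmac.new(ISSUER_KEY, "|".join(signed).encode(), hashlib.sha256).hexdigest()
        return {"iad": iad, "signed": signed, "mac": mac}


class Wedge:
    """Man-in-the-middle device: answers VERIFY itself with 9000 and relays everything else."""

    def __init__(self, card: Card):
        self.card = card

    def verify(self, candidate: str) -> bytes:
        return SW_OK  # the real card never sees a VERIFY command

    def generate_ac(self, tvr: int, extra: tuple = ()) -> dict:
        return self.card.generate_ac(tvr, extra)


def terminal_transaction(channel, pin_entered: Optional[str], sign_cvm_results: bool = False) -> dict:
    """Terminal side: perform cardholder verification, then request an online cryptogram."""
    tvr = 0
    if pin_entered is None:
        cvm_results = "SIGNATURE"               # CVM Results (tag 9F34), terminal-generated
    else:
        sw = channel.verify(pin_entered)
        cvm_results = "PIN_OK" if sw == SW_OK else "PIN_FAILED"
        if sw != SW_OK:
            tvr |= TVR_CV_FAILED
    # Hypothetical mitigation: hand CVM Results to the card so it is covered by the MAC.
    extra = (f"CVM={cvm_results}",) if sign_cvm_results else ()
    ac = channel.generate_ac(tvr, extra)
    # Everything below travels to the issuer; only "signed" is covered by the MAC.
    return {"tvr": tvr, "cvm_results": cvm_results, **ac}


def mac_valid(tx: dict) -> bool:
    expected = hmac.new(ISSUER_KEY, "|".join(tx["signed"]).encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tx["mac"])


def issuer_baseline(tx: dict) -> bool:
    """Accept if the cryptogram verifies and the terminal reported no CV failure."""
    return mac_valid(tx) and not (tx["tvr"] & TVR_CV_FAILED)


def issuer_crosscheck(tx: dict) -> bool:
    """Also reject when the terminal claims PIN OK but the card says no PIN was verified."""
    claims_pin = tx["cvm_results"] == "PIN_OK"
    return issuer_baseline(tx) and not (claims_pin and tx["iad"] != "PIN_VERIFIED")


def issuer_signed_cvm(tx: dict) -> bool:
    """Stronger: require the terminal's CVM Results to appear inside the card-authenticated data."""
    return issuer_crosscheck(tx) and f"CVM={tx['cvm_results']}" in tx["signed"]


def honest_pin() -> dict:
    return terminal_transaction(Card("1234"), "1234")


def no_pin_attack() -> dict:
    return terminal_transaction(Wedge(Card("1234")), "0000")   # any PIN "works"


def signature_fallback() -> dict:
    return terminal_transaction(Card("1234"), None)


if __name__ == "__main__":
    for name, tx in (("honest", honest_pin()), ("wedge", no_pin_attack()), ("signature", signature_fallback())):
        print(name, "TVR=%02X" % tx["tvr"], tx["cvm_results"], tx["iad"],
              "baseline:", issuer_baseline(tx), "crosscheck:", issuer_crosscheck(tx))
```

    Running it shows the point of the quoted paragraph: the wedge transaction and the legitimate signature transaction carry the same TVR (no failure flagged), so the TVR alone cannot tell them apart. The baseline issuer logic accepts the attack; only comparing the terminal's unauthenticated CVM Results against the card's IAD catches it, and only binding CVM Results into the card-authenticated data lets the card's cryptogram itself vouch for what the terminal believed happened.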

    Rio
    Full Member

    this one

    No, that paper’s been around for a while. But you’re getting closer!

    CountZero
    Full Member

    Thanks, stoner, for your critique, I was somewhat constrained by the character limit on the thread title and had to edit quickly. I’m really sorry I offended your delicate sensibilities in not being perfectly grammatically correct. Just blame it on my working-class upbringing and secondary school education. I never had the benefit of a middle-class upbringing and fancy university education. Apologies for that.

    Stoner
    Free Member

    Don't worry your pretty little working-class head about it – it wasn't a grammatical error, just a factual one.

    aP
    Free Member

    I’d have thought that a PR hack would be quite upset to be called a banker, when they’re obviously quite different occupations (note I didn't call either of them professions).

    donsimon
    Free Member

    it’s a “bank’s”* demand, not a “banker’s” demand.

    * and actually it’s not even a bank, it’s a banking industry representative organisation created and funded to do PR and whitewashing.

    Oh! I thought the title was swear filter avoidance, hey hoy!

    Free speech rules… 😆

    jhw
    Free Member

    what are the professions? I want an exhaustive list

    lawyer doctor accountant actuary architect

    engineer?

    By “profession” I mean you have to sit exams to do it, and I mean lots of exams, and tough ones, including exams on integrity and professional conduct, and then you have to carry on staying on top of developments in the field otherwise you get sued

    So no, PR and banking do not count. Especially not banking!

    Rio
    Full Member

    I want an exhaustive list

    Here you go – 270 professional bodies on here, including banking and PR. But even that’s not exhaustive – I’m a member of a professional body that’s not on there.

    TheBrick
    Free Member

    I can’t remember the exact quote but it went something like this.

    “Not all unskilled work requires no skill and not all professions are professional.”

    As far as the OP goes excellent. “Can you please hide the fact that we are incompetent in sorting out a security issue.”

    chakaping
    Free Member

    That Ross Anderson should change his profession to high-horse climbing.

    Although he’d have some stiff competition from some of you lot.

    (I do think he’s right though, just a bit of a prat)

    buzz-lightyear
    Free Member

    Bickering at Christmas. Tut tut.

    scaredypants
    Full Member

    it’s a “bank’s”* demand, not a “banker’s” demand

    sure as shit I’m not going looking for the “details” ( 😉 )

    Isn’t it possible that the individual making the demands was a banker anyway ? (is there a definition of a banker, beyond the cockernee one ?)

    chakaping
    Free Member

    Bickering at Christmas. Tut tut.

    Wouldn’t be Christmas without a bit of a barney.

    rustler
    Free Member

    Don't worry your pretty little working-class head about it – it wasn't a grammatical error, just a factual one.

    What a banker.

    Elfinsafety
    Free Member

    I’ve had a fancy uniservity edumacation, and I’m still a stupid little idiot!!! 😀

    Junkyard
    Free Member

    That Ross Anderson should change his profession to high-horse climbing

    I know, I hate it when people have principles and stand by them. Why can't we have more people like Lib Dem MPs, whose pledges and principles mean nothing?

    stoner you could have spoken on the issue rather than just be supercilious

    chakaping
    Free Member

    Cambridge is the University of Erasmus, of Newton, and of Darwin; censoring writings that offend the powerful is offensive to our deepest values.

    laying it on a bit thick IMO

    TheBrick
    Free Member

    Not really. Freedom of information and science go hand in hand. Trying to censor scientific knowledge goes back to Galileo etc.

    CaptJon
    Free Member

    It’s not uncommon to embargo theses depending on the subject matter, although it is usually done for ethical and cultural reasons relating to subjects involved in the research (e.g. people you’ve spoken to, groups you have studied etc). Research done for commercial purposes – consultancy and the like – is frequently not made public. And academics do lots of work which never sees the light of internal seminars, let alone conferences, journal articles or press releases. I can only speak from a social sciences perspective, however.

    Stoner
    Free Member

    stoner you could have spoken on the issue rather than just be supercilious

    Mleh, I agree with my alma mater. I was pointing out that it was the defensive act of a commercially driven organisation, not a bit of bitching by a grumpy banker which the thread title incorrectly implied.

    “details” are obviously sooooo unnecessary.

    Elfinsafety
    Free Member

    Don’t worry about it Stoner. You’re getting your knickers in a twist over nowt.

    Don’t worry your ‘desperately striving for recognition from my peers’ head about it…

    nickc
    Full Member

    The BBA’s honorary chairman is Marcus Agius, the chairman of Barclays

    I was pointing out that it was the defensive act of a commercially driven organisation, not a bit of bitching by a grumpy banker which the thread title incorrectly implied.

    I’m guessing the BBA and the “grumpy bankers” may have pretty close ties, perhaps even, and I’m guessing here, the BBA statement maybe, y’know, a cover for when bankers don’t want to get their hands dirty with a fight they know makes them look bad…

    I’m just guessing though.

    Stoner
    Free Member

    Good guess, nick. Did you come up with that all on your own?

    I’m just saying that it's an organisation throwing its weight around, not one arsehole banker.

    SurroundedByZulus
    Free Member

    Stoner – Does a tautology qualify as being a grammatical error?

    TheBrick
    Free Member

    i.e. it’s lots of arseholes throwing their weight in a unified direction.

    nickc
    Full Member

    I’m just saying that it's an organisation throwing its weight around, not one arsehole banker.

    what is the collective noun for a group of asshole bankers, I wonder..?

    Stoner
    Free Member

    It’s arsehole not asshole.

    Standards round here have really suffered of late.

    And the collective noun for a bunch of arseholes is a “Labour party”. So for banking arseholes maybe it’s a LIBOR party.

    Jamie
    Free Member

    You really should pull that stick out of your ass arse Stoner. I feel it is stopping us from seeing the best of you.

    Elfinsafety
    Free Member

    I don’t really think we should discuss what the collective term ‘Conservative Party’ describes really, this being a Family Forum and all that…. 😐

    nickc
    Full Member

    arsehole….asshole, mleh semantics…

    like maybe; bankers or their trade organisation…same thing, different name.

    A raping? of bankers

    Stoner
    Free Member

    A pestilence of direct telephone marketing executives?


The topic ‘Cambridge university refuses to censor student's thesis on banker's demand’ is closed to new replies.