Messenger refuses to be shot

Heart-warming story in The Register.

Computer scientists from Cambridge University have rebuffed attempts by a banking association to persuade them to take down a thesis covering the shortcomings of Chip-and-PIN as a payment verification method.

Omar Choudary’s masters thesis contains too much information about how it might be possible to fool a retailing terminal into thinking a PIN authorising a purchase had been entered, as far as the bankers are concerned. Noted cryptographer and banking security expert Professor Ross Anderson gives short shrift to the argument that publishing the research exceeds the bounds of responsible disclosure, politely but firmly telling the UK Cards Association that the research was already in the public domain and that Choudary’s work would stay online.

Anderson is one of Choudary’s supervisors in the latter’s research…

Ross Anderson is one of the most imperturbable guys I know, and his response to the bankers’ impertinence is right in character. It reads:

The bankers’ trade association has written to Cambridge University asking for the MPhil thesis of one of our research students, Omar Choudary, to be taken offline. They complain it contains too much detail of our No-PIN attack on Chip-and-PIN and thus “breaches the boundary of responsible disclosure”; they also complain about Omar’s post on the subject to this blog.

Needless to say, we’re not very impressed by this, and I made this clear in my response to the bankers. (I am embarrassed to see I accidentally left Mike Bond off the list of authors of the No-PIN vulnerability. Sorry, Mike!) There is one piece of Christmas cheer, though: the No-PIN attack no longer works against Barclays’ cards at a Barclays merchant. So at least they’ve started to fix the bug – even if it’s taken them a year. We’ll check and report on other banks later.

The bankers also fret that “future research, which may potentially be more damaging, may also be published in this level of detail”. Indeed. Omar is one of my coauthors on a new Chip-and-PIN paper that’s been accepted for Financial Cryptography 2011. So here is our Christmas present to the bankers: it means you all have to come to this conference to hear what we have to say!

This highlights an issue that also came up with WikiLeaks. The US government used a system for holding its confidential communications that was intrinsically insecure (a unified database with something like two million officials authorised to use it). When its insecurity is finally revealed by Bradley Manning (and then WikiLeaks), the response is to rage against the breach whereas the rational thing to do is to rethink the security architecture. Governments are entitled to keep some secrets. But if those secrets are important, then they ought to be seriously protected, not put at risk in such a clueless way. So exposure fulfils a vital function, however annoying it may be at the time.

One wonders, though, if anyone in the UK Cabinet Office is paying attention to all this. As far as I know, the Coalition is still committed to the computerisation of NHS medical records embarked upon by New Labour. This means that the UK is constructing the same kind of intrinsically-insecure system as that breached by WikiLeaks. If the NHS system is built, the UK will have a centralised database of highly confidential documents — the medical records of every citizen — to which upwards 100,000 people of different organisational grades will have routine rights of access. Imagine the fuss there will be when the News of the World pays some bent geek to access the medical records of Cabinet ministers, celebrities and the like.

The only way to keep systems secure is what Ross calls compartmentation. In a way, that’s what the US government abandoned in the aftermath of 9/11 as it struggled to respond to the damaging discovery that its intelligence agencies had failed to “join up the dots”. The system that Bradley Manning accessed and WikiLeaks published was the government’s response to the criticisms.

But at least governments have some options available to them; they can change — or abandon — their systems. If the Coalition is wise, it will rethink the NHS database. Banks, however, don’t have as many options because they are caught in a special trap. On the one hand, customers can’t be persuaded to use online systems unless the banks swear blind that they are 100% secure. But no system can be that secure and so banks have to perpetuate the illusion of such security — which is the worst scenario of all because that encourages people to trust everything to it.

The only rational attitude to online systems is cautious scepticism about their security. By constantly reminding us of the vulnerabilities in these systems, Ross and his group are performing a valuable public service, even if the bankers don’t like it.

UPDATE: Excellent piece in the Guardian which includes this:

In view of the UKCA’s letter, Anderson has authorised Choudary’s thesis to be published as a Computer Laboratory technical report.

“This will make it easier for people to find and cite, and will ensure that its presence on our website is permanent,” his reply to the UKCA states.

“It is outrageous that the banking industry should try to censor a student’s thesis even though it was lawful and already in the public domain,” Anderson told the Guardian.

“It was particularly surprising for its chair, Melanie Johnson, to make this request; as a former MP she must be aware of the Human Rights Act, and as a former Cambridge graduate student she should have a better understanding of this university’s culture.

“Her intervention was completely counterproductive for the banks who employ her: Omar’s thesis will now be read by thousands of people who would otherwise not have heard of it,” he said.