
Cambridge University refuses to censor student's thesis - r11t
http://www.boingboing.net/2010/12/25/cambridge-university-1.html
======
jburwell
First, he thrusts the knife in, then violently twists it -- "Accordingly I
have authorised the thesis to be issued as a Computer Laboratory Technical
Report. This will make it easier for people to find and to cite, and will
ensure that its presence on our web site is permanent....". Classic.

~~~
p_nathan
The Brits often have _such_ a way with words. Bless them.

~~~
chunkyslink
The English have a way with ... English!

Fancy that.

------
blhack
>Cambridge is the University of Erasmus, of Newton, and of Darwin.

This is a very elegant way of giving them the finger.

~~~
elblanco
It's also a surprising _appeal to authority_ logical fallacy. Those people
don't work there anymore.

(not that I disagree with them that they shouldn't censor the findings)

~~~
vl
I don't see the reason for downvoting parent. Full quote is "Cambridge is the
University of Erasmus, of Newton, and of Darwin; censoring writings that
offend the powerful is offensive to our deepest values", and first part struck
me as completely irrelevant to the second part, somewhat unworthy of this
otherwise well-convened letter.

In addition to that I don't see it as an "elegant way of giving finger", how
mentioning of historic figures conveys the "finger message"?

~~~
yesbabyyes
Erasmus, Newton and Darwin all published writings which offended the powerful.
Cambridge didn't censor that, and they seem to see that as a winning strategy.

------
liuhenry
Previous post/discussion: <http://news.ycombinator.com/item?id=2039117>

------
nsdsudf
Prof. Anderson shows good character.

Let's talk about the other side. Businesses have always acted this way when it
comes to computer security (for at least the last 15 years, feel free to cite
earlier examples). By now they probably understand that what they're doing is
wrong, from a security perspective. They may even understand that issuing
takedowns increases publicity. Still, businesses are sociopathic, they don't
care about the legitimacy of their actions. They have a staff of lawyers
they're already paying for, and a responsibility to defend trade secrets and
protect their product base. So they marshal their lawyers, essentially for
free, and maybe they get something out of the effort as a result. If they
don't, nothing much was lost, and they generally don't care about their
perception in the security community. Same old story. This incident is less
about someone standing up to a bully and more about someone weathering another
wave coming out of the ocean.

~~~
ggchappell
I think I see what you are saying, but I don't agree with the contrast you
mention in your last sentence.

Consider: being sociopathic, not caring about the legitimacy of their actions,
harassing someone when the risk to them is small -- how does this differ from
being a bully?

~~~
sudont
Eventually a bully may learn. A true sociopath will continue no matter how
many times punished.

~~~
ggchappell
Interesting point.

But if that's true, then businesses almost never act in a manner we would call
sociopathic. And my earlier comment (suitably modified) still stands.

~~~
nsdsudf
Hi ggchappell,

We agree on your point. The company is being a bully. My issue is with the
reception of the story. The larger picture is that frivolous takedown notices
are issued all the time, and will continue to be issued willfully by companies
until there is disincentive to do so.

Prof. Anderson's actions are commendable. I do not wish to detract from them.
However, with the candor I hope a security researcher would appreciate, I
point out that both parties probably expected this exchange would take place,
and both parties understand Prof. Anderson's response is ineffective. (The
Internet, however, may not.)

Prof. Anderson has successfully stood up to this organization, but he has only
maintained parity. This kind of incident will repeat as long as companies
believe they can get something out of it. Someone else will cave or will plain
not know any better. The companies' goal is, basically, harassment, and they
will continue to do it regardless of anything that's happened so far. So I
guess my point is that I would rather see people discussing how to remedy this
old situation than remarking on the letter, which while entertaining and
well-written, is actually the signifier of a losing battle.

(unfortunately this is the last I can comment on this topic)

------
instakill
Brilliant. If only more institutions had a spine like the one displayed here.

~~~
CrazedGeek
They're legally required to: <http://news.ycombinator.com/item?id=2039235>

~~~
Qz
They're not legally required to be so badass about it.

------
yesbabyyes
Link to original letter - oh boy this is a good read:
<http://www.cl.cam.ac.uk/~rja14/Papers/ukca.pdf>

~~~
gridspy
Nice last paragraph:

Nonetheless, I am delighted to note your firm statement that the attack will no
longer work and pleased that the industry has been finally been able to deal
with this security issue, albeit some considerable time after the original
disclosure back in 2009.

------
rlmw
To be fair I didn't read this the first time it was on HN - I'm inclined to
think that the title of the post is more descriptive than the original, and
it's deserving front page material, even if it is a duplicate.

~~~
liuhenry
Agreed, but it is useful/insightful to have the comments/discussion on hand.

------
emilepetrone
BBC video on chip & pin findings: <http://www.youtube.com/watch?v=_yyfcHSXZLc>

------
w1ntermute
Dupe: <http://news.ycombinator.com/item?id=2039117>

------
isomorph
He's a good lecturer too. Funny how being a good lecturer and being a badass
correlate.

~~~
jlees
"Security! Security! Security!"

Although there were some fantastic lecturers at Cambridge who were somehow
very terrible at getting the material across, but whose content/personalities
were so enjoyable it was worth turning up anyway. I dare say it's the same
everywhere.

------
revorad
The thesis - <http://www.cl.cam.ac.uk/~osc22/docs/mphil_acs_osc22.pdf>

------
marcamillion
Intentionally or unintentionally, this has got to be one of the best pieces of
marketing for research inclined students and faculty that they could have ever
produced.

So much so, that the skeptic in me thinks this was intentionally leaked.

I had always considered possibly applying to the University of Cambridge, and
I know they are Ivy League...but this letter, firmly solidifies them as a
contender for any higher education I might pursue.

------
raghava
> _You complain that ... and indeed to censor it._

The penultimate para in the original letter, wow! A befitting answer to a
bully, and how! :)

------
koski
I wonder when Cambridge starts to be blocked by the banks then ... :)

------
fleitz
I tend to disagree with the banks' assessment that it will undermine public
confidence. The research gives the public one more piece of information to
judge the risks for placing their money in a financial institution.

The banking sector as participants in a free market who frequently advocate
for opening of more sectors of the economy to the free market (and rightly so)
should be encouraging such research. The research gives consumers of banking
services more accurate information to consider when deciding how accessible
their money should be. Additional information allows consumers to make more
informed choices regarding the trade offs between security and convenience.
Banks could offer insurance to their customers to protect them against the
risks while still keeping the benefits of increased convenience.

It's an opportunity for the banks to differentiate their services and cater to
the needs of their customers. Yes, not having a PIN is less secure, but it's
also more convenient, with proper positioning of their products banks should
be able to offer tailored solutions that better address the needs of their
customers.

------
drivebyacct2
For the third time, we get it.

------
kwoks
Am proud of being in the University of Cambridge.....we don't produce apps.

------
GrandMasterBirt
"we have no choice but to back him. That would hold even if we did not agree
with the material!"

Reminds me of a Franklin quote: "Sir, I disagree with you, but I will fight to
the death for your right to say it."

~~~
instakill
Surely you mean Voltaire?

"I disapprove of what you say, but I will defend to the death your right to
say it"

------
Tarski
Wouldn't it have been far nobler to approach the banks affected by the exploit
with these findings rather than publishing schematics for the exploit into the
public domain?

~~~
wjy
I believe the article states they notified the banks before publishing the
original work.

~~~
Tarski
No it doesn't? I'm not taking the side of the banks here, just trying to
understand why the author took the approach he did. It's a shame that at times
the HN community is one of single-mindedness where opposite views are met with
immediate down-votes.

~~~
drm237
> ... because it documented a well-known flaw in the chip-and-PIN system...

The author of the article at least believes that it is a well-known flaw so
responsible disclosure isn't really applicable.

~~~
Tarski
Well I think you hit the nail on the head, that the disclosure isn't
responsible. I'm all for bringing the flaws in chip-and-pin to the public
attention, however I find it distasteful that a leading university publishing
the schematics of a device that can be used to commit fraud, receives so much
applause from this community.

I get the impression that this has captured the public mood of "sticking it to
the bankers", when really Cambridge have gone about this one the wrong way.

~~~
foamdino
My reading of the whole incident is that the exploit was disclosed
(responsibly) to the banks 1 year ago and the banks have done nothing to fix
the problem. Since then the professor (along with others) published a paper
detailing the exploit. Finally the MPhil student cited the previously
published paper in his thesis (it would be a crappy thesis to not reference
current similar work)

At no point do I get the indication that the MPhil student was acting in a way
that was 'irresponsible' - I don't know how you have come to that conclusion.

