
Prof. Ross Anderson's response to a takedown request about security research - randomwalker
http://www.cl.cam.ac.uk/~rja14/Papers/ukca.pdf
======
randomwalker
Some background information.

The fundamental reason why this is a big deal is that in the UK, the
repercussions of fraud are skewed towards customers rather than the banks. The
relevant legal standard is that customers must exercise "reasonable care" with
their PIN if the bank is to bear the cost of fraud. Of course, banks always
insist that their systems are secure, and that it was the customer's fault.
<http://www.timesonline.co.uk/tol/money/consumer_affairs/article6249940.ece>

The Cambridge team has been investigating vulnerabilities in the EMV standard
underlying Chip and PIN (ubiquitous in the UK) for a long time.

From 2006: <http://www.lightbluetouchpaper.org/2006/03/15/chip-and-skim/>

If I understand correctly they first started to find serious vulnerabilities
in 2009.

Blog post: <http://www.lightbluetouchpaper.org/2009/08/25/defending-against-wedge-attacks/>

Paper: "Optimised to Fail: Card Readers for Online Banking"
<http://www.cl.cam.ac.uk/~sd410/papers/optimised_fail.pdf>

Media: <http://www.youtube.com/watch?v=U1QAnb-wnTs>

They escalated that attack in 2010.
<http://www.lightbluetouchpaper.org/2010/02/11/chip-and-pin-is-broken/>

Paper:
<http://www.cl.cam.ac.uk/~sjm217/papers/oakland10chipbroken.pdf>

Media: <http://www.youtube.com/watch?v=1pMuV2o4Lrw>

~~~
StavrosK
I don't really understand the logic behind chip and pin cards. Do you really
want me to disclose my card _and_ my PIN to a completely untrusted machine a
stranger hands to me? How do I know the vendor won't just record both and
replay them, charging me for things I didn't pay?

~~~
huhtenberg
Chip cards cannot be "replayed" or cloned, that's why there's a chip in the
first place. The chip stores the card's private key that is used to digitally
sign a (purchase) transaction. Each transaction is a multi-message _exchange_
in real-time between the terminal and the bank and it includes a unique ID
generated by the bank, which is covered by the signature. This effectively
prevents a replay.

The private key cannot be read from the chip without the use of a tunneling
microscope or other hardware exotics. In fact it is not untypical for a chip
to have a built-in protection against key retrieval that is set to physically
fry the chip. The PIN is used to tell the chip to do the digital signing. No
PIN = no signing.

That's how it works in general. This application of the smartcard technology
is almost 20 years old, so while there are some variations one could still
call it sufficiently _mature_ :grin

~~~
Someone
_Each transaction is a multi-message exchange in real-time between the
terminal and the bank and it includes a unique ID generated by the bank_

That may or may not be the case (there is no way for customers to check that),
but the problem is that this encrypted communication is between some third
party's terminal and my bank, not between my chip and my bank. IIRC correctly,
the protocol in the end boils down to:

- bank asks terminal 'Can you verify that the customer is who he claims to
be?'

- terminal asks user for PIN

- terminal asks chip: is this PIN correct?

- chip replies: yes.

So, I have to trust that the terminal will not e.g. put my PIN on Twitter.

Worse, that terminal-chip communication is not encrypted. Hence, it is
vulnerable to a man-in-the-middle attack. That is what 'chip and PIN is
broken' demonstrated.

~~~
huhtenberg
Actually, no, that's not how it worked when I last looked at it. At the high-
level it was:

- bank asks terminal "Here's a random token, have the chip sign it with its
private key"

- terminal asks the customer for the PIN

- terminal feeds PIN into the chip, and this enables signing function

- terminal feeds bank's token into the chip, gets the signature back and
forwards it to the bank

What you described looks like something designed by a layman with very basic
understanding of the cryptography. I will not be _shocked_ if this was in fact
deployed, but I still find it very unlikely.

~~~
Someone
I reread
<http://www.cl.cam.ac.uk/~sjm217/papers/oakland10chipbroken.pdf>,
and things are indeed similar to what you describe. If I understand things
correctly, the difference is that the "and this enables signing function" part
isn't there. It is enabled by default, and gets disabled only when PIN check
fails. That is 'necessary' because the terminal can skip this step if it wants
to do a transaction without PIN check.

A man in the middle can hide the "check this PIN" request that the terminal
sends from the chip and send a "PIN is OK" reply to the terminal. That way,
the terminal thinks PIN check succeeded, and the chip thinks it is doing a
payment without PIN check.
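
An added example (not part of the thread, and not code from the paper): a toy Python model of the disagreement described in the comment above, where the terminal believes a PIN check succeeded while the chip believes none was requested, together with an issuer-side consistency check that catches it. The HMAC key, the field names and the `issuer_check` policy are assumptions made for illustration; they are not EMV message formats.

```python
import hashlib
import hmac
import json

# Constructed demo key shared by card and issuer (assumption: stands in for the card's secret).
CARD_KEY = b"constructed-demo-key"

def _mac(fields):
    msg = json.dumps(fields, sort_keys=True).encode()
    return hmac.new(CARD_KEY, msg, hashlib.sha256).hexdigest()

class Card:
    """Toy chip: authorisation is on by default and disabled only by a failed PIN check."""
    def __init__(self, pin):
        self._pin = pin
        self.pin_verified = False  # the card's own view of cardholder verification
        self.pin_failed = False

    def verify_pin(self, pin):
        ok = hmac.compare_digest(pin, self._pin)
        self.pin_verified, self.pin_failed = ok, not ok
        return ok

    def authorise(self, nonce, amount):
        if self.pin_failed:
            return None
        # The card's view is covered by the MAC, so nobody between card and issuer can alter it.
        fields = {"nonce": nonce, "amount": amount, "card_pin_verified": self.pin_verified}
        return {**fields, "mac": _mac(fields)}

def issuer_check(record, nonce, amount, terminal_says_pin_verified):
    """Hypothetical issuer policy: returns (approved, reason)."""
    if record is None:
        return False, "card declined"
    fields = {k: record[k] for k in ("nonce", "amount", "card_pin_verified")}
    if not hmac.compare_digest(record["mac"], _mac(fields)):
        return False, "bad MAC"
    if fields["nonce"] != nonce or fields["amount"] != amount:
        return False, "stale or altered transaction"
    if terminal_says_pin_verified != fields["card_pin_verified"]:
        return False, "verification mismatch"  # terminal and card disagree
    return True, "ok"

def demo():
    honest = Card("4821")  # constructed sample PIN
    honest.verify_pin("4821")
    ok = issuer_check(honest.authorise("n1", 1000), "n1", 1000, True)
    unseen = Card("4821")  # card never received a PIN check, terminal reports success
    bad = issuer_check(unseen.authorise("n2", 1000), "n2", 1000, True)
    return ok, bad
```

The check only works because the card's own view of verification sits inside the authenticated record; the terminal's report alone cannot be trusted for this purpose.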

------
ig1
An important but often overlooked fact is that while there's no universal
freedom of speech in British Law (although the UK is a member of the European
convention on human rights which has such a protection), universities
specifically are required to act to protect freedom of speech of their
members.

The University of Cambridge is legally obliged to stand behind this research
under the 1986 Education Act which states:

    (2) The duty imposed by subsection (1) above includes
    (in particular) the duty to ensure, so far as is
    reasonably practicable, that the use of any premises
    of the establishment is not denied to any individual
    or body of persons on any ground connected with—

    (a) the beliefs or views of that individual or of any
    member of that body; or

    (b) the policy or objectives of that body.

Full text: <http://www.legislation.gov.uk/ukpga/1986/61/section/43>

~~~
cperciva
_while there's no universal freedom of speech in British Law..._

Perhaps not in _written_ law, but I think you'd have a hard time convincing a
judge that the British constitution does not guarantee freedom of speech.

As my legal friends are fond of pointing out, an unwritten constitution has the
important advantage that its words can't be twisted the way that a written
constitution can.

~~~
pyre
But an unwritten constitution is easier to change, because there is nothing
written down to refer to as a 'base.'

~~~
cperciva
Canadian constitutional law has something called the 'living tree doctrine',
which states that the constitution can grow and evolve over time, being
reinterpreted in new contexts. To push the metaphor a bit further, I'd point
out that a living tree is considerably more resilient than a dead tree, and is
likely to adapt to conditions which might otherwise destroy it.

I don't think anyone can seriously claim that the commerce clause of the US
constitution was intended to grant the vast powers which it has been used to
uphold; but because the US constitution is -- theoretically -- not subject to
growth and reinterpretation the way that the Canadian or British constitutions
are, a legal fiction has been adopted instead.

If the commerce clause had been interpreted within the context of the Canadian
or British constitutions, it would probably have been handled as "we're going
to read _one new power_ into this" on a number of occasions, rather than the
"yes, this clause gives you the power to do _everything_ " which seems to have
occurred in the US.

~~~
pyre
I find it extremely disingenuous to say that because the Canadian (or British)
Constitution can easily be re-interpreted in different contexts, that it will
always be interpreted in 'the correct way.' You seem to be pointing to
examples of the US Constitution being interpreted poorly, making the
implication that a 'dead tree' constitution can _only_ be interpreted poorly,
and a 'living tree' constitution can _only_ be interpreted in a good way.

A constitution that can be easily re-interpreted may allow for your government
to 'turn on a dime,' but it makes no claims to whether your government is
turning in a good or bad direction.

As to the US Constitution:

* The US Constitution can be re-interpreted by the US Supreme Court through the setting of legal precedent.

* The US Constitution can be amended by Congress. (Prohibition was a Constitutional Amendment).

* The current interpretation of the commerce clause could be overturned by the US Supreme Court should a case come before them, and the make-up of the justices leans towards overturning the current state of affairs.

~~~
runningdogx
The U.S. Constitution absolutely cannot be amended by Congress.

~~~
pyre
Amended by Congress with the approval of the States. It's a slight difference.
In the grand scheme of things like checks and balances, it matters, but in the
real-world Congress is the only one that has the power to start the process.
The States themselves can't float a Constitutional amendment so far as I
understand it.

~~~
gthank
In fact they can, but it has never happened. The relevant text is here:
<http://www.usconstitution.net/const.html#Article5>. The basic idea is that
2/3 of the state legislatures must call a Constitutional Convention, where the
Amendment(s) will be proposed and sent to the states for ratification.

------
oiuytuikolikuhy
If one of the smartest computer security guys was prepared to do all this work
and throw lots of expensive experts (well grad students) at finding your bugs
- would you:

1, Send developers to all their seminars to learn something

2, Buy them drinks

3, Sue them

~~~
iwwr
If anything, the banks promoting this technology should be sued for false
advertising.

 _in many cases banks refused to reimburse cardholders who reported
unauthorised card use, claiming that their systems could not fail_

<http://en.wikipedia.org/wiki/Chip_and_PIN>

~~~
oiuytuikolikuhy
2 decades earlier they prosecuted people who reported ATM losses for fraud -
because ATMs were perfectly secure.

~~~
waqf
reference?

~~~
oiuytuikolikuhy
Numerous papers on Ross's page

<http://www.cl.cam.ac.uk/~rja14/Papers/wcf.html>

------
mjac
Reading that letter makes me proud of the Security Group at Cambridge
University. Ross Anderson took us for a couple of Security courses in
second/third year Computer Science and was interesting, direct and completely
no-nonsense. He emphasised that policy and ignorance were often the main
causes of failures, especially with LAS, NHS centralisation (UK government
projects). I find strong individuals like Anderson inspiring when they take on
organisations who attack knowledge rather than being hands-on and fixing their
systems.

The Security II course is especially relevant. I am not sure that everyone can
access these resources but the lecture notes cover a variety of modern
hardware approaches to security (including chip-and-pin). Try:
<http://www.cl.cam.ac.uk/teaching/1011/SecurityII/>

I highly recommend Anderson's Security Engineering, the first edition is
available online: <http://www.cl.cam.ac.uk/~rja14/book.html>

------
socratees
Every university, scientific and social community, and research organization
that thinks they _have_ to pander to the requests of corporations and those in
power, must make note of this.

We have had enough "Dark Ages" in the past. Let's learn something from
history.

------
alimoeeny
I really enjoyed the language!

~~~
viraptor
Same here. After the first page, I was laughing aloud. The whole letter reads
like a two page, very official statement claiming "You sir, are an idiot."
Then again - he's British :) I love it, especially that my course this year
included exactly that paper and we spent considerable time on it for
comparison to many other types of attacks.

------
alecco
Lovely. The project looks very interesting.

<http://www.cl.cam.ac.uk/~osc22/scd/> "Smart Card Detective"

------
marshray
Dear Jeff Bezos and Amazon: Take note of how it's done by real men. By your
actions WRT Orwell and Wikileaks, you've shown that you aren't worthy to shine
the shoes of a real information-bearer, and you aren't fit to host my cloud
nodes either. Sincerely, Marsh Ray

~~~
jedsmith
A service provider terminating Wikileaks for AUP violations after they began
publishing classified diplomatic cables; one of the oldest educational
institutions on Earth standing up for a student's MPhil thesis.

Totally the same thing. How did I miss this?

~~~
pshapiro
It seems that the point is that Wikileaks apparently broke no laws.

~~~
subway
You don't have to break a law to violate an AUP.

~~~
marshray
You have to live up to more than your own AUP to be worthy of respect in my
book. I'd go so far as to say anyone who does only the minimum required by
policies they themselves wrote and defers the rest to extra-constitutional
influence from the likes of Sen. Lieberman is pretty darn low.

So sure, do whatever you can get away with under your AUP, just don't expect
me to respect you for it (or trust you with my data).

------
barrkel
On Google docs viewer:

<http://docs.google.com/viewer?url=http://www.cl.cam.ac.uk/~rja14/Papers/ukca.pdf>

------
Eliezer
_Cambridge is the University of Erasmus, of Newton, and of Darwin_

CMOA

------
iwwr
Do you have some details on the background of this issue?

~~~
latch
Not the OP, but:

A news story about the initial issue:
<http://www.lightbluetouchpaper.org/2010/02/11/chip-and-pin-is-broken/>

The take down notice (pdf):
<http://www.cl.cam.ac.uk/~rja14/Papers/20101221110342233.pdf>

------
patrickdc
Baller!

