Hacker News new | past | comments | ask | show | jobs | submit login
Prof. Ross Anderson's response to a takedown request about security research (cam.ac.uk)
336 points by randomwalker on Dec 25, 2010 | hide | past | web | favorite | 54 comments

Some background information.

The fundamental reason why this is a big deal is that in the UK, the repercussions of fraud are skewed towards customers rather than the banks. The relevant legal standard is that customers must exercise "reasonable care" with their PIN if the bank is to bear the cost of fraud. Of course, banks always insist that their systems are secure, and that it was the customer's fault. http://www.timesonline.co.uk/tol/money/consumer_affairs/arti...

The Cambridge team has been investigating vulnerabilities in the EMV standard underlying Chip and PIN (ubiquitous in the UK) for a long time.

From 2006: http://www.lightbluetouchpaper.org/2006/03/15/chip-and-skim/

If I understand correctly they first started to find serious vulnerabilities in 2009.

Blog post: http://www.lightbluetouchpaper.org/2009/08/25/defending-agai...

Paper: "Optimised to Fail: Card Readers for Online Banking" http://www.cl.cam.ac.uk/~sd410/papers/optimised_fail.pdf

Media: http://www.youtube.com/watch?v=U1QAnb-wnTs

They escalated that attack in 2010. http://www.lightbluetouchpaper.org/2010/02/11/chip-and-pin-i...

Paper: http://www.cl.cam.ac.uk/~sjm217/papers/oakland10chipbroken.p...

Media: http://www.youtube.com/watch?v=1pMuV2o4Lrw

I don't really understand the logic behind chip and pin cards. Do you really want me to disclose my card and my PIN to a completely untrusted machine a stranger hands to me? How do I know the vendor won't just record both and replay them, charging me for things I didn't pay?

Chip cards cannot be "replayed" or cloned, that's why there's a chip in the first place. The chip stores card's private key that is used to digitally sign a (purchase) transaction. Each transaction is a multi-message exchange in real-time between the terminal and the bank and it includes an unique ID generated by the bank, which is covered by the signature. This effectively prevents a replay.

The private key cannot be read from the chip without the use of a tunneling microscope or other hardware exotics. In fact it is not untypical for a chip to have a built-in protection against key retrieval that is set to physically fry the chip. The PIN is used to tell the chip to do the digital signing. No PIN = no signing.

That's how it works in general. This application of the smartcard technology is almost 20 years old, so while there are some variations one could still call it sufficiently mature :grin

Each transaction is a multi-message exchange in real-time between the terminal and the bank and it includes an unique ID generated by the bank

That may or may not be case (there is no way for customers to check that), but the problem is that this encrypted communication is between some third party's terminal and my bank, not between my chip and my bank. IIRC correctly, the protocol in the end boils down to:

- bank asks terminal 'Can you verify that the customer is who he claims to be?'

- terminal asks user for PIN

- terminal asks chip: is this PIN correct?

- chip replies: yes.

So, I have to trust that the terminal will not e.g. put my PIN on Twitter.

Worse, that terminal-chip communication is not encrypted. Hence, it is vulnerable to a man-in-the-middle attack. That is what 'chip and PIN is broken' demonstrated.

Actually, no, that's not how it worked when I last looked at it. At the high-level it was:

- bank asks terminal "Here's a random token, have the chip sign it with its private key"

- terminal asks the customer for the PIN

- terminal feeds PIN into the chip, and this enables signing function

- terminal feeds bank's token into the chip, gets the signature back and forwards it to the bank

What you described looks like something designed by a layman with very basic understanding of the cryptography. I will not be shocked if this was in fact deployed, but I still find it very unlikely.

I reread http://www.cl.cam.ac.uk/~sjm217/papers/oakland10chipbroken.p..., and things are indeed similar to what you describe. If I understand things correctly, the difference is that the "and this enables signing function" part isn't there. It is enabled by default, and gets disabled only when PIN check fails. That is 'necessary' because the terminal can skip this step if it wants to do a transaction without PIN check.

A man in the middle can hide the "check this PIN" request that the terminal sends from the chip and send a "PIN is OK" reply to the terminal. That way, the terminal thinks PIN check succeeded, and the chip thinks it is doing a payment without PIN check.

Sure, an attacker can't easily sign a fake transaction, but he can compromise the terminal and get hold of the PIN, and then use the PIN somewhere else where a signed transaction isn't required.

This has actually happened: http://business.timesonline.co.uk/tol/business/law/article71...

Ah, good, I didn't know that the chip could process information. I thought it was just storage. I'm glad to find out it's more secure than I thought, thanks.

I am quite certain that the EMV chip, which is the chip on your card, must authenticate the POS machines it talks to. The authentication is done using public key cryptography.

So it's not sufficient just to host a fake machine and expect it to be accepted within the EMV infrastructure (cards, POC machines and backend processors).

Of course, extracting the entered PIN is trivial to do with a covertly modified terminal. (skimming) Short of the card being stolen, that shouldn't let anyone access your account, assuming the crypto implementation is sound. Likewise, the card without the PIN is designed to be equally useless, though support for legacy payment systems partially undermines all of this. I suspect a modified terminal which records entered PINs and clones the magnetic strips would let you withdraw cash from the victim's account via Cirrus/Visa Plus.

I guess the idea is that recording and copying the PIN is harder than recording and copying a signature.

For the original complaint, see this PDF (via Light Blue Touch): http://www.cl.cam.ac.uk/~rja14/Papers/20101221110342233.pdf

An important but often overlooked fact is that while there's no universal freedom of speech in British Law (although the UK is a member of the European convention on human rights which has such a protection), universities specifically are required to act to protect freedom of speech of their members.

The University of Cambridge is legally obliged to stand behind this research under the 1986 Education Act which states:

  (2) The duty imposed by subsection (1) above includes
  (in particular) the duty to ensure, so far as is
  reasonably practicable, that the use of any premises 
  of the establishment is not denied to any individual 
  or body of persons on any ground connected with—
  (a)the beliefs or views of that individual or of any
  member of that body; or
  (b)the policy or objectives of that body.
Full text: http://www.legislation.gov.uk/ukpga/1986/61/section/43

while there's no universal freedom of speech in British Law...

Perhaps not in written law, but I think you'd have a hard time convincing a judge that the British constitution does not guarantee freedom of speech.

As my legal friends as fond of pointing out, an unwritten constitution has the important advantage that its words can't be twisted the way that a written constitution can.

The Felony Treason Act 1848 is still on the books. Sure, a couple of Lords may have said that expressing anti-monarchist sentiment won't be punished, but where is the line drawn? [1]

Can you be transported to Australia for poking the Duchess of Cornwall with a stick? What about shouting "Off with their heads!" at the Prince of Wales? [2]

The absence of a constitutional guarantee of free speech, and the persistence of lèse majesté offenses should be a point of embarrassment.

[1] http://www.guardian.co.uk/media/2003/jun/26/pressandpublishi...

[2] http://thelede.blogs.nytimes.com/2010/12/09/video-of-protest...

Can you be transported to Australia for poking the Duchess of Cornwall with a stick? What about shouting "Off with their heads!" at the Prince of Wales?

No, and no.

The British constitution is not a computer program applied by an automaton; issues are decided by experienced judges who, above all else, apply common sense.

(The British constitution isn't even self-consistent: The supremacy of parliament is absolute, but the 1931 Statute of Westminster places limits on that power. Constitutional scholars routinely shrug their shoulders at such matters and fall back to "well, we all know what they meant".)

Perhaps I've been unclear. I am not alleging that English law is adjudicated by a FSM.

I don't think that anyone will be convicted of Felony Treason. No one thinks that James Hewitt will be put to death under the Treason Act of 1351. This doesn't make the existence of such laws any less absurd or offensive.

In the US, there seems to be a proud tradition of using archaic or seldom applied laws to harass those who fail to show deference. (For example, jaywalking as a pretext for a walking-while-black offense, or wiretapping for filming police brutality.) We might as well keep a clean house to forestall that sort of nonsense.

Edit: There's also the matter of British libel law and the jurisdiction shopping that it encourages as a mechanism for harassing those who might exercise their speech rights.

But an unwritten constitution is easier to change, because there is nothing written down to refer to as a 'base.'

Canadian constitutional law has something called the 'living tree doctrine', which states that the constitution can grow and evolve over time, being reinterpreted in new contexts. To push the metaphor a bit further, I'd point out that a living tree is considerably more resilient than a dead tree, and is likely to adapt to conditions which might otherwise destroy it.

I don't think anyone can seriously claim that the commerce clause of the US constitution was intended to grant the vast powers which it has been used to uphold; but because the US constitution is -- theoretically -- not subject to growth and reinterpretation the way that the Canadian or British constitutions are, a legal fiction has been adopted instead.

If the commerce clause had been interpreted within the context of the Canadian or British constitutions, it would probably have been handled as "we're going to read one new power into this" on a number of occasions, rather than the "yes, this clause gives you the power to do everything" which seems to have occurred in the US.

I find it extremely disingenuous to say that because the Canadian (or British) Constitution can easily be re-interpreted in different contexts, that it will always be interpreted in 'the correct way.' You seem to be pointing to examples of the US Constitution being interpreted poorly, making the implication that a 'dead tree' constitution can only be interpreted poorly, and a 'living tree' constitution can only be interpreted in a good way.

A constitution that can be easily re-interpreted may allow for your government to 'turn on a dime,' but it makes no claims to whether your government is turning in a good or bad direction.

As to the US Constitution:

* The US Constitution can be re-interpreted by the US Supreme Court through the setting of legal precedent.

* The US Constitution can be amended by Congress. (Prohibition was a Constitutional Amendment).

* The current interpretation of the commerce clause could be overturned by the US Supreme Court should a case come before them, and the make-up of the justices leans towards overturning the current state of affairs.

There are other basic protections built in to attempt to prevent turning on a dime in a bad direction, as decided by the legislative and executive branches. Since the Court has no enforcement powers of their own, an unpopular turn away from the appearance of consistency could result in a toothless ruling and a constitutional crisis.

Let's use your example, the Court suddenly ruling to overturn the current interpretation of the Commerce Clause. Assuming "current" means "1964 and later", this would also overturn the Civil Rights Act. The CRA was based upon the Commerce Clause, and Heart of Atlanta Motel v. United States (1964) upheld its broad definition of interstate commerce [1].

I would have a hard time believing Congress would follow along with a ruling that simultaneously overturned a hugely popular law and decreased their powers. (However, I am aware that there have been a few rulings that might be counterarguments.)

[1]Epstien, Walker. Constitutional Law for a Changing America: Rights, Liberties, and Justice 5th ed. Page 658.

The U.S. Constitution absolutely cannot be amended by Congress.

Amended by Congress with the approval of the States. It's a slight difference. In the grand scheme of things like checks and balances, it matters, but in the real-world Congress is the only one that has the power to start the process. The States themselves can't float a Constitutional amendment so far as I understand it.

In fact they can, but it has never happened. The relevant text is here: http://www.usconstitution.net/const.html#Article5. The basic idea is that 2/3 of the state legislatures must call a Constitutional Convention, where the Amendment(s) will be proposed and sent to the states for ratification.

  The Congress shall have Power...
  To regulate Commerce with foreign Nations, and among the several States, and with the Indian tribes;"
It's not really a matter of living versus dead trees. The US judicial system has just plainly ignored the "among the several States" caveat for the last 100 years. I'm not advocating either side of this example, by how does growing and consuming marijuana on your own property fall under regulated commerce "among the several States?" I understand it was originally banned using taxation powers (i.e. charge a stamp tax on it, but don't sell the stamps), but that pretext seems to have now been dropped.

Without endorsement, as a result of reading the recent Virginia decision on the constitutionality of the health care purchase mandate (which I mention without endorsement of either side), it has been ruled by the Supreme Court in Wickard v. Filburn (1942) [1] that the US government can regulate the act of a farmer growing wheat to feed his own chickens on the grounds that had the farmer not grown that wheat, he would have then participated in the national wheat market that Congress could regulate, that his failure to purchase wheat on this market therefore affected the market by his absence, and thereby Congress can regulate his action in accordance with the Commerce Clause.

Again, I mention this without endorsement of either side; I mention this just because I only recently learned about this myself.

[1]: http://en.wikipedia.org/wiki/Wickard_v._Filburn

That kind of ruling just turns my stomach. The court used a an enumerated power--that was primarily intended to prevent tariffs being erected between the states--to effectively remove all limits to federal power. Gonzales v. Raich (2005)[1] is analogous to the Wickard v. Filburn case that you cite. In his dissent, Justice Thomas said the following:

  If the Federal Government can regulate growing a half-dozen cannabis plants for personal
  consumption (not because it is interstate commerce, but because it is inextricably bound up
  with interstate commerce), then Congress' Article I powers -- as expanded by the Necessary
  and Proper Clause -- have no meaningful limits. Whether Congress aims at the possession of
  drugs, guns, or any number of other items, it may continue to "appropria[te] state police
  powers under the guise of regulating commerce."
[1]: http://en.wikipedia.org/wiki/Gonzales_v._Raich

> To push the metaphor a bit further, I'd point out that a living tree is considerably more resilient than a dead tree, and is likely to adapt to conditions which might otherwise destroy it.

Trees that grow in unexpected ways get cut down.

Explicit amendments are far more legitimate.

The US has amended its constitution several times. If something really is a good idea, the amendment process is no real obstacle.

>because there is nothing written down to refer to as a 'base

Except for 1000 years of legal precedence

If one of the smartest computer security guys was prepared to do all this work and throw lots of expensive experts (well grad students) at finding your bugs - would you:

1, Send developers to all their seminars to learn something

2, Buy them drinks

3, Sue them

If anything, the banks promoting this technology should be sued for false advertising.

in many cases banks refused to reimburse cardholders who reported unauthorised card use, claiming that their systems could not fail


2 decades earlier they prosecuted people who reported ATM losses for fraud - because ATMs were perfectly secure.

They run windows95/2000 how can that ever be secure :)

p.s my reference is a blue screen of death on one :)


Numerous paper's on ross's page



1 and 2 are not mutually exclusive. Exactly why is the seminar not at the local pub?

Reading that letter makes me proud of the Security Group at Cambridge University. Ross Anderson took us for a couple of Security courses in second/third year Computer Science and was interesting, direct and completely no-nonsense. He emphasised that policy and ignorance were often the main causes of failures, especially with LAS, NHS centralisation (UK government projects). I find strong individuals like Anderson inspiring when they take on organisations who attack knowledge rather than being hands-on and fixing their systems.

The Security II course is especially relevant. I am not sure that everyone can access these resources but the lecture notes cover a variety of modern hardware approaches to security (including chip-and-pin). Try: http://www.cl.cam.ac.uk/teaching/1011/SecurityII/

I highly recommend Anderson's Security Engineering, the first edition is available online: http://www.cl.cam.ac.uk/~rja14/book.html

Every university, scientific and social community, and research organization that think they have to pander to the requests of corporations and those in power, must make note of this.

We have had enough "Dark Ages" in the past. Let's learn something from history.

I really enjoyed the language!

Same here. After the first page, I was laughing aloud. The whole letter reads like a two page, very official statement claiming "You sir, are an idiot." Then again - he's British :) I love it, especially that my course this year included exactly that paper and we spent considerable time on it for comparison to many other types of attacks.

Indeed, that was a burn of academic proportions.

Lovely. The project looks very interesting.

http://www.cl.cam.ac.uk/~osc22/scd/ "Smart Card Detective"

Dear Jeff Bezos and Amazon: Take note of how it's done by real men. By your actions WRT Orwell and Wikileaks, you've shown that you aren't worthy to shine the shoes of a real information-bearer, and you aren't fit to host my cloud nodes either. Sincerely, Marsh Ray

A service provider terminating Wikileaks for AUP violations after they began publishing classified diplomatic cables; one of the oldest educational institutions on Earth standing up for a student's MPhil thesis.

Totally the same thing. How did I miss this?

It seems that the point is that Wikileaks apparently broke no laws.

You don't have to break a law to violate an AUP.

You have to live up to more than your own AUP to be worthy of respect in my book. I'd go so far as to say anyone who does only the minimum required by policies they themselves wrote and defers the rest to extra-constitutional influence from the likes of Sen. Lieberman is pretty darn low.

So sure, do whatever you can get away with under your AUP, just don't expect me to respect you for it (or trust you with my data).

Cambridge is the University of Erasmus, of Newton, and of Darwin


Do you have some details on the background of this issue?

No the OP, but:

A news story about the initial issue: http://www.lightbluetouchpaper.org/2010/02/11/chip-and-pin-i...

The take down notice (pdf): http://www.cl.cam.ac.uk/~rja14/Papers/20101221110342233.pdf

Here's the original BBC Newsnight report: http://www.youtube.com/watch?v=JPAX32lgkrw


Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact