lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <009301c2d939$33069d70$6701a8c0@rms2>
From: rms at computerbytesman.com (Richard M. Smith)
Subject: FW: Citibank tries to gag crypto bug disclosure

>From http://cryptome.org/pacc.htm

To: ukcrypto@...ark.greenend.org.uk
Subject: Citibank tries to gag crypto bug disclosure
Date: Thu, 20 Feb 2003 09:57:34 +0000
From: Ross Anderson <Ross.Anderson@...cam.ac.uk>

Citibank is trying to get an order in the High Court today gagging
public 
disclosure of crypto vulnerabilities:

  http://www.cl.cam.ac.uk/ftp/users/rja14/citibank_gag.pdf

I have written to the judge opposing the order:

  http://www.cl.cam.ac.uk/ftp/users/rja14/citibank_response.pdf

The background is that my student Mike Bond has discovered some really 
horrendous vulnerabilities in the cryptographic equipment commonly used 
to protect the PINs used to identify customers to cash machines:

  http://www.cl.cam.ac.uk/TechReports/UCAM-CL-TR-560.pdf

These vulnerabilities mean that bank insiders can almost trivially find 
out the PINs of any or all customers. The discoveries happened while
Mike 
and I were working as expert witnesses on a `phantom withdrawal' case.

The vulnerabilities are also scientifically interesting:

  http://cryptome.org/pacc.htm

For the last couple of years or so there has been a rising tide of
phantoms.
I get emails with increasing frequency from people all over the world
whose 
banks have debited them for ATM withdrawals that they deny making. Banks
in
many countries simply claim that their systems are secure and so the 
customers must be responsible. It now looks like some of these 
vulnerabilities have also been discovered by the bad guys. Our courts
and 
regulators should make the banks fix their systems, rather than just
lying 
about security and dumping the costs  on the customers.

Curiously enough, Citi was also the bank in the case that set US law on 
phantom withdrawals from ATMs (Judd v Citibank). They lost. I hope
that's 
an omen, if not a precedent ...


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ