Full Disclosure mailing list archives

RE: FW: Citibank tries to gag crypto bug disclosure


From: John.Airey () rnib org uk
Date: Wed, 26 Feb 2003 23:24:04 -0000

Looks to me like the story isn't gagged any longer: 

http://news.bbc.co.uk/1/hi/england/2798029.stm 

- 
John Airey, BSc (Jt Hons), CNA, RHCE 
Internet systems support officer, ITCSD, Royal National Institute of the
Blind, 
Bakewell Road, Peterborough PE2 6XU, 
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 John.Airey () rnib org uk 

A world of difference - in the UK, 37 million people put their faith on the
last census as "Christian". In Saudi Arabia, this answer would carry a death
sentence for any Saudi.



-----Original Message----- 
From: Richard M. Smith [mailto:rms () computerbytesman com] 
Sent: 20 February 2003 23:39 
To: full-disclosure () lists netsys com 
Subject: [Full-disclosure] FW: Citibank tries to gag crypto bug disclosure


From http://cryptome.org/pacc.htm 

To: ukcrypto () chiark greenend org uk 
Subject: Citibank tries to gag crypto bug disclosure 
Date: Thu, 20 Feb 2003 09:57:34 +0000 
From: Ross Anderson <Ross.Anderson () cl cam ac uk> 

Citibank is trying to get an order in the High Court today gagging public
disclosure of crypto vulnerabilities:

  http://www.cl.cam.ac.uk/ftp/users/rja14/citibank_gag.pdf 

I have written to the judge opposing the order: 

  http://www.cl.cam.ac.uk/ftp/users/rja14/citibank_response.pdf 

The background is that my student Mike Bond has discovered some really
horrendous vulnerabilities in the cryptographic equipment commonly used
to protect the PINs used to identify customers to cash machines:

  http://www.cl.cam.ac.uk/TechReports/UCAM-CL-TR-560.pdf 

These vulnerabilities mean that bank insiders can almost trivially find
out the PINs of any or all customers. The discoveries happened while Mike
and I were working as expert witnesses on a `phantom withdrawal' case.

The vulnerabilities are also scientifically interesting: 

  http://cryptome.org/pacc.htm 

For the last couple of years or so there has been a rising tide of phantoms.
I get emails with increasing frequency from people all over the world whose
banks have debited them for ATM withdrawals that they deny making. Banks in
many countries simply claim that their systems are secure and so the
customers must be responsible. It now looks like some of these
vulnerabilities have also been discovered by the bad guys. Our courts and
regulators should make the banks fix their systems, rather than just lying
about security and dumping the costs on the customers.

Curiously enough, Citi was also the bank in the case that set US law on
phantom withdrawals from ATMs (Judd v Citibank). They lost. I hope that's
an omen, if not a precedent ...

_______________________________________________ 
Full-Disclosure - We believe in it. 
Charter: http://lists.netsys.com/full-disclosure-charter.html 

