27C3 and Misunderstandings about Security
We’ve hooked a computer to the video stream of the 27C3 conference. Currently we’re listening to the keynote speech, which touches on a topic relevant to security. Are you happy or are you unhappy? It sounds a bit strange, but usually happy people have nothing to worry about. So, in turn, it makes sense not to worry people. The examples given in the keynote were electronic voting machines. The process of selecting a government by anonymous voting is a cornerstone of democracies. This is exactly why electronic voting must not happen through black boxes. India has already threatened (and arrested) security researchers who analyse the security of the voting machines used in the country.
Electronic voting is only one example. Another one is the publication about the broken chip and PIN design of bank cards by Steven Murdoch, Saar Drimer, Mike Bond and Ross Anderson. Quoting from the blog entry describing the issue: "The flaw is that when you put a card into a terminal, a negotiation takes place about how the cardholder should be authenticated: using a PIN, using a signature or not at all. This particular subprotocol is not authenticated, so you can trick the card into thinking it’s doing a chip-and-signature transaction while the terminal thinks it’s chip-and-PIN." The research results were published in 2009. They were discussed at the 26C3. In 2010 one of Ross Anderson’s research students, Omar Choudary, published his thesis. In turn the bankers’ trade association has filed a written complaint to the University of Cambridge, demanding that the thesis and a blog posting should be taken offline.
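A simplified model of the weakness the quote describes, added here as an illustration (it is not the researchers' code and does not use EMV's real data elements or key scheme): when the negotiated cardholder verification method is left outside the data the card authenticates, the issuer has no way to notice that terminal and card disagree; binding it into the card's cryptogram lets the mismatch be rejected. The key, amount and method names are constructed.

```python
import hmac
import hashlib

# Constructed symmetric key shared by card and issuer (a stand-in, not an EMV key scheme).
CARD_ISSUER_KEY = b"constructed-demo-key-not-real"


def _mac(message: bytes, key: bytes = CARD_ISSUER_KEY) -> bytes:
    return hmac.new(key, message, hashlib.sha256).digest()


def card_cryptogram_unauthenticated_cvm(amount: int) -> bytes:
    """Weak design: the card authenticates the amount only. Which cardholder
    verification method (CVM) was negotiated stays outside the MAC."""
    return _mac(f"amount={amount}".encode())


def card_cryptogram_bound_cvm(amount: int, card_cvm: str) -> bytes:
    """Hardened design: the card also commits to the CVM it believes was used
    ('signature' or 'pin'), so the outcome of the negotiation is authenticated."""
    return _mac(f"amount={amount}|cvm={card_cvm}".encode())


def issuer_accepts_unauthenticated(amount: int, terminal_cvm: str, cryptogram: bytes) -> bool:
    """Issuer check for the weak design. terminal_cvm is what the terminal reports,
    but nothing in the cryptogram lets the issuer compare it with the card's view,
    so a disagreement between the two goes unnoticed."""
    return hmac.compare_digest(card_cryptogram_unauthenticated_cvm(amount), cryptogram)


def issuer_accepts_bound(amount: int, terminal_cvm: str, cryptogram: bytes) -> bool:
    """Issuer check for the hardened design: recompute the MAC with the CVM the
    terminal reports; it matches only if the card committed to the same CVM."""
    return hmac.compare_digest(card_cryptogram_bound_cvm(amount, terminal_cvm), cryptogram)


def demo() -> dict:
    """Constructed scenario: the card believes a signature transaction took place
    while the terminal reports that a PIN was verified."""
    amount = 4200
    card_cvm, terminal_cvm = "signature", "pin"
    weak = issuer_accepts_unauthenticated(
        amount, terminal_cvm, card_cryptogram_unauthenticated_cvm(amount))
    hardened = issuer_accepts_bound(
        amount, terminal_cvm, card_cryptogram_bound_cvm(amount, card_cvm))
    consistent = issuer_accepts_bound(
        amount, "pin", card_cryptogram_bound_cvm(amount, "pin"))
    return {"weak_accepts_mismatch": weak,
            "hardened_accepts_mismatch": hardened,
            "hardened_accepts_consistent": consistent}


if __name__ == "__main__":
    print(demo())
```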
As Ross Anderson wrote in his reply, this demand runs contrary to the work of independent research. Universities do not work like this. It must be emphasised that there is no way to improve security by keeping information about severe security bugs secret. This won’t work, and it certainly does not strengthen trust in technology.
Vendors often talk about responsible disclosure while in reality they want to keep the lid on security problems. This is irresponsible, and this is why we believe in responsible sharing of publications, peer review and actually fixing security problems.
Now watching the next talk from 27C3.