[RC5] [saag] Of potential interest -- Citibank tries to gag crypto bug (fwd)

Ralph W. Reid rreid at sunset.net
Sat Feb 22 04:14:20 EST 2003


Since Distributed Net demonstrated some time ago that DES was not
very secure at all, and since we are currently working on some RC5
decryption, I thought the enclosed note I received from another list
might be of some interest here.  Enjoy.

Forwarded message:
>Date: Thu, 20 Feb 2003 16:13:57 -0700 (MST)
>From: Dave Ahmad <da at securityfocus.com>
>To: bugtraq at securityfocus.com
>Subject: [saag] Of potential interest -- Citibank tries to gag crypto bug disclosure (fwd)
>
>
>
>David Mirza Ahmad
>Symantec
>
>0x26005712
>8D 9A B1 33 82 3D B3 D0 40 EB  AB F0 1E 67 C6 1A 26 00 57 12
>
>---------- Forwarded message ----------
>Date: Thu, 20 Feb 2003 14:04:01 -0800
>From: Robert Moskowitz <rgm-sec at htt-consult.com>
>To: saag at mit.edu
>Subject: [saag] Of potential interest -- Citibank tries to gag crypto bug disclosure
>
> >To: ukcrypto at chiark.greenend.org.uk
> >Subject: Citibank tries to gag crypto bug disclosure
> >Date: Thu, 20 Feb 2003 09:57:34 +0000
> >From: Ross Anderson <Ross.Anderson at cl.cam.ac.uk>
> >
> >
> >Citibank is trying to get an order in the High Court today gagging
> >public disclosure of crypto vulnerabilities:
> >
> >    http://www.cl.cam.ac.uk/ftp/users/rja14/citibank_gag.pdf
> >
> >I have written to the judge opposing the order:
> >
> >    http://www.cl.cam.ac.uk/ftp/users/rja14/citibank_response.pdf
> >
> >The background is that my student Mike Bond has discovered some really
> >horrendous vulnerabilities in the cryptographic equipment commonly
> >used to protect the PINs used to identify customers to cash machines:
> >
> >    http://www.cl.cam.ac.uk/TechReports/UCAM-CL-TR-560.pdf
> >
> >These vulnerabilities mean that bank insiders can almost trivially
> >find out the PINs of any or all customers. The discoveries happened
> >while Mike and I were working as expert witnesses on a `phantom
> >withdrawal' case.
> >
> >The vulnerabilities are also scientifically interesting:
> >
> >    http://cryptome.org/pacc.htm
> >
> >For the last couple of years or so there has been a rising tide of
> >phantoms. I get emails with increasing frequency from people all over
> >the world whose banks have debited them for ATM withdrawals that they
> >deny making. Banks in many countries simply claim that their systems
> >are secure and so the customers must be responsible. It now looks like
> >some of these vulnerabilities have also been discovered by the bad
> >guys. Our courts and regulators should make the banks fix their
> >systems, rather than just lying about security and dumping the costs
> >on the customers.
> >
> >Curiously enough, Citi was also the bank in the case that set US law
> >on phantom withdrawals from ATMs (Judd v Citibank). They lost. I hope
> >that's an omen, if not a precedent ...
> >
> >Ross Anderson
>
>Robert Moskowitz
>TruSecure Corporation
>Security Interest EMail: rgm-sec at htt-consult.com
>
>_______________________________________________
>saag mailing list
>saag at mit.edu
>https://jis.mit.edu/mailman/listinfo/saag
>


-- 
Ralph.  N6BNO.  Wisdom comes from central processing, not from I/O.
rreid at sunset.net  http://personalweb.sunset.net/~rreid
Opinions herein are either mine or they are flame bait.
1 = x^0
--
To unsubscribe, send 'unsubscribe rc5' to majordomo at lists.distributed.net
rc5-digest subscribers replace rc5 with rc5-digest
