
UK Cards Association attempt to suppress Cambridge research

The UK Cards Association (previously known as APACS) has written to the University of Cambridge asking them to remove a paper, claiming that it contains information that might be of use to criminals. The thesis, from a master's project by Omar Choudary, showed how to build a device that protects cardholders from tampered Chip & PIN terminals.

Professor Ross Anderson responded to the request, and refused to censor Omar's research:

...
“Second, you seem to think that we might censor a student’s thesis, which is lawful and already in the public domain, simply because a powerful interest finds it inconvenient. This shows a deep misconception of what universities are and how we work. Cambridge is the University of Erasmus, of Newton, and of Darwin; censoring writings that offend the powerful is offensive to our deepest values. Thus even though the decision to put the thesis online was Omar’s, we have no choice but to back him. That would hold even if we did not agree with the material! Accordingly I have authorised the thesis to be issued as a Computer Laboratory Technical Report. This will make it easier for people to find and to cite, and will ensure that its presence on our web site is permanent.”
...
There are further details in the post on Light Blue Touchpaper.

Comments: (6)

John Dring - Intel Network Services - Swindon, 07 January, 2011, 04:45

Brilliant and just the right response.

A Finextra member, 12 January, 2011, 12:07

Dear Steven,

Could you clarify the hardware cost of this attack? Some figures were quoted in the press, but I'd be interested to hear first-hand.

Steven Murdoch - University College London - London, 12 January, 2011, 12:21

Ben,

The hardware costs would be small. It's hard to put a number on it because it dramatically depends on how many of the devices are manufactured. My estimate is that if you wanted to manufacture 10, it would cost about $100, including labour. If you wanted to manufacture 100,000 it would cost about $10.

Steven.

A Finextra member, 12 January, 2011, 12:40

Steven,

To clarify, 10 units cost $100 ($10/unit) or 10 units cost $100/unit?

A Finextra member, 12 January, 2011, 12:44

I assume you meant $100/unit when manufacturing 10 units. In my opinion, this makes the attack practical.

Steven Murdoch - University College London - London, 12 January, 2011, 12:45

$100 per unit (very approximately; for low quantities component cost can easily vary by a factor of 5 depending on supplier and how soon the components are needed).

Steven Murdoch, Royal Society University Research Fellow, University College London
