
ATM Vendors Threaten, Stop Research Presentation

Soulskill posted more than 4 years ago | from the money-inside-atms-wants-to-be-free dept.

Security 134

An anonymous reader writes "A presentation about 'The Underground Economy,' by Italian white hat hacker and security expert Raoul Chiesa, was replaced at the last minute during last week's Hack In The Box conference. The reason behind this cancellation was that Chiesa received legal pressure from ATM vendors over the fact that the originally scheduled presentation covers details of various techniques and exploits of vulnerabilities that cyber criminals use to break into ATMs — flaws that have been known for a long time."


I just woke from a coma (-1, Offtopic)

Anonymous Coward | more than 4 years ago | (#32801314)

Hot grits and naked and petrified natalie portman. Why does this laptop only have a power cord? Where is ethernet if i'm on the internet?

Re: I just woke from a coma (-1, Troll)

Anonymous Coward | more than 4 years ago | (#32801594)

Oh shit oh shit OH SHIT. I've got a greased up Yoda doll shoved up my ass!

Publish it on Piratebay instead (5, Insightful)

commodore64_love (1445365) | more than 4 years ago | (#32801360)

No government nor corporation has a right to muzzle our mouths.

Re:Publish it on Piratebay instead (2, Insightful)

countertrolling (1585477) | more than 4 years ago | (#32801412)

No government nor corporation has a right to muzzle our mouths.

No they don't, but they did and they do... And the public couldn't care less. If he put it on piratebay, he can still get in trouble. His name is all over it. Only anonymous disclosure can remedy this.

Re:Publish it on Piratebay instead (1)

commodore64_love (1445365) | more than 4 years ago | (#32801494)

Why would he be in trouble? It's not illegal to speak or publish your thoughts. That's the reason why the US Bill of Rights and EU Charters of Fundamental Rights exist.

Re:Publish it on Piratebay instead (4, Insightful)

Yuan-Lung (582630) | more than 4 years ago | (#32801584)

Why would he be in trouble? It's not illegal to speak or publish your thoughts.

Really?

I am thinking of a number.... it's between 13,256,278,887,989,457,651,018,865,901,401,704,639 and 13,256,278,887,989,457,651,018,865,901,401,704,641

Re:Publish it on Piratebay instead (1)

Zwets (645911) | more than 4 years ago | (#32801800)

I am thinking of a number.... it's between 13,256,278,887,989,457,651,018,865,901,401,704,639 and 13,256,278,887,989,457,651,018,865,901,401,704,641

Hmmm... "between inclusive" or "between exclusive"?

Re:Publish it on Piratebay instead (0)

Anonymous Coward | more than 4 years ago | (#32802492)

The ambiguity is what makes his thought legal.

As for the thread... remember that the laws in Italy aren't the same as the ones in the US.

Re:Publish it on Piratebay instead (4, Informative)

commodore64_love (1445365) | more than 4 years ago | (#32802882)

13,256,278,887,989,457,651,018,865,901,401,704,640

I am protected by this law, which nullifies any other law: "Congress shall make no law... abridging the freedom of speech, or of the press" and "The enumeration in the Constitution, of certain rights, shall not be construed to deny or disparage others retained by the people." and "The powers not delegated to the United States by the Constitution, nor prohibited by it to the States, are reserved to the States respectively, or to the people."

Give me the paper that was banned from the conference. I'll publish it. I don't give a frak.

Re:Publish it on Piratebay instead (4, Interesting)

justin12345 (846440) | more than 4 years ago | (#32803158)

The problem is you don't really have to be convicted of a crime to be thrown in jail, have your property confiscated, or have your life ruined. My aunt is a criminal defense attorney. She defends people the government (US not Italian) has declared potential criminals. According to her, unless you are a very wealthy individual, simply being accused of a serious crime will either land you in jail for a while, ruin you financially, or most likely both. If you have a generous family they might be able to sell a house to keep you out of jail on bail (assuming you are declared innocent). In the end, most people plea bargain, which usually results in some sort of parole arrangement where their every move is monitored by a bunch of thugs that got all Cs in high school.

The DMCA makes even knowing that number a crime. Publishing it here even more so. Though I doubt you will, you could spend the rest of your life and every penny you will ever make convincing a series of judges that the First Amendment supersedes the DMCA.

I'm not saying this is right. I'm specifically saying it's wrong.

Re:Publish it on Piratebay instead (1)

jd (1658) | more than 4 years ago | (#32803290)

Actually, no. Since there are endless debates over whether there are Constitutional rights to Native Americans, children, criminals, foreigners, illegal aliens, tarrarists (though what's wrong with paving roads, I don't know), etc, it follows that the Bill of Rights is really just a list of permissions. A right is just that, a right. It cannot be given, it cannot be taken away. It is. A permission must be given and may be taken away at the discretion of the giver. It follows that there is no, and never really has been, any "Constitutional right" to free speech.

(The original draft of the Magna Carta got very close to actually creating legal rights, by openly stating that violation of those rights by the Government was a criminal offense that could be punished as such, eliminating any notion of Sovereign Immunity. Neither the final version nor the US Constitution has such a clause, and both the US and UK exempt the Government from any legal action.)

It's not like you could seriously do anything. The majority of Americans would be more likely to regard you as an economic criminal than to agree with the publication of anything that could make them aware of the risks. America is a very risk-averse culture - not through not taking risks, but through not wanting to think about them too much. Far from becoming a folk hero and/or a martyr to free speech, if you got thrown in jail, you'd be much more likely labeled "one of the Bad Guys". The Government might even end up more popular, not less. The quaint but utterly incorrect notion that an individual can do anything worth a damn might apply to small towns but never applied to the US historically and certainly doesn't in a country estimated at 300 million. Especially in a country where people have always played second-fiddle to corporate culture.

Re:Publish it on Piratebay instead (1)

aztracker1 (702135) | more than 4 years ago | (#32803720)

One's rights simply are, if you follow your logic to an extreme, then you have no rights because anything you have, or are could be taken by force. The principles of rights established are simply things you have/are. The right to own property was never established in the constitution, but simply is.

Re:Publish it on Piratebay instead (1)

thePowerOfGrayskull (905905) | more than 4 years ago | (#32803326)

13,256,278,887,989,457,651,018,865,901,401,704,639 and 13,256,278,887,989,457,651,018,865,901,401,704,641

Too easy. 13,256,278,887,989,457,651,018,865,901,401,704,640.123,552,754,203,344,346,122,675

Re:Publish it on Piratebay instead (5, Interesting)

countertrolling (1585477) | more than 4 years ago | (#32801596)

It's not illegal to speak or publish your thoughts.

It's not illegal to take pictures either, but people are still being harassed for it. Those rights are regularly violated, and not enough people stand up to it to take notice. Our rights don't mean much if nobody will defend them.

Why would he be in trouble?

Precedence. People have been arrested for revealing exploits. And several conferences have been canceled in the states over these issues in the past also.

The safest bet by far is to remain anonymous. The information is more important than the guy's ego.

Re:Publish it on Piratebay instead (1)

Peach Rings (1782482) | more than 4 years ago | (#32801646)

How do ATM vendors cancel a conference anyway? Shouldn't the correct response for Hack in the Box to give be a hearty fuck off?

Re:Publish it on Piratebay instead (0)

Anonymous Coward | more than 4 years ago | (#32801690)

There hackers, not rich. I bet the ATM vendors and there clients feel its worth a lot of money to keep this as quiet as possible, and thus able to put a lot of legal power behind there statements.

Re:Publish it on Piratebay instead (0, Informative)

Anonymous Coward | more than 4 years ago | (#32801762)

They're, as in "THEY ARE." Not "there." It's really not that hard. *sigh* Kids these days...

Re:Publish it on Piratebay instead (0)

Anonymous Coward | more than 4 years ago | (#32802154)

You missed the other "there" which should be "their."
It's really not that hard. *sigh* Grammar nazis these days...

Re:Publish it on Piratebay instead (1)

cdrguru (88047) | more than 4 years ago | (#32802358)

Lawsuit. Everything in the US is driven by lawsuits.

Real simple. You call up the conference chairperson (or the venue where the conference is being held) and say "Our lawyer wants to thank you for accepting liability for our ATM losses for the next six months. Of course, if you don't go ahead with the ATM security presentation we wouldn't have a case."

What do you do? I guess if you have the legal fund to stack up against the in-house counsel of a couple of banks it doesn't matter, let them threaten away. But really, who wants to take that risk?

That's all it is, a calculated risk.

Re:Publish it on Piratebay instead (1, Troll)

commodore64_love (1445365) | more than 4 years ago | (#32802922)

>>>What do you do?

Say nothing, hang up, and continue with my original plans. I will not be intimidated, even if it leads to my own imprisonment. Better to live free, than to be on my knees licking the boots of some lawyer, corporation, or politician.

Remember the Ghetto Riots in Germany? Had I been alive at the time, I probably would have been part of them. I will not walk peacefully into a shower room. Nor will I give-up my right to open my mouth and speak-out, or publish any paper I desire. To do that would be the same as making myself a slave with a muzzle that my master jerks every now and then.

Re:Publish it on Piratebay instead (1)

zippthorne (748122) | more than 4 years ago | (#32803220)

The proper thing to do, in that case, is to make sure you don't actually have any assets that can be recovered. It's not as if there isn't a gigantic heap of ways to do that, mostly involving "incorporating" and the very words, "limited liability."

Re:Publish it on Piratebay instead (1)

thePowerOfGrayskull (905905) | more than 4 years ago | (#32803336)

The same way that slashdotters read the summary.

Re:Publish it on Piratebay instead (5, Interesting)

JockTroll (996521) | more than 4 years ago | (#32801840)

It's not illegal, but Big Money makes and enforces its own laws. And the most important of those laws is: we're rich and powerful, obey us or else.

Too bad nobody calls their "else". People don't know their rights anymore, or are afraid to defend them. Unfortunately with good reason because there's plenty of both public and private uniformed thugs who make up the law on the spot and exercise their might with the power of the baton.

Another decade of this, or less, and the populace will have been forced into submission, ready to do anything if ordered to by an "authority figure".

Wise up, people: organize yourselves, gather in pro-rights associations and have lawyers on your side. When a person or group of people is harassed by uniformed or suited goons, take them to court. Have the fact publicized by the press or by any means necessary. Embarrass them, ridicule them, nothing kills fear more than laughter. Nothing hurts more than a good lawsuit.

A guy I knew once was just touched by a private security guard at a mall who was trying to play Dirty Harry. He immediately fell to the ground screaming like a stuck pig. A friend nearby promptly shouted "MY GOD WHAT HAVE YOU DONE TO HIM!" He remained still on the ground and another friend (female) kept screaming "MURDERER! MURDERER!"

It was PRICELESS. All caught on tape. People around gathered, and this uniformed guy was probably thinking if he had better run away or gun down everyone. Manager got called. Ambulance was called. Police appeared. Although this guy wasn't hurt, the fact that he had been pushed by the guard with no reason (seen on the CCTV when the security firm tried to exculpate themselves) was grounds for criminal charges against the guard and for a big lawsuit against the firm by the mall management. The bad publicity (thing ended up on TV and papers) caused the firm to lose all contracts throughout the city and collapsed in a couple of months.

Play hard. We can win, but gloves must come off. If they shit on you, you shit back. With some diarrhoea.

Re:Publish it on Piratebay instead (4, Insightful)

s0litaire (1205168) | more than 4 years ago | (#32801516)

What we really need is a "Wiki" we can "leak" things to...
what's it called again.... ermm Pirate-leaks, no Wiki-Bay
Nope can't remember the name...

Re:Publish it on Piratebay instead (1)

aBaldrich (1692238) | more than 4 years ago | (#32802750)

A few days ago slashdot published a very interesting article [slashdot.org] about that. The second link is what you are looking for.

Re:Publish it on Piratebay instead (0)

Anonymous Coward | more than 4 years ago | (#32804840)

Wiki Leaks...

Re:Publish it on Piratebay instead (2, Insightful)

Michael Kristopeit (1751814) | more than 4 years ago | (#32801498)

if the governments or corporations have the ability to convince people to muzzle themselves, and no one who depends on the protection of their savings will stand up to fight for the self-muzzled, then any "rights" are irrelevant.

Re:Publish it on Piratebay instead (3, Informative)

techsoldaten (309296) | more than 4 years ago | (#32801504)

Here are the slides.

http://www.slideshare.net/null0x00/raoul-nullcon2010-day1 [slideshare.net]

He gave this presentation at nullcon already. Nothing too creepy there...

M

Re:Publish it on Piratebay instead (4, Informative)

MagicM (85041) | more than 4 years ago | (#32801518)

He edited out the "creepy" slides (37 and 39).

Re:Publish it on Piratebay instead (2, Funny)

techsoldaten (309296) | more than 4 years ago | (#32801620)

Yeah, I hear there were graphic depictions of live naked tarantulas on both slides, glad he pulled them.

M

Re:Publish it on Piratebay instead (1)

jd (1658) | more than 4 years ago | (#32803136)

They weren't just live and naked, either. I hear Arachnids Gone Wild is paying him a fortune for the originals.

Re:Publish it on Piratebay instead (2, Informative)

Sponge Bath (413667) | more than 4 years ago | (#32801544)

They don't have the right, but they do have the guns and goons.

Re:Publish it on Piratebay instead (1)

Michael Kristopeit (1751814) | more than 4 years ago | (#32801894)

They don't have the right [to muzzle], but they do have the guns and goons.

yeah, i realized the "muzzle" might have been a gun reference and not a reference to a tool to stop animals from biting humans.

Re:Publish it on Piratebay instead (0)

Anonymous Coward | more than 4 years ago | (#32801568)

No government nor corporation has a right to muzzle our mouths.

They did/do not. They just brought the consequences of going against their will to the mind of a few people.

And with enough money to make someone's life miserable that's all that's really needed.

Re:Publish it on Piratebay instead (0)

Anonymous Coward | more than 4 years ago | (#32801600)

That's the problem, it's practically on piratebay already. Somebody pipes up and wants to tell the rest of the world outside of the "underground" that this thing exists and is being used and he gets a slap in the face with a hot cup of shut the fuck up.

Re:Publish it on Piratebay instead (0)

Anonymous Coward | more than 4 years ago | (#32801792)

Whatsay you and I go photograph the Miami-Dade's metrorail system...

Re:Publish it on Piratebay instead (1)

Sulphur (1548251) | more than 4 years ago | (#32802588)

s^mouths^moufs^

Re:Publish it on Piratebay instead (0)

Anonymous Coward | more than 4 years ago | (#32802680)

If the ATM makers are slacking and don't want to fix these vulnerabilities, they should be punished .... This guy has to put these presentations up on the internet and let people read it and screw those ATMs.

Re:Publish it on Piratebay instead (1)

Smallpond (221300) | more than 4 years ago | (#32803168)

If the ATM makers are slacking and don't want to fix these vulnerabilities, they should be punished .... This guy has to put these presentations up on the internet and let people read it and screw those ATMs.

Mostly vulnerabilities are in the protocols. Changing them requires updating ATMs, switches and bank software. It could be rolled out gradually, but in the meantime they would still have to support the old protocols. It's pretty easy to find information on this stuff anyway:

http://www.javvin.com/networksecurity/ATMNetworkSecurity.html [javvin.com]

Re:Publish it on Piratebay instead (1)

ticktickboom (1054594) | more than 4 years ago | (#32804614)

Remind me: Why do we want to kill off this excellent free service??? simply because it's free...

you'd rather your bank was burgled? (0, Flamebait)

Michael Kristopeit (1751814) | more than 4 years ago | (#32801382)

bottom line, there will ALWAYS be exploit potential... the banks have trusted the justice system to prosecute offenders.

where are all the headlines pointing out how easily tumbler locks can be opened? security isn't about building the biggest wall.

presenting this information can only decrease the security and value of your savings. anyone that argues that the information needs to be public is probably broke.

Re:you'd rather your bank was burgled? (5, Insightful)

countertrolling (1585477) | more than 4 years ago | (#32801456)

you'd rather your bank was burgled?

No, I'd rather hold the bank responsible for any loss. They should have to replace the money. With that kind of incentive, they might actually try to make their systems a bit more secure. An important step in this direction would be to quit using cheap commodity systems in their networks.

Re:you'd rather your bank was burgled? (0)

Michael Kristopeit (1751814) | more than 4 years ago | (#32801686)

They should have to replace the money.

yes, they should. but they don't, and they won't. the losses will be absorbed by a degradation of value of the dollar caused by federal bailouts.

when the banks use less cheap systems, who will pay for that? are you going to use the bank with free checking, or the one with $39/mo checking? has any money in your checking account ever been stolen and not returned? if the systems were "a bit more secure" would they not still be "not completely secure"? there will ALWAYS be exploit pathways. once they are defined, commodity cracking solutions are available almost instantly. nothing is gained by pointing out a new exploit pathway other than the praise and thanks from would-be criminals.

Re:you'd rather your bank was burgled? (1)

AnonymousClown (1788472) | more than 4 years ago | (#32801810)

What in the World ...

Any devaluation that may be happening with the dollar is irrelevant to this discussion. Chewbacca would have been more relevant to the discussion.

The banks will do what they always do: pass any costs plus a hefty markup to the consumer. The banks make more money on fees and penalties than they ever did as honest bankers. Like they do now. $3.00 ATM fees?!? The transaction is pretty much free to them. Sure, they have a lot of bogus "costs" they say they incur, but the fact of the matter is ATM fees are extremely profitable gravy that are only beat in profitability by the fees that cell phone carriers charge for text messages.

Re:you'd rather your bank was burgled? (1)

Michael Kristopeit (1751814) | more than 4 years ago | (#32801962)

i wasn't talking about devaluation that may, or definitely is, happening... i was talking about the devaluation that would exist if every person in america held a tool that could extract an arbitrary amount of unearned dollars from any ATM.

so it seems you believe the banks should upgrade their entire ATM hardware infrastructure, and yet you complain about a fee and claim the transaction is "pretty much free".... yeah, except for their costs. a french fry is pretty much free to mcdonald's. why do they charge for them?

Re:you'd rather your bank was burgled? (-1, Flamebait)

Anonymous Coward | more than 4 years ago | (#32802340)

I've been going through your posting history, and it appears that you're kinda retarded... Ever think of signing up for some special education? You sure could use it...

Re:you'd rather your bank was burgled? (0)

Anonymous Coward | more than 4 years ago | (#32802246)

Michael Kristopeit: YOU ARE NOTHING!

Re:you'd rather your bank was burgled? (1)

CastrTroy (595695) | more than 4 years ago | (#32801700)

While I'm not sure if they are legally responsible, I would have to say that they do bear the cost. I have had my bank card duped twice in the last 4 years, and both times the bank fixed the problem before I even realized the money was gone. I'm not sure which banks you deal with, but of all the times I have had this happen to me, or anybody I personally know, the bank has put the money back in the account very quickly. Granted it would be better if it didn't happen in the first place. However, depending on how severely the system is flawed, it may not be possible to fix the problem at all, without changing out all the current machines, and settling on a new standard, which may again have its own list of faults.

Re:you'd rather your bank was burgled? (1)

lgw (121541) | more than 4 years ago | (#32802186)

What decade are you living in? Banks don't bear costs, taxpayers do in the form of bailouts. If the government is just going to print money to give to the banks, why not instead go with a simpler system where a fraudulent ATM withdrawal is simply not recorded as a debit to any account? Same inflation either way ...

Re:you'd rather your bank was burgled? (1, Insightful)

Anonymous Coward | more than 4 years ago | (#32802418)

Try watching "Corrupt Banking System" on Youtube...

You obviously don't know what the Fractional Reserve system is, nor that the banks now OWN all of us, since we can never produce enough goods or labour to pay off all the debts that the banks are allowed to print out of thin air...

Re:you'd rather your bank was burgled? (0)

Anonymous Coward | more than 4 years ago | (#32801884)

GOD FORBID they should step up and take responsibility for the problem. No we'll just sweep this one under the rug and hope no one is looking. Then they have the audacity to threaten the author if he reveals what he knows. Bastards. I agree with others that Wikileaks is probably the best way to do this. Beware those who seek to control information for they see themself as your master (someone here has that as their sig and it seemed appropriate for the occasion). Shoehornjob

Re:you'd rather your bank was burgled? (5, Insightful)

schon (31600) | more than 4 years ago | (#32801472)

presenting this information can only decrease the security and value of your savings.

You're an idiot.

As the article states, the information is already known by the bad guys. Keeping it secret helps the bad guys, and hurts everyone else. Making it public will encourage the banks to fix the vulnerabilities, which will increase the security and value of my savings.

anyone that argues that the information needs to be public is probably broke.

No, the people who argue that the information needs to be public actually understand the issue here.

Re:you'd rather your bank was burgled? (-1, Flamebait)

Michael Kristopeit (1751814) | more than 4 years ago | (#32801570)

the information is already known by the bad guys

so EVERY bad guy, including would-be bad guys, already know this? do you know it? how about you post it as an anonymous response to this comment.... i mean, it's everywhere, right?

the people who argue that the information needs to be public actually understand the issue here.

you mean the issue where more exposure can only lead to more exploitation, and degradation of the value of a dollar?

are offenders currently prosecuted and convicted? yes. if the specific exploit was plugged, would others ALWAYS still exist? yes.

you're the worst kind of idiot.

Re:you'd rather your bank was burgled? (0, Flamebait)

Jarjarthejedi (996957) | more than 4 years ago | (#32801866)

so EVERY bad guy, including would-be bad guys, already know this? do you know it? how about you post it as an anonymous response to this comment.... i mean, it's everywhere, right?

Oh yes, because the fact that someone far removed from the problems doesn't know the details of it prove that no one could possibly already know the details. I mean, it's so obvious, no security issues exist, because I don't know about them, so if I don't know about them, then no one can, because they can't be well known. IT'S PERFECTLY REASONABLE LOGIC! /sarcasm

you mean the issue where more exposure can only lead to more exploitation, and degradation of the value of a dollar?

*citation needed*

are offenders currently prosecuted and convicted?

Probably not. It's kind of hard to arrest and prosecute someone for doing something you don't even know is possible...

if the specific exploit was plugged, would others ALWAYS still exist?

Ah yes, the great 'there will always be problems, so why bother fixing them' argument. Remind me never to work with you, you're the worst kind of person for working on technology. Will there always be issues? Probably, though not certainly. Should those issues be fixed as quickly as possible (prioritizing bigger issues of course). YES. Period. Not fixing the problem and silencing people to keep it hidden is the worst kind of security that exists. It's like sticking your head in the sand so you can't see the bad things happening around you, and it's bound to cause more issues than just fixing the problem would. But heck, if it's never going to be perfect, why not just open the thing up so that people can steal money whenever they want?

Re:you'd rather your bank was burgled? (1)

Michael Kristopeit (1751814) | more than 4 years ago | (#32802018)

you mean the issue where more exposure can only lead to more exploitation, and degradation of the value of a dollar?

*citation needed*

so you are suggesting that publishing instructions on how to perform an act will lead to less people executing that act....... *logic needed*

the great 'there will always be problems, so why bother fixing them' argument. Remind me never to work with you, you're the worst kind of person for working on technology.

ahhh yes, the classic "don't point out the potential of man in the middle network attacks, or the ability of humans to get inside a closed box" argument.

you aren't qualified to work with me.

Re:you'd rather your bank was burgled? (0, Troll)

JockTroll (996521) | more than 4 years ago | (#32802318)

"so you are suggesting that publishing instructions on how to perform an act will lead to less people executing that act....... *logic needed*"

Everybody who has half a brain and went through basic chemistry knows enough to wreak some toxic havoc. Hint: bleach + ammonia. Do you think we should ban chemistry books, wannabe inquisitor masturbator boy? Afraid of knowledge? Scared by science? Did a science jock beat you up in high school, loserboy? Did he twist your arms while reading Aristotle?

Re:you'd rather your bank was burgled? (0)

Anonymous Coward | more than 4 years ago | (#32802592)

... so arguing logic in response to ignorance, according to you, makes someone scared of knowledge and science, and the reason that that someone would be scared of knowledge and science would be assumed to be because a "science jock" beat them up in high school.

living up to your username at least. wouldn't someone scared of knowledge be too scared of having the knowledge of being scared of knowledge that they would never actually be scared of it? or is that too much science and logic for you? do you rely more on weak stereotypes and dogma?

i never said ban the information. i said that publicly presenting this specific case is irresponsible and doesn't teach anyone anything other than how to steal from banks... an act that has no non-criminal use, in direct opposition to chemistry which always has a potential non-criminal use. the presentation is no more useful to a banker or banking student or society, than would be a text explaining why leaving the bank's money out in the open in the lobby utilizing the honor system is worse than hiring a teller and putting the money in a drawer kept closed with a 6 pin tumbler lock. at the same time, putting all money sequentially behind every known security lock, guarded by armed men is too wasteful for a commercial bank to remain in business, and also suggests the local populace requires this level of protection from themselves and their neighbors.

PEOPLE CAN STEAL FROM BANKS. THE JUSTICE DEPARTMENT PROSECUTES AND CONVICTS PEOPLE THAT STEAL FROM BANKS. YOU ARE ONLY AS SECURE AS YOUR NEIGHBOR CHOOSES TO ALLOW YOU TO BE. DEAL WITH IT.

Re:you'd rather your bank was burgled? (1)

Delarth799 (1839672) | more than 4 years ago | (#32802788)

And you're a hell of a lot more secure with an alarm system and security cameras and deadbolts on your doors than unlocked doors and no security system.

Re:you'd rather your bank was burgled? (1)

JockTroll (996521) | more than 4 years ago | (#32803256)

LOL. No information is "criminal" or "non-criminal". Information is just information and it's good for people to know just how secure the machines they rely on to handle their cash is. Those ATM vendors were just scared that people could know how insecure their hardware and software was, and that they would have to spend money (SHOCK! HORROR!) to address the issue. Better to silence those dangerous "citizens", in the interest of corporate buggery.

Run, coward, run. I live. I hunger. Beware.

Re:you'd rather your bank was burgled? (0)

Anonymous Coward | more than 4 years ago | (#32804712)

and perhaps like an algae tank in an aquarium, the flaws are purposefully left in the ATMs to detract would be thieves from arming themselves and stealing money from banks "the old fashioned way".

US currency is backed ONLY by TRUST. trust in a government of the people. trust in OURSELVES.

when people like JockTroll make themselves known as a threat to that trust, i don't run. there is nothing to beware that a few bullets can't stop.

you are NOTHING.

Re:you'd rather your bank was burgled? (1, Interesting)

h4rr4r (612664) | more than 4 years ago | (#32802032)

Says the moron that thinks ignoring the problem is as good as fixing it.

Re:you'd rather your bank was burgled? (1)

Michael Kristopeit (1751814) | more than 4 years ago | (#32802136)

only a moron would conclude that i think the problem should be ignored. i think that publishing the details of how to steal money from banks is irresponsible... and it seems so do the people that were going to present it, as they have concluded it is in their best interest to not present it.

Re:you'd rather your bank was burgled? (1)

quanticle (843097) | more than 4 years ago | (#32802496)

Publication, or the threat thereof, is the only way that this problem will get addressed. According to this researcher, these exploits are being used by criminals right now. It's the ATM companies that want this covered up, so that they can present their machines as "totally secure", when in fact they're riddled with more holes than Swiss cheese.

In fact, publication would help the banks, as they would be able to test ATMs to see which ones were vulnerable. This would allow them to hold the ATM vendors accountable, rather than just having to accept a certain level of "loss" from ATMs.

Re:you'd rather your bank was burgled? (2, Insightful)

lgw (121541) | more than 4 years ago | (#32802206)

Never argue with a man who cannot learn how to operate the "Shift" key.

Re:you'd rather your bank was burgled? (1)

gmthor (1150907) | more than 4 years ago | (#32802176)

so EVERY bad guy, including would-be bad guys, already know this? do you know it? how about you post it as an anonymous response to this comment.... i mean, it's everywhere, right?

Actually, probably everybody at this conference knows about this already.
Also it's not like he gives a step by step presentation on how to get cash out of an ATM.

Re:you'd rather your bank was burgled? (0)

Anonymous Coward | more than 4 years ago | (#32801604)

the people who argue that the information needs to be public actually understand the issue here.

It seems to me that the people that understand the issue here the most have chosen not to go forward with their public presentation.

Re:you'd rather your bank was burgled? (1)

Jarjarthejedi (996957) | more than 4 years ago | (#32801802)

It seems to me that the people who understand the issue here the most have been intimidated into inaction by people who might or might not understand the issue but understand that revealing any flaws in their methods would mean less profit for them, and that's all they care about.

Re:you'd rather your bank was burgled? (1)

CastrTroy (595695) | more than 4 years ago | (#32802102)

Maybe the people who are trying to stop the information from going public are some of the same people who are exploiting the flaws. The more public the flaws, and the more people exploiting it, the more likely it is that the flaw will be fixed. If you were making lots of money from an existing flaw, wouldn't you want that flaw to remain open?

Re:you'd rather your bank was burgled? (1)

jimicus (737525) | more than 4 years ago | (#32802516)

There is such a tendency on /. to think in black and white.

It's already known by some bad guys. How widely known is another matter altogether - are they discussing it openly on web forums? Discussing it openly on web forums which require registration and somebody who's already on the forum to vouch for you before they'll let you view anything? Discussing it on Usenet? Discussing it under blankets in a locked room after dark?

How widely is it being exploited in the wild? How much is being lost every year through this sort of fraud? How much would it cost to fix?

Re:you'd rather your bank was burgled? (1)

The Wild Norseman (1404891) | more than 4 years ago | (#32801938)

where are all the headlines pointing out how easily tumbler locks can be opened?

This isn't a headline of how easy it is to bypass ATM security, per se (as what you're implying), this is if, for example, Schlage or Master tries to tell a locksmith that he cannot give a presentation on some of the vulnerabilities of a padlock. There are ALREADY dozens of books out there for sale in major bookstores and Amazon.com detailing how to pick locks -- describing techniques and tools (and some books tell you where to obtain these tools). The lock-making companies have responded not by attempting to curtail the freedom to publish this information, but to make the locks stronger and more difficult to bypass.

security isn't about building the biggest wall.

Security through obscurity -- which is what the banks are essentially desiring in this case -- isn't all that effective either.

presenting this information can only decrease the security and value of your savings.

No, the bank itself not spending its "hard earned" profits on increasing already known and presented security issues decreases the security and value of your savings.

This isn't dangerous in the way they claim (5, Insightful)

nixNscratches (957550) | more than 4 years ago | (#32801418)

The people who are using it to cause damages already know how this is done. The only dangerous part about something like this is that the public might be made aware of just how far from secure most financial transactions are.

Re:This isn't dangerous in the way they claim (3, Interesting)

Wowsers (1151731) | more than 4 years ago | (#32801710)

I don't trust ANY banks. As for ATM security, the new "chip / pin" on credit and debit cards in Europe is insecure, even more so as cards STILL have the magnetic strip on them, which has the exact same details in the chip on the magnetic strip, making the inclusion of the chip pointless.

Re:This isn't dangerous in the way they claim (2, Insightful)

Moddington (1721244) | more than 4 years ago | (#32801882)

It may be pointless now, but there's always the possibility that they're using cards with both the old strip and the new chip as an intermediate step, to try to shift card owners over to using just the chip a little more softly. Of course, it could also just be another example of incompetence in security.

Re:This isn't dangerous in the way they claim (1)

Pingmaster (1049548) | more than 4 years ago | (#32802092)

it's not card owners using/not using the chip that is the problem, it's the retailers. I don't know how many places I've gone to that still don't use the chip readers (most of which already have machines that accept the chip) and I'm forced to use the magnetic strip. The worst is, we're not talking about little mom-and-pop convenience stores, places like Wal-Mart and Canadian Tire still don't accept chip cards.

Re:This isn't dangerous in the way they claim (0)

Anonymous Coward | more than 4 years ago | (#32802872)

The weirdest thing I've seen is from a gas station here in Germany:
They have machines to use the chip / PIN and the register randomly tells them to use that or to just use the magnetic strip with a signature. Because it's "more secure" that way.

Yeah, sure. Because my signature is actually ON the card for everybody to copy whereas the PIN is only in my head.

Re:This isn't dangerous in the way they claim (1)

Island Admin (1562905) | more than 4 years ago | (#32803054)

Here in Ireland, you can hardly get by without a chip on your card. I have had serious problems with my U.S. credit and debit cards excepting at ATMs ... DOH!

Re:This isn't dangerous in the way they claim (4, Insightful)

abigsmurf (919188) | more than 4 years ago | (#32802070)

You are completely wrong about what you think chip and pin is.

The magnetic strip on the card contains the exact same information as on regular cards.

The chip contains the pin, if the pin is guessed incorrectly 3 times, the card will lock itself. If a chip and pin terminal senses a pin, it will not authorise a transaction without the pin (which on correct entry will cause the card to send an encrypted 'pin verified' code to the bank).

The only way chip and pin cards have been compromised (outside of cards using outdated protocols in a lab environment) is standard card skimming. You copy the magnetic stripe and PIN from a compromised terminal to clone the card. This only works if you use the cloned card on a non-chip and pin terminal. To do this you need to leave the country as all terminals in the UK (and other chip and pin countries) are required to be chip and pin. Nothing like someone suddenly making a massive purchase 1000 miles away in a different country 30 minutes after making one in their home country to flag up a transaction with the bank.

Basically, the only practical vulnerability at the moment for chip and pin is a vulnerability for strip only cards. There's a reason there's been massive reductions in ATM fraud in chip and pin countries.
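Added example, not part of the thread or of any bank's system: a minimal issuer-side review rule for the two signals the comment above describes, a chip card being read by its magnetic stripe and a purchase too far from the previous one to be reachable in the elapsed time. The record fields, the 900 km/h ceiling, the 50 km minimum distance and the sample transactions are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

MAX_PLAUSIBLE_KMH = 900.0  # assumption: roughly airliner cruising speed
MIN_DISTANCE_KM = 50.0     # assumption: ignore jitter between nearby terminals


@dataclass
class Txn:
    card_id: str
    when: datetime
    lat: float
    lon: float
    entry_mode: str       # "chip" or "magstripe" (constructed labels)
    card_has_chip: bool   # issuer knows whether it issued a chip card


def km_between(a: Txn, b: Txn) -> float:
    """Great-circle (haversine) distance between two terminals, in km."""
    lat1, lon1, lat2, lon2 = map(radians, (a.lat, a.lon, b.lat, b.lon))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def review_flags(txns):
    """Return {index: [reasons]} for transactions worth a manual review."""
    flags, last_seen = {}, {}
    for i in sorted(range(len(txns)), key=lambda n: txns[n].when):
        t, reasons = txns[i], []
        # A chip card that was read by stripe: the terminal fell back to the
        # weaker mode, which is where a cloned stripe would be usable.
        if t.card_has_chip and t.entry_mode == "magstripe":
            reasons.append("magstripe-fallback")
        prev = last_seen.get(t.card_id)
        if prev is not None:
            hours = (t.when - prev.when).total_seconds() / 3600
            dist = km_between(prev, t)
            # Same card in two places faster than anyone could travel.
            if dist > MIN_DISTANCE_KM and (hours == 0 or dist / hours > MAX_PLAUSIBLE_KMH):
                reasons.append("impossible-travel")
        last_seen[t.card_id] = t
        if reasons:
            flags[i] = reasons
    return flags


# Constructed sample data: London and Lisbon coordinates, made-up card ids.
SAMPLE = [
    Txn("card-A", datetime(2010, 7, 5, 12, 0), 51.5074, -0.1278, "chip", True),
    Txn("card-A", datetime(2010, 7, 5, 12, 30), 38.7223, -9.1393, "magstripe", True),
    Txn("card-B", datetime(2010, 7, 5, 12, 5), 51.5074, -0.1278, "chip", True),
    Txn("card-B", datetime(2010, 7, 5, 12, 40), 51.5155, -0.0922, "chip", True),
    Txn("card-C", datetime(2010, 7, 5, 13, 0), 51.5074, -0.1278, "magstripe", False),
]

if __name__ == "__main__":
    for index, reasons in review_flags(SAMPLE).items():
        print(index, SAMPLE[index].card_id, reasons)
```

Only the second card-A transaction is flagged; a stripe-only card (card-C) and two nearby chip purchases (card-B) pass without review.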

Re:This isn't dangerous in the way they claim (1)

lgw (121541) | more than 4 years ago | (#32802272)

There are actually exploits to extract the PIN (or otherwise make the card usable in a chip-and-PIN reader), given a lot of time and equipment applied to a given card. The terminal-card protocol has some issues, apparently.

But the practical upshot of chip-and-PIN in most places is that, in the old system when your magstripe was duped you'd have quite limited liability, but now when you're the victim of the exact same attack you bear the entire cost (at most banks) because "you must have told someone your PIN".

And chip-and-PIN is a credit card thing, why are you going on about ATM fraud?

Re:This isn't dangerous in the way they claim (1)

abigsmurf (919188) | more than 4 years ago | (#32802364)

Yeah there were some lab people who demonstrated that it was possible on some specific cards using a specific type of terminal that you could confuse the reader into sending a verified code. It was incredibly unlikely to ever be used 'in the wild' as it needed expensive equipment and older generation chip and pin cards (which are all expiring now anyway).

One of the strengths of chip and pin is that the chips on the cards themselves can carry new versions of the protocol, as well as the readers.

I (and millions of other Brits) have a chip and pin debit card in my wallet that I use as my sole method of getting cash out.

In the UK it's mandated by law that the banks have to prove that you were negligent with your card details to refuse to pay out (very difficult to do).

Re:This isn't dangerous in the way they claim (1)

lgw (121541) | more than 4 years ago | (#32802714)

It was incredibly unlikely to ever be used 'in the wild' as it needed expensive equipment and older generation chip and pin cards (which are all expiring now anyway).

Sure, we're safe until electronic equipment gets smaller, faster, and cheaper. :) And the second most common weakness in electronic security systems (after poor key management) is "fall back to less secure mode", which chip-and-PIN is plagued with. Sure, it may eventually evolve into something secure, but there's currently no end in sight for the ability to extract money from a stolen card.

It's great that the UK has that consumer protection, BTW; I wish there was more of that spirit going around.

Re:This isn't dangerous in the way they claim (0)

Anonymous Coward | more than 4 years ago | (#32802426)

What I really hate about this new format is that I get to choose between (a) holding on to my card and exposing my PIN entry, OR (b) masking my entry under my hand, but having to let go of my card to do it.

Oh, and posting AC because this is a borrowed pc... (heh, captcha is 'durable')

The bigger danger... (0)

Anonymous Coward | more than 4 years ago | (#32803498)

Is that chip-and-pin is supposed to be "secure" so the liability for fraudulent transactions can be shifted back onto the consumer, or at the least, they are expected to somehow prove their innocence (that they didn't leak their pin somehow) which is generally impossible.

In the manner in which they are currently deployed, chip and pin cards are no more secure than regular non-chipped cards, but not everybody recognizes this.

Re:This isn't dangerous in the way they claim (1)

PPH (736903) | more than 4 years ago | (#32801812)

the public might be made aware of just how far from secure most financial transactions are.

And that is dangerous exactly how? If the public can be educated to take a few precautions that will keep their accounts and financial data more secure, that's a good thing. If the public comes to understand that the risks involved with certain products or services are too high, they might not buy them. But then the only thing that's endangered is the profit margins of the outfits trying to sell us this garbage.

Re:This isn't dangerous in the way they claim (1)

javelinco (652113) | more than 4 years ago | (#32801916)

There are some real problems with that argument. While it's true that there are people exploiting the vulnerabilities in the wild, the number of people who'd LIKE to be exploiting these weaknesses is far greater than the number who are.

Think of it this way - with computer exploits, you often have a small group that has a bunch of exploits they keep under lock and key in order to pull off the jobs they want to do. But you've got a LOT of people who, if given a tool to take advantage of those exploits, would use them - and use them a lot. We call them script kiddies. The same is true, if not more so, in the world of actual $$ - don't you think? Not EVERYONE would try to take advantage of this knowledge - but MORE people would - and that number would likely be significant.

Of course, FIXING these attack vectors would be the preferred method for dealing with the problem, instead of trying to suppress the information. But that's where the real world goes head-to-head with our ideals.

ahh yes... (1)

polle404 (727386) | more than 4 years ago | (#32801484)

Security through obscurity, we all know how well that works... *sigh

Re:ahh yes... (0)

Anonymous Coward | more than 4 years ago | (#32801950)

Security through obscurity, we all know how well that works... *sigh

Hey, I still have MY money, so fuck you it works.

Actually it can work very well (1)

Sycraft-fu (314770) | more than 4 years ago | (#32802484)

A large amount of criminals are rather dumb. That is often why they choose a life of crime. In particular, someone who is going to go around trying to hack ATMs is pretty dumb. You aren't going to get a whole lot of money out of them. If the hack is based around someone's particular account, you'll get a max of like $500 per day for an account, that is generally the highest you see withdrawal limits (if you need more you go in the bank). Even if you could get the ATM to empty itself, you'd get maybe $10,000-20,000. Ok well that is on a device that has a camera, and belongs to a financial institution. Banks have a lot of pull with law enforcement and a lot of reason to want to catch someone stealing from their ATMs.

So, doing this would be a dumb crime. Doing it once, the only real way you are going to have a chance not to get caught, doesn't net you enough to be worth it. Doing it on a recurring basis pretty much guarantees you get caught. It is just not a smart crime.

As such the sort of people who would do it are not the sort who are going to sit and carefully investigate ATM security, perhaps buy their own and test it. They are the kind of criminal who would do it if there's a how to guide. If someone gives them the directions, they'll say "Hey, easy money!" and do it.

Thus keeping it obscure really DOES work. This "Security through obscurity doesn't work," thing is a bogus statement that people online like to parrot. While it isn't the best kind of security, it doesn't mean it is worthless.

In the real, physical, world you have to accept that all security is imperfect. No matter what you do, someone can get by it. You can have an underground vault surrounded by trained armed guards, doesn't matter. All someone needs is an attack force large enough to get rid of your guards and sufficient time and tools to physically dismantle your protections. There is no magic, perfect, "Nobody can get past this." You can only aim for two things:

1) Having security good enough that nobody who would try to get through it could. Whatever level of threat you are likely to face, you have security that can stop that.

2) Having security that seems good enough that nobody will try. Make it intimidating to the point that nobody is going to even attempt to get around it.

Well, part of #2 is obscurity. You don't tell people everything you are doing. They don't know what all they have to get past. Their ability to try and draw up a plan is compromised by the fact that they do not know what all they have to deal with.

Take something like, say, the security of the CIA building. There's plenty of security you can see, they have their own, armed, police force, there are physical barriers and so on. However if you think that's all there is you are a fool. What else might there be? You don't know, and that makes it real hard to plan how to overcome.

Re:Actually it can work very well (1)

EdIII (1114411) | more than 4 years ago | (#32803228)

You're attempting to give an example where obscurity can have some value towards the security of the system. It sounds convincing, but I am not entirely sold that the people performing ATM fraud are that inept. There are some pretty sophisticated people out there that will obtain the information regardless of how privileged it is.

I do get your point. However, let's assume you are entirely correct and obscurity is a worthwhile consideration in security. It does not make it right, legal, or ethical to forcibly suppress another person's right to free speech.

They can enjoy their obscurity up to the point that somebody discloses the information and removes it. Nothing more than that.

On the other hand, what is the value of disclosure? I feel that it forces companies to acknowledge their failings and work on making the product or service better. I think transparency in companies providing security can only be a good thing.

I have an example too. Adobe (burn in hell). Their document security is about as strong as a wet piece of toilet paper and everybody knows it. Yet they abused their power and used some quite thuggish people at the FBI to unlawfully, unethically, and quite disgracefully take away a person's freedom that simply showed the world how worthless they were. If a company chooses security through obscurity and can pull it off for years on end with few incidents... more power to them. However, acting like authoritarian thugs and suppressing information is where it just goes too far.

Makes perfect sense (0)

Anonymous Coward | more than 4 years ago | (#32801492)

If researchers aren't allowed to talk about those flaws, perhaps they'll just go away?

Black hat conference? (5, Insightful)

countertrolling (1585477) | more than 4 years ago | (#32801496)

in the USA?? I would not recommend that at all. Just put it on the net from a secure location..

China? (0)

AnonymousClown (1788472) | more than 4 years ago | (#32801592)

in the USA?? I would not recommend that at all. Just put it on the net from a secure location..

Have the Chinese host it.

Dear China: Please host this to show the decadent capitalist pigs who are enslaved by the banks how their system is screwing them over.

Re:China? (1)

ToasterMonkey (467067) | more than 4 years ago | (#32802008)

Have the Chinese host it.

Dear China: Please host this to show the decadent capitalist pigs who are enslaved by the banks how their system is screwing them over.

Uh yah, please do. China doesn't have banks, laws, or lack of freedom of speech after all. Go for it dude.

Re:Black hat conference? (0)

Anonymous Coward | more than 4 years ago | (#32801598)

The conference was in Amsterdam. Amsterdam != United States of America by any stretch of the imagination.

Re:Black hat conference? (1)

countertrolling (1585477) | more than 4 years ago | (#32801664)

:-) You didn't RTFA!

For your edification: This unexpected development makes me wonder if Barnaby Jack's previously thwarted demonstration will actually take place at this year's Black Hat USA taking place later this month.

HTH...

It always backfires (5, Interesting)

retardpicnic (1762292) | more than 4 years ago | (#32801706)

Remember when Jeff Moss had his talk cancelled, or Kim Zetter? All it did was make people salivate to read their presentation when they released it online at a later date. The last thing you want to do to this demographic is tell them the info is "too dangerous" (see awesome) for them to hear. It will be everywhere within the week.

Re:It always backfires (1)

ComputerGeek01 (1182793) | more than 4 years ago | (#32803086)

Remember when Jeff Moss had his talk cancelled, or Kim Zetter? All it did was make people salivate to read their presentation when they released it online at a later date. The last thing you want to do to this demographic is tell them the info is "too dangerous" (see awesome) for them to hear. It will be everywhere within the week.

This is exactly right, in the precious words of my 18-month-old niece "Hahaha, you can't tell me no."

Funny (2, Interesting)

acalltoreason (1732266) | more than 4 years ago | (#32801888)

It's funny that they think, I'm assuming, that not letting someone speak about it is helping them in any way. The more people who know about vulnerabilities the safer we are because while there will be more people working to exploit it, there are also more people working to patch it.

Get Used to It! (0)

Anonymous Coward | more than 4 years ago | (#32802754)

This is the same as when anti-white racists put pressure on any forum that tries to have speakers speak about the facts of the genetic basis of racial differences in intelligence and more importantly morality and behavior.

No one tries to save free speech there! Even when it is the destruction of their race that is at stake!

Slides are sanitized (3, Informative)

prxp (1023979) | more than 4 years ago | (#32803178)

According to TFA:

Even though this is not the first time that ATM vendors prevented a security researcher to publicly disclose findings about flaws in their devices at a conference, this instance is really surprising, since Chiesa held this same presentation at a couple of security conferences already, and the slides he employed are also available [slideshare.net] online.

The thing is these slides are sanitized, the details of the ATM attack were removed.

Does anybody know where to find a non-sanitized version?

Re: (1)

clint999 (1277046) | more than 4 years ago | (#32803342)

so EVERY bad guy, including would-be bad guys, already know this? do you know it? how about you post it as an anonymous response to this comment.... i mean, it's everywhere, right?