Slashdot Mirror

← Back to Stories (view on slashdot.org)

ATM Vendors Threaten, Stop Research Presentation

Posted by Soulskill on from the money-inside-atms-wants-to-be-free dept.

An anonymous reader writes "A presentation about 'The Underground Economy,' by Italian white hat hacker and security expert Raoul Chiesa, was replaced at the last minute during last week's Hack In The Box conference. The reason behind this cancellation was that Chiesa received legal pressure from ATM vendors over the fact that the originally scheduled presentation covers details of various techniques and exploits of vulnerabilities that cyber criminals use to break into ATMs — flaws that have been known for a long time."

93 of 134 comments (clear)

  1. Publish it on Piratebay instead by commodore64_love · · Score: 5, Insightful

    No government nor corporation has a right to muzzle our mouths.

    --
    "I disapprove of what you say, but I will defend to the death your right to say it." - historian Evelyn Beatrice Hall
    1. Re:Publish it on Piratebay instead by countertrolling · · Score: 2, Insightful

      No government nor corporation has a right to muzzle our mouths.

      No they don't, but they did and they do... And the public couldn't care less. If he put it on piratebay, he can still get in trouble. His name is all over it. Only anonymous disclosure can remedy this.

      --
      For justice, we must go to Don Corleone
    2. Re:Publish it on Piratebay instead by commodore64_love · · Score: 1

      Why would he be in trouble? It's not illegal to speak or publish your thoughts. That's the reason why the US Bill of Rights and EU Charters of Fundamental Rights exist.

      --
      "I disapprove of what you say, but I will defend to the death your right to say it." - historian Evelyn Beatrice Hall
    3. Re:Publish it on Piratebay instead by Michael+Kristopeit · · Score: 1, Insightful

      if the governments or corporations have the ability to convince people to muzzle themselves, and no one who depends on the protection of their savings will stand up to fight for the self-muzzled, then any "rights" are irrelevant.

    4. Re:Publish it on Piratebay instead by techsoldaten · · Score: 3, Informative

      Here are the slides.

      http://www.slideshare.net/null0x00/raoul-nullcon2010-day1

      He gave this presenation at nullcon already. Nothing too creepy there...

      M

    5. Re:Publish it on Piratebay instead by s0litaire · · Score: 4, Insightful

      What we really need is a "Wiki" we can "leak" things to...
      what's it called again.... ermm Pirate-leaks, no Wiki-Bay
      Nope can't remember the name...

      --
      Laters Sol "Have you found the secrets of the universe? Asked Zebade "I'm sure I left them here somewhere"
    6. Re:Publish it on Piratebay instead by MagicM · · Score: 4, Informative

      He edited out the "creepy" slides (37 and 39).

    7. Re:Publish it on Piratebay instead by Sponge+Bath · · Score: 2, Informative

      They don't have the right, but they do have the guns and goons.

    8. Re:Publish it on Piratebay instead by Yuan-Lung · · Score: 4, Insightful

      Why would he be in trouble? It's not illegal to speak or publish your thoughts.

      Really?

      I am thinking of a number.... it's between 13,256,278,887,989,457,651,018,865,901,401,704,639 and 13,256,278,887,989,457,651,018,865,901,401,704,641

    9. Re:Publish it on Piratebay instead by countertrolling · · Score: 5, Interesting

      It's not illegal to speak or publish your thoughts.

      It's not illegal to take pictures either, but people are still being harassed for it. Those rights are regularly violated, and not enough people stand up to it to take notice. Our rights don't mean much if nobody will defend them.

      Why would he be in trouble?

      Precedence. People have been arrested for revealing exploits. And several conferences have been canceled in the states over these issues in the past also.

      The safest bet by far is to remain anonymous. The information is more important than the guy's ego.

      --
      For justice, we must go to Don Corleone
    10. Re:Publish it on Piratebay instead by techsoldaten · · Score: 2, Funny

      Yeah, I hear there were graphic depictions of live naked taranatulas on both slides, glad he pulled them.

      M

    11. Re:Publish it on Piratebay instead by Peach+Rings · · Score: 1

      How do ATM vendors cancel a conference anyway? Shouldn't the correct response for Hack in the Box to give be a hearty fuck off?

    12. Re:Publish it on Piratebay instead by Zwets · · Score: 1

      I am thinking of a number.... it's between 13,256,278,887,989,457,651,018,865,901,401,704,639 and 13,256,278,887,989,457,651,018,865,901,401,704,641

      Hmmm... "between inclusive" or "between exclusive"?

      --
      One of the lessons of history is that nothing is often a good thing to do and always a clever thing to say. - Will Duran
    13. Re:Publish it on Piratebay instead by JockTroll · · Score: 5, Interesting

      It's not illegal, but Big Money makes and enforce its own laws. And the most important of those laws is: we're rich and powerful, obey us or else.

      Too bad nobody calls their "else". People don't know their rights anymore, or are afraid to defend them. Unfortunately with good reason because there's plenty of both public and private uniformed thugs who make up the law on the spot and exercise their might with the power of the baton.

      Another decade of this, or less, and the populace will have been forced into submission, ready to do anything if ordered to by an "authority figure".

      Wise up, people: organize yourselves, gather in pro-rights associations and have lawyers on your side. When a person or group of people is harassed by uniformed or suited goons, take them to court. Have the fact publicized by the press or by any means necessary. Embarass them, ridicule them, nothing kills fear more than laughter. Nothing hurts more than a good lawsuit.

      A guy I knew once was just touched by a private security guard at a mall who was trying to play Dirty Harry. He immediately fell to the ground screaming like a stuck pig. A friend nearby promptly shouted "MY GOD WHAT HAVE YOU DONE TO HIM!" He remained still on the ground and another friend (female) kept screaming "MURDERER! MURDERER!"

      It was PRICELESS. All caught on tape. People around gathered, and this uniformed guy was probably thinking if he had better run away or gun down everyone. Manager got called. Ambulance was called. Police appeared. Although this guy wasn't hurt, the fact that he had been pushed by the guard with no reason (seen on the CCTV when the security firm tried to exculpate themselves) was ground for criminal charged against the guard and for a big lawsuit against the firm by the mall management. The bad publicity (thing ended up on TV and papers) caused the firm to lose all contracts throughout the city and collapsed in a couple of months.

      Play hard. We can win, but gloves must come off. If they shit on you, you shit back. With some diarrhoea.

      --
      Geeks are so full of shit that "beating the crap out of them" takes a whole new meaning.
    14. Re:Publish it on Piratebay instead by cdrguru · · Score: 1

      Lawsuit. Everything in the US is driven by lawsuits.

      Real simple. You call up the conference chairperson (or the venue where the conference is being held) and say "Our lawyer wants to thenk you for accepting liability for our ATM losses for the next six months. Of course, if you don't go ahead with the ATM security presentation we wouldn't have a case."

      What do you do? I guess if you have the legal fund to stack up against the in-house counsel of a couple of banks it doesn't matter, let them threaten away. But really, who wants to take that risk?

      That's all it is, a calculated risk.

    15. Re:Publish it on Piratebay instead by Sulphur · · Score: 1

      s^mouths^moufs^

    16. Re:Publish it on Piratebay instead by aBaldrich · · Score: 1

      A few days ago slashdot published a very interesting article about that. The second link is what you are looking for.

      --
      In soviet russia the government regulates the companies.
    17. Re:Publish it on Piratebay instead by commodore64_love · · Score: 4, Informative

      13,256,278,887,989,457,651,018,865,901,401,704,640

      I am protected by this law, which nullifies any other law: "Congress shall make no law... abridging the freedom of speech, or of the press" and "The enumeration in the Constitution, of certain rights, shall not be construed to deny or disparage others retained by the people." and "The powers not delegated to the United States by the Constitution, nor prohibited by it to the States, are reserved to the States respectively, or to the people."

      Give me the paper that was banned from the conference. I'll publish it. I don't give a frak.

      --
      "I disapprove of what you say, but I will defend to the death your right to say it." - historian Evelyn Beatrice Hall
    18. Re:Publish it on Piratebay instead by commodore64_love · · Score: 1, Troll

      >>>What do you do?

      Say nothing, hang up, and continue with my original plans. I will not be intimidated, even if it leads to my own imprisonment. Better to live free, than to be on my knees licking the boots of some lawyer, corporation, or politician.

      Remember the Ghetto Riots in Germany? Had I been alive at the time, I probably would have been part of them. I will not walk peacefully into a shower room. Nor will I give-up my right to open my mouth and speak-out, or publish any paper I desire. To do that would be the same as making myself a slave with a muzzle that my master jerks every now and then.

      --
      "I disapprove of what you say, but I will defend to the death your right to say it." - historian Evelyn Beatrice Hall
    19. Re:Publish it on Piratebay instead by jd · · Score: 1

      They weren't just live and naked, either. I hear Arachnids Gone Wild is paying him a fortune for the originals.

      --
      It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
    20. Re:Publish it on Piratebay instead by justin12345 · · Score: 4, Interesting

      The problem is you don't really have to be convicted of a crime to be thrown in jail, have your property confiscated, or have your life ruined. My aunt is a criminal defense attorney. She defends people the government (US not Italian) has declared potential criminals. According to her, unless you are a very wealthy individual, simply being accused of a serious crime will either land you in jail for a while, ruin you financially, or most likely both. If you have a generous family they might be able to sell a house to keep you out of jail on bail (assuming you are declared innocent). In the end, most people plea bargain, which usually results in some sort of parole arrangement where their every move is monitored by a bunch of thugs that got all Cs in high school.

      The DMCA makes even knowing that number a crime. Publishing it here even more so. Though I doubt you will, you could spend the rest of your life and every penny you will ever make convincing a series of judges that the First Amendment supersedes the DMCA.

      I'm not saying this is right. I'm specifically saying its wrong.

      --
      Cool art gallery, if you're into that sort of thing.
    21. Re:Publish it on Piratebay instead by Smallpond · · Score: 1

      If the ATM makers are slacking and don't want to fix these vulnerabilities, they should be punished .... This guy has to put these presentations up on the internet and let people read it and screw those ATMs.

      Mostly vulnerabilities are in the protocols. Changing them requires updating ATMs, switches and bank software. It could be rolled out gradually, but in the meantime they would still have to support the old protocols. Its pretty easy to find information on this stuff anyway:

      http://www.javvin.com/networksecurity/ATMNetworkSecurity.html

    22. Re:Publish it on Piratebay instead by zippthorne · · Score: 1

      The proper thing to do, in that case, is to make sure you don't actually have any assets that can be recovered. It's not as if there isn't gigantic heap of ways do do that, mostly involving "incorporating" and they very words, "limited liability."

      --
      Can you be Even More Awesome?!
    23. Re:Publish it on Piratebay instead by jd · · Score: 1

      Actually, no. Since there are endless debates over whether there are Constitutional rights to Native Americans, children, criminals, foreigners, illegal aliens, tarrarists (though what's wrong with paving roads, I don't know), etc, it follows that the Bill of Rights is really just a list of permissions. A right is just that, a right. It cannot be given, it cannot be taken away. It is. A permission must be given and may be taken away at the discretion of the giver. It follows that there is no, and never really has been, any "Constitutional right" to free speech.

      (The original draft of the Magna Carta got very close to actually creating legal rights, by openly stating that violation of those rights by the Government was a criminal offense that could be punished as such, eliminating any notion of Sovereign Immunity. Neither the final version nor the US Constitution has such a clause, and both the US and UK exempt the Government from any legal action.)

      It's not like you could seriously do anything. The majority of Americans would be more likely to regard you as an economic criminal than to agree with the publication of anything that could make them aware of the risks. America is a very risk-averse culture - not through not taking risks, but through not wanting to think about them too much. Far from becoming a folk hero and/or a martyr to free speech, if you got thrown in jail, you'd be much more likely labeled "one of the Bad Guys". The Government might even end up more popular, not less. The quaint but utterly incorrect notion that an individual can do anything worth a damn might apply to small towns but never applied to the US historically and certainly doesn't in a country estimated at 300 million. Especially in a country where people have always played second-fiddle to corporate culture.

      --
      It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
    24. Re:Publish it on Piratebay instead by thePowerOfGrayskull · · Score: 1

      13,256,278,887,989,457,651,018,865,901,401,704,639 and 13,256,278,887,989,457,651,018,865,901,401,704,641

      Too easy. 13,256,278,887,989,457,651,018,865,901,401,704,640.123,552,754,203,344,346,122,675

    25. Re:Publish it on Piratebay instead by thePowerOfGrayskull · · Score: 1

      The same way that slashdotters read the summary.

    26. Re:Publish it on Piratebay instead by aztracker1 · · Score: 1

      One's rights simply are, if you follow your logic to an extreme, then you have no rights because anything you have, or are could be taken by force. The principles of rights established are simply things you have/are. The right to own property was never established in the constitution, but simply is.

      --
      Michael J. Ryan - tracker1.info
    27. Re:Publish it on Piratebay instead by wmac · · Score: 1

      If you want to hurt people and jeopardize their life (economic or whatever) by being selfish, every government has the right to avoid that.

    28. Re:Publish it on Piratebay instead by Mattcelt · · Score: 1

      While technically correct, you're missing the point of the document. The US Constitution and the Declaration of Independence both expressly recognize that there some "natural" rights granted by a power higher than the government: "endowed by their Creator with certain unalienable Rights".

      And the Bill of Rights is similar. While not "granting" the rights, per se (because they are granted by the "Creator", and cannot therefore be granted by the government), it expressly forbids the government from passing any law which artificially restricts those rights.

    29. Re:Publish it on Piratebay instead by jd · · Score: 1

      Your private thoughts cannot be taken from you, so there is the first right. Your emotions, state-of-mind, knowledge, intellect and understanding are likewise yours and yours alone.

      Secondly, there's very little you really own anyway - virtually everything you claim is rented, licensed or mortgaged - and it's actually quite hard to take something you don't have in the first place.

      Thirdly, the ability of group X to take something is not the same as group X then owning it. Let us say that the US enshrined the true right to own some specific type of property. That property would then be yours absolutely and no seizure - by other individuals or by the Government - could alter your ownership. This actually applies to certain classes of antiquity, which is why those items cannot be owned by Governments, museums or private collectors - no matter how obtained - unless the accepted owner authorizes that transfer of ownership. New Zealand, Egypt and Iraq have obtained many items back that way, as have some percentage of Jewish families persecuted in WW2. Of course, this implies a means of enforcement. The US doesn't recognize the ICJ and the ICJ - unlike the European Court of Human Rights - doesn't deal with disputes between individuals and governments. However, recognition of the ICJ and abandonment of Sovereign Immunity would certainly cripple opportunities for abuse.

      --
      It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
    30. Re:Publish it on Piratebay instead by sjames · · Score: 1

      Actually, the Constitution goes further even though it is ignored wholesale. It declares any such violation to not be an act of government at all, which in theory makes whoever does it guilty of a whole host of crimes no different than if I walk up to a stranger and forceably kidnap him and lock him in a cage.

    31. Re:Publish it on Piratebay instead by shentino · · Score: 1

      Simple.

      They come in with lawyers and threaten to sue the living daylights out of them if they don't comply.

    32. Re:Publish it on Piratebay instead by nagnamer · · Score: 1

      [...] you have no rights because anything you have, or are could be taken by force.

      Provided the statement above is true, 'rights' would simply be a belief. And as with any belief system, they are non-debatable. You either believe you have rights or you don't, and reality ceases to matter.

      --
      Every harsh word you utter has the right address. It only sounds harsh because the one on the envelope is the wrong one.
    33. Re:Publish it on Piratebay instead by nagnamer · · Score: 1

      Your private thoughts cannot be taken from you, so there is the first right. Your emotions, state-of-mind, knowledge, intellect and understanding are likewise yours and yours alone.

      It's interesting to note that you are linking 'rights' to 'ownership', whereas I would think rights have more to do with action and expression than with shit you own.

      Instead of having the 'right to speak freely' you have 'right to free speech' as if 'free speech' is something you can take and own. Thinking like that leads to concepts like 'taking away' things instead of 'preventing you from doing something'. Needless to say, stopping you from 'expressing' or 'doing' is quite different from 'taking something from you'.

      If you objectify your action, you, at the same time, externalize it. It's as if it's not something you can do, but something you must obtain (or be given) in order to use. So, from the very beginning it's formulated in a way that introduces the concepts of 'giving' and 'taking away'.

      With actions, there is nothing to 'give' or 'take'. You can only forcibly prevent them (or choose not to).

      --
      Every harsh word you utter has the right address. It only sounds harsh because the one on the envelope is the wrong one.
    34. Re:Publish it on Piratebay instead by nagnamer · · Score: 1

      You missed the other "there" which should be "their."

      It was just a warning shot.

      --
      Every harsh word you utter has the right address. It only sounds harsh because the one on the envelope is the wrong one.
    35. Re:Publish it on Piratebay instead by nagnamer · · Score: 1

      A guy I knew once was just touched by a private security guard at a mall who was trying to play Dirty Harry. He immediately fell to the ground screaming like a stuck pig.

      Good going. You blew the cover now. Your friend will not be thrown into jail and forced to pay the security company for damages.

      --
      Every harsh word you utter has the right address. It only sounds harsh because the one on the envelope is the wrong one.
    36. Re:Publish it on Piratebay instead by JockTroll · · Score: 1

      So what? Good luck using that post as evidence, and the company cannot sue anyone because they do not exist anymore. They're closed, bankrupt, gone. :)

      Anyway, the little scene was only needed to call attention. It was illegal for the guard to grab the guy since he hadn't given him any reason to do it, but without the drama nobody would have noticed and the manager would not have wanted to see the CCTV footage in order to avoid possible lawsuits - he had an interest in demonstrating the robocop wannabe had violated both the law and the premises' policy by playing Tough Guy.

      Had the "victim" not thrown the little scene and his friends not called attention to the fact, he would have simply been another citizen mistreated by a dumb thug in a silly uniform, and we already have plenty of them. By calling the public's attention to the illegal action of the aforementioned thug, and causing the management to check out the facts (in order to avoid damage of course, not in the interests of justice), a lesson has been taught to many a rent-a-goon.

      Remember some things: those clowns cannot even touch you unless you give them GOOD reason to do it, and pointing at a silly hat on a stand is not a good reason. They're not police officers, they cannot search you and they cannot detain you unless you've done something really illegal and even then, they must immediately call the police. If they simply detain you, check your nation's laws because they can be charged for kidnapping. Call the cops yourself in such a case: have the emergency number on a one-touch call on your phone and press it, talk loud, it will be recorded.

      You're as helpless as you want to be. They want you to believe you're helpless, but it's still not the case. The law can bite both ways.

      --
      Geeks are so full of shit that "beating the crap out of them" takes a whole new meaning.
    37. Re:Publish it on Piratebay instead by nagnamer · · Score: 1

      Remember some things: those clowns cannot even touch you unless you give them GOOD reason to do it

      It also helps to know that 'these clowns' happen to be ordinary people like you (?) and me (???), and they also happen to work in a system. Whether you hate the system or not, that has nothing to do with them. And fucking with a random clown is not going to dismantle the system. It will simply remove one of its agents (the sec worker and sec company), but that's about the extent of the damage you are able to inflict. Another sec company will fill the void.

      --
      Every harsh word you utter has the right address. It only sounds harsh because the one on the envelope is the wrong one.
    38. Re:Publish it on Piratebay instead by JockTroll · · Score: 1

      Well, "ordinary people" do not go around playing Dirty Harry because they believe they can. And it was not about fucking up a random agent, it was about setting an example: security firms now working in the area are far more careful, and the incident prompted the local authorities to investigate past complaints into what were correctly perceived as abuses of power on the part of overzealous (read: braindead self-sodomizing coprophage) security personnel. Abuses on the part of rent-a-thugs are now taken far more seriously and as a consequence, those clowns behave because they know darn well they can't get another job that easily (not with an assault charge and after being fired for improper conduct).

      Dismantling the system would be nice, because a good rebuild is in order. For the moment, we can hammer out some bends, however. Don't think you cannot make a difference, that's what they want you to think. Take no shit from anyone. Organize yourselves. Defend your rights.

      --
      Geeks are so full of shit that "beating the crap out of them" takes a whole new meaning.
    39. Re:Publish it on Piratebay instead by nagnamer · · Score: 1

      Dismantling the system would be nice, because a good rebuild is in order. For the moment, we can hammer out some bends, however. Don't think you cannot make a difference, that's what they want you to think. Take no shit from anyone. Organize yourselves. Defend your rights.

      Point is, if people stopped taking shit from other people, the system would be considered dismantled. The reason that doesn't happen is that the system is still in place and supported by those who fall victim to it.

      --
      Every harsh word you utter has the right address. It only sounds harsh because the one on the envelope is the wrong one.
    40. Re:Publish it on Piratebay instead by commodore64_love · · Score: 1

      I know a guy who fought a similar case. He created a website about a new mall coming to his town, to provide information to residents about what stores would be there and what it would look like.

      After the mall was completed the owner sued the webmaster, claiming the name of the dot-com site was copyrighted. It took about 4 years and eventually rose to the level of the US Supreme Court, but the webmaster won. His website was protected by the Constitution. It ended-up costing zero out of his pocket because the justices ordered the mall to pay for all legal expenses.

      This turned-out to be an important ruling because it also protected sites like paypaylsucks.com or ebaysucks.com, which were facing similar "you can't use our name" lawsuits. Our right to speak freely, and either criticize or support companies, has been protected.

      It only takes one man willing to stand-up for his legal rights to nullify portions of the DMCA that are unconstitutional.

      --
      "I disapprove of what you say, but I will defend to the death your right to say it." - historian Evelyn Beatrice Hall
    41. Re:Publish it on Piratebay instead by commodore64_love · · Score: 1

      >>>whether there are Constitutional rights to Native Americans, children, criminals, foreigners, illegal aliens, tarrarists

      Constitutional Law applies to any landmass where the US Government currently has jurisdiction. Although there are scumbag politicians who try to claim otherwise, in order to remove the shackles the constitution places on them, they are wrong. The Law is the law and applies everywhere within the US jurisdiction.

      --
      "I disapprove of what you say, but I will defend to the death your right to say it." - historian Evelyn Beatrice Hall
    42. Re:Publish it on Piratebay instead by commodore64_love · · Score: 1

      >>>I would think rights have more to do with action and expression than with shit you own.

      At its core, rights ARE about ownership. You own your own body and you own the various things your body can do - like think, speak, act, create. For example if a politician is granted the power to muzzle your mouth, then you no longer really own yourself - you are now the property of the politician. You're a serf and he's your master.

      Natural Rights philosophy was discovered specifically to say, "I am no longer your property. I am no longer a serf. I can say whatever I please." It was a rebellion against the old feudal system where humans did not own themselves, but instead were owned by the manor's master or lord.

      By the way this philosophy came from Scotland, an oppressed people who felt they did not own themselves. Coincidence? Not really. Everybody desires to throw-off the shackles that restrain them. It was later copied by the Americans, Canadians, and the Indians who also wanted to throw-off the English Parliament's shackles.

      --
      "I disapprove of what you say, but I will defend to the death your right to say it." - historian Evelyn Beatrice Hall
    43. Re:Publish it on Piratebay instead by JockTroll · · Score: 1

      Actually that's not the case. It's only in recent times that people have stopped reacting, stopped (mostly) taking to the streets and stopped caring because there's an overwhelming feeling that the adversary is just too powerful to take on. We allowed too many "authority figures" to play Gene Hunt and make up laws on the spot, we allowed too many private interests to buy the law.
      If this defeatist attitude had existed at the beginning of the Industrial Revolution, people would still be forced to work ungodly hours in unsafe conditions and sleeping in barracks-like housing by the factories.
      The trend back towards those time has begun the moment the interested parties thought they could get away with it, because rights and liberties cannot simply be won, they must be constantly defended. Besides, those who want to defend their rights are too often divided because they don't like "some" rights defended, while those who want them taken away are united.
      Nobody actually supports a system that victimizes them: they only swallow the offences down because they think there's nothing they can do. I - and I'm not alone - say there's PLENTY to be done. Get organized. Get on the line. Fight.

      --
      Geeks are so full of shit that "beating the crap out of them" takes a whole new meaning.
    44. Re:Publish it on Piratebay instead by justin12345 · · Score: 1

      Well that is comforting; listening to my Aunt or Slashdot it's kinda shocking libraries are still legal. I'm not the sort to just roll over, but getting into a 1st Amendment court battle frankly scares the shit out of me. I both make (my own) and market (other people's) art that really run the razor's edge of violating other peoples copyrights (for practically no money), its good to know that "fair use" is still something that exists, despite what we hear.

      --
      Cool art gallery, if you're into that sort of thing.
    45. Re:Publish it on Piratebay instead by nagnamer · · Score: 1

      Natural Rights philosophy was discovered specifically to say, "I am no longer your property. I am no longer a serf. I can say whatever I please." It was a rebellion against the old feudal system where humans did not own themselves, but instead were owned by the manor's master or lord.

      That was very informative. Thanks. However, that is what rights were in the beginning. And since we no longer live in a feudal society (although it's not too far either), the definition calls for revision.

      --
      Every harsh word you utter has the right address. It only sounds harsh because the one on the envelope is the wrong one.
    46. Re:Publish it on Piratebay instead by nagnamer · · Score: 1

      they only swallow the offences down because they think there's nothing they can do.

      Which basically supports the system, so it's just as good.

      --
      Every harsh word you utter has the right address. It only sounds harsh because the one on the envelope is the wrong one.
    47. Re:Publish it on Piratebay instead by aztracker1 · · Score: 1

      The ability to protect and enforce one's rights (even if defined in believe) is the reality of them. The government's recognition of this expands on that concept.

      --
      Michael J. Ryan - tracker1.info
    48. Re:Publish it on Piratebay instead by JockTroll · · Score: 1

      Now look, I see you're not the usual loserboy and you understand pretty well the matter. You say correctly that inaction supports the abusers, I say that we must act to correct this. I say, never swallow and offense. Never "get over it". Fight. They will always get away scot-free unless people rise up and challenge them and for every discomfort this may cause you, remember that the future holds far worse if the abusers are left unfought. It may take a million men to march and make a difference, but it takes one Rosa Parks to start.

      --
      Geeks are so full of shit that "beating the crap out of them" takes a whole new meaning.
    49. Re:Publish it on Piratebay instead by nagnamer · · Score: 1

      The ability to protect and enforce one's rights (even if defined in believe) is the reality of them. The government's recognition of this expands on that concept.

      Of course. Beliefs are like that: it's real as long as you believe, and you act accordingly.

      --
      Every harsh word you utter has the right address. It only sounds harsh because the one on the envelope is the wrong one.
    50. Re:Publish it on Piratebay instead by Boomshadow · · Score: 1

      Governments have a responsibility to do that to protect the rights of their constituents. Governments do not inherently and SHOULD NOT have rights. Ever.

    51. Re:Publish it on Piratebay instead by mattack2 · · Score: 1

      Well that is comforting; listening to my Aunt or Slashdot it's kinda shocking libraries are still legal.

      What is it about the legality of libraries that is shocking to you? The fact that they can loan out (not make additional copies of) copyrighted material? That is covered by the First Sale Doctrine http://en.wikipedia.org/wiki/First_sale_doctrine

      BTW, some other thread today or yesterday had a comment mentioning something about libraries being paid for by our tax dollars. While that is true now, it wasn't the origin of libraries.

    52. Re:Publish it on Piratebay instead by justin12345 · · Score: 1

      Yeah, that is it. Its pretty shocking that hasn't been overturned yet.

      --
      Cool art gallery, if you're into that sort of thing.
    53. Re:Publish it on Piratebay instead by Golddess · · Score: 1

      I am protected by this law

      Show where where in that law it says you have freedom from responsibility* for your words, and I'll agree.

      *Just for the sake of argument, lets say that sharing that number is a Bad Thing. Yes, I know what that number is, but I'm not here to argue whether it is a Bad Thing to share. I'm simply stating that the 1st amendment is not the be-all, end-all, do-anything-I-want-and-get-away-with-it law you seem to be implying it is. I will agree that perhaps the federal government doesn't have the power to do anything per the 10th amendment, but the states certainly do per that same amendment.

      --
      "I'm not sure I like the fugnutish tone you used in your post!" -RogL (608926)-
  2. This isn't dangerous in the way they claim by nixNscratches · · Score: 5, Insightful

    The people who are using it to cause damages already know how this is done. The only dangerous part about something like this is that the public might be made aware of just how far from secure most financial transactions are.

    1. Re:This isn't dangerous in the way they claim by Wowsers · · Score: 3, Interesting

      I don't trust ANY banks. As for ATM security, the new "chip / pin" on credit and debit cards in Europe is insecure, even more so as cards STILL have the magnetic strip on them, which has the exact same details in the chip on the magnetic strip, making the inclusion of the chip pointless.

      --
      Take Nobody's Word For It.
    2. Re:This isn't dangerous in the way they claim by PPH · · Score: 1

      the public might be made aware of just how far from secure most financial transactions are.

      And that is dangerous exactly how? If the public can be educated to take a few precautions that will keep their accounts and financial data more secure, that's a good thing. If the public comes to understand that the risks involved with certain products or services are too high, they might not buy them. But then the only thing that's endangered is the profit margins of the outfits trying to sell us this garbage.

      --
      Have gnu, will travel.
    3. Re:This isn't dangerous in the way they claim by Moddington · · Score: 2, Insightful

      It may be pointless now, but there's always the possibility that they're using cards with both the old strip and the new chip as an intermediate step, to try to shift card owners over to using just the chip a little more softly. Of course, it could also just be another example of incompetence in security.

    4. Re:This isn't dangerous in the way they claim by __aagmrb7289 · · Score: 1

      There are some real problems with that argument. While it's true that there are people exploiting the vulnerabilities in the wild, the number of people who'd LIKE to be exploiting these weaknesses is far greater than the number who are.

      Think of it this way - with computer exploits, you often have a small group that has a bunch of exploits they keep under lock and key in order to pull of the jobs they want to do. But you've got a LOT of people who, if given a tool to take advantages of those exploits, would use them - and use them a lot. We call them script kiddies. The same is true, if not more so, in the world of actual $$ - don't you think? Not EVERYONE would try to take advantage of this knowledge - but MORE people would - and that number would likely be significant.

      Of course, FIXING these attack vectors would be the preferred method for dealing with the problem, instead of trying to suppress the information. But that's where the real world goes head-to-head with our ideals.

    5. Re:This isn't dangerous in the way they claim by abigsmurf · · Score: 4, Insightful

      You are completely wrong about what you think chip and pin is.

      The magnetic strip on the card contains the exact same information as on regular cards.

      The chip contains the pin, if the pin is guessed incorrectly 3 times, the card will lock itself. If a chip and pin terminal senses a pin, it will not authorise a transaction without the pin (which on correct entry will cause the card to send an encrypted 'pin verified' code to the bank).

      The only way chip and pin cards have been compromised (outside of cards using outdated protocols in a lab envoironment) is standard card skimming. You copy the magnetic stripe and PIN from a compromised terminal to clone the card. This only works if you use the cloned card on a non-chip and pin terminal. To do this you need to leave the country as all terminals in the UK (and other chip and pin countries) are required to be chip and pin. Nothing like someone suddenly making a massive purchase 1000 miles away in a different country 30 minutes after making one in their home country to flag up a transaction with the bank.

      Basically, the only practical vulnerability at the moment for chip and pin is a vulnerability for strip only cards. There's a reason there's been massive reductions in ATM fraud in chip and pin countries.

    6. Re:This isn't dangerous in the way they claim by Pingmaster · · Score: 1

      it's not card owners using/not using the chip that is the problem, it's the retailers. I don't know how many places I've gone to that still don't use the chip readers (most of which already have machines that accept the chip) and I'm forced to use the magnetic strip. The worst is, we're not talking about little mom-and-pop convenience stores, places like Wal-Mart and Canadian Tire still don't accept chip cards.

    7. Re:This isn't dangerous in the way they claim by lgw · · Score: 1

      There are actually exploits to extract the PIN (or otherwise make the card usable in a chip-and-PIN reader), given a lot of time and equipment applied to a given card. The terminal-card protocol has some issues, apparantly.

      But the practical upshot of chip-and-PIN in most places is that, in the old system when your magstripe was duped you'd have quite limited liability, but now when you're the victim of the exact same attack you bear the entire cost (at most banks) because "you must have told someone your PIN".

      And chip-and-PIN is a credit card thing, why are you going on about ATM fraud?

      --
      Socialism: a lie told by totalitarians and believed by fools.
    8. Re:This isn't dangerous in the way they claim by abigsmurf · · Score: 1

      Yeah there was some lab people who demonstrated that it was possible on some specific cards using a specific type of terminal that you could confuse the reader into sending a verified code. It was incredibly unlikely to ever be used 'in the wild' as it needed expensive equiptment and older generation chip and pin cards (which are all expiring now anyway.

      One of the strengths of chip and pin is that the chips on the cards themselves can carry new versions of the protocol, as well as the readers.

      I (and millions of other Brits) have a chip and pin debit card in my wallet that I use as my sole method of getting cash out.

      In the UK it's mandated by law that the banks have to prove that you were negligent with your card details to refuse to pay out (very difficult to do).

    9. Re:This isn't dangerous in the way they claim by lgw · · Score: 1

      It was incredibly unlikely to ever be used 'in the wild' as it needed expensive equiptment and older generation chip and pin cards (which are all expiring now anyway.

      Sure, we're safe until electronic equipment gets smaller, faster, and cheaper. :) And the second most common weakness in electronic security systems (after poor key managment) is "fall back to less secure mode", which chip-and-PIN is plagued with. Sure, it may eventually evolve into something secure, but there's currently no end in sight for the ability to extract money from a stolen card.

      It's great that the UK has that consumer protection, BTW; I wish there was more of that spirit going around.

      --
      Socialism: a lie told by totalitarians and believed by fools.
    10. Re:This isn't dangerous in the way they claim by Island+Admin · · Score: 1

      Here in Ireland, you can hardly get by with out a chip on your card. I have had serious problems with my U.S credit and debit cards excepting at ATMS ... DOH!

    11. Re:This isn't dangerous in the way they claim by Jezral · · Score: 1

      Seriously? You're paranoid about letting go of your card for the 3 seconds it takes to enter the PIN? The card remains right in front of you, no more than 4cm away from your hands...

      Where do you live where stealing cards at the payment terminal in full public view is so frequent that you feel a need to be paranoid about it? I've never even heard of such a case of theft/assault.

      No, the real problem with the chip system is that when you put the card in the holder, the security code is facing away from you, visible to the store clerk...

  3. Re:you'd rather your bank was burgled? by countertrolling · · Score: 5, Insightful

    you'd rather your bank was burgled?

    No, I'd rather hold the bank responsible for any loss. They should have to replace the money. With that kind of incentive, they might actually try to make their systems a bit more secure. An important step in this direction would be to quit using cheap commodity systems in their networks.

    --
    For justice, we must go to Don Corleone
  4. Re:you'd rather your bank was burgled? by schon · · Score: 5, Insightful

    presenting this information can only decrease the security and value of your savings.

    You're an idiot.

    As the article states, the information is already known by the bad guys. Keeping it secret helps the bad guys, and hurts everyone else. Making it public will encourage the banks to fix the vulnerabilities, which will increase the security and value of my savings.

    anyone that argues that the information needs to be public is probably broke.

    No, the people who argue that the information needs to be public actually understand the issue here.

  5. ahh yes... by polle404 · · Score: 1

    Security through obscurity, we all know how well that works... *sigh

    --

    ~men are from earth. women are from earth. deal with it.~
  6. Black hat confrence? by countertrolling · · Score: 5, Insightful

    in the USA?? I would not recommend that at all. Just put it on the net from a secure location..

    --
    For justice, we must go to Don Corleone
    1. Re:Black hat confrence? by countertrolling · · Score: 1

      :-) You didn't RTFA!

      For your edification: This unexpected development makes me wonder if Barnaby Jack's previously thwarted demonstration will actually take place at this year's Black Hat USA taking place later this month.

      HTH...

      --
      For justice, we must go to Don Corleone
  7. Re:you'd rather your bank was burgled? by CastrTroy · · Score: 1

    While I'm not sure if they are legally responsible, I would have to say that they do bear the cost. I have had my bank card duped twice in the last 4 years, and both times the bank fixed the problem before I even realized the money was gone. I'm not sure which banks you deal with, but of all the times I have had this happen to me, or any body I personally know, the bank has put the money back in the account very quickly. Granted it would be better if it didn't happen in the first place. However, depending on how severely the system is flawed, it may not be possible to fix the problem at all, without changing out all the current machines, and settling on a new standard, which may again have its own list of faults.

    --

    Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
  8. It always backfires by retardpicnic · · Score: 5, Interesting

    Remember when Jeff Moss had his talk cancelled, or Kim Zetter? All it did was make people salivate to read thier presentation when they released it online at a later date. The last thing you want to do to this demographic is tell them the info is "too dangerous (see awesome) for them to hear. It will be everywhere with in the week.

    --
    sig loading.......
    1. Re:It always backfires by ComputerGeek01 · · Score: 1

      Remember when Jeff Moss had his talk cancelled, or Kim Zetter? All it did was make people salivate to read thier presentation when they released it online at a later date. The last thing you want to do to this demographic is tell them the info is "too dangerous (see awesome) for them to hear. It will be everywhere with in the week.

      This is exactley right, in the precious words of my 18 months old neice "Hahaha, you can't tell me no."

  9. Re:you'd rather your bank was burgled? by Jarjarthejedi · · Score: 1

    It seems to me that the people who understand the issue here the most have been intimidated into inaction by people who might or might not understand the issue but understand that revealing any flaws in their methods would mean less profit for them, and that's all they care about.

    --
    There are two kinds of fool One says 'This is old therefore good' Another says 'This is new therefore better'- Dean Ing
  10. Re:you'd rather your bank was burgled? by AnonymousClown · · Score: 1
    What in the World ...

    Any devaluation that may be happening with the dollar is irrelevant to this discussion. Chewbacca would have been more relevant to the discussion.

    The banks will do what they always do: pass any costs plus a hefty markup to the consumer. The banks make more money on fees and penalties than they ever did as honest bankers. Like they do now. $3.00 ATM fees?!? The transaction is pretty much free to them. Sure , they have a lot of bogus "costs" they say they incur, but the fact of the matter is ATM fees are extremely profitable gravy that are only beat in profitability by the fees that cell phone carriers charge for text messages.

    --
    RIP America

    July 4, 1776 - September 11, 2001

  11. Funny by acalltoreason · · Score: 1, Interesting

    Its funny that they think, I'm assuming, that not letting someone speak about it is helping them in any way. The more people who know about vulnerabilities the safer we are because while there will be more people working to exploit it, there are also more people working to patch it.

    --
    Where has reason in the world gone? Have we abandoned it in favor of power and politics?
  12. Re:you'd rather your bank was burgled? by The+Wild+Norseman · · Score: 1

    where are all the headlines pointing out how easily tumbler locks can be opened?

    This isn't a headline of how easy it is to bypass ATM security, per se (as what you're implying), this is if, for example, Schlage or Master tries to tell a locksmith that he cannot give a presentation on some of the vulnerabilities of a padlock. There are ALREADY dozens of books out there for sale in major bookstores and Amazon.com detailing how to pick locks -- describing techniques and tools (and some books tell you where to obtain these tools). The lock-making companies have responded not by attempting to curtail the freedom to publish this information, but to make the locks stronger and more difficult to bypass.

    security isn't about building the biggest wall.

    Security through obscurity -- which is what the banks are essentially desiring in this case -- isn't all that effective either.

    presenting this information can only decrease the security and value of your savings.

    No, the bank itself not spending its "hard earned" profits on increasing already known and presented security issues decreases the security and value of your savings.

    --
    "A government is a body of people usually -- notably -- ungoverned." -Shepherd Book
  13. Re:China? by ToasterMonkey · · Score: 1

    Have the Chinese host it.

    Dear China: Please host this to show the decadent capitalist pigs who are enslaved by the banks how their system is screwing them over.

    Uh yah, please do. China doesn't have banks, laws, or lack of freedom of speech after all. Go for it dude.

  14. Re:you'd rather your bank was burgled? by h4rr4r · · Score: 1, Interesting

    Says the moron that thinks ignoring the problem is as good as fixing it.

  15. Re:you'd rather your bank was burgled? by CastrTroy · · Score: 1

    Maybe the people who are trying to stop the information from going public are some of the same people who are exploiting the flaws. The more public the flaws, and the more people exploiting it, the more likely it is that the flaw will be fixed. If you were making lots of money from an existing flaw, wouldn't you want that flaw to remain open?

    --

    Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
  16. Re:you'd rather your bank was burgled? by gmthor · · Score: 1

    so EVERY bad guy, including would-be bad guys, already know this? do you know it? how about you post it as an anonymous response to this comment.... i mean, it's everywhere, right?

    Actually, probably everybody on this conference knows about this already.
    Also it's not like he gives a step by step presentation on how to get cash out of an ATM.

    --
    How do I uncompress my MD5 archive?
  17. Re:you'd rather your bank was burgled? by lgw · · Score: 1

    What decade are you living in? Banks don't bear costs, taxpayers do in the form of bailouts. If the government is just going to print money to give to the banks, why not instead go with a simpler system where a fraudulent ATM withdraw is simply not recorded as a debit to any account? Same inflation either way ...

    --
    Socialism: a lie told by totalitarians and believed by fools.
  18. Re:you'd rather your bank was burgled? by lgw · · Score: 2, Insightful

    Never argue with a man who cannot learn how to operate the "Shift" key.

    --
    Socialism: a lie told by totalitarians and believed by fools.
  19. Re:you'd rather your bank was burgled? by Anonymous Coward · · Score: 1, Insightful

    Try watching "Corrupt Banking System" on Youtube...

    You obviously don't know what the Fractional Reserve system is, nor that the banks now OWN all of us, since we can never produce enough goods or labour to pay off all the debts that the banks are allowed to print out of thin air...

  20. Actually it can work very well by Sycraft-fu · · Score: 1

    A large amount of criminals are rather dumb. That is often why they choose a life of crime. In particular, someone who is going to go around trying to hack ATMs is pretty dumb. You aren't going to get a whole lot of money out of them. If the hack is based around someone's particular account, you'll get a max of like $500 per day for an account, that is generally the highest you see withdrawal limits (if you need more you go in the bank). Even if you could get the ATM to empty itself, you'd get maybe $10,000-20,000. Ok well that is on a device that has a camera, and belongs to a financial institution. Banks have a lot of pull with law enforcement and a lot of reason to want to catch someone stealing from their ATMs.

    So, doing this would be a dumb crime. Doing it once, the only real way you are going to have a chance not to get caught, doesn't net you enough to be worth it. Doing it on a recurring basis pretty much guarantees you get caught. It is just not a smart crime.

    As such the sort of people who would do it are not the sort who are going to sit and carefully investigate ATM security, perhaps buy their own and test it. They are the kind of criminal who would do it if there's a how to guide. If someone gives them the directions, they'll say "Hey, easy money!" and do it.

    Thus keeping it obscure really DOES work. This "Security through obscurity doesn't work," thing is a bogus statement that people online like to parrot. While it isn't the best kind of security, it doesn't mean it is worthless.

    In the real, physical, world you have to accept that all security is imperfect. No matter what you do, someone can get by it. You can have an underground vault surrounded by trained armed guards, doesn't matter. All someone needs is an attack force large enough to get rid of your guards and sufficient time and tools to physically dismantle your protections. There is no magic, perfect, "Nobody can get past this." You can only aim for two things:

    1) Having security good enough that nobody who would try to get through it could. Whatever level of threat you are likely to face, you have security that can stop that.

    2) Having security that seems good enough that nobody will try. Make it intimidating to the point that nobody is going to even attempt to get around it.

    Well, part of #2 is obscurity. You don't tell people everything you are doing. They don't know what all they have to get past. Their ability to try and draw up a plan is compromised by the fact that they do not know what all they have to deal with.

    Take something like, say, the security of the CIA building. There's plenty of security you can see, they have their own, armed, police force, there are physical barriers and so on. However if you think that's all there is you are a fool. What else might there be? You don't know, and that makes it real hard to plan how to overcome.

    1. Re:Actually it can work very well by EdIII · · Score: 1

      You're attempting to give an example where obscurity can have some value towards the security of the system. It sounds convincing, but I am not entirely sold that the people performing ATM fraud are that inept. There are some pretty sophisticated people out there that will obtain the information regardless of how privileged it is.

      I do get your point. However, let's assume you are entirely correct and obscurity is a worthwhile consideration in security. It does not make it right, legal, or ethical to forcibly suppress another person's right to free speech.

      They can enjoy their obscurity up the point that somebody discloses the information and removes it. Nothing more than that.

      On the other hand, what is the value of disclosure? I feel that it forces companies to acknowledge their failings and work on making the product or service better. I think transparency in companies providing security can only be a good thing.

      I have an example too. Adobe (burn in hell). Their document security is about as strong as a wet piece of toilet paper and everybody knows it. Yet they abused their power and used some quite thuggish people at the FBI to unlawfully, unethically, and quiet disgracefully take away a person's freedom that simply showed the world how worthless they were. If a company chooses security through obscurity and can pull it off for years on end with few incidents... more power to them. However, acting like authoritarian thugs and suppressing information is where it just goes too far.

  21. Re:you'd rather your bank was burgled? by quanticle · · Score: 1

    Publication, or the threat thereof is the only way that this problem will get addressed. According to this researcher, these exploits are being used by criminals right now. Its the ATM companies that want this covered up, so that they can present their machines as "totally secure", when in fact they're riddled with more holes than Swiss cheese.

    In fact, publication would help the banks, as they would be able to test ATMs to see which ones were vulnerable. This would allow them to hold the ATM vendors accountable, rather than just having to accept a certain level of "loss" from ATMs.

    --
    We all know what to do, but we don't know how to get re-elected once we have done it
  22. Re:you'd rather your bank was burgled? by jimicus · · Score: 1

    There is such a tendency on /. to think in black and white.

    It's already known by some bad guys. How widely known is another matter altogether - are they discussing it openly on web forums? Discussing it openly on web forums which require registration and somebody who's already on the forum to vouch for you before they'll let you view anything? Discussing it on Usenet? Discussing it under blankets in a locked room after dark?

    How widely is it being exploited in the wild? How much is being lost every year through this sort of fraud? How much would it cost to fix?

  23. Slides are sanitized by prxp · · Score: 3, Informative
    According to TFA:

    Even though this is not the first time that ATM vendors prevented a security researcher to publicly disclose findings about flaws in their devices at a conference, this instance is really surprising, since Chiesa held this same presentation at a couple of security conferences already, and the slides he employed are also available online.

    The thing is these slides are sanitized, the details of the ATM attack were removed.

    Does anybody know where to find a non-sanitized version?

  24. Re:you'd rather your bank was burgled? by JockTroll · · Score: 1

    LOL. No information is "criminal" or "non-criminal". Information is just information and it's good for people to know just how secure the machines they rely on to handle their cash is. Those ATM vendors were just scared that people could know how insecure their hardware and software was, and that they would have to spend money (SHOCK! HORROR!) to address the issue. Better to silence those dangerous "citizens", in the interest of corporate buggery.

    Run, coward, run. I live. I hunger. Beware.

    --
    Geeks are so full of shit that "beating the crap out of them" takes a whole new meaning.
  25. Re:you'd rather your bank was burgled? by JockTroll · · Score: 1

    "the flaws are purposefully left in the ATMs to detract would be thieves from arming themselves and stealing money from banks "the old fashioned way".

    LOOOOOL! Congratulations, loserboy. You're eligible for the Most Gullible Idiot in the World Award! Either that, or you're a low-level employee of some ATM maker. Either way, my diarrhoea is your shampoo.

    Trust your masters, loserboy. Give them all of your money. Do as they say, they know what's better for you. Right.

    --
    Geeks are so full of shit that "beating the crap out of them" takes a whole new meaning.
  26. or...you could.... by hesaigo999ca · · Score: 1

    They could try to intimidate you and say stop and desist everybody, but I have to wonder, if by doing this they are not giving the illusion that ATMs are safe. I applauded the effort that one consultant did security wise about the flaw with microsoft, and then turning around and posting on youtube (or whatever) the flaw ....so that M$ could not hide behind their usual crap....they were forced to fix it right away and issue a patch, this tends to let me think the same with this situation, disclose the problem after 1 week of letting them know, and they will have to force a firmware upgrade to all outlets....that's what most people are forced to do with their machines, ... why not them???