Slashdot Mirror


ATM Vendors Threaten, Stop Research Presentation

An anonymous reader writes "A presentation about 'The Underground Economy,' by Italian white hat hacker and security expert Raoul Chiesa, was replaced at the last minute during last week's Hack In The Box conference. The reason behind this cancellation was that Chiesa received legal pressure from ATM vendors over the fact that the originally scheduled presentation covers details of various techniques and exploits of vulnerabilities that cyber criminals use to break into ATMs — flaws that have been known for a long time."

22 of 134 comments

  1. Publish it on Piratebay instead by commodore64_love · · Score: 5, Insightful

    No government nor corporation has a right to muzzle our mouths.

    --
    "I disapprove of what you say, but I will defend to the death your right to say it." - historian Evelyn Beatrice Hall
    1. Re:Publish it on Piratebay instead by countertrolling · · Score: 2, Insightful

      No government nor corporation has a right to muzzle our mouths.

      No they don't, but they did and they do... And the public couldn't care less. If he put it on piratebay, he can still get in trouble. His name is all over it. Only anonymous disclosure can remedy this.

      --
      For justice, we must go to Don Corleone
    2. Re:Publish it on Piratebay instead by techsoldaten · · Score: 3, Informative

      Here are the slides.

      http://www.slideshare.net/null0x00/raoul-nullcon2010-day1

      He gave this presentation at nullcon already. Nothing too creepy there...

      M

    3. Re:Publish it on Piratebay instead by s0litaire · · Score: 4, Insightful

      What we really need is a "Wiki" we can "leak" things to...
      what's it called again.... ermm Pirate-leaks, no Wiki-Bay
      Nope can't remember the name...

      --
      Laters Sol "Have you found the secrets of the universe? Asked Zebade "I'm sure I left them here somewhere"
    4. Re:Publish it on Piratebay instead by MagicM · · Score: 4, Informative

      He edited out the "creepy" slides (37 and 39).

    5. Re:Publish it on Piratebay instead by Sponge+Bath · · Score: 2, Informative

      They don't have the right, but they do have the guns and goons.

    6. Re:Publish it on Piratebay instead by Yuan-Lung · · Score: 4, Insightful

      Why would he be in trouble? It's not illegal to speak or publish your thoughts.

      Really?

      I am thinking of a number.... it's between 13,256,278,887,989,457,651,018,865,901,401,704,639 and 13,256,278,887,989,457,651,018,865,901,401,704,641

    7. Re:Publish it on Piratebay instead by countertrolling · · Score: 5, Interesting

      It's not illegal to speak or publish your thoughts.

      It's not illegal to take pictures either, but people are still being harassed for it. Those rights are regularly violated, and not enough people stand up to it to take notice. Our rights don't mean much if nobody will defend them.

      Why would he be in trouble?

      Precedence. People have been arrested for revealing exploits. And several conferences have been canceled in the states over these issues in the past also.

      The safest bet by far is to remain anonymous. The information is more important than the guy's ego.

      --
      For justice, we must go to Don Corleone
    8. Re:Publish it on Piratebay instead by techsoldaten · · Score: 2, Funny

      Yeah, I hear there were graphic depictions of live naked tarantulas on both slides, glad he pulled them.

      M

    9. Re:Publish it on Piratebay instead by JockTroll · · Score: 5, Interesting

      It's not illegal, but Big Money makes and enforces its own laws. And the most important of those laws is: we're rich and powerful, obey us or else.

      Too bad nobody calls their "else". People don't know their rights anymore, or are afraid to defend them. Unfortunately with good reason because there's plenty of both public and private uniformed thugs who make up the law on the spot and exercise their might with the power of the baton.

      Another decade of this, or less, and the populace will have been forced into submission, ready to do anything if ordered to by an "authority figure".

      Wise up, people: organize yourselves, gather in pro-rights associations and have lawyers on your side. When a person or group of people is harassed by uniformed or suited goons, take them to court. Have the fact publicized by the press or by any means necessary. Embarrass them, ridicule them, nothing kills fear more than laughter. Nothing hurts more than a good lawsuit.

      A guy I knew once was just touched by a private security guard at a mall who was trying to play Dirty Harry. He immediately fell to the ground screaming like a stuck pig. A friend nearby promptly shouted "MY GOD WHAT HAVE YOU DONE TO HIM!" He remained still on the ground and another friend (female) kept screaming "MURDERER! MURDERER!"

      It was PRICELESS. All caught on tape. People around gathered, and this uniformed guy was probably thinking if he had better run away or gun down everyone. Manager got called. Ambulance was called. Police appeared. Although this guy wasn't hurt, the fact that he had been pushed by the guard with no reason (seen on the CCTV when the security firm tried to exculpate themselves) was ground for criminal charges against the guard and for a big lawsuit against the firm by the mall management. The bad publicity (thing ended up on TV and papers) caused the firm to lose all contracts throughout the city and collapsed in a couple of months.

      Play hard. We can win, but gloves must come off. If they shit on you, you shit back. With some diarrhoea.

      --
      Geeks are so full of shit that "beating the crap out of them" takes a whole new meaning.
    10. Re:Publish it on Piratebay instead by commodore64_love · · Score: 4, Informative

      13,256,278,887,989,457,651,018,865,901,401,704,640

      I am protected by this law, which nullifies any other law: "Congress shall make no law... abridging the freedom of speech, or of the press" and "The enumeration in the Constitution, of certain rights, shall not be construed to deny or disparage others retained by the people." and "The powers not delegated to the United States by the Constitution, nor prohibited by it to the States, are reserved to the States respectively, or to the people."

      Give me the paper that was banned from the conference. I'll publish it. I don't give a frak.

      --
      "I disapprove of what you say, but I will defend to the death your right to say it." - historian Evelyn Beatrice Hall
    11. Re:Publish it on Piratebay instead by justin12345 · · Score: 4, Interesting

      The problem is you don't really have to be convicted of a crime to be thrown in jail, have your property confiscated, or have your life ruined. My aunt is a criminal defense attorney. She defends people the government (US not Italian) has declared potential criminals. According to her, unless you are a very wealthy individual, simply being accused of a serious crime will either land you in jail for a while, ruin you financially, or most likely both. If you have a generous family they might be able to sell a house to keep you out of jail on bail (assuming you are declared innocent). In the end, most people plea bargain, which usually results in some sort of parole arrangement where their every move is monitored by a bunch of thugs that got all Cs in high school.

      The DMCA makes even knowing that number a crime. Publishing it here even more so. Though I doubt you will, you could spend the rest of your life and every penny you will ever make convincing a series of judges that the First Amendment supersedes the DMCA.

      I'm not saying this is right. I'm specifically saying it's wrong.

      --
      Cool art gallery, if you're into that sort of thing.
  2. This isn't dangerous in the way they claim by nixNscratches · · Score: 5, Insightful

    The people who are using it to cause damages already know how this is done. The only dangerous part about something like this is that the public might be made aware of just how far from secure most financial transactions are.

    1. Re:This isn't dangerous in the way they claim by Wowsers · · Score: 3, Interesting

      I don't trust ANY banks. As for ATM security, the new "chip / pin" on credit and debit cards in Europe is insecure, even more so as cards STILL have the magnetic strip on them, which has the exact same details in the chip on the magnetic strip, making the inclusion of the chip pointless.

      --
      Take Nobody's Word For It.
    2. Re:This isn't dangerous in the way they claim by Moddington · · Score: 2, Insightful

      It may be pointless now, but there's always the possibility that they're using cards with both the old strip and the new chip as an intermediate step, to try to shift card owners over to using just the chip a little more softly. Of course, it could also just be another example of incompetence in security.

    3. Re:This isn't dangerous in the way they claim by abigsmurf · · Score: 4, Insightful

      You are completely wrong about what you think chip and pin is.

      The magnetic strip on the card contains the exact same information as on regular cards.

      The chip contains the pin, if the pin is guessed incorrectly 3 times, the card will lock itself. If a chip and pin terminal senses a pin, it will not authorise a transaction without the pin (which on correct entry will cause the card to send an encrypted 'pin verified' code to the bank).

      The only way chip and pin cards have been compromised (outside of cards using outdated protocols in a lab environment) is standard card skimming. You copy the magnetic stripe and PIN from a compromised terminal to clone the card. This only works if you use the cloned card on a non-chip and pin terminal. To do this you need to leave the country as all terminals in the UK (and other chip and pin countries) are required to be chip and pin. Nothing like someone suddenly making a massive purchase 1000 miles away in a different country 30 minutes after making one in their home country to flag up a transaction with the bank.

      Basically, the only practical vulnerability at the moment for chip and pin is a vulnerability for strip only cards. There's a reason there's been massive reductions in ATM fraud in chip and pin countries.

  3. Re:you'd rather your bank was burgled? by countertrolling · · Score: 5, Insightful

    you'd rather your bank was burgled?

    No, I'd rather hold the bank responsible for any loss. They should have to replace the money. With that kind of incentive, they might actually try to make their systems a bit more secure. An important step in this direction would be to quit using cheap commodity systems in their networks.

    --
    For justice, we must go to Don Corleone
  4. Re:you'd rather your bank was burgled? by schon · · Score: 5, Insightful

    presenting this information can only decrease the security and value of your savings.

    You're an idiot.

    As the article states, the information is already known by the bad guys. Keeping it secret helps the bad guys, and hurts everyone else. Making it public will encourage the banks to fix the vulnerabilities, which will increase the security and value of my savings.

    anyone that argues that the information needs to be public is probably broke.

    No, the people who argue that the information needs to be public actually understand the issue here.

  5. Black hat conference? by countertrolling · · Score: 5, Insightful

    in the USA?? I would not recommend that at all. Just put it on the net from a secure location..

    --
    For justice, we must go to Don Corleone
  6. It always backfires by retardpicnic · · Score: 5, Interesting

    Remember when Jeff Moss had his talk cancelled, or Kim Zetter? All it did was make people salivate to read their presentation when they released it online at a later date. The last thing you want to do to this demographic is tell them the info is "too dangerous" (see awesome) for them to hear. It will be everywhere within the week.

    --
    sig loading.......
  7. Re:you'd rather your bank was burgled? by lgw · · Score: 2, Insightful

    Never argue with a man who cannot learn how to operate the "Shift" key.

    --
    Socialism: a lie told by totalitarians and believed by fools.
  8. Slides are sanitized by prxp · · Score: 3, Informative

    According to TFA:

    Even though this is not the first time that ATM vendors prevented a security researcher to publicly disclose findings about flaws in their devices at a conference, this instance is really surprising, since Chiesa held this same presentation at a couple of security conferences already, and the slides he employed are also available online.

    The thing is these slides are sanitized, the details of the ATM attack were removed.

    Does anybody know where to find a non-sanitized version?