Forgot your password?
typodupeerror
Security The Almighty Buck News IT

ATM Vendors Threaten, Stop Research Presentation 134

Posted by Soulskill
from the money-inside-atms-wants-to-be-free dept.
An anonymous reader writes "A presentation about 'The Underground Economy,' by Italian white hat hacker and security expert Raoul Chiesa, was replaced at the last minute during last week's Hack In The Box conference. The reason behind this cancellation was that Chiesa received legal pressure from ATM vendors over the fact that the originally scheduled presentation covers details of various techniques and exploits of vulnerabilities that cyber criminals use to break into ATMs — flaws that have been known for a long time."
This discussion has been archived. No new comments can be posted.

ATM Vendors Threaten, Stop Research Presentation

Comments Filter:
  • by commodore64_love (1445365) on Monday July 05, 2010 @01:48PM (#32801360) Journal

    No government nor corporation has a right to muzzle our mouths.

    • Re: (Score:2, Insightful)

      No government nor corporation has a right to muzzle our mouths.

      No they don't, but they did and they do... And the public couldn't care less. If he put it on piratebay, he can still get in trouble. His name is all over it. Only anonymous disclosure can remedy this.

      • Why would he be in trouble? It's not illegal to speak or publish your thoughts. That's the reason why the US Bill of Rights and EU Charters of Fundamental Rights exist.

        • by Yuan-Lung (582630) on Monday July 05, 2010 @02:09PM (#32801584)

          Why would he be in trouble? It's not illegal to speak or publish your thoughts.

          Really?

          I am thinking of a number.... it's between 13,256,278,887,989,457,651,018,865,901,401,704,639 and 13,256,278,887,989,457,651,018,865,901,401,704,641

          • by Zwets (645911)

            I am thinking of a number.... it's between 13,256,278,887,989,457,651,018,865,901,401,704,639 and 13,256,278,887,989,457,651,018,865,901,401,704,641

            Hmmm... "between inclusive" or "between exclusive"?

          • by commodore64_love (1445365) on Monday July 05, 2010 @04:26PM (#32802882) Journal

            13,256,278,887,989,457,651,018,865,901,401,704,640

            I am protected by this law, which nullifies any other law: "Congress shall make no law... abridging the freedom of speech, or of the press" and "The enumeration in the Constitution, of certain rights, shall not be construed to deny or disparage others retained by the people." and "The powers not delegated to the United States by the Constitution, nor prohibited by it to the States, are reserved to the States respectively, or to the people."

            Give me the paper that was banned from the conference. I'll publish it. I don't give a frak.

            • by justin12345 (846440) on Monday July 05, 2010 @04:56PM (#32803158)
              The problem is you don't really have to be convicted of a crime to be thrown in jail, have your property confiscated, or have your life ruined. My aunt is a criminal defense attorney. She defends people the government (US not Italian) has declared potential criminals. According to her, unless you are a very wealthy individual, simply being accused of a serious crime will either land you in jail for a while, ruin you financially, or most likely both. If you have a generous family they might be able to sell a house to keep you out of jail on bail (assuming you are declared innocent). In the end, most people plea bargain, which usually results in some sort of parole arrangement where their every move is monitored by a bunch of thugs that got all Cs in high school.

              The DMCA makes even knowing that number a crime. Publishing it here even more so. Though I doubt you will, you could spend the rest of your life and every penny you will ever make convincing a series of judges that the First Amendment supersedes the DMCA.

              I'm not saying this is right. I'm specifically saying its wrong.
              • I know a guy who fought a similar case. He created a website about a new mall coming to his town, to provide information to residents about what stores would be there and what it would look like.

                After the mall was completed the owner sued the webmaster, claiming the name of the dot-com site was copyrighted. It took about 4 years and eventually rose to the level of the US Supreme Court, but the webmaster won. His website was protected by the Constitution. It ended-up costing zero out of his pocket becaus

                • Well that is comforting; listening to my Aunt or Slashdot it's kinda shocking libraries are still legal. I'm not the sort to just roll over, but getting into a 1st Amendment court battle frankly scares the shit out of me. I both make (my own) and market (other people's) art that really run the razor's edge of violating other peoples copyrights (for practically no money), its good to know that "fair use" is still something that exists, despite what we hear.
                  • by mattack2 (1165421)

                    Well that is comforting; listening to my Aunt or Slashdot it's kinda shocking libraries are still legal.

                    What is it about the legality of libraries that is shocking to you? The fact that they can loan out (not make additional copies of) copyrighted material? That is covered by the First Sale Doctrine http://en.wikipedia.org/wiki/First_sale_doctrine [wikipedia.org]

                    BTW, some other thread today or yesterday had a comment mentioning something about libraries being paid for by our tax dollars. While that is true now, it wasn'

            • by jd (1658)

              Actually, no. Since there are endless debates over whether there are Constitutional rights to Native Americans, children, criminals, foreigners, illegal aliens, tarrarists (though what's wrong with paving roads, I don't know), etc, it follows that the Bill of Rights is really just a list of permissions. A right is just that, a right. It cannot be given, it cannot be taken away. It is. A permission must be given and may be taken away at the discretion of the giver. It follows that there is no, and never real

              • One's rights simply are, if you follow your logic to an extreme, then you have no rights because anything you have, or are could be taken by force. The principles of rights established are simply things you have/are. The right to own property was never established in the constitution, but simply is.
                • by jd (1658)

                  Your private thoughts cannot be taken from you, so there is the first right. Your emotions, state-of-mind, knowledge, intellect and understanding are likewise yours and yours alone.

                  Secondly, there's very little you really own anyway - virtually everything you claim is rented, licensed or mortgaged - and it's actually quite hard to take something you don't have in the first place.

                  Thirdly, the ability of group X to take something is not the same as group X then owning it. Let us say that the US enshrined the

                  • by nagnamer (1046654)

                    Your private thoughts cannot be taken from you, so there is the first right. Your emotions, state-of-mind, knowledge, intellect and understanding are likewise yours and yours alone.

                    It's interesting to note that you are linking 'rights' to 'ownership', whereas I would think rights have more to do with action and expression than with shit you own.

                    Instead of having the 'right to speak freely' you have 'right to free speech' as if 'free speech' is something you can take and own. Thinking like that leads to concepts like 'taking away' things instead of 'preventing you from doing something'. Needless to say, stopping you from 'expressing' or 'doing' is quite different from 'taking something

                    • >>>I would think rights have more to do with action and expression than with shit you own.

                      At its core, rights ARE about ownership. You own your own body and you own the various things your body can do - like think, speak, act, create. For example if a politician is granted the power to muzzle your mouth, then you no longer really own yourself - you are now the property of the politician. You're a serf and he's your master.

                      Natural Rights philosophy was discovered specifically to say, "I am no lo

                    • by nagnamer (1046654)

                      Natural Rights philosophy was discovered specifically to say, "I am no longer your property. I am no longer a serf. I can say whatever I please." It was a rebellion against the old feudal system where humans did not own themselves, but instead were owned by the manor's master or lord.

                      That was very informative. Thanks. However, that is what rights were in the beginning. And since we no longer live in a feudal society (although it's not too far either), the definition calls for revision.

                • by nagnamer (1046654)

                  [...] you have no rights because anything you have, or are could be taken by force.

                  Provided the statement above is true, 'rights' would simply be a belief. And as with any belief system, they are non-debatable. You either believe you have rights or you don't, and reality ceases to matter.

                  • The ability to protect and enforce one's rights (even if defined in believe) is the reality of them. The government's recognition of this expands on that concept.
                    • by nagnamer (1046654)

                      The ability to protect and enforce one's rights (even if defined in believe) is the reality of them. The government's recognition of this expands on that concept.

                      Of course. Beliefs are like that: it's real as long as you believe, and you act accordingly.

              • by Mattcelt (454751)

                While technically correct, you're missing the point of the document. The US Constitution and the Declaration of Independence both expressly recognize that there some "natural" rights granted by a power higher than the government: "endowed by their Creator with certain unalienable Rights".

                And the Bill of Rights is similar. While not "granting" the rights, per se (because they are granted by the "Creator", and cannot therefore be granted by the government), it expressly forbids the government from passing a

              • by sjames (1099)

                Actually, the Constitution goes further even though it is ignored wholesale. It declares any such violation to not be an act of government at all, which in theory makes whoever does it guilty of a whole host of crimes no different than if I walk up to a stranger and forceably kidnap him and lock him in a cage.

              • >>>whether there are Constitutional rights to Native Americans, children, criminals, foreigners, illegal aliens, tarrarists

                Constitutional Law applies to any landmass where the US Government currently has jurisdiction. Although there are scumbag politicians who try to claim otherwise, in order to remove the shackles the constitution places on them, they are wrong. The Law is the law and applies everywhere within the US jurisdiction.

            • by Golddess (1361003)

              I am protected by this law

              Show where where in that law it says you have freedom from responsibility* for your words, and I'll agree.

              *Just for the sake of argument, lets say that sharing that number is a Bad Thing. Yes, I know what that number is, but I'm not here to argue whether it is a Bad Thing to share. I'm simply stating that the 1st amendment is not the be-all, end-all, do-anything-I-want-and-get-away-with-it law you seem to be implying it is. I will agree that perhaps the federal government doesn't have the power to do a

          • 13,256,278,887,989,457,651,018,865,901,401,704,639 and 13,256,278,887,989,457,651,018,865,901,401,704,641

            Too easy. 13,256,278,887,989,457,651,018,865,901,401,704,640.123,552,754,203,344,346,122,675

        • by countertrolling (1585477) on Monday July 05, 2010 @02:10PM (#32801596) Journal

          It's not illegal to speak or publish your thoughts.

          It's not illegal to take pictures either, but people are still being harassed for it. Those rights are regularly violated, and not enough people stand up to it to take notice. Our rights don't mean much if nobody will defend them.

          Why would he be in trouble?

          Precedence. People have been arrested for revealing exploits. And several conferences have been canceled in the states over these issues in the past also.

          The safest bet by far is to remain anonymous. The information is more important than the guy's ego.

          • How do ATM vendors cancel a conference anyway? Shouldn't the correct response for Hack in the Box to give be a hearty fuck off?

            • by cdrguru (88047)

              Lawsuit. Everything in the US is driven by lawsuits.

              Real simple. You call up the conference chairperson (or the venue where the conference is being held) and say "Our lawyer wants to thenk you for accepting liability for our ATM losses for the next six months. Of course, if you don't go ahead with the ATM security presentation we wouldn't have a case."

              What do you do? I guess if you have the legal fund to stack up against the in-house counsel of a couple of banks it doesn't matter, let them threaten away

              • Re: (Score:2, Troll)

                >>>What do you do?

                Say nothing, hang up, and continue with my original plans. I will not be intimidated, even if it leads to my own imprisonment. Better to live free, than to be on my knees licking the boots of some lawyer, corporation, or politician.

                Remember the Ghetto Riots in Germany? Had I been alive at the time, I probably would have been part of them. I will not walk peacefully into a shower room. Nor will I give-up my right to open my mouth and speak-out, or publish any paper I desire.

              • The proper thing to do, in that case, is to make sure you don't actually have any assets that can be recovered. It's not as if there isn't gigantic heap of ways do do that, mostly involving "incorporating" and they very words, "limited liability."

            • The same way that slashdotters read the summary.
            • by shentino (1139071)

              Simple.

              They come in with lawyers and threaten to sue the living daylights out of them if they don't comply.

        • by JockTroll (996521) on Monday July 05, 2010 @02:35PM (#32801840)

          It's not illegal, but Big Money makes and enforce its own laws. And the most important of those laws is: we're rich and powerful, obey us or else.

          Too bad nobody calls their "else". People don't know their rights anymore, or are afraid to defend them. Unfortunately with good reason because there's plenty of both public and private uniformed thugs who make up the law on the spot and exercise their might with the power of the baton.

          Another decade of this, or less, and the populace will have been forced into submission, ready to do anything if ordered to by an "authority figure".

          Wise up, people: organize yourselves, gather in pro-rights associations and have lawyers on your side. When a person or group of people is harassed by uniformed or suited goons, take them to court. Have the fact publicized by the press or by any means necessary. Embarass them, ridicule them, nothing kills fear more than laughter. Nothing hurts more than a good lawsuit.

          A guy I knew once was just touched by a private security guard at a mall who was trying to play Dirty Harry. He immediately fell to the ground screaming like a stuck pig. A friend nearby promptly shouted "MY GOD WHAT HAVE YOU DONE TO HIM!" He remained still on the ground and another friend (female) kept screaming "MURDERER! MURDERER!"

          It was PRICELESS. All caught on tape. People around gathered, and this uniformed guy was probably thinking if he had better run away or gun down everyone. Manager got called. Ambulance was called. Police appeared. Although this guy wasn't hurt, the fact that he had been pushed by the guard with no reason (seen on the CCTV when the security firm tried to exculpate themselves) was ground for criminal charged against the guard and for a big lawsuit against the firm by the mall management. The bad publicity (thing ended up on TV and papers) caused the firm to lose all contracts throughout the city and collapsed in a couple of months.

          Play hard. We can win, but gloves must come off. If they shit on you, you shit back. With some diarrhoea.

          • by nagnamer (1046654)

            A guy I knew once was just touched by a private security guard at a mall who was trying to play Dirty Harry. He immediately fell to the ground screaming like a stuck pig.

            Good going. You blew the cover now. Your friend will not be thrown into jail and forced to pay the security company for damages.

            • by JockTroll (996521)

              So what? Good luck using that post as evidence, and the company cannot sue anyone because they do not exist anymore. They're closed, bankrupt, gone. :)

              Anyway, the little scene was only needed to call attention. It was illegal for the guard to grab the guy since he hadn't given him any reason to do it, but without the drama nobody would have noticed and the manager would not have wanted to see the CCTV footage in order to avoid possible lawsuits - he had an interest in demonstrating the robocop wannabe had v

              • by nagnamer (1046654)

                Remember some things: those clowns cannot even touch you unless you give them GOOD reason to do it

                It also helps to know that 'these clowns' happen to be ordinary people like you (?) and me (???), and they also happen to work in a system. Whether you hate the system or not, that has nothing to do with them. And fucking with a random clown is not going to dismantle the system. It will simply remove one of its agents (the sec worker and sec company), but that's about the extent of the damage you are able to inflict. Another sec company will fill the void.

                • by JockTroll (996521)

                  Well, "ordinary people" do not go around playing Dirty Harry because they believe they can. And it was not about fucking up a random agent, it was about setting an example: security firms now working in the area are far more careful, and the incident prompted the local authorities to investigate past complaints into what were correctly perceived as abuses of power on the part of overzealous (read: braindead self-sodomizing coprophage) security personnel. Abuses on the part of rent-a-thugs are now taken far

                  • by nagnamer (1046654)

                    Dismantling the system would be nice, because a good rebuild is in order. For the moment, we can hammer out some bends, however. Don't think you cannot make a difference, that's what they want you to think. Take no shit from anyone. Organize yourselves. Defend your rights.

                    Point is, if people stopped taking shit from other people, the system would be considered dismantled. The reason that doesn't happen is that the system is still in place and supported by those who fall victim to it.

                    • by JockTroll (996521)

                      Actually that's not the case. It's only in recent times that people have stopped reacting, stopped (mostly) taking to the streets and stopped caring because there's an overwhelming feeling that the adversary is just too powerful to take on. We allowed too many "authority figures" to play Gene Hunt and make up laws on the spot, we allowed too many private interests to buy the law.
                      If this defeatist attitude had existed at the beginning of the Industrial Revolution, people would still be forced to work ungodly

                    • by nagnamer (1046654)

                      they only swallow the offences down because they think there's nothing they can do.

                      Which basically supports the system, so it's just as good.

                    • by JockTroll (996521)

                      Now look, I see you're not the usual loserboy and you understand pretty well the matter. You say correctly that inaction supports the abusers, I say that we must act to correct this. I say, never swallow and offense. Never "get over it". Fight. They will always get away scot-free unless people rise up and challenge them and for every discomfort this may cause you, remember that the future holds far worse if the abusers are left unfought. It may take a million men to march and make a difference, but it takes

      • by s0litaire (1205168) on Monday July 05, 2010 @02:03PM (#32801516)

        What we really need is a "Wiki" we can "leak" things to...
        what's it called again.... ermm Pirate-leaks, no Wiki-Bay
        Nope can't remember the name...

        • A few days ago slashdot published a very interesting article [slashdot.org] about that. The second link is what you are looking for.
    • Re: (Score:1, Insightful)

      if the governments or corporations have the ability to convince people to muzzle themselves, and no one who depends on the protection of their savings will stand up to fight for the self-muzzled, then any "rights" are irrelevant.
    • by techsoldaten (309296) on Monday July 05, 2010 @02:02PM (#32801504) Journal

      Here are the slides.

      http://www.slideshare.net/null0x00/raoul-nullcon2010-day1 [slideshare.net]

      He gave this presenation at nullcon already. Nothing too creepy there...

      M

    • Re: (Score:3, Informative)

      by Sponge Bath (413667)

      They don't have the right, but they do have the guns and goons.

    • by Sulphur (1548251)

      s^mouths^moufs^

    • by wmac (1107843)
      If you want to hurt people and jeopardize their life (economic or whatever) by being selfish, every government has the right to avoid that.
      • Governments have a responsibility to do that to protect the rights of their constituents. Governments do not inherently and SHOULD NOT have rights. Ever.
  • by nixNscratches (957550) on Monday July 05, 2010 @01:55PM (#32801418)
    The people who are using it to cause damages already know how this is done. The only dangerous part about something like this is that the public might be made aware of just how far from secure most financial transactions are.
    • by Wowsers (1151731) on Monday July 05, 2010 @02:20PM (#32801710) Journal

      I don't trust ANY banks. As for ATM security, the new "chip / pin" on credit and debit cards in Europe is insecure, even more so as cards STILL have the magnetic strip on them, which has the exact same details in the chip on the magnetic strip, making the inclusion of the chip pointless.

      • Re: (Score:2, Insightful)

        by Moddington (1721244)
        It may be pointless now, but there's always the possibility that they're using cards with both the old strip and the new chip as an intermediate step, to try to shift card owners over to using just the chip a little more softly. Of course, it could also just be another example of incompetence in security.
        • it's not card owners using/not using the chip that is the problem, it's the retailers. I don't know how many places I've gone to that still don't use the chip readers (most of which already have machines that accept the chip) and I'm forced to use the magnetic strip. The worst is, we're not talking about little mom-and-pop convenience stores, places like Wal-Mart and Canadian Tire still don't accept chip cards.
          • Here in Ireland, you can hardly get by with out a chip on your card. I have had serious problems with my U.S credit and debit cards excepting at ATMS ... DOH!
      • by abigsmurf (919188) on Monday July 05, 2010 @02:55PM (#32802070)
        You are completely wrong about what you think chip and pin is.

        The magnetic strip on the card contains the exact same information as on regular cards.

        The chip contains the pin, if the pin is guessed incorrectly 3 times, the card will lock itself. If a chip and pin terminal senses a pin, it will not authorise a transaction without the pin (which on correct entry will cause the card to send an encrypted 'pin verified' code to the bank).

        The only way chip and pin cards have been compromised (outside of cards using outdated protocols in a lab envoironment) is standard card skimming. You copy the magnetic stripe and PIN from a compromised terminal to clone the card. This only works if you use the cloned card on a non-chip and pin terminal. To do this you need to leave the country as all terminals in the UK (and other chip and pin countries) are required to be chip and pin. Nothing like someone suddenly making a massive purchase 1000 miles away in a different country 30 minutes after making one in their home country to flag up a transaction with the bank.

        Basically, the only practical vulnerability at the moment for chip and pin is a vulnerability for strip only cards. There's a reason there's been massive reductions in ATM fraud in chip and pin countries.
        • by lgw (121541)

          There are actually exploits to extract the PIN (or otherwise make the card usable in a chip-and-PIN reader), given a lot of time and equipment applied to a given card. The terminal-card protocol has some issues, apparantly.

          But the practical upshot of chip-and-PIN in most places is that, in the old system when your magstripe was duped you'd have quite limited liability, but now when you're the victim of the exact same attack you bear the entire cost (at most banks) because "you must have told someone your P

          • by abigsmurf (919188)
            Yeah there was some lab people who demonstrated that it was possible on some specific cards using a specific type of terminal that you could confuse the reader into sending a verified code. It was incredibly unlikely to ever be used 'in the wild' as it needed expensive equiptment and older generation chip and pin cards (which are all expiring now anyway.

            One of the strengths of chip and pin is that the chips on the cards themselves can carry new versions of the protocol, as well as the readers.

            I (and m
            • by lgw (121541)

              It was incredibly unlikely to ever be used 'in the wild' as it needed expensive equiptment and older generation chip and pin cards (which are all expiring now anyway.

              Sure, we're safe until electronic equipment gets smaller, faster, and cheaper. :) And the second most common weakness in electronic security systems (after poor key managment) is "fall back to less secure mode", which chip-and-PIN is plagued with. Sure, it may eventually evolve into something secure, but there's currently no end in sight for the ability to extract money from a stolen card.

              It's great that the UK has that consumer protection, BTW; I wish there was more of that spirit going around.

    • by PPH (736903)

      the public might be made aware of just how far from secure most financial transactions are.

      And that is dangerous exactly how? If the public can be educated to take a few precautions that will keep their accounts and financial data more secure, that's a good thing. If the public comes to understand that the risks involved with certain products or services are too high, they might not buy them. But then the only thing that's endangered is the profit margins of the outfits trying to sell us this garbage.

    • by javelinco (652113)
      There are some real problems with that argument. While it's true that there are people exploiting the vulnerabilities in the wild, the number of people who'd LIKE to be exploiting these weaknesses is far greater than the number who are.

      Think of it this way - with computer exploits, you often have a small group that has a bunch of exploits they keep under lock and key in order to pull of the jobs they want to do. But you've got a LOT of people who, if given a tool to take advantages of those exploits, wo
  • Security through obscurity, we all know how well that works... *sigh

    • A large amount of criminals are rather dumb. That is often why they choose a life of crime. In particular, someone who is going to go around trying to hack ATMs is pretty dumb. You aren't going to get a whole lot of money out of them. If the hack is based around someone's particular account, you'll get a max of like $500 per day for an account, that is generally the highest you see withdrawal limits (if you need more you go in the bank). Even if you could get the ATM to empty itself, you'd get maybe $10,000

      • by EdIII (1114411)

        You're attempting to give an example where obscurity can have some value towards the security of the system. It sounds convincing, but I am not entirely sold that the people performing ATM fraud are that inept. There are some pretty sophisticated people out there that will obtain the information regardless of how privileged it is.

        I do get your point. However, let's assume you are entirely correct and obscurity is a worthwhile consideration in security. It does not make it right, legal, or ethical to forc

  • by countertrolling (1585477) on Monday July 05, 2010 @02:01PM (#32801496) Journal

    in the USA?? I would not recommend that at all. Just put it on the net from a secure location..

  • It always backfires (Score:5, Interesting)

    by retardpicnic (1762292) <retardpicnic@gmail.com> on Monday July 05, 2010 @02:20PM (#32801706)

    Remember when Jeff Moss had his talk cancelled, or Kim Zetter? All it did was make people salivate to read thier presentation when they released it online at a later date. The last thing you want to do to this demographic is tell them the info is "too dangerous (see awesome) for them to hear. It will be everywhere with in the week.

    • Remember when Jeff Moss had his talk cancelled, or Kim Zetter? All it did was make people salivate to read thier presentation when they released it online at a later date. The last thing you want to do to this demographic is tell them the info is "too dangerous (see awesome) for them to hear. It will be everywhere with in the week.

      This is exactley right, in the precious words of my 18 months old neice "Hahaha, you can't tell me no."

  • Funny (Score:1, Interesting)

    Its funny that they think, I'm assuming, that not letting someone speak about it is helping them in any way. The more people who know about vulnerabilities the safer we are because while there will be more people working to exploit it, there are also more people working to patch it.
  • Slides are sanitized (Score:4, Informative)

    by prxp (1023979) on Monday July 05, 2010 @04:59PM (#32803178)
    According to TFA:

    Even though this is not the first time that ATM vendors prevented a security researcher to publicly disclose findings about flaws in their devices at a conference, this instance is really surprising, since Chiesa held this same presentation at a couple of security conferences already, and the slides he employed are also available [slideshare.net] online.

    The thing is these slides are sanitized, the details of the ATM attack were removed.

    Does anybody know where to find a non-sanitized version?

  • They could try to intimidate you and say stop and desist everybody, but I have to wonder, if by doing this they are not giving the illusion that ATMs are safe. I applauded the effort that one consultant did security wise about the flaw with microsoft, and then turning around and posting on youtube (or whatever) the flaw ....so that M$ could not hide behind their usual crap....they were forced to fix it right away and issue a patch, this tends to let me think the same with this situation, disclose the proble

16.5 feet in the Twilight Zone = 1 Rod Serling

Working...