Feeds

Cryptome escapes Thales' attack dogs in bank security row

Global giant pulls DMCA nastygram, swears it wasn't stifling research

SANS - Survey on application security programs

Defence giant Thales has withdrawn its demand for the removal of banking security documents from whistle-blowing website Cryptome.

The global corporation filed a DMCA* takedown notice last week citing copyright infringement: two of its manuals for cryptographic equipment have been available from Cryptome since 2003.

Ross Anderson, a professor in security engineering at the University of Cambridge Computer Laboratory, fired a broadside at Thales earlier this week arguing that the action amounted to attempted censorship. The manuals documented the software interfaces between hardware security modules in cash machines and other equipment, an important thread of research in banking security.

"API security has been a goldmine for security researchers, it’s been an embarrassment for the industry, in which Thales is one of two dominant players. Hence the attempt to close down our mine," Anderson explained. The computer science expert went on to argue that removing the long-standing resource would hamper competition as well as inhibiting research, comparing the case to the ill-fated Lexmark DMCA case against Static Control Components.

In response, Thales conceded that the DMCA takedown nastygram was a mistake and withdrew it. Rather than seek to inhibit research into banking security Thales was only seeking the removal of and out-of-date and obsolete resource, the security firm said in a statement.

Thales is in no way trying to censor information that would benefit banking security research.

The information concerned, as has been noted, has been available since 2003 and is in fact obsolete. It also does not reflect the current Thales payment hardware security module.

It is not unusual for Thales to suggest that out-of-date information is removed from web sites so that it doesn’t cause confusion or mislead our customers.

This would normally be handled with a polite request to the web site owner; on this occasion, unfortunately, we were over zealous in initiating a takedown notice. That notice is being withdrawn, and we would like to apologise to the site owner of Cryptome for the distress it caused.

Thales fully appreciates the benefits of openly sharing information relating to our security products and fully supports legitimate academic research in this area. The most up-to-date and accurate information can be obtained directly from Thales.

Thales added that its e-Security division is actively involved in key technical forums such as ASC X9, Global Platform, NACHA, PCI SSC, Smart Card Alliance and OASIS, all of which contribute to banking security research. A letter sent to John Young of Cryptome by Thales along the same lines as the statement it supplied to El Reg can be found here. ®

* The US Digital Millennium Copyright Act.

Combat fraud and increase customer satisfaction

More from The Register

next story
Parent gabfest Mumsnet hit by SSL bug: My heart bleeds, grins hacker
Natter-board tells middle-class Britain to purée its passwords
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Web data BLEEDOUT: Users to feel the pain as Heartbleed bug revealed
Vendors and ISPs have work to do updating firmware - if it's possible to fix this
Samsung Galaxy S5 fingerprint scanner hacked in just 4 DAYS
Sammy's newbie cooked slower than iPhone, also costs more to build
Mounties always get their man: Heartbleed 'hacker', 19, CUFFED
Canadian teen accused of raiding tax computers using OpenSSL bug
Snowden-inspired crypto-email service Lavaboom launches
German service pays tribute to Lavabit
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
prev story

Whitepapers

Designing a defence for mobile apps
In this whitepaper learn the various considerations for defending mobile applications; from the mobile application architecture itself to the myriad testing technologies needed to properly assess mobile applications risk.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.