Back in 1992, an English police officer named John Munden returned from a
vacation to find that a series of ATM withdrawals had cleaned out his bank
account. His complaints to the bank were not received well; they responded
that their systems were secure and only Mr. Munden could have made those
withdrawals. When he persisted, the bank (the Halifax Building Society)
had him prosecuted (and convicted) for fraud. It took four years, and
a great deal of effort by a researcher named Ross Anderson, to shine a
light on Halifax's poor security, and to get Mr. Munden freed on appeal.
Even so, the attitude of the banking industry has changed little;
complaints of "phantom withdrawals" are given little credence, and account
holders often end up footing the bill. (Some countries, including the
U.S., give consumers more protection than others, such as Britain, in this
Given that peoples' money - and freedom - are being staked on the security
of the ATM system, it would be nice to know that this system is truly
secure. But banks, unsurprisingly, are unenthusiastic about opening up
their systems to external review. Mr. Anderson and colleagues have
continued their research into the phantom withdrawal problem, and have
served as expert witnesses in associated court cases. Recently they turned
up something interesting.
The personal ID numbers (PINs) used to verify the person using an ATM card
are kept in a carefully-guarded database. It is not generally possible to
extract a specific PIN directly. Instead, the ATM system operates through
a set of hardware security modules that can give "yes or no" answers for a
given account number and PIN. Thus, it is claimed, even a corrupt insider
would be reduced to guessing to obtain a specific PIN number. The search
space is not that large (10,000 numbers), but it still requires an average
of 5,000 guesses to obtain a single PIN.
Mike Bond and Piotr Zielinski, working with Mr. Anderson, found a
vulnerability in this system; their writeup is available (for now) on the
web in PDF format (also
available here while
Cryptome, which apparently has been broken into, gets back on its feet). By
manipulating a simple "decimalization table" used in the generation of the
PIN from the account number, an attacker can quickly determine which digits
are present in the PIN. Using that information and some additional tricks,
the researchers were able to extract PIN numbers using an average of
15 guesses. An attacker, they conclude, would be able to extract about
7,000 PINs over the course of a half-hour lunch break.
Citibank has responded to this discovery by seeking a gag order to suppress the
disclosure of the vulnerability information. The information, says
Citibank, is confidential and should not be released publicly. This action
immediately had the obvious effect: once word got out, the paper describing
the vulnerability was copied far and wide across the net, beyond any
feasible recall. Even in the modern world, once information gets out, it
Citibank could certainly argue that it does not want to provide useful
information to those who would attack its systems. On the other hand, the
rising tide of phantom withdrawal cases suggests that some of this
information is in the hands of the Bad Guys already. Could it be that the
banks are really trying to avoid (1) admitting that phantom
withdrawals are a real problem, and (2) undertaking the expensive task
of fixing their systems?
Evidence in the software field consistently suggests that vendors do not
rush out to fix their security problems in the absence of considerable
external pressure to do so. This is especially true if the costs of the
problems can be pushed onto somebody else. The banking industry
needs disclosure of its problems if we are to have any confidence in
its security at all. As with vulnerabilities in the software industry,
banking vulnerabilities should be handled with some care. But the
information has to get out, or the problems will not be fixed in any sort
of timely way. Consider, for example, the uproar the resulted when Matt
a vulnerability in master-keyed door locks which, apparently, had been
known to locksmiths (but not fixed) for decades.
The lessons we have learned in the software world are applicable in a much
wider context. Continued defense of our ways of working, including
disclosure of security problems and open review of security-related
systems, is important for our security and freedom.
This is true with regard to our computing systems, and far beyond.
Comments (8 posted)
[This article was contributed by Joe 'Zonker'
About three years ago a volunteer project, sparked by Marco Trevisani,
started working on DeMuDi
Multimedia Distribution). The goal of
DeMuDi was to provide a multimedia GNU/Linux distribution. Not just a
distribution with multimedia players and viewers, but a distribution
with tools to author multimedia content. Originally devised for
distribution at the International Computer Music Conference, the project
took on a life of its own after that conference.
According to Guenter Geiger, one of the developers who worked on the
original DeMuDi project and who has been one of the main volunteers
until recently, the project sparked the AGNULA (A GNU/Linux Audio
distribution) project. (Note: The availability of the AGNULA website
leaves much to be desired. It may be easier to get information on AGNULA
using Google's caching feature.) The AGNULA project was started by
Nicola Bernardini. Bernardini, the manager of Centro Tempo Reale in Florence,
delivered a proposal to the European Commission. The EC gave a green
light to the project, and provided a two-year funding package starting
April 1, 2002.
The AGNULA project is coordinated by Tempo Reale and involves research
institutions in Paris, Barcelona, Stockholm and the Free Software
Foundation Europe. The goal of the project is to produce two
distributions, DeMuDi and a Red Hat-based version
called ReHMuDi, as well as a number of multimedia packages. Only free
software is to be used to build these distributions.
Unfortunately, development of the distributions under the AGNULA project
do not seem to be proceeding quite as quickly as some might have hoped.
Trevisani, who was the Technical Coordinator for the AGNULA/DeMuDi
up a few weeks ago on the Debian developer media list
about the problems with DeMuDi as a separate distribution and the need for
a internal Debian multimedia project:
After one year of work and having
reached release 0.9 I definitely think that is time to start a
Debian-Multimedia internal-projects...I'm aware that there is no chance for
the project for growing and lasting in the future if it does not become
quite urgently a Debian internal projects.
Trevisani has stepped down from his position as Technical Coordinator
for the project after one year of work and the release of DeMuDi 0.9.
The position is now being handled by Andrea Glorioso. Glorioso also took
part in the discussion on the Debian developer mailing list, and says
that they're trying to find a good way to cooperate between the AGNULA project and Debian. However, there are some technical hurdles in coordinating packages with Debian, since the stable distribution moves very slowly and the testing and unstable distributions are (by definition) always in a state of flux.
Geiger has also stopped working on DeMuDi and says that he wants to
"concentrate more on pushing the idea within Debian, simply by
maintaining the DeMuDi packages within the Debian framework." Geiger
says that the main problem with DeMuDi is a lack of developers. A glance at
developer mailing list archives shows that there's not a lot of
activity on that front.
While some developers are being paid for work related to Linux
multimedia, Geiger says there is little money for creating the
distribution itself. According to Geiger, "the big part of the money is
going into the subprojects...the small part that is left for building
the two distributions is divided equally among DeMuDi and RehMuDi." Both
Geiger and Trevisani have worked on DeMuDi as volunteers.
For now, Geiger says that the he hopes there will be more discussion
within Debian about an internal multimedia project. He also
mentioned that a separate mailing list for discussion of a multimedia
project has been requested. As of yet, there's no official word on the
status of an internal Debian project.
Whether the AGNULA projects will result in a usable multimedia
distribution, or if Trevisani and Geiger will be successful in producing
a viable sub-project within Debian, remains to be seen. If Linux is
going to make any kind of dent in Microsoft's share on the desktop,
we'll definitely need multimedia applications that can compete with the
commercial counterparts for Windows and the Mac OS. There are a number
of applications that are showing promise, but a distribution that
bundles the applications could be a huge boon in luring users away from
proprietary platforms and onto Linux.
Comments (5 posted)
The U.S. Patent and Trademark Office continues to amaze with the range of
software technologies that it is willing to patent. Here are a couple of
- Interwoven has been awarded patent
#6,505,212 for a "system and method for website development."
What the patent really covers, though, is a revision control
system; the management of web site content is just one possible use
suggested in the patent abstract. This patent covers content
management systems like Zope quite clearly; revision control systems
like CVS could also be threatened, however. (See also: Interwoven's
press release on the patent).
- Amazon, meanwhile, was just given patent
#6,525,747, which covers online discussion systems. This patent
would appear to cover just about any site which allows the posting of
comments. It might be limited somewhat, however, by its reference to
"items offered for sale" as the starting point for discussions.
There is no doubt that copious amounts of prior art can be found for both
of these patents. Your editor first used a revision control system -
accessed with punch cards - over twenty years ago. Web sites allowing
discussions existed before Amazon hit the net, and certainly before 1999,
when the patent was filed.
But prior art does not help address the real problem: the patent office is
allowing companies to try to fence off little bits of the intellectual
landscape without regard to originality or any pretense of promoting any
sort of progress. Increasingly, it is impossible to write any sort of
nontrivial program that does not infringe upon somebody's patent. The only
saving grace is the fact that most of these patents are never enforced.
Otherwise, software development would grind to a halt - at least, in those
countries which allow software patents.
Comments (8 posted)
It's been a little while since we have posted one of these updates. That
is as it should be...better to fill our pages with the stuff you all
came to read. We'll let you get into this week's hot
security updates shortly, but, first, a word from your sponsor.
The individual subscription count stands at almost exactly 2500; it really
has not changed much in the last couple months. 2500 subscribers will keep
the lights on for now, but that's really not enough to keep things going in
the long term. Somehow we are going to have to find a way to inspire quite
a few more of you to subscribe.
That said, here's a quick heads up: we'll be making a small change to
subscription pricing shortly. Until now, we have encouraged readers to
take out monthly subscriptions for a couple of reasons: we didn't want to
risk going under with a large unfulfilled subscription liability, and we
were doing our best to avoid getting in trouble with our credit card
merchant bank. At this point, we are reasonably confident that we'll
figure this out somehow and find a way to stick around for the long term.
And our new
merchant bank is rather more friendly than the old one was. The monthly
renewals are also costing us a fair amount in processing fees.
So we will soon (within a week or two) implement a discount for longer-term
subscriptions. It won't be huge, but it will reflect the difference in our
costs, and, hopefully, encourage a shift away from the monthly method. An
announcement will go out when the new scheme goes into effect.
Thanks, as always, for supporting LWN.
Comments (21 posted)
Page editor: Jonathan Corbet
Inside this week's LWN.net Weekly Edition
- Security: Giving root to the web; new vulnerabilities in bitchx, vnc, webmin, and zlib
- Kernel: Object-based rmap; page clustering; /proc and threads; driver porting
- Distributions: The demise of MicroBSD
- Development: Heartbeat 1.0.1,
JACK 0.50.0, MICO 2.3.9, MySQL 4.0.11, RT 3.0 Beta 2,
JACK Rack 1.4.1, Hydrogen 0.7.5, PythonCAD R4, LGP Game Project,
XFree86 4.3.0, Wine 20030219, Python 2.3a2.
- Press: Lawrence Lessig on European software patents,
UI configurability, Sun's CPU plans, The Linux Uprising,
ELCPS v1.0, portable Ogg players, Lindows notebook.
- Announcements: FSF Associate Membership Meeting, free replacements for Windows software,
YAPC::NA::2003 Registration, Seminar on Free and Open Source Software, Dublin,
linuxmagau.org, IT in 2003.
- Letters: Free software and commercial use; Microsoft RMS