Banking Equipment Vendor Tries To Censor Security Research With DMCA Notice -- Then Backs Down When Called Out For It

from the abusing-the-system dept

Abuse of the DMCA takedown process to remove material that is awkward or embarrassing for a company is a common enough topic on Techdirt. But here's one with a slight twist. It concerns hardware security modules (HSMs), which manage the cryptographic keys and PINs used to authenticate bank card transactions. These were generally regarded as pretty secure -- until researchers started analyzing them, as Ross Anderson, head of the Security Research Laboratory at Cambridge University, explains:

[HSM's] application programming interfaces (APIs) had become unmanageably complex, and in the early 2000s Mike Bond, Jolyon Clulow and I found that by sending sequences of commands to the machine that its designers hadn't anticipated, it was often possible to break the device spectacularly. This became a thriving field of security research.
Of course, "thriving" here means "we found lots of security holes", which is why those manufacturing HSMs would rather people didn't do much research in this area. Recently, that desire led to the banking equipment manufacturer Thales sending a DMCA takedown notice to John Young, who runs the well-known Cryptome site, demanding that he remove a manual for one of their HSM products. What makes this demand particularly ridiculous is the fact that the manual had been on Cryptome since 2003 without any previous problems and, according to Young, is also widely available on the Internet, including from Thales itself.

But a blog post from Anderson detailing this clumsy attempt to remove something using the blunt instrument of a DMCA takedown notice suddenly brought the company to its senses. A few days after his post appeared, the same person who had sent Young the less-than-friendly takedown notice followed it up with this rather more chummy missive:

Thales is in no way trying to censor information that would benefit banking security research.

The information concerned, as has been noted, has been available since 2003 and is in fact obsolete. It also does not reflect the current Thales payment hardware security module.
So why on earth bother trying to take it down?
It is not unusual for Thales to suggest that out-of-date information is removed from web sites so that it doesn't cause confusion or mislead our customers. This would normally be handled with a polite request to the web site owner; on this occasion, unfortunately, we were over-zealous in initiating a takedown notice.
Well, there's rather a lot of "out-of-date" information on the Internet -- most of it, in fact -- and generally people don't resort to DMCA takedowns to try to remove it; "over-zealous" doesn't even begin to describe the disproportionate nature of the reaction here.
Thales fully appreciates the benefits of openly sharing information relating to our security products and fully supports legitimate academic research in this area. The most up-to-date and accurate information can be obtained directly from Thales.
Let's hope the company remembers that next time somebody posts information about security flaws in its systems.
I therefore wish to withdraw my earlier request for you to remove or disable access to the material in question and apologise for any distress it may have caused.
But as Young points out:
Credit for Thales' recantation goes to incorruptible security critic Ross Anderson who blogged and telephoned Thales to thrash the zealots
Indeed. And it really shouldn't be necessary for professors of computer security to waste their time exposing abusive DMCA takedowns in this way, when they could be more usefully winkling out yet more dangerous flaws in hardware security modules, for example....

Follow me @glynmoody on Twitter or identi.ca, and on Google+



Reader Comments (rss)

(Flattened / Threaded)

  •  
    icon
    Ninja (profile), Jan 24th, 2013 @ 2:51am

    Instead of trying to censor such things why didn't they grab the opportunities to improve their products? Weird times when you risk getting sued/jailed for pointing security holes or other flaws.

     

    reply to this | link to this | view in chronology ]

    •  
      identicon
      Anonymous Coward, Jan 24th, 2013 @ 3:08am

      Re:

      Its an ancient practice, some rulers kept a spear handy for dealing with messengers that brought bad news.

       

      reply to this | link to this | view in chronology ]

    •  
      identicon
      Michael, Jan 24th, 2013 @ 4:20am

      Re:

      Sweeping a problem conveniently under a nearby rug is probably cheaper (at least short term) than fixing it.

       

      reply to this | link to this | view in chronology ]

    •  
      icon
      Bergman (profile), Jan 24th, 2013 @ 4:53pm

      Re:

      To the bureaucratic mindset, problems do not exist until someone points them out. It doesn't matter if the problem in question is killing thousands of people a day, it doesn't exist until someone officially notices it.

      And since it doesn't exist until noticed, the person who noticed it is clearly the cause, because it didn't exist until that person got involved.

       

      reply to this | link to this | view in chronology ]

  •  
    identicon
    Michael, Jan 24th, 2013 @ 4:26am

    Misquoted

    Thales is in no way trying to censor information that would benefit banking security research

    I think that is supposed to read

    Thales attempt to censor materials used in research to benefit banking security is not to be interpreted as an attempt to censor information that would benefit banking security research because we don't want to look like we are trying to censor information that would benefit banking security research but we still want to deny we have security holes in our systems via the highly secure "head in sand" methodology

     

    reply to this | link to this | view in chronology ]

  •  
    identicon
    Anonymous Coward, Jan 24th, 2013 @ 6:45am

    How dare anyone subject our products to review of claims made.

     

    reply to this | link to this | view in chronology ]

  •  
    icon
    orbitalinsertion (profile), Jan 24th, 2013 @ 6:52am

    And not a word as to why it is or isn't a copyright concern. Nice work.

     

    reply to this | link to this | view in chronology ]

  •  
    identicon
    Anonymous Coward, Jan 24th, 2013 @ 7:07am

    Same story we've been hearing for awhile now.... "on the internet" means that you don't have to be proven guilty to be guilty, you just have to piss someone off.


    Lawmakers just don't understand the technology, so they assume that if it makes someone unhappy it must be wrong, so they make it wrong. What ever happened to the capitalist and inventive USA?

     

    reply to this | link to this | view in chronology ]

  •  
    identicon
    Anonymous Coward, Jan 24th, 2013 @ 7:14am

    "winkling"??

     

    reply to this | link to this | view in chronology ]

    •  
      icon
      nasch (profile), Jan 24th, 2013 @ 1:16pm

      Re:

      winĚkle
      tr.v. winĚkled, winĚkling, winĚkles Chiefly British
      To pry, extract, or force from a place or position. Often used with out.
      [From winkle (from the process of extracting periwinkles from their shells).]

       

      reply to this | link to this | view in chronology ]

  •  
    identicon
    Anonymous Coward, Jan 24th, 2013 @ 7:28am

    At least...

    They retracted and issued an apology. Now if we could just get the DOJ to learn this lesson.

     

    reply to this | link to this | view in chronology ]


Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here
Get Techdirt’s Daily Email
Save me a cookie
  • Note: A CRLF will be replaced by a break tag (<br>), all other allowable HTML will remain intact
  • Allowed HTML Tags: <b> <i> <a> <em> <br> <strong> <blockquote> <hr> <tt>
Follow Techdirt
A word from our sponsors...
Essential Reading
Techdirt Reading List
Techdirt Insider Chat
A word from our sponsors...
Recent Stories
A word from our sponsors...

Close

Email This