[HSM's] application programming interfaces (APIs) had become unmanageably complex, and in the early 2000s Mike Bond, Jolyon Clulow and I found that by sending sequences of commands to the machine that its designers hadn't anticipated, it was often possible to break the device spectacularly. This became a thriving field of security research.

But a blog post from Anderson detailing this clumsy attempt to remove something using the blunt instrument of a DMCA takedown notice suddenly brought the company to its senses. A few days after his post appeared, the same person who had sent Young the less-than-friendly takedown notice followed it up with this rather more chummy missive:

Thales is in no way trying to censor information that would benefit banking security research.

The information concerned, as has been noted, has been available since 2003 and is in fact obsolete. It also does not reflect the current Thales payment hardware security module.

It is not unusual for Thales to suggest that out-of-date information is removed from web sites so that it doesn't cause confusion or mislead our customers. This would normally be handled with a polite request to the web site owner; on this occasion, unfortunately, we were over-zealous in initiating a takedown notice.

Thales fully appreciates the benefits of openly sharing information relating to our security products and fully supports legitimate academic research in this area. The most up-to-date and accurate information can be obtained directly from Thales.

I therefore wish to withdraw my earlier request for you to remove or disable access to the material in question and apologise for any distress it may have caused.

Credit for Thales' recantation goes to incorruptible security critic Ross Anderson who blogged and telephoned Thales to thrash the zealots

Follow me @glynmoody on Twitter or identi.ca, and on Google+

Last week, Digital Journal reported that the documents obtained by PCJF detailed how the FBI cooperated with the Department of Homeland Security, US military and private corporations to monitor and investigate Occupy Wall Street protesters as "domestic terrorists" and "criminals." The documents prove that federal agencies are "functioning as a de facto intelligence arm of Wall Street and corporate America," PCJF said.

Thorough analyses of the documents has now revealed a heavily redacted file that clearly mentions a plan to use snipers to assassinate Occupy protesters. The names of the groups or individuals involved in the murderous plot have been redacted, so it is impossible to identify them at this time. What is known is that the FBI never alerted any of the potential victims of the danger to their lives.

An identified [redacted] of October planned to engage in sniper attacks against protesters in Houston, Texas, if deemed necessary. An identified [redacted] had received intelligence that indicated the protesters in New York and Seattle planned similar protests in Houston, Dallas, San Antonio and Austin, Texas. [Redacted] planned to gather intelligence against the leaders of the protest groups and obtain photographs then formulate a plan to kill the leadership via suppressed sniper rifles.

“We don’t have discretion to grant exceptions in situations like this. Once we find out someone has a criminal history of dishonesty or breach of trust we can no longer employ them.”

Dimon himself took home roughly $23 million in 2011, about the same as the year before, according to Bloomberg. Compare that to newspaper reporters, who earn an average salary of $43,780 according to the Bureau of Labor Statistics, or between $20,000 and $60,000 per year according to Payscale.

For fun, let's just compare a bit more. The average reporter at The New York Times earns about $93,000 per year, according to Glassdoor.com. The New York Times Company reported an operating profit of $56.7 million in 2011.

Dimon's salary not only dwarfs that of us media-folk; he's also making millions more than most of his employees. The average JPMorgan employee made $341,552 last year, according to Bloomberg News.

Compounding things, for individuals with Arabic names, sanctions lists provide only a few alternate spellings. The U.S. Treasury Department offers 12 possible spellings for Moammar Gadhafi, though language experts say there are more than 100 for the family name alone.

Unlike other so-called script languages such as Chinese or Japanese, Arabic has no transliteration standards. Pronunciation of the same names varies by place, and written Arabic contains few vowels, opening the door to a larger range of acceptable translations. Mohamed can also be transliterated as Mahmut, Mehmud or dozens of other variants.

Banks allow clients to transliterate their names as they see fit when they open new accounts. When a government publishes a new watch list, the banks' software uses so-called fuzzy logic to search for alternative spellings, similar to how Google suggests alternative phrases when it detects a possible typo in a search.

In March 2009, Brian Peters received an email from someone purporting to be a citizen of Malaysia. The e-mail informed Peters that certain third parties in the United States and Canada owed the purported Malaysian money, but that "they can not transfer the funds to any bank account outside America continent due to their new company policy [sic]." He asked Peters to "assist me in receiving the funds and forward to me." He offered to pay Peters 12 percent of the money. Peters agreed after apparently negotiating an increase of his fee to 15 percent.

Peters deposited the $808,988.90 in checks received from the purported Malaysian at Chino Commercial Bank. After the bank notified Peters that the checks had cleared, Peters wire transferred $468,000 to Hong Kong. Shortly thereafter, the checks were dishonored after the bank detected that they had been altered. Since Peters was personally liable for any overdrafts on the account, which had only a few thousand dollars, the bank sought to attach property owned by Peters to collect on the overdraft. The trial court granted the bank’s motion to attach against Peters in the amount of $458,782.60.

Fortunately, the type of attack described in the research is difficult to undertake and is unlikely to carry a sufficient risk-reward ratio to interest genuine fraudsters. And, in the unlikely event that such an attack were to take place in the UK marketplace, the banking industry's fraud prevention systems would be able to detect when such an attack had happened.

Nevertheless, publication of such details could encourage nuisance attacks on the payment card systems, undermine public confidence in them and/or give organised crime access to material they might be able to develop further.

The bankers also fret that "future research, which may potentially be more damaging, may also be published in this level of detail". Indeed. Omar is one of my coauthors on a new Chip-and-PIN paper that's been accepted for Financial Cryptography 2011. So here is our Christmas present to the bankers: it means you all have to come to this conference to hear what we have to say!

"In light of Citizens' apparent delay in complying with FFIEC security standards, a reasonable finder of fact could conclude that the bank breached its duty to protect Plaintiffs' account against fraudulent access.... If this duty not to disclose customer information is to have any weight in the age of online banking, then banks must certainly employ sufficient security measures to protect their customers' online accounts."