Feeds

back to article Cryptome escapes Thales' attack dogs in bank security row

Defence giant Thales has withdrawn its demand for the removal of banking security documents from whistle-blowing website Cryptome. The global corporation filed a DMCA* takedown notice last week citing copyright infringement: two of its manuals for cryptographic equipment have been available from Cryptome since 2003. Ross …

COMMENTS

This topic is closed for new posts.
Silver badge

If the system is secure...

...then even after all the details have been explained, once the locks engage it will remain secure.

If your system is relying on security by obscurity, then your system is insecure.

11
1
Bronze badge

I remember my Java and Linux friends spouting that junk too.

Every system is insecure.

I remember my Java and Linux friends spouting that junk too. "Oh, it is so secure because it is open source, people can look at it." "Oh, no vulnerabilities because so many people have looked at it and for sure someone would notice any vulnerabilities."

If you know enough about about any complex software you can eventually break it.

But it isn't just software, it is anything. It is why you don't share your password, why government's have "top secret" classifications, why you don't let the thug down the street borrow your car keys.

0
3
Silver badge

Re: I remember my Java and Linux friends spouting that junk too.

@WatAWorld,

Re-read his comment, you've completely missed his point!

He's not saying "It's more secure because you've let the world see it", he's saying that a secure system will remain secure even after all the details of how it works have been explained.

Giving someone access to something (keys - physical or password, documents - top secret or otherwise) isn't about the security of the system. No system can tell whether that user who's just authenticated properly (i.e. by entering correct credentials, or by inserting a key into a lock) is genuine. Even biometrics would fail on this if someone 'lent' you their auth token (their finger).

The OP was talking about designing secure systems, not about how many eyes reduces bugs. There's a big difference, and the availability of docs only makes it easier to find a security weakness, it doesn't suddenly make it possible - an attacker could *potentially* stumble upon a weakness with no access to the documents, the difference being that with no access to the documents the likelihood of a 'friend' finding it is also reduced dramatically.

Incidentally

"Oh, no vulnerabilities because so many people have looked at it and for sure someone would notice any vulnerabilities."

Is indeed a silly thing to say, there's a higher chance of someone noticing vulnerabilities, but it's anything but certain.

1
0
Silver badge

Re: I remember my Java and Linux friends spouting that junk too.

No system can be 100% secure indefinitely as over time a "secure" system will become insecure due technology progressing. So let's take "secure" to mean "invulnerable to the best-effort attempt available at the moment".

Ben Tasker gets closer to what I meant. I wasn't talking about F/OSS as such, just that security by obscurity is useless. It's useless because the user (i.e. the customer) is unaware what vulnerabilities exist and is thus unable to mitigate them.

Let's take a more mundane example. Your front door probably has a Yale-style lock. It is "secure"? As in, is it anti-bump, anti-snap, anti-pick and anti-drill? How do you actually know? From the packaging? Or from details on how the lock works and its design?

The former is security by obscurity, the latter is full disclosure. For example, anti-snap can have the weakening cur from the top to the bottom, or the bottom to the top. One of these designs is almost certainly worthless, the other is better; which is which? How can you know unless the details of how ant-snap locks work is in the public domain?

Now let's come back to Thales. If we know all the details on how the Thales system works, based on our knowledge of good security design and procedures which should all be in the public domain we can maybe say "I know how this lock/system works, and I am satisfied that when it engages it will remain secure". It also allows us to take mitigating actions should a vulnerability exist. Or you just believe the hype (*cough*Medeco*cough*). Luckily you can find out all about this (at the moment). Imagine how things would be if only the bad guys knew? And only the bad guys would know because the good guys would be too scared to discuss it in case they ended up in jail.

Oh and something else to consider, if you are relying on the packaging of your locks, your insurance might be invalid (even if it claims to meet the correct standards); so that £15 lock you just got from the DIY store might end up costing you an awful lot more.

0
0
FAIL

Yeah Right!

If Thales was interested in only having current information on its products onthe web it would voluntarily publish all manuals and specifications and maintain them as product development continued.

Instead we have zero publication and incompetent attempts at censoring old copies.

5
1
Big Brother

As a side note, has anyone experienced flipping on a light to see cockroaches scramble for cover?

6
0
Silver badge
Flame

I said, lawyer, when you're short on your dough .... It's fun to splurge a D-M-C-A....

The information concerned, as has been noted, has been available since 2003 and is in fact obsolete. It also does not reflect the current Thales payment hardware security module.

Then deliver the up-to-date manuals posthaste to Cryptome, you state-financed killtool deliverers and frigates-for-Taiwan (not to mention submarines-for-Malaysia) corruption scandal overlords.

2
0
Bronze badge
Coffee/keyboard

It helps to have famous friends...

"[O]n this occasion, unfortunately, we were over zealous..."

Yeah, right.

Although you caught me with my hand overzealously inserted into the cookie jar, it is nor normally the case. In fact, I am allergic to cookies.

13
0
Bronze badge

Re: It helps to have famous friends...

I have to agree with your comment (Yeah, right.), to which I would simply add:

BULLSHIT!!!!!!

0
0
Bronze badge

or just possibly...

they don't want the old 'obsolete' information out there for people to realise that it used to be about security but it is now about cost reduction

1
0
Anonymous Coward

Thales Fails

Scramble for cover, talk some shit... deny deny deny...

Standard.

1
0
Anonymous Coward

As a Thales user

I must point out that it's almost impossible to get the documents even if you own dozens of the bloody things

3
1
Silver badge
Holmes

For a broad meaning of 'obsolete'.

"The information concerned, as has been noted, has been available since 2003 and is in fact obsolete"

In the context of banking systems, 'obsolete' probably means that the systems documented in those manuals are still being used by a big % of Thales customers, and that security holes/errors discovered in them - with the help of these manuals- could cost the company lots of money in updates/patches. To me, together with the lack of official manuals as noted in other comments, this says lots about the priorities at Thales.

2
0
Silver badge

Re: For a broad meaning of 'obsolete'.

The implication of the "its obsolete" argument is that Cryptome, rather than Thales, is the source of material for legit users.

2
0
Bronze badge

Re: For a broad meaning of 'obsolete'.

Almost: "obsolete" = "even though this hardware is still in use all over the world by a large number of corporations, we no longer sell it"

1
0
Bronze badge

Publishing bank vault combinations and armoured car schedules

Publishing bank vault combinations and armoured car schedules would also benefit bank security research I suppose.

1
3
FAIL

Re: Publishing bank vault combinations and armoured car schedules

That's not analagous to an API definition, which is more like the instructions "turn the dial fully clockwise to reset, then enter your combination, then pull the lever".

2
0
This topic is closed for new posts.