The Volokh Conspiracy

"Chipmaker Sues To Silence Security Researchers,"

in the Netherlands. For my thoughts on the First Amendment and speech that reveals security breaches, see my Crime-Facilitating Speech (Stanford Law Review, 2005), though of course the legal analysis would apply only to U.S. lawsuits.

Hei Lun Chan (mail) (www):
First thought I had was potato chips ...
7.11.2008 5:37pm
Fub:
Following the links in the cited article, the paper reveals why NXP/Philips has its undies in a bunch. They relied on security by obscurity. From the first graf of Karsten Nohl's paper cited in the CNET article (emphasis mine):
The secret cipher that secures Mifare Classic RFID tags used in access control systems, subway tickets, and various other security-related applications has recently been disclosed [1]. Since the security of the Mifare cards partly relies on the secrecy of this algorithm, we concluded that the cards are too weak for all security-related applications since the algorithm can be found with modest effort. A report for the Dutch government that assesses the impact of our findings on a nationwide ticketing system in the Netherlands was released on February 29th [2]. The report confirms our findings, but asserts that systems will likely be secure for another two years since the attack is still costly. In the report, the attack is estimated to require $9,000 worth of hardware to break secret keys in a matter of hours. We argue that this is a gross over-estimate and present an attack that recovers secret keys within minutes on a typical desktop PC or within seconds on an FPGA. Our attack exploits statistical weaknesses of the cipher.
So, instead of a strong encryption algorithm which relies on secrecy of keys, Philips relied on an obscure but weak algorithm. That's an elementary error. What is remarkable is that a major and otherwise well reputed company would make it.
7.11.2008 6:22pm
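The quoted abstract makes two points a practitioner can check in code: a cipher whose security rests on hiding its design, and a keystream with statistical weaknesses. The following is an added example, not code from this page, from NXP, or from Nohl's paper. The toy cipher in it is a constructed stand-in (a 16-bit LFSR with a badly chosen output filter), not Crypto-1, whose design the page does not give; the SHA-256 counter-mode stream stands in for a public, well-studied algorithm keyed with a secret. The point is the defender's check: a keystream that fails even the NIST SP 800-22 monobit frequency test cannot be rescued by keeping the algorithm secret, since any customer or auditor with a few hundred bytes of output can see the bias.

```python
"""Defender's smoke test: does a keystream pass a basic frequency test?

Everything here is constructed for illustration. "toy_keystream" is a
made-up 16-bit LFSR with a poorly chosen output filter; it is NOT Crypto-1
and shares no design details with it. "reference_keystream" uses SHA-256
in counter mode as a stand-in for a public algorithm keyed with a secret.
"""
import hashlib
import math
from typing import Dict, List


def _lfsr_step(state: int) -> int:
    """One step of a maximal-length 16-bit Fibonacci LFSR
    (polynomial x^16 + x^14 + x^13 + x^11 + 1, the usual textbook example)."""
    fb = ((state >> 0) ^ (state >> 2) ^ (state >> 3) ^ (state >> 5)) & 1
    return (state >> 1) | (fb << 15)


def toy_keystream(key: int, nbits: int) -> List[int]:
    """Constructed 'obscure' cipher: LFSR state filtered by f(x,y,z) = (x AND y) OR z.

    On uniform inputs f outputs 1 with probability 5/8, so the keystream is
    visibly biased no matter how secret the design is kept.
    """
    state = key & 0xFFFF
    if state == 0:
        state = 1  # the all-zero state never changes; avoid it
    out: List[int] = []
    for _ in range(nbits):
        x = (state >> 1) & 1
        y = (state >> 6) & 1
        z = (state >> 10) & 1
        out.append((x & y) | z)
        state = _lfsr_step(state)
    return out


def reference_keystream(key: bytes, nbits: int) -> List[int]:
    """SHA-256 in counter mode: stand-in for a public cipher with a secret key."""
    out: List[int] = []
    counter = 0
    while len(out) < nbits:
        block = hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        for byte in block:
            out.extend((byte >> i) & 1 for i in range(8))
        counter += 1
    return out[:nbits]


def bit_bias(bits: List[int]) -> float:
    """Fraction of ones minus 0.5; ideally close to zero."""
    return sum(bits) / len(bits) - 0.5


def monobit_pvalue(bits: List[int]) -> float:
    """NIST SP 800-22 frequency (monobit) test: p = erfc(|S_n| / sqrt(2n)),
    where S_n is the sum of the bits mapped to +1/-1."""
    n = len(bits)
    s_n = sum(1 if b else -1 for b in bits)
    return math.erfc(abs(s_n) / math.sqrt(2 * n))


def assess(bits: List[int], alpha: float = 0.01) -> Dict[str, object]:
    """Summarise one keystream sample; 'passes' is False when the bias is
    statistically significant at level alpha."""
    p = monobit_pvalue(bits)
    return {"n": len(bits), "bias": bit_bias(bits), "p_value": p, "passes": p >= alpha}


if __name__ == "__main__":
    N = 4096  # a few hundred bytes of keystream is plenty for this test
    print("toy cipher      :", assess(toy_keystream(0xACE1, N)))
    print("SHA-256 CTR ref :", assess(reference_keystream(b"constructed-demo-key", N)))
```

Run it and the toy stream reports a bias near +0.125 with a p-value indistinguishable from zero, while the reference stream sits within sampling noise of 0.5. The monobit test is the weakest test in the suite; a real review would run the full SP 800-22 or Dieharder batteries, but a design that fails this one was never going to be saved by obscurity.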
martinned (mail) (www):
In my capacity as Dutch law guy, I would say there are several problems with this suit, only one of which is the free speech rights of the university and its researchers.

The bigger problem, from just thinking about it for a moment, would be that the company is claiming to stand up for an interest that is not their own. In common law terms: the researchers probably don't have a duty of care towards the company here, but the company is claiming to defend the duty of care the university might have towards the general public, public transportation systems, etc.

The free speech angle would be dealt with by the court in a relatively relaxed (by US standards) way, in that the court would weigh the interests at stake, while tilting the scales only a little in favour of the university. (After all, the constitution says that you are free to speak subject to your responsibility under the law, and that law includes the civil code's unlawful act regime.) In this case, though, I don't see how the university could have a duty of care towards the company here, so this whole thing is a non-starter as far as I'm concerned.
7.11.2008 9:19pm
David Schwartz (mail):
Plus, their duty of care to the public in general is best served by making sure that those who trust people who should not be trusted be punished to the maximum extent possible. A "secret algorithm" is one of the clearest signs of broken cryptography.
7.12.2008 9:46am
