"Chipmaker Sues To Silence Security Researchers,"

in the Netherlands. For my thoughts on the First Amendment and speech that reveals security breaches, see my Crime-Facilitating Speech (Stanford Law Review, 2005), though of course the legal analysis would apply only to U.S. lawsuits.

Hei Lun Chan (mail) (www):
First thought I had was potato chips ...
7.11.2008 6:37pm
Following the links in the cited article, the paper reveals why NXP/Philips has its undies in a bunch. They relied on security by obscurity. From the first graf of Karsten Nohl's paper cited in the CNET article (emphasis mine):
The secret cipher that secures Mifare Classic RFID tags used in access control systems, subway tickets, and various other security-related applications has recently been disclosed [1]. Since the security of the Mifare cards partly relies on the secrecy of this algorithm, we concluded that the cards are too weak for all security-related applications since the algorithm can be found with modest effort. A report for the Dutch government that assesses the impact of our findings on a nationwide ticketing system in the Netherlands was released on February 29th [2]. The report confirms our findings, but asserts that systems will likely be secure for another two years since the attack is still costly. In the report, the attack is estimated to require $9,000 worth of hardware to break secret keys in a matter of hours. We argue that this is a gross over-estimate and present an attack that recovers secret keys within minutes on a typical desktop PC or within seconds on an FPGA. Our attack exploits statistical weaknesses of the cipher.
So, instead of a strong encryption algorithm which relies on secrecy of keys, Philips relied on an obscure but weak algorithm. That's an elementary error. What is remarkable is that a major and otherwise well reputed company would make it.
7.11.2008 7:22pm
martinned (mail) (www):
In my capacity as Dutch law guy, I would say there are several problems with this suit, only one of which is the free speech rights of the university and its researchers.

The bigger problem, from just thinking about it for a moment, would be that the company is claiming to stand up for an interest that is not their own. In common law terms: the researchers probably don't have a duty of care towards the company here, but the company is claiming to defend the duty of care the university might have towards the general public, public transportation systems, etc.

The free speech angle would be dealt with by the court in a relatively relaxed (by US standards) way, in that the court would weigh the interests at stake, while tilting the scales only a little in favour of the university. (After all, the constitution says that you are free to speak subject to your responsibility under the law, and that law includes the civil code's unlawful act regime.) In this case, though, I don't see how the university could have a duty of care towards the company here, so this whole thing is a non-starter as far as I'm concerned.
7.11.2008 10:19pm
David Schwartz (mail):
Plus, their duty of care to the public in general is best served by making sure that those who trust people who should not be trusted be punished to the maximum extent possible. A "secret algorithm" is one of the clearest signs of broken cryptography.
7.12.2008 10:46am