First, he thrusts the knife in, then violently twists it -- "Accordingly I have authorised the thesis to be issued as a Computer Laboratory Technical Report. This will make it easier for people to find and to cite, and will ensure that its presence on our web site is permanent....". Classic.
Prof. Anderson shows good character.

Let's talk about the other side. Businesses have always acted this way when it comes to computer security (for at least the last 15 years; feel free to cite earlier examples). By now they probably understand that what they're doing is wrong, from a security perspective. They may even understand that issuing takedowns increases publicity. Still, businesses are sociopathic; they don't care about the legitimacy of their actions. They have a staff of lawyers they're already paying for, and a responsibility to defend trade secrets and protect their product base. So they marshal their lawyers, essentially for free, and maybe they get something out of the effort as a result. If they don't, nothing much was lost, and they generally don't care about their perception in the security community. Same old story. This incident is less about someone standing up to a bully and more about someone weathering another wave coming out of the ocean.
Link to the original letter - oh boy, this is a good read: http://www.cl.cam.ac.uk/~rja14/Papers/ukca.pdf
To be fair, I didn't read this the first time it was on HN - I'm inclined to think that the title of the post is more descriptive than the original, and it's deserving of front-page material, even if it is a duplicate.
BBC video on the chip & PIN findings: http://www.youtube.com/watch?v=_yyfcHSXZLc
Intentionally or unintentionally, this has got to be one of the best pieces of marketing for research-inclined students and faculty that they could have ever produced.

So much so that the skeptic in me thinks this was intentionally leaked.

I had always considered possibly applying to the University of Cambridge, and I know they are Ivy League... but this letter firmly solidifies them as a contender for any higher education I might pursue.
> You complain that ... and indeed to censor it.

The penultimate paragraph in the original letter, wow! A befitting answer to a bully, and how! :)
I tend to disagree with the banks' assessment that it will undermine public confidence. The research gives the public one more piece of information to judge the risks of placing their money in a financial institution.

The banking sector, as participants in a free market who frequently advocate for opening more sectors of the economy to the free market (and rightly so), should be encouraging such research. The research gives consumers of banking services more accurate information to consider when deciding how accessible their money should be. Additional information allows consumers to make more informed choices regarding the trade-offs between security and convenience. Banks could offer insurance to their customers to protect them against the risks while still keeping the benefits of increased convenience.

It's an opportunity for the banks to differentiate their services and cater to the needs of their customers. Yes, not having a PIN is less secure, but it's also more convenient; with proper positioning of their products, banks should be able to offer tailored solutions that better address the needs of their customers.
"we have no choice but to back him. That would hold even if we did not agree with the material!"

Reminds me of a Franklin quote: "Sir, I disagree with you, but I will fight to the death for your right to say it."
Wouldn't it have been far nobler to approach the banks affected by the exploit with these findings rather than publishing schematics for the exploit into the public domain?