Cambridge refuses censorship on chip-and-PIN vulnerabilities

According to BoingBoing, the UK banking trade association wrote to Cambridge to have a student’s master’s thesis censored because it documented a well-known flaw in the chip-and-PIN system. Cambridge University’s Ross Anderson replied with the following:

Second, you seem to think that we might censor a student’s thesis, which is lawful and already in the public domain, simply because a powerful interest finds it inconvenient. This shows a deep misconception of what universities are and how we work. Cambridge is the University of Erasmus, of Newton, and of Darwin; censoring writings that offend the powerful is offensive to our deepest values. Thus even though the decision to put the thesis online was Omar’s, we have no choice but to back him. That would hold even if we did not agree with the material! Accordingly I have authorised the thesis to be issued as a Computer Laboratory Technical Report. This will make it easier for people to find and to cite, and will ensure that its presence on our web site is permanent….

You complain that our work may undermine public confidence in the payments system. What will support public confidence in the payments system is evidence that the banks are frank and honest in admitting its weaknesses when they are exposed, and diligent in effecting the necessary remedies. Your letter shows that, instead, your member banks do their lamentable best to deprecate the work of those outside their cosy club, and indeed to censor it. [Source: Cambridge]

The reply is full of win, academic world scores one.

How to compile PHP mcrypt extension in OS X

I have just switched from MacPorts to Homebrew, and I decided to use what Apple provides with Mac OS X as much as possible. This means that I’ll be using the Apache and PHP 5.3.3 that are provided as part of Apple’s Xcode. Unfortunately, some extensions are just not available as part of Apple’s PHP package. One of them is mcrypt.

One way to get mcrypt would be to recompile the entire PHP source code. That method works, but I would prefer to use Apple’s stock PHP and just load a few additional modules. The following instructions document how I managed to install PHP mcrypt by compiling only the extension. I hope they help in your work too.

Firstly I got libmcrypt from Homebrew. To do that:

[code lang="bash"]brew install libmcrypt[/code]

libmcrypt is needed for PHP mcrypt. You’ll also need to download a copy of PHP source code. The PHP that comes with my OS X is 5.3.3:

[code lang="bash"]kahwee:~ kahwee$ which php
/usr/bin/php
kahwee:~ kahwee$ php -v
PHP 5.3.3 (cli) (built: Aug 22 2010 19:41:55)
Copyright (c) 1997-2010 The PHP Group
Zend Engine v2.3.0, Copyright (c) 1998-2010 Zend Technologies
kahwee:~ kahwee$ [/code]

So I downloaded and extracted my copy to: /Users/kahwee/Packages/php-5.3.3

All the PHP extensions are located here: /Users/kahwee/Packages/php-5.3.3/ext. I am going to require mcrypt so let’s get the extension (.so) file.

Currently I’m in /Users/kahwee/Packages/php-5.3.3/ext/mcrypt/module/mcrypt. Let’s start by running phpize, a utility that prepares the build environment.

[code lang="bash"]kahwee:mcrypt kahwee$ phpize
Configuring for:
PHP Api Version: 20090626
Zend Module Api No: 20090626
Zend Extension Api No: 220090626[/code]

Run aclocal, then ./configure:

[code lang="bash"]kahwee:mcrypt kahwee$ aclocal
kahwee:mcrypt kahwee$ ./configure
checking for grep that handles long lines and -e... /usr/bin/grep
checking for egrep... /usr/bin/grep -E
checking for a sed that does not truncate output... /usr/bin/sed
……[/code]

Finally we can make the extension:

[code lang="bash"]kahwee:mcrypt kahwee$ make
/bin/sh /Users/kahwee/Packages/php-5.3.3/ext/mcrypt/libtool --mode=compile cc -I. -I/Users/kahwee/Packages/php-5.3.3/ext/mcrypt -DPHP_ATOM_INC -I/Users/kahwee/Packages/php-5.3.3/ext/mcrypt/include -I/Users/kahwee/Packages/php-5.3.3/ext/mcrypt/main -I/Users/kahwee/Packages/php-5.3.3/ext/mcrypt -I/usr/include/php -I/usr/include/php/main -I/usr/include/php/TSRM -I/usr/include/php/Zend -I/usr/include/php/ext -I/usr/include/php/ext/date/lib -I/usr/local/include -DHAVE_CONFIG_H -g -O2 -c /Users/kahwee/Packages/php-5.3.3/ext/mcrypt/mcrypt.c -o mcrypt.lo
mkdir .libs

……

Libraries have been installed in:
/Users/kahwee/Packages/php-5.3.3/ext/mcrypt/modules

If you ever happen to want to link against installed libraries
in a given directory, LIBDIR, you must either use libtool, and
specify the full pathname of the library, or use the `-LLIBDIR'
flag during linking and do at least one of the following:
- add LIBDIR to the `DYLD_LIBRARY_PATH' environment variable
  during execution

See any operating system documentation about shared libraries for
more information, such as the ld(1) and ld.so(8) manual pages.

Build complete.
Don't forget to run 'make test'.
[/code]

Now you can find your extension in the modules folder. In my case, it is at /Users/kahwee/Packages/php-5.3.3/ext/mcrypt/modules/mcrypt.so
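A pre-flight check for the build steps above, as an added example that is not part of the original post: it confirms that the extracted source tree matches the stock PHP version before ./configure and make, since an extension built from a different PHP release may fail to load. The function names are hypothetical, and the sample strings are copied from the terminal output shown in the post.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight checks before
# building ext/mcrypt against the stock PHP. Function names are hypothetical.

# Sample inputs, copied from the terminal output shown in the post.
SAMPLE_BANNER='PHP 5.3.3 (cli) (built: Aug 22 2010 19:41:55)'
SAMPLE_PHPIZE='Configuring for:
PHP Api Version: 20090626
Zend Module Api No: 20090626
Zend Extension Api No: 220090626'

# Print the version from the first line of `php -v`, e.g. "5.3.3".
php_version() {
    printf '%s\n' "$1" | sed -n '1s/^PHP \([0-9][0-9.]*\) .*/\1/p'
}

# Print the version encoded in a source directory name (php-X.Y.Z).
source_version() {
    basename "$1" | sed -n 's/^php-\([0-9][0-9.]*\)$/\1/p'
}

# Print the Zend Module API number from phpize output.
phpize_module_api() {
    printf '%s\n' "$1" | sed -n 's/^Zend Module Api No: *\([0-9][0-9]*\) *$/\1/p'
}

# Succeed only if the source tree matches the running PHP exactly.
# An empty (unparsed) version on either side is treated as a failure.
preflight() {   # $1 = `php -v` output, $2 = source dir, $3 = phpize output
    have=$(php_version "$1")
    want=$(source_version "$2")
    api=$(phpize_module_api "$3")
    if [ -z "$have" ] || [ "$have" != "$want" ]; then
        echo "version mismatch: php='$have' source='$want'" >&2
        return 1
    fi
    if [ -z "$api" ]; then
        echo "could not read module API from phpize output" >&2
        return 1
    fi
    echo "ok: PHP $have, module API $api"
}

# Live use (assumes php and phpize are on PATH, run from ext/mcrypt):
#   preflight "$(php -v)" "$(cd ../.. && pwd)" "$(phpize)" && ./configure && make
preflight "$SAMPLE_BANNER" /Users/kahwee/Packages/php-5.3.3 "$SAMPLE_PHPIZE"
```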

BlackBerry to be banned in Saudi Arabia

Likely for censorship reasons. BlackBerry devices use encryption that has been deemed an obstacle to censorship and surveillance practices.

Saudi Arabia to Ban BlackBerry Service on Friday

Saudi Arabia has ordered the suspension of Research in Motion’s BlackBerry service as of Friday, as it does not meet current regulations, according to the country’s telecommunications regulator.

The suspension will cover all services, including e-mail and instant messaging, said an official from the Communications and Information Technology Commission (CITC), who requested not to be named. He did not specify what were the current local regulations that BlackBerry did not comply with.

BlackBerry’s service is to be suspended in neighboring United Arab Emirates (UAE) from Oct. 11 because it does not fall in line with the country’s regulations, the UAE telecommunications regulator said on Sunday.

RIM is also in negotiations with the Indian government over the country’s demands that security agencies should be able to intercept BlackBerry data.

In a customer update earlier this week circulated to the media, RIM said that it does not possess a “master key,” nor does any “back door” exist in the system that would allow RIM or any third party to gain unauthorized access to the encryption key or corporate data. The symmetric key system used in the BlackBerry security architecture for enterprise customers ensures that only the customer possesses a copy of the encryption key. (Source: PC World)

I’m standing on the BlackBerry side for this one.