
No it doesn't? I'm not taking the side of the banks here, just trying to understand why the author took the approach he did. It's a shame that at times the HN community is one of single-mindedness where opposite views are met with immediate down-votes.


"Third, Omar’s thesis does not contain any new information on the No-PIN vulnerability. That was discovered by Steven Murdoch, Saar Drimer and me in 2009, disclosed responsibly to the industry, and published in February this year. It is not expected that an MPhil thesis contain novel scientific work."

http://www.cl.cam.ac.uk/~rja14/Papers/ukca.pdf


> ... because it documented a well-known flaw in the chip-and-PIN system...

The author of the article at least believes that it is a well-known flaw so responsible disclosure isn't really applicable.


Well, I think you hit the nail on the head: the disclosure isn't responsible. I'm all for bringing the flaws in chip-and-PIN to public attention; however, I find it distasteful that a leading university publishing the schematics of a device that can be used to commit fraud receives so much applause from this community.

I get the impression that this has captured the public mood of "sticking it to the bankers", when really Cambridge have gone about this one the wrong way.


My reading of the whole incident is that the exploit was disclosed (responsibly) to the banks 1 year ago and the banks have done nothing to fix the problem. Since then the professor (along with others) published a paper detailing the exploit. Finally, the MPhil student cited the previously published paper in his thesis (it would be a crappy thesis to not reference current similar work).

At no point do I get the indication that the MPhil student was acting in a way that was 'irresponsible' - I don't know how you have come to that conclusion.


"Responsible disclosure" is a term with a specific meaning in the field of security; using the term is not equivalent to agreeing with its implied meaning.

In fact, many would argue that responsible disclosure is anything but, since it has the tendency to maximize the amount of time the public is at risk.

All of this is ignoring the fact that this paper wasn't even disclosure at all...

