[Infowarrior] - Juniper Networks Gags "ATM Jackpot" Researcher

Richard Forno rforno at infowarrior.org
Tue Jun 30 12:14:47 UTC 2009


Juniper Networks Gags "ATM Jackpot" Researcher
Security and networking company Juniper yields to ATM vendor pressure...
By Patrick Gray
June 30, 2009 --

http://risky.biz/news_and_opinion/patrick-gray/2009-06-30/juniper-networks-gags-atm-jackpot-researcher

RISKY.BIZ EXCLUSIVE -- A demonstration in which security researcher  
Barnaby Jack would "jackpot" an ATM live on stage at the upcoming  
Black Hat security conference in Las Vegas has been pulled by his  
employer.

Security and network device vendor Juniper Networks forced Mr. Jack to  
cancel his presentation, an anticipated highlight of the Black Hat  
event, following pressure from the affected ATM vendor. The  
demonstration would have seen the researcher hack an ATM live on  
stage, causing it to spit out cash, or "jackpot".

"The affected ATM vendor has expressed to us concern about publicly  
disclosing the research findings before its constituents were fully  
protected," a statement issued by Juniper Networks reads. "Considering  
the scope and possible exposure of this issue on other vendors,  
Juniper decided to postpone Jack’s presentation until all affected  
vendors have sufficiently addressed the issues found in his research."

Risky.Biz understands the ATM vendor had been given notification of  
the upcoming presentation, and Juniper Networks was initially happy  
for Mr. Jack to present his research findings publicly.

Security researcher and the maintainer of the Open Source
Vulnerability Database, Brian Martin, told Risky.Biz the cancellation
of security-themed presentations by researchers' employers is an
all-too-common experience. "Why does it come down to the vendor changing
their mind or waiting to pressure," he asks. "They knew about the
research, knew about the talk."

The latest cancellation echoes a similar event in 2005, when a talk on  
vulnerabilities in Cisco equipment by Michael Lynn was pulled from the  
conference by the networking giant in cooperation with Lynn's  
employer, security software maker ISS, which is now a division of IBM.

In a dramatic twist, Lynn resigned and gave his talk anyway.  
Ironically, he was hired by Juniper Networks, where he still works to  
this day.

In 2008 a talk on flaws in Apple's FileVault encryption technology was  
also pulled following pressure from the computer maker.

A security researcher who did not wish to be named expressed his  
disappointment at the cancellation. "It is a shame that this work  
won't see the light of day, at least for now," he told Risky.Biz.  
"Barnaby has always done great work and it would be great to learn  
some of his innovative new approaches to attacking systems that we  
trust with all of our money... plus, it's just damn cool."

