Juniper Networks Gags "ATM Jackpot" Researcher

Security and networking company Juniper yields to ATM vendor pressure...
June 30, 2009

RISKY.BIZ EXCLUSIVE -- A demonstration in which security researcher Barnaby Jack would "jackpot" an ATM live on stage at the upcoming Black Hat security conference in Las Vegas has been pulled by his employer.

Security and network device vendor Juniper Networks forced Mr. Jack to cancel his presentation, an anticipated highlight of the Black Hat event, following pressure from the affected ATM vendor. The demonstration would have seen the researcher hack an ATM live on stage, causing it to spit out cash, or "jackpot".

"The affected ATM vendor has expressed to us concern about publicly disclosing the research findings before its constituents were fully protected," a statement issued by Juniper Networks reads. "Considering the scope and possible exposure of this issue on other vendors, Juniper decided to postpone Jack’s presentation until all affected vendors have sufficiently addressed the issues found in his research."

Risky.Biz understands the ATM vendor had been given notification of the upcoming presentation, and Juniper Networks was initially happy for Mr. Jack to present his research findings publicly.

Security researcher and the maintainer of the Open Source Vulnerability Database, Brian Martin, told Risky.Biz the cancellation of security-themed presentations by researchers' employers is an all-too-common experience. "Why does it come down to the vendor changing their mind or waiting to pressure," he asks. "They knew about the research, knew about the talk."

The latest cancellation echoes a similar event in 2005, when a talk on vulnerabilities in Cisco equipment by Michael Lynn was pulled from the conference by the networking giant in cooperation with Lynn's employer, security software maker ISS, which is now a division of IBM.

In a dramatic twist, Lynn resigned and gave his talk anyway. Ironically, he was hired by Juniper Networks, where he still works to this day.

In 2008 a talk on flaws in Apple's FileVault encryption technology was also pulled following pressure from the computer maker.

A security researcher who did not wish to be named expressed his disappointment at the cancellation. "It is a shame that this work won't see the light of day, at least for now," he told Risky.Biz. "Barnaby has always done great work and it would be great to learn some of his innovative new approaches to attacking systems that we trust with all of our money... plus, it's just damn cool."
