Subject: RISKS DIGEST 14.59
REPLY-TO: risks@csl.sri.com

RISKS-LIST: RISKS-FORUM Digest  Tuesday 11 May 1993  Volume 14 : Issue 59

FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS
ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents:
  Worst Computer Nightmare Contest (Shari Steele via Arthur R. McGee)
  IFIP resolution on demeaning games (Richard Wexelblat)
  Fake ATM Machine Steals PINs (Eric)
  Teller Users Beware (Tapper)
  More on Census imposters invading Cary (George Entenman)
  NIST Advisory Board Seeks Comments on Crypto (Clipper-Capstone Chip Info)
  New NIST/NSA Revelations (Dave Banisar)

The RISKS Forum is a moderated digest discussing risks; comp.risks is its Usenet counterpart. Undigestifiers are available throughout the Internet, but not from RISKS. Contributions should be relevant, sound, in good taste, objective, cogent, coherent, concise, and nonrepetitious. Diversity is welcome. CONTRIBUTIONS to RISKS@CSL.SRI.COM, with appropriate, substantive "Subject:" line. Others may be ignored! Contributions will not be ACKed. The load is too great. **PLEASE** INCLUDE YOUR NAME & INTERNET FROM: ADDRESS, especially .UUCP folks. REQUESTS please to RISKS-Request@CSL.SRI.COM.

Vol i issue j, type "FTP CRVAX.SRI.COM<CR>login anonymous<CR>AnyNonNullPW<CR> CD RISKS:<CR>GET RISKS-i.j" (where i=1 to 14, j always TWO digits). Vol i summaries in j=00; "dir risks-*.*" gives directory; "bye" logs out. The COLON in "CD RISKS:" is essential. "CRVAX.SRI.COM" = "128.18.10.1". <CR>=CarriageReturn; FTPs may differ; UNIX prompts for username, password.

For information regarding delivery of RISKS by FAX, phone 310-455-9300 (or send FAX to RISKS at 310-455-2364, or EMail to risks-fax@vortex.com).

ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY. Relevant contributions may appear in the RISKS section of regular issues of ACM SIGSOFT's SOFTWARE ENGINEERING NOTES, unless you state otherwise.
----------------------------------------------------------------------

Date: Sat, 8 May 1993 08:44:37 -0700 (PDT)
From: "Arthur R. McGee"
Subject: Worst Computer Nightmare Contest (fwd)

---------- Forwarded message ----------
Date: Fri, 7 May 1993 09:48:07 -0400
From: ssteele@eff.org (Shari)
Subject: Worst Computer Nightmare Contest

COMPUTER NIGHTMARES

The San Diego Computer Fair '93 is looking for the most awful, woeful tale of "abuse suffered by a human at the hands of a computer." The suffering human will win a weekend in beautiful San Diego to try and forget that horrible episode in his or her life.

Send your 1,000 word submission to Computer Nightmare Contest, ComputerEdge Magazine, P.O. Box 83086, San Diego CA 92138.

------------------------------

Date: Mon, 3 May 93 13:13:06 EDT
From: rlw@ida.org (Richard Wexelblat)
Subject: IFIP resolution on demeaning games

According to the "Newstrack" in CACM (2/93; p.13), IFIP has adopted a resolution condemning the production, distribution, and use of computer games that demean human beings and advocate malicious behavior by the players. The resolution points to the growth of brutal war games, sexist games, and games based on themes of racial, ethnic, or religious hatred. The document states: "IFIP appeals to everybody worldwide to censure harmful games, to raise awareness of the issues involved, and to support only computer games that respect human dignity."

(Does anyone know the origin of the issue within IFIP or whether a more complete description exists.)

   [I hope everyone catches de meaning. PGN]

------------------------------

Date: Tue, 11 May 93 10:52:57 -0400
From: eric@cadkey.com
Subject: Fake ATM Machine Steals PINs

Everyone knows you're supposed to be VERY careful about not revealing your PIN number for your ATM card. How are you supposed to stop this new trick???

At the Buckland Hills Mall, in Manchester CT, last week, some scam artists installed a fake ATM machine.
They had negotiated with the Mall officers, pretending to be Bank officials, and had gotten permission. Apparently, they even got the phone company to come in and lay down some lines. Then, they installed an ATM machine they had stolen. It was programmed to read off the account numbers, remember the PIN as it was typed, then claim some kind of error and refuse to give out money.

They left the machine in the mall for a WEEK, collecting PINs, then they came back, took the machine back to "repair", and have since printed up new cards, and have been using the PINs to siphon off money.....

Why didn't I think of that??

   [New trick? This is one of the oldest scams going, but it still recurs. PGN]

------------------------------

Date: Mon, 10 May 93 12:52:56 PDT
From: tapper@aero.org
Subject: Teller Users Beware

Any of you that use an automated telephone transaction system to do your banking (or to make balance inquiries, etc.) may be interested in an experience I had today. I dialed in and was connected to a session in progress that belonged to another user (who probably hung up after receiving whatever information he/she requested). I immediately transferred all their money into my account...no just kidding :)

I would hate to think that might happen to me, especially since some of these services allow you to move money around. I would like to suggest to anyone using these types of services (including voice-mail services) to back all the way out of the system before hanging up. Some systems (like Aerospace voice-mail) allow you to disconnect via a command, before hanging up, but many do not. My banking system does not allow me to disconnect without hanging up, but it does allow me to back out of the menus until I reach the main menu which prompts for user password before proceeding. From now on I'm going to make sure I back out to that level before hanging up.

Signed, Could-have-been-rich.

   [Another old classic.
   The TENEX undetected-hangup problem years ago had similar properties, leaving a dial-up port still active, waiting for the next dial-up to randomly stumble upon a logged-in user session. PGN]

------------------------------

Date: Mon, 10 May 93 12:32:57 -0400
From: George Entenman
Subject: More on Census imposters invading Cary (RISKS-14.58)

Saturday's News and Observer had a little article saying that the Census workers in Cary might really have been working for the US Census Bureau.

   [But George's item does suggest that there is a problem anyway! PGN]

------------------------------

Date: Tue, 11 May 93 13:42:18 EDT
From: Clipper-Capstone Chip Info
Organization: National Institute of Standards and Technology (NIST)
Subject: NIST Advisory Board Seeks Comments on Crypto

Note: This file has been posted to the following groups: RISKS Forum, Privacy Forum, Sci.crypt, Alt.privacy.clipper and will be made available for anonymous ftp from csrc.ncsl.nist.gov, filename pub/nistgen/cryptmtg.txt and for download from the NIST Computer Security BBS, 301-948-5717, filename cryptmtg.txt.

Note: The following notice is scheduled to appear in the Federal Register this week. The notice announces a meeting of the Computer System Security and Privacy Advisory Board (established by the Computer Security Act of 1987) and solicits public and industry comments on a wide range of cryptographic issues. Please note that submissions are due by 4:00 p.m. May 27, 1993.

DEPARTMENT OF COMMERCE
National Institute of Standards and Technology

Announcing a Meeting of the
COMPUTER SYSTEM SECURITY AND PRIVACY ADVISORY BOARD

AGENCY: National Institute of Standards and Technology

ACTION: Notice of Open Meeting

SUMMARY: Pursuant to the Federal Advisory Committee Act, 5 U.S.C. App., notice is hereby given that the Computer System Security and Privacy Advisory Board will meet Wednesday, June 2, 1993, from 9:00 a.m. to 5:00 p.m., Thursday, June 3, 1993, from 9:00 a.m.
to 5:00 p.m., and Friday, June 4, 1993 from 9:00 a.m. to 1:00 p.m. The Advisory Board was established by the Computer Security Act of 1987 (P.L. 100-235) to advise the Secretary of Commerce and the Director of NIST on security and privacy issues pertaining to Federal computer systems and report its findings to the Secretary of Commerce, the Director of the Office of Management and Budget, the Director of the National Security Agency, and the appropriate committees of the Congress. All sessions will be open to the public.

DATES: The meeting will be held on June 2-4 1993. On June 2 and 3, 1993 the meeting will take place from 9:00 a.m. to 5:00 p.m. and on June 4, 1993 from 9:00 a.m. to 1:00 p.m.

Public submissions (as described below) are due by 4:00 p.m. (EDT) May 27, 1993 to allow for sufficient time for distribution to and review by Board members.

ADDRESS: The meeting will take place at the National Institute of Standards and Technology, Gaithersburg, MD. On June 2, 1993, the meeting will be held in the Administration Building, "Red Auditorium," on June 3 the meeting will be held in the Administration Building, "Green Auditorium," and on June 4, 1993 in the Administration Building, Lecture Room "B."

Submissions (as described below), including copyright waiver if required, should be addressed to: Cryptographic Issue Statements, Computer System Security and Privacy Advisory Board, Technology Building, Room B-154, National Institute of Standards and Technology, Gaithersburg, MD, 20899 or via FAX to 301/948-1784. Submissions, including copyright waiver if required, may also be sent electronically to "crypto@csrc.ncsl.nist.gov".
AGENDA:

- Welcome and Review of Meeting Agenda
- Government-developed "Key Escrow" Chip Announcement Review
- Discussion of Escrowed Cryptographic Key Technologies
- Review of Submitted Issue Papers
- Position Presentations & Discussion
- Public Participation
- Annual Report and Pending Business
- Close

PUBLIC PARTICIPATION:

This Advisory Board meeting will be devoted to the issue of the Administration's recently announced government-developed "key escrow" chip cryptographic technology and, more broadly, to public use of cryptography and government cryptographic policies and regulations. The Board has been asked by NIST to obtain public comments on this matter for submission to NIST for the national review that the Administration has announced it will conduct of cryptographic-related issues. Therefore, the Board is interested in:

1) obtaining public views and reactions to the government-developed "key escrow" chip technology announcement, "key escrow" technology generally, and government cryptographic policies and regulations
2) hearing selected summaries of written views that have been submitted, and
3) conducting a general discussion of these issues in public.

The Board solicits all interested parties to submit well-written, concise issue papers, position statements, and background materials on areas such as those listed below. Industry input is particularly encouraged in addressing the questions below.

Because of the volume of responses expected, submittors are asked to identify the issues above to which their submission(s) are responsive. Submittors should be aware that copyrighted documents cannot be accepted unless a written waiver is included concurrently with the submission to allow NIST to reproduce the material. Also, company proprietary information should not be included, since submissions will be made publicly available.
This meeting specifically will not be a tutorial or briefing on technical details of the government-developed "key escrow" chip or escrowed cryptographic key technologies. Those wishing to address the Board and/or submit written position statements are requested to be thoroughly familiar with the topic and to have concise, well-formulated opinions on its societal ramifications.

Issues on which comments are sought include the following:

1. CRYPTOGRAPHIC POLICIES AND SOCIAL/PUBLIC POLICY ISSUES

Public and Social policy aspects of the government-developed "key escrow" chip and, more generally, escrowed key technology and government cryptographic policies.

Issues involved in balancing various interests affected by government cryptographic policies.

2. LEGAL AND CONSTITUTIONAL ISSUES

Consequences of the government-developed "key escrow" chip technology and, more generally, key escrow technology and government cryptographic policies.

3. INDIVIDUAL PRIVACY

Issues and impacts of cryptographic-related statutes, regulations, and standards, both national and international, upon individual privacy.

Issues related to the privacy impacts of the government-developed "key escrow" chip and "key escrow" technology generally.

4. QUESTIONS DIRECTED TO AMERICAN INDUSTRY

4.A Industry Questions: U.S. Export Controls

4.A.1 Exports - General

What has been the impact on industry of past export controls on products with password and data security features for voice or data?

Can such an impact, if any, be quantified in terms of lost export sales or market share? If yes, please provide that impact.

How many exports involving cryptographic products did you attempt over the last five years? How many were denied? What reason was given for denial?

Can you provide documentation of sales of cryptographic equipment which were lost to a foreign competitor, due solely to U.S. Export Regulations.
What are the current market trends for the export sales of information security devices implemented in hardware solutions? For software solutions?

4.A.2 Exports - Software

If the U.S. software producers of mass market or general purpose software (word processing, spreadsheets, operating environments, accounting, graphics, etc.) are prohibited from exporting such packages with file encryption capabilities, what foreign competitors in what countries are able and willing to take foreign market share from U.S. producers by supplying file encryption capabilities?

What is the impact on the export market share and dollar sales of the U.S. software industry if a relatively inexpensive hardware solution for voice or data encryption is available such as the government-developed "key escrow" chip?

What has been the impact of U.S. export controls on COMPUTER UTILITIES software packages such as Norton Utilities and PCTools?

What has been the impact of U.S. export controls on exporters of OTHER SOFTWARE PACKAGES (e.g., word processing) containing file encryption capabilities?

What information does industry have that Data Encryption Standard (DES) based software programs are widely available abroad in software applications programs?

4.A.3 Exports - Hardware

Measured in dollar sales, units, and transactions, what have been the historic exports for:

   Standard telephone sets
   Cellular telephone sets
   Personal computers and work stations
   FAX machines
   Modems
   Telephone switches

What are the projected export sales of these products if there is no change in export control policy and if the government-developed "key escrow" chip is not made available to industry?

What are the projected export sales of these products if the government-developed "key escrow" chip is installed in the above products, the above products are freely available at an additional price of no more than $25.00, and the above products are exported WITHOUT ADDITIONAL LICENSING REQUIREMENTS?
What are the projected export sales of these products if the government-developed "key escrow" chip is installed in the above products, the above products are freely available at an additional price of no more than $25.00, and the above products are to be exported WITH AN ITAR MUNITIONS LICENSING REQUIREMENT for all destinations?

What are the projected export sales of these products if the government-developed "key escrow" chip is installed in the above products, the above products are freely available at an additional price of no more than $25.00, and the above products are to be exported WITH A DEPARTMENT OF COMMERCE LICENSING REQUIREMENT for all destinations?

4.A.4 Exports - Advanced Telecommunications

What has been the impact on industry of past export controls on other advanced telecommunications products?

Can such an impact on the export of other advanced telecommunications products, if any, be quantified in terms of lost export sales or market share? If yes, provide that impact.

4.B Industry Questions: Foreign Import/Export Regulations

How do regulations of foreign countries affect the import and export of products containing cryptographic functions? Specific examples of countries and regulations will prove useful.

4.C Industry Questions: Customer Requirements for Cryptography

What are current and future customer requirements for information security by function and industry? For example, what are current and future customer requirements for domestic banking, international banking, funds transfer systems, automatic teller systems, payroll records, financial information, business plans, competitive strategy plans, cost analyses, research and development records, technology trade secrets, personal privacy for voice communications, and so forth? What might be good sources of such data?

What impact do U.S.
Government mandated information security standards for defense contracts have upon demands by other commercial users for information security systems in the U.S.? In foreign markets?

What threats are your product designed to protect against? What threats do you consider unaddressed?

What demand do you foresee for a) cryptographic only products, and b) products incorporating cryptography in: 1) the domestic market, 2) in the foreign-only market, and 3) in the global market?

4.D Industry Questions: Standards

If the European Community were to announce a non-DES, non-public key European Community Encryption Standard (ECES), how would your company react? Include the new standard in product line? Withdraw from the market? Wait and see?

What are the impacts of government cryptographic standards on U.S. industry (e.g., Federal Information Processing Standard 46-1 [the Data Encryption Standard] and the proposed Digital Signature Standard)?

5. QUESTIONS DIRECTED TO THE AMERICAN BUSINESS COMMUNITY

5.A American Business: Threats and Security Requirements

Describe, in detail, the threat(s), to which you are exposed and which you believe cryptographic solutions can address.

Please provide actual incidents of U.S. business experiences with economic espionage which could have been thwarted by applications of cryptographic technologies.

What are the relevant standards of care that businesses must apply to safeguard information and what are the sources of those standards other than Federal standards for government contractors?

What are U.S. business experiences with the use of cryptography to protect against economic espionage, (including current and projected investment levels in cryptographic products)?

5.B American Business: Use of Cryptography

Describe the types of cryptographic products now in use by your organization. Describe the protection they provide (e.g., data encryption or data integrity through digital signatures). Please indicate how these products are being used.
Describe any problems you have encountered in finding, installing, operating, importing, or exporting cryptographic devices.

Describe current and future uses of cryptographic technology to protect commercial information (including types of information being protected and against what threats).

Which factors in the list below inhibit your use of cryptographic products? Please rank:

   -- no need
   -- no appropriate product on market
   -- fear of interoperability problems
   -- regulatory concerns
      -- a) U.S. export laws
      -- b) foreign country regulations
      -- c) other
   -- cost of equipment
   -- cost of operation
   -- other

Please comment on any of these factors.

In your opinion, what is the one most important unaddressed need involving cryptographic technology?

Please provide your views on the adequacy of the government-developed "key escrow" chip technological approach for the protection of all your international voice and data communication requirements. Comments on other U.S. Government cryptographic standards?

6. OTHER

Please describe any other impacts arising from Federal government cryptographic policies and regulations.

Please describe any other impacts upon the Federal government in the protection of unclassified computer systems.

Are there any other comments you wish to share?

The Board agenda will include a period of time, not to exceed ten hours, for oral presentations of summaries of selected written statements submitted to the Board by May 27, 1993. As appropriate and to the extent possible, speakers addressing the same topic will be grouped together. Speakers, prescheduled by the Secretariat and notified in advance, will be allotted fifteen to thirty minutes to orally present their written statements. Individuals and organizations submitting written materials are requested to advise the Secretariat if they would be interested in orally summarizing their materials for the Board at the meeting.
Another period of time, not to exceed one hour, will be reserved for oral comments and questions from the public. Each speaker will be allotted up to five minutes; it will be necessary to strictly control the length of presentations to maximize public participation and the number of presentations.

Except as provided for above, participation in the Board's discussions during the meeting will be at the discretion of the Designated Federal Official.

Approximately thirty seats will be available for the public, including three seats reserved for the media. Seats will be available on a first-come, first-served basis.

FOR FURTHER INFORMATION CONTACT: Mr. Lynn McNulty, Executive Secretary and Associate Director for Computer Security, Computer Systems Laboratory, National Institute of Standards and Technology, Building 225, Room B154, Gaithersburg, Maryland 20899, telephone: (301) 975-3240.

SUPPLEMENTARY INFORMATION: Background information on the government-developed "key escrow" chip proposal is available from the Board Secretariat; see address in "for further information" section. Also, information on the government-developed "key escrow" chip is available electronically from the NIST computer security bulletin board, phone 301-948-5717.

The Board intends to stress the public and social policy aspects, the legal and Constitutional consequences of this technology, and the impacts upon American business and industry during its meeting.

It is the Board's intention to create, as a product of this meeting, a publicly available digest of the important points of discussion, conclusions (if any) that might be reached, and an inventory of the policy issues that need to be considered by the government. Within the procedures described above, public participation is encouraged and solicited.

/signed/ Raymond G.
Kammer, Acting Director
May 10, 1993

------------------------------

Date: Thu, 6 May 1993 19:24:06 EST
From: Dave Banisar
Subject: New NIST/NSA Revelations

Less than three weeks after the White House announced a controversial initiative to secure the nation's electronic communications with government-approved cryptography, newly released documents raise serious questions about the process that gave rise to the administration's proposal. The documents, released by the National Institute of Standards and Technology (NIST) in response to a Freedom of Information Act lawsuit, suggest that the super-secret National Security Agency (NSA) dominates the process of establishing security standards for civilian computer systems in contravention of the intent of legislation Congress enacted in 1987.

The released material concerns the development of the Digital Signature Standard (DSS), a cryptographic method for authenticating the identity of the sender of an electronic communication and for authenticating the integrity of the data in that communication. NIST publicly proposed the DSS in August 1991 and initially made no mention of any NSA role in developing the standard, which was intended for use in unclassified, civilian communications systems. NIST finally conceded that NSA had, in fact, developed the technology after Computer Professionals for Social Responsibility (CPSR) filed suit against the agency for withholding relevant documents.

The proposed DSS was widely criticized within the computer industry for its perceived weak security and inferiority to an existing authentication technology known as the RSA algorithm. Many observers have speculated that the RSA technique was disfavored by NSA because it was, in fact, more secure than the NSA-proposed algorithm and because the RSA technique could also be used to encrypt data very securely.
The newly-disclosed documents -- released in heavily censored form at the insistence of NSA -- suggest that NSA was not merely involved in the development process, but dominated it. NIST and NSA worked together on the DSS through an intra-agency Technical Working Group (TWG). The documents suggest that the NIST-NSA relationship was contentious, with NSA insisting upon secrecy throughout the deliberations. A NIST report dated January 31, 1990, states that

    The members of the TWG acknowledged that the efforts expended to date in the determination of a public key algorithm which would be publicly known have not been successful. It's increasingly evident that it is difficult, if not impossible, to reconcile the concerns and requirements of NSA, NIST and the general public through using this approach.

The civilian agency's frustration is also apparent in a July 21, 1990, memo from the NIST members of the TWG to NIST director John W. Lyons. The memo suggests that "national security" concerns hampered efforts to develop a standard:

    THE NIST/NSA Technical Working Group (TWG) has held 18 meetings over the past 13 months. A part of every meeting has focused on the NIST intent to develop a Public Key Standard Algorithm Standard. We are convinced that the TWG process has reached a point where continuing discussions of the public key issue will yield only marginal results. Simply stated, we believe that over the past 13 months we have explored the technical and national security equity issues to the point where a decision is required on the future direction of digital signature standards.

An October 19, 1990, NIST memo discussing possible patent issues surrounding DSS noted that those questions would need to be addressed "if we ever get our NSA problem settled."
Although much of the material remains classified and withheld from disclosure, the "NSA problem" was apparently the intelligence agency's demand that perceived "national security" considerations take precedence in the development of the DSS. From the outset, NSA cloaked the deliberations in secrecy. For instance, at the March 22, 1990, meeting of the TWG, NSA representatives presented NIST with NSA's classified proposal for a DSS algorithm. NIST's report of the meeting notes that

    The second document, classified TOP SECRET CODEWORD, was a position paper which discussed reasons for the selection of the algorithms identified in the first document. This document is available at NSA for review by properly cleared senior NIST officials.

In other words, NSA presented highly classified material to NIST justifying NSA's selection of the proposed algorithm -- an algorithm intended to protect and authenticate unclassified information in civilian computer systems. The material was so highly classified that "properly cleared senior NIST officials" were required to view the material at NSA's facilities.

These disclosures are disturbing for two reasons. First, the process as revealed in the documents contravenes the intent of Congress embodied in the Computer Security Act of 1987. Through that legislation, Congress intended to remove NSA from the process of developing civilian computer security standards and to place that responsibility with NIST, a civilian agency. Congress expressed a particular concern that NSA, a military intelligence agency, would improperly limit public access to information in a manner incompatible with civilian standard setting. The House Report on the legislation noted that NSA's

    natural tendency to restrict and even deny access to information that it deems important would disqualify that agency from being put in charge of the protection of non-national security information in the view of many officials in the civilian agencies and the private sector.
While the Computer Security Act contemplated that NSA would provide NIST with "technical assistance" in the development of civilian standards, the newly released documents demonstrate that NSA has crossed that line and dominates the development process.

The second reason why this material is significant is because of what it reveals about the process that gave rise to the so-called "Clipper" chip proposed by the administration earlier this month. Once again, NIST was identified as the agency actually proposing the new encryption technology, with "technical assistance" from NSA. Once again, the underlying information concerning the development process is classified. DSS was the first test of the Computer Security Act's division of labor between NIST and NSA. Clipper comes out of the same "collaborative" process. The newly released documents suggest that NSA continues to dominate the government's work on computer security and to cloak the process in secrecy, contrary to the clear intent of Congress.

On the day the Clipper initiative was announced, CPSR submitted FOIA requests to key agencies -- including NIST and NSA -- for information concerning the proposal. CPSR will pursue those requests, as well as the pending litigation concerning NSA involvement in the development of the Digital Signature Standard. Before any meaningful debate can occur on the direction of cryptography policy, essential government information must be made public -- as Congress intended when it passed the Computer Security Act. CPSR is committed to that goal.

David L. Sobel, CPSR Legal Counsel, (202) 544-9240
dsobel@washofc.cpsr.org

------------------------------

End of RISKS-FORUM Digest 14.59
************************