Subject: RISKS DIGEST 14.64 REPLY-TO: risks@csl.sri.com RISKS-LIST: RISKS-FORUM Digest Wednesday 19 May 1993 Volume 14 : Issue 64 FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator Contents: [Corrected] A Risk of Risks Elided (or no news not always best) (Mike Coleman) Rewards offered for finding bugs in Japanese encryption methods (Forman) Re: Clipper (Jim Bidzos, Eric Raymond, Dorothy Denning, Doug Rand) Re: Clipper "destroyed keys" and Spycatcher (Roger Crew) Re: Clipper/Capstone: Expectations of privacy? (Henry Burdett Messenger) Re: Clipper and the "Man in the Middle" (Stephen G. Smith) Re: Epilepsy and video games (David Honig) Re: makedepend problem - a real world example (Conrad Hughes) Re: Cut and Paste risks (Robert L Krawitz) Re: CHI & the Color-blind? (Flint Pellett) The RISKS Forum is a moderated digest discussing risks; comp.risks is its Usenet counterpart. Undigestifiers are available throughout the Internet, but not from RISKS. Contributions should be relevant, sound, in good taste, objective, cogent, coherent, concise, and nonrepetitious. Diversity is welcome. CONTRIBUTIONS to RISKS@CSL.SRI.COM, with appropriate, substantive "Subject:" line. Others may be ignored! Contributions will not be ACKed. The load is too great. **PLEASE** INCLUDE YOUR NAME & INTERNET FROM: ADDRESS, especially .UUCP folks. REQUESTS please to RISKS-Request@CSL.SRI.COM. Vol i issue j, type "FTP CRVAX.SRI.COMlogin anonymousAnyNonNullPW CD RISKS:GET RISKS-i.j" (where i=1 to 14, j always TWO digits). Vol i summaries in j=00; "dir risks-*.*" gives directory; "bye" logs out. The COLON in "CD RISKS:" is essential. "CRVAX.SRI.COM" = "128.18.10.1". =CarriageReturn; FTPs may differ; UNIX prompts for username, password. For information regarding delivery of RISKS by FAX, phone 310-455-9300 (or send FAX to RISKS at 310-455-2364, or EMail to risks-fax@vortex.com). ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY. Relevant contributions may appear in the RISKS section of regular issues of ACM SIGSOFT's SOFTWARE ENGINEERING NOTES, unless you state otherwise. ---------------------------------------------------------------------- Date: Tue, 18 May 93 21:07:18 PDT From: coleman@twinsun.com (Mike Coleman) Subject: A Risk of Risks Elided (or no news not always best) Cc: nn-bugs@dkuug.dk The default behavior of the popular newsreader 'nn' is to split (undigestify) digests such as RISKS. Unfortunately, nn seems to omit included articles, such as the Jim Bidzos inclusion in Ed Roback's submission in RISKS 14.62. Until this is fixed, nn users can include this line in their ~/.nn/init: set split false This should put an end to many unhappy non sequiturs. ------------------------------ Date: Thu, 13 May 93 10:22:19 -0700 From: forman@cs.washington.edu Subject: Rewards offered for finding bugs in Japanese encryption methods In RISKS-14.60 Klaus Brunnstein implies that "Security by Obscurity" (not making an encryption method public) is a poor way to get a secure encryption method. Both the USA's Clipper Chip and Europe's A5 standards use Security by Obscurity. Japan doesn't seem to rely on this arcane method: Professor Shigeo Tsujii of the Tokyo Institute of Technology is offering $3000 to anyone who can find a bug in his new encryption method called "NIKS-TA". (Described in his 15-page thesis.) Similarly, in 1989 NTT offered $9100 (1M yen) for finding a bug in their encryption method. [This could be RISKy if the reward is not big enough, and someone on the "other side" is offering more? PGN] ------------------------------ Date: Wed, 19 May 93 10:17:16 PDT From: jim@RSA.COM (Jim Bidzos) Subject: Re: Clipper (Denning, RISKS-14.63) Dorothy Denning wrote in RISKS-14.63, with respect to the key management advantage of RSA over DSS, that the Capstone chip makes the key management advantage "disappear." I believe that trust is a very significant part of the advantage RSA enjoys over DSS/Capstone, whether for signatures or key management. The scrutiny RSA has withstood in the 17 years since its discovery contributes to that trust. The only way to make that advantage "disappear" is to publish everything about Capstone, including the algorithm that the keys you manage are used with, and wait a few years and a few hundred papers before proposing it as a standard. (Since DES has withstood similar scrutiny, RSA and triple-DES have an advantage to users both in and out of the US that is likely never to disappear as it appears the government will never publish Clipper/Capstone details.) ------------------------------ Date: Wed, 19 May 1993 16:32:46 -0400 (EDT) From: esr@snark.thyrsus.com (Eric S. Raymond) Subject: Re: Clipper (Denning, RISKS-14.60; Rotenberg, RISKS-14.62) In Marc Rotenberg wrote: > Denning has to be kidding. The comments on the proposed DSS were uniformly > critical. Both Marty Hellman and Ron Rivest questioned the desirability of > the proposed standard. Mr. Rotenberg, as a public figure operating in the political arena, has to exercise a certain diplomatic restraint in responding to Ms. Denning's claims. I am, thankfully, under no such requirement. As a long-time RISKS reader and contributor, I observe that that this is not the first time that Ms. Denning has apparently operated as a mouthpiece for the NSA's anti-privacy party line on DES and related issues. I believe Ms. Denning's remarks must be understood as part of a continuing propaganda campaign to marginalize and demonize advocates of electronic privacy rights. Other facets of this campaign have attempted to link privacy advocates to terrorists and drug dealers by suggesting that only criminals need fear wiretapping. These are serious charges. I make them because, in the wake of the Clipper proposal, I do not believe civil libertarians can afford any longer to assume that their opponents are persons of good will with whom they can simply debate minor differences of institutional means in a collegial way. It's time for someone to say, in public and on this list, what I know many of us have been thinking. The future is *now*. Electronic privacy issues are no longer a parlor game for futurologists; they are the focus of a critical political struggle, *and the opponents of privacy are fighting their war with all the tools of force, deception, and propaganda they can command*. The histories of the DES, the FBI wiretap proposal, and now the Clipper proposal must be considered against a wider background of abuses including the Steve Jackson case, "Operation Longarm", and the routine tapping of U.S. domestic telecommunications by NSA interception stations located outside the geographic borders of the United States. These form a continuing pattern of attempts by agencies of the U.S. government to pre-empt efforts to extend First and Fourth Amendment privacy protections to the new electronic media. In each case, the attempt was made to present civil libertarians with a fait accompli, invoking "national security" (or the nastiness of "kiddie porn") to justify legislative, judicial and practical precedents prejudicial against electronic privacy rights. While I would not go so far as to claim that these efforts are masterminded by a unitary conspiracy, I believe that the interlocking groups of spies, bureaucrats and lawmen who have originated them recognize each other as cooperating fellow-travelers in much the same way as opposing groups like the EFF, CPSR and the Cypherpunks do. Their implicit agenda is to make the new electronic communications media transparent to government surveillance and (eventually) pliant to government control. One of the traits of this culture of control is the belief that manipulative lying and dissemblage can be justified for a `higher good'. I believe that Ms. Denning's disingenuous claim that the DSS "is now considered to be just as strong as RSA" is no mere technical misapprehension. I believe it is propaganda aimed at making objectors non-persons in the debate. I cannot know whether Ms. Denning actually believes this claim, but it reminds me all too strongly of the classic "Big Lie" technique. It is important for us to recognize that the propaganda lie is not an aberration, but a routine tool of the authoritarian mindset. And the authoritarian mindset is, ultimately, what we are confronting here --- the mindset that regards the fighting of elastically-defined `crime' as more important than privacy, that presumes guilt until innocence is proven, that demands for government a license to override any individual's natural rights at political whim. We cannot trust representatives of an institutional culture that was *constructed* to deal in information control, lies, secrecy, paranoia and deception to tell us the truth. We cannot accept the authoritarians' unverified assurances that the sealed interior of the Clipper chip contains no `trapdoor' enabling the NSA to eavesdrop at will. We cannot trust the authoritarians' assertions that they have no intention of outlawing cryptographic technologies potentially more secure than the Clipper chip. We cannot believe the authoritarians' claims that `independent' key registries will prevent abuse of decryption keys by government and/or corrupt individuals. We cannot --- we *must not* --- cede control of encryption technology to the authoritarians. To do so would betray our children and their descendants, who will work and *live* in cyberspace to an extent we can barely imagine. We cannot any longer afford the luxury of treating the authoritarians as honest dealers with whom compromise is morally advisable, or even possible. Whatever their own valuation of themselves, the thinly-veiled power grab represented by the Clipper proposal reveals a desire to institutionalize means which a free society, wishing to remain free, *cannot tolerate*. Big Brother must be stopped *here*. *Now.* While it is still possible. Eric S. Raymond ------------------------------ Date: Wed, 19 May 93 18:37:24 EDT From: denning@cs.cosc.georgetown.edu (Dorothy Denning) Subject: Re: Clipper (Raymond, RISKS-14.64) Eric Raymond has accused me of being part of a propaganda campaign and a "Big Lie." Among his wild speculations, he wrote: I believe that Ms. Denning's disingenuous claim that the DSS "is now considered to be just as strong as RSA" is no mere technical misapprehension. I believe it is propaganda aimed at making objectors non-persons in the debate. I cannot know whether Ms. Denning actually believes this claim, but it reminds me all too strongly of the classic "Big Lie" technique. Frankly, I don't know how to respond his allegations other than by saying that I am not and have never been on the payroll of NIST, NSA, or the FBI and that every word I have published has been completely on my own initiative. While I frequently speak with people in these agencies (mainly to ask them questions so that I can be informed) and have considerable respect for them, I am operating on my own initiative and making my own independent evaluations based on all the evidence I can find. I try to avoid pure speculation as much as possible. My objective in responding to Sobel in the first place was to point out that, in my best judgement, the DSS as revised is as secure as RSA. I did that so that readers would not be led to believe the contrary. Let me elaborate more. The security of the DSS is based on the difficulty of computing the discret log. (The Diffie-Hellman key exchange, invented in 1976, is likewise so based.) The security of the RSA is based on factoring. My understanding is that the computational difficulty of these two problems is about the same for comparable key lengths, and indeed, the fastest solutions with both come using the same basic technique, namely the number field sieve. If I'm wrong here, I am happy to be corrected by someone who knows more than I do about this. There are other factors, of course, that must be taken into account. With both schemes, you have to make sure you get good primes. In the case of the DSS, you want really random ones so that you don't get ones with "trapdoors." This is readily done and the chances of getting a trapdoor one are minuscule. For a reference, see Daniel Gordon's paper from Crypto '92. I still remember the day when George Davida called me up to say that he had cracked RSA. It turned out that he had found a way of exploiting the digital signatures to get access to plaintext (but not keys). I generalized his mathematics and published a paper in CACM (April 84). The solution is to hash messages before they are signed, which has other advantages anyway. I also remember various articles by people pointing other potential vulnerabilities with RSA if the primes weren't picked right. There are potential weaknesses in all of these public-key methods, but they can be resolved. As near as I can tell, NIST has resolved the potential problems with the DSS, and I am confident that if new ones are found, they will resolve them too. Dorothy Denning ------------------------------ Date: Mon, 17 May 93 17:55:43 EDT From: drand@osf.org Subject: Clipper chip I've just read one of the longer tirades in risks about the clipper chip and feel like putting my foot into the whirling blades :) Have the naysayers totally forgotten the point of making crypto gear available to individuals? Right now I cannot lift my portable phone without assuming I'm talking to several people aside from the person I call. I treat it as I would a contact on ham radio. The crooks can listen to us, the government has always been able to. Now, for the first time, there would be some control. Perhaps it isn't perfect. This is irrelevant. It is so many orders of magnitude more secure than any phone system today. Without the chip being ubiquitous, we cannot have this capability in every one of perhaps a billion phones (guesstimate) in the country. It would be too expensive and totally useless. Both parties must have the same gear. That the crooks could always create more effective crypto gear is also a red herring. Maybe they could. But the law is being structured so that this itself would be considered probable cause of a crime. We'll have to see if (how much) this is abused. One hopes that just the unlicensed crypto gear would not be sufficient to indict honest people. Doug Rand drand@osf.org ------------------------------ Date: Tue, 18 May 1993 13:05:14 -0700 From: Roger Crew Subject: Re: Clipper - "destroyed" keys > Even if you *know* that an instrument has been decoded, in many > cases management will simply accept the government's word that the > keys were destroyed rather than replace the instrument(s). The following excerpt from Peter Wright's _Spycatcher_ comes to mind: Jagger was the MI5 odd-job technical man... [He] had an extraordinary array of skills, of which the most impressive was his lockpicking. Early on in training I attended one of the regular classes he ran for MI5 and MI6 in his lockpicking workshop. The cellar room was dominated by a vast array of keys, literally thousands of them, numbered and hung in rows on each wall. Jagger explained that as MI5 acquired or made secret imprints of keys of offices, hotels, or private houses, each one was carefully indexed and numbered. Over the years they had developed access in this way to premises all over Britain. ``You'll never know when you might need a key again,'' explained Jagger as I stared in astonishment at his collection. ``The first rule if you are entering premises is only pick the lock as the last resort,'' said Jagger, beginning his lecture. ``It's virtually impossible to pick a lock without scratching it---and that'll almost certainly give the game away to the trained intelligence officer... What you have to do is get hold of the key---either by measuring the lock or taking an imprint of the key.'' Though this incident dates from the mid 50's, Peter Wright held his post in MI5 (British domestic intelligence) until 1976, and there's no reason to believe that their procedures (w.r.t. keys and locks) changed significantly during that period. And evidently people changed their locks sufficiently infrequently that MI5 felt it worth the expense of maintaining a key farm... Roger Crew rfc@research.microsoft.com ------------------------------ Date: Wed, 19 May 93 09:42:12 PDT From: Henry_Burdett_Messenger@cup.portal.com Subject: Re: Clipper/Capstone: No reasonable expectation of privacy? Nobody has mentioned a risk of the Clipper/Capstone proposal that I thought of last weekend. You see, we aren't supposed to use Clipper; it will cost too much for ordinary telecommunications usage. Furthermore, there will be no great demand from the citizenry to encrypt their telephones: after all, the ones they already have work perfectly well. The Supreme Court has already ruled that conversations held over cordless telephones can be intercepted and used as evidence against you without any wiretap warrants*. You have "no reasonable expectation of privacy" on a cordless telephone. How long until the Supremes rule that telephone conversations on wire phones in the clear are also fair game? After all, the Government has given you Clipper; it's your fault if you're not using it... Therefore, I fear that this will become a class issue: those who can afford Clipper can afford (limited) privacy, but it's open season on those who can't. How *convenient* for our friends in law enforcement! * Contrast this with early rulings on party lines, where you were not allowed to disclose the content of conversations overheard on a party line. Henry B. Messenger henry_burdett_messenger@cup.portal.com ------------------------------ Date: Sat, 1 May 93 01:36:27 -0400 From: sgs@grebyn.com (Stephen G. Smith) Subject: Re: Clipper and the "Man in the Middle" One thing that I have not seen in the discussion of the Clipper is that it seems to be totally vulnerable to a "man in the middle" attack. Take two Clipper chips. Connect them back-to-back. Add some "glue" to pass dialing/routing signals. Insert in the line, either by actually cutting the wire, or by diverting the call in the switch. Now when the victim makes a call, the data is in clear between the two chips. The result is that the tapper now has a clear conversation, the victim has no way of telling if he has been tapped, and there is no need for the song and dance with "escrow agencies". Note that this attack will work with any protocol that uses "zero knowledge" key exchange. The actual encryption method is completely irrelevant. The only defense is to be able to recognize your caller's key. Something tells me this may be very difficult .... The only place where the Clipper can provide even minimal security is in mobile communications, where the communications line cannot be cut. The giveaway that something is fishy, of course, is that the Government will not use the Clipper chip for classified communication. If it's so good, why won't they use it? Steve Smith Agincourt Computing sgs@grebyn.com (301) 681 7395 ------------------------------ Date: Tue, 18 May 1993 20:01:01 -0700 From: David Honig Subject: Re: Epilepsy and video games (Culver, RISKS-14.63) "Larry Hunter and others were asking about seizures induced by video games. Not being a neurologist, I wonder if these are similar to those caused by "photic stimulation", which has been implicated in some aircraft accidents. Some people, when exposed to flickering or flashing lights will have seizures which are quite similar to epileptic seizures. In aircraft, this can be a problem for general aviation pilots, who look through the propeller disk. During most of the flight, the frequency is too high to cause problems, but during a landing, especially into the setting sun, the propeller may cause flickering sufficient to induce a seizure. There are, apparently, degrees of severity: some people will seize from a single flash of the right duration." Yes, the seizure-risk from video games is exactly that from any flashing light ---whether from propeller, CRT, or LCD. ------------------------------ Date: Wed, 19 May 93 14:31:12 BST From: chughes@maths.tcd.ie (Conrad Hughes) Subject: Re: makedepend problem - a real world example (Worthman, RISKS-14.62) >... makedepend chokes on one of X11 include files (as distributed by Sun)... On the machine I use (running MIPS RISC/os) makedepend chokes under such circumstances, but doesn't die. The problem arises when you proceed to compile it, and compilation fails because this file doesn't exist and can't be built, yet there is a dependency on it. This consequently doesn't result in a risk, as rather than being built incorrectly, the software cannot be built - typically software should be installed by someone with enough experience to fix such include problems (and what with the nightmarish mess that is the MIPS header file directory tree I've garnered more than my fair share of _that_ experience recently). So - I can't see this bug producing risks other than compilation failure: all it can do is produce too extensive a dependency list, in which case unnecessary parts of the program may be built during compilation, _but_ since the real make process will correctly evaluate all conditional expressions which makedepend assumes are true, the unnecessary parts will not be linked in or installed if you use the supplied "make install".. [Thinks a bit more] On second thoughts - if someone is guilty of what I'd term bad practice and has an explicit make line for an included file which also modifies some other already-built part of the source beyond just building the required file then a risk does arise. A makefile which does this kind of thing is guilty of fairly poor practice anyway I think.. conrad hughes (chughes@maths.tcd.ie) ------------------------------ Date: Wed, 19 May 93 10:14:35 EDT From: Robert L Krawitz Subject: Re: Cut and Paste risks (Cook, RISKS-14.63) We should identify the main source of the risk, which in my opinion is general access to super-user privileged shells. ... Yes, but that still doesn't eliminate problems, since most of these accidents are caused by accidentally hitting the mouse buttons rather than carelessness as to what window the mouse is in. The design of most mice makes it very easy to inadvertently hit buttons (this seems to be true on Suns, it was true with both the 1985-style and the current DEC mice, and even with Lisp Machine mice). The problem is that it's very easy to brush a mouse button while reaching for the mouse, or while moving it. Looking at the way I hold the mouse, my index finger is practically on top of the middle button and my middle finger nearly touches the right button, making an accident of this nature practically inevitable. Cut and paste is most definitely very useful, and getting rid of it is an overreaction. However, by requiring two independent actions to perform it (e. g. the shift key on the keyboard along with a mouse button), the risk of such an accident is reduced. I've changed the mouse actions in my xterm windows to use shift bindings for the mouse keys. It's very rare that my left hand is camped on the shift key while my right hand is reaching for the mouse. Robert Krawitz, Thinking Machines Corp, 245 First St., Cambridge, MA 02142 (617)234-2116 Member of the League for Programming Freedom ------------------------------ Date: 19 May 93 14:42:53 GMT From: flint@gistdev.gist.com (Flint Pellett) Subject: Re: CHI & the Color-blind? (Yu, RISKS-14.62) > ... It seems to me that the answer to that is simple, and it isn't merely color/no color that it relates to: Don't place an over-reliance on icons to convey meaning because they don't always do so (whether colored or not), and the old saying that a picture is worth a thousand words isn't always true. Consider in the example above, if the words "No contact", "Contacted", "Promised", and "Called Us" were displayed instead of the icons, (or under each icon) how much clearer it all would be. (If I had to use the system above, I see myself having to refer constantly to an explanation sheet that says what each icon means, and I would expect to often make mistakes.) Too often people have been creating icon symbols to replace words when the word they replace is one that everyone would understand (at least if they speak that language), and the icon they come up with is one nobody recognizes. You'll find that even people who don't speak the language can learn a word just as easily as they can learn an icon. Icons tend to fail to convey meaning most often when they are trying to replace verbs. You can make it an option in your interface to let the user choose between use icons/use words/use both, but don't force "only icons" on people. Then you won't have to worry about color-blindness issues. Flint Pellett, Global Information Systems Technology, Inc., 100 Trade Centre Drive, Suite 301, Champaign, IL 61820 (217) 352-1165 uunet!gistdev!flint ------------------------------ End of RISKS-FORUM Digest 14.64 ************************