precedence: bulk Subject: RISKS DIGEST 19.52 RISKS-LIST: Risks-Forum Digest Weds 24 December 1997 Volume 19 : Issue 52 FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks) ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator ***** See last item for further information, disclaimers, caveats, etc. ***** Contents: [Happy Holidays!] The Swedes discover Lotus Notes has key escrow! (Win Treese) Strong crypto code for authentication published online (John Gilmore) New Internet law attacks non-profit pirating (Edupage) Electric deregulation grid-lock (PGN) Has Microsoft already infected itself? (Nick Brown) Beware of diploma mills on the Net (Edupage) Risks of modern PABXs and digital phones (Nick Brown) Hackers attack game site (Stevan Milunovic) Adjust your defibrillator today! (Gary McGraw) Mobil Speedpass (Philip Koopman) Tufte and Information Density (Jeff Gruszynski) Re: KC power outage (William Hugh Murray) Abridged info on RISKS (comp.risks) ---------------------------------------------------------------------- Date: Tue, 23 Dec 1997 22:15:31 -0500 From: Win Treese Subject: The Swedes discover Lotus Notes has key escrow! My colleague Bill Nilson brought this to my attention. Below is his translation of a story from a Swedish newspaper. [Original Swedish truncated, but is available on request. PGN] The article describes the reaction when various people in the Swedish government learned that the Lotus Notes system they were using includes key escrow. They were apparently unaware of this until Notes was in use by thousands of people in government and industry. Besides being an interesting reaction to key escrow systems, this incident reminds us that one should understand the real security of a system.... Secret Swedish E-Mail Can Be Read by the U.S.A. Fredrik Laurin, Calle Froste, *Svenska Dagbladet*, 18 Nov 1997 One of the world's most widely used e-mail programs, the American Lotus Notes, is not so secure as most of its 400,000 to 500,000 Swedish users believe. To be sure, it includes advanced cryptography in its e-mail function, but the codes that protect the encryption have been surrendered to American authorities. With them, the U.S. government can decode encrypted information. Among Swedish users are 349 parliament members, 15,000 tax agency employees, as well as employees in large businesses and the defense department. ``I didn't know that our Notes keys were deposited (with the U.S.). It was interesting to learn this,'' says Data Security Chief Jan Karlsson at the [Swedish] defense department. Gunnar Grenfors, Parliament director and daily e-mail user, says, ``I didn't know about this--here we handle sensitive information concerning Sweden's interests, and we should not leave the keys to this information to the U.S. government or anyone else. This must be a basic requirement.'' Sending information over the Internet is like sending a postcard--it's that simple to read these communications. When e-mail is encrypted, it becomes unintelligible for anyone who captures it during transport. Only those who have the right codes or raw computer power to break the encryption can read it. For crime prevention and national security reasons, the United States has tough regulations concerning the level of crytography that may be exported. Both large companies and intelligence agencies can already--in a fractions of a second--break the simpler cryptographic protections. For the world-leading American computer industry, cryptographic export controls are therefore an ever greater obstacle. This slows down utilization of the Internet by businesses because companies outside the U.S.A. do not dare to send important information over the Internet. On the other hand, the encryption that may be used freely within the U.S.A. is substantially more secure. Lotus, a subsidiary of the American computer giant IBM, has negotiated a special solution to the problem. Lotus gets to export strong cryptography with the requirement that vital parts of the secret keys are deposited with the U.S. government. ``The difference between the American Notes version and the export version lies in degrees of encryption. We deliver 64 bit keys to all customers, but 24 bits of those in the version that we deliver outside of the United States are deposited with the American government. That's how it works today,'' says Eileen Rudden, vice president at Lotus. Those 24 bits are critical for security in the system. 40-bit encryption is broken by a fast computer in several seconds, while 64 bits is much more time-consuming to break if one does not have the 24 bits [table omitted]. Lotus cannot answer as to which authorities have received the keys and what rules apply for giving them out. The company has confidence that the American authorities responsible for this have full control over the keys and can ensure that they will not be misused. On the other hand, this (assurance) does not matter to Swedish companies. On the contrary, there is a growing understanding that it would be an unacceptable security risk to place the corporation's own ``master key'' in the hands of foreign authorities. Secret information can leak or be spread through, for example, court decisions in other countries. These concerns are demonstrated clearly in a survey by the SAF Trade and Industry security delegation. Some 60 companies answered the survey. They absolutely do not want keys deposited in the U.S.A. It is business secrets they are protecting. These corporations fear that anyone can get a hold of this information, states Claes Blomqvist at SAF. Swedish businesses are also afraid of leaks within the American authorities. The security chief at SKF, Lars Lungren, states: ``If one has a lawful purpose for having control over encryption, it isn't a problem. But the precept is flawed: They ought to monitor (internally), but the Americans now act as if there are no crooks working within their authorities.'' In some countries, intelligence agencies clearly have taken a position on their country's trade and industry. Such is the case in France. One example, which French authorities chose to publicize, was in 1995 when five CIA agents were deported after having spied on a French telecommunications company. Win Treese [The Lotus Notes crypto scheme is one that I have familiarly been calling ``64 40 or fight!'' (in a reference to a slogan for an early U.S. election campaign border-dispute issue many years ago). PGN] ------------------------------ Date: Tue, 23 Dec 1997 15:18:55 -0800 From: John Gilmore Subject: Strong crypto code for authentication published online One of the risks of controlling privacy technology is that these controls spill over into other areas that the government doesn't wish to control. Freedom of speech is one such area, which is giving the Government headaches right now. But another such area is authentication. To build networks that are secure against mischief requires that people prove their authenticity in a way that can be verified across distance and time. This requires cryptography. The complexity of the export regulations on cryptography, and the harsh penalties for mistakes, have discouraged many people, including myself, from deploying good authentication because of fear of government retaliation. I've now spent some four years in close contact with lawyers, who dissected the export controls to prove them unconstitutional to Federal judges. That experience has reduced the "uncertainty and doubt" that accompanies such fear. I now know pretty exactly what the export controls allow and disallow. There's long been a disconnect between what NSA tells people is legal, and what is actually legal. NSA tends to serve its own interests, and operates on the principle that they're unlikely to get caught. For example, they told Dan Bernstein it might be illegal to put his software into a U.S. library if his intent was that foreigners could read it. They told the Apache team that their software was illegal to publish because it contained hooks that could call a separate PGP program. (Both of these are fully documented in declarations in the Bernstein case web site; see http://www.eff.org/bernstein/Legal/960726_filing/, behlendorf.decl and bernstein.decl.) And they've been telling people that authentication object code is not export-controlled, but that authentication source code is. Fortunately for network security, the regulations do not support their statement. Authentication is authentication is authentication. You can read the full legal analysis at my web site (see below). Software that's published in source code is still authentication software. And software that is publicly available, and wasn't transferred from the State Dept as an "EI" item, is not subject to the export controls. Given this new freedom from fear, uncertainty and doubt, the first piece of infrastructure I want to authenticate is the Domain Name System; thus this software release. But there are many other opportunities: authentic email (a version of PGP that doesn't encrypt, only authenticates?), authentic IP packets (IPSEC with AH only), authentic remote login (ssh or kerberos with privacy missing), authentic routing updates, authentic web pages, authentic public records, authentic network file access; the list is endless. Here's the press release. John Strong Crypto Code Published Online for Authentication San Francisco, December 23, 1997 - Civil libertarian John Gilmore today published strong authentication source code on the Internet, making it available for worldwide access, despite U.S. National Security Agency attempts to restrict such software. He is publishing Domain Name System Security software that contains a complete copy of RSAREF, well-known cryptography software that is a predecessor to the DNSsafe software released in October by RSA Data Security, Inc. Mr Gilmore explains, "Internet publication of cryptography software is considered an export by the US Government, and often requires government permission under the Export Administration Regulations (EAR). But those regulations specifically exempt programs which merely prove that information is authentic (authentication), rather than hiding the information (privacy)." The export regulations were amended in 1989 to exclude authentication software. Since that time, however, the National Security Agency has been telling people privately that the exclusion only applies to ready-to-run "binary" programs. They have reportedly claimed that the regulations still require government permission to export the human-readable "source code" of authentication programs. The plain text of the regulations makes no such distinction, though; all authentication programs are exempt. Readers can obtain the software from Mr. Gilmore's web site for Domain Name System Security, at http://www.toad.com/~dnssec or at http://www.flash.net/~dnssec. Future releases will be available from the Internet Software Consortium, http://www.isc.org/bind.html. The Electronic Frontier Foundation, which Mr. Gilmore co-founded, is sponsoring a lawsuit to have the entire cryptography software export control regime overturned. In the three-year suit, Bernstein v. State, Judge Marilyn Hall Patel has invalidated export controls administered by both the State Department and the Commerce Department. She ruled they are an unconstitutional prior restraint against our First Amendment right to speak and publish about cryptography. The case is now in the Ninth Circuit Court of Appeals. Domain Name System Security: http://www.toad.com/~dnssec or http://www.flash.net/~dnssec Internet Software Consortium: http://www.isc.org RSA Data Security: http://www.rsa.com Electronic Frontier Foundation: http://www.eff.org Press Contacts: John Gilmore, Founding Board Member, EFF +1 415 221 6524, gnu@toad.com Shari Steele, Staff Attorney, Electronic Frontier Foundation +1 301 375 8856, ssteele@eff.org More press background is available at: http://www.toad.com/~dnssec/pressrel1.background.txt "They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety." - Ben Franklin, ~1784 ------------------------------ Date: Sun, 21 Dec 1997 12:48:54 -0500 From: Edupage Editors Subject: New Internet law attacks non-profit pirating President Bill Clinton signed into law a controversial bill imposing criminal penalties on copyright violators who do not profit from their actions. The No Electronic Theft Act, passed by Congress last month, was strongly backed by the software and entertainment industries, but opposed by science and academic groups. Under the new law, a person who "willfully" infringes on copyrighted material worth at least $1,000 could be subject to criminal prosecution even if he does not profit by it. Under the previous law, copyright violators could not be charged with criminal misconduct unless they profited from the violation. Software and entertainment groups, including the Business Software Alliance, the Motion Picture Association and the Association of American Publishers, said the change was essential to protect software, music recordings and other creative products easily pirated over the Internet. (*Toronto Financial Post*, 18 Dec 1997; Edupage, 21 Dec 1997) ------------------------------ Date: Tue, 23 Dec 97 14:12:26 PST From: "Peter G. Neumann" Subject: Electric deregulation grid-lock California's 1 Jan 1998 scheduled deregulation of electric power received a shock when it was realized that the new software system is not ready to monitor who puts power into the grid and where it goes. Everything else is apparently ready to go. (You supposedly will then be able to get your electricity from competitive operators. Competition is supposed to lower prices, which by law must be reduced by at least 10%.) [Source: AP item, 23 Dec 1997] The length of the delay is unpredictable, with estimates ranging around 3, 4, or even 5 months. The Independent System Operators estimate their losses from the unavailability of the computer system at about $300,000 a day, whereas the Utility Reform Network watchdog estimates costs of up to $1,000,000 daily. The system development effort evidently could not properly address many of the complexities long familiar to RISKS readers -- including the necessity of getting out all the bugs, getting performance up to snuff, and adequately training people for use of the system, all within the allotted 11-month schedule. The ISO chief executive noted that this ``probably would have been a two- or three-year project'' and you just cannot cram all that into 11 months. [Source: Jamie Beckett, *San Francisco Chronicle*, 24 Dec 1997, A1] ------------------------------ Date: Fri, 19 Dec 1997 17:42:03 +0100 From: BROWN Nick Subject: Has Microsoft already infected itself? Can anyone explain what this string is doing in WWINTL32.DLL, the DLL which converts Word 97's language neutral version into (in this case) the International English version ? My version is dated August 13, 1997 at 3:59 pm, has 1158416 bytes, and is marked as version 8.0, although it comes from Office Service Release 1. Here's the string: "AutoClose macro virus is already installed in NORMAL.DOT" Does Microsoft know something we don't ? Nick Brown, Strasbourg, France (Nick.Brown@coe.fr) ------------------------------ Date: Sun, 21 Dec 1997 12:48:54 -0500 From: Edupage Editors Subject: Beware of diploma mills on the Net A number of would-be students have fallen victim to the dark side of distance learning on the Internet -- fraudulent schemes that claim to offer accredited degrees in as little as 27 days. In many of these cases, a Web site is about all these "institutions" have to offer, says the co-author of "Bears' Guide to Earning College Degrees Nontraditionally." And while some people assume that a ".edu" suffix guarantees the authenticity of an educational institution, Network Solutions (the company that registers Internet domain names) says it gives a ".edu" name to anyone who requests it. So far, the Accrediting Commission of the Distance Education and Training Council is the only nationally recognized accrediting body for distance-learning programs, while the Global Alliance for Transnational Education focuses on evaluating and certifying international institutions. (Chronicle of Higher Education 19 Dec 97; Edupage, 21 Dec 1997) ------------------------------ Date: Fri, 19 Dec 1997 18:18:40 +0100 From: BROWN Nick Subject: Risks of modern PABXs and digital phones We have just received our introductory training for our new PABX. Everyone will have a digital phone with a two-line alphanumeric display. The possibilities for mischief and accidents will be immediately obvious to regular RISKS readers, but apparently the engineers and marketing people from the PABX manufacturer haven't spotted anything wrong. 1) Anyone can send a text message to anyone else from any phone to which they have physical access. There is a function to "lock" the phone, which many users will probably (incorrectly) imagine protects them; in fact, "locking" the phone only prevents outside calls from being made. So I can go to my colleague's phone and send "Eat my shorts" (readers may like to fill in their own message here) to my local sexual harassment representative. Or, being in competition with another person for a promotion, I can make a number of "mistakes" on their behalf. Etc., etc. Solution: Lock your office every time you leave it. For people who have an open plan office: be on VERY good terms with all of your colleagues. Even the extreme measure of taking your phone with you doesn't help: the phones have no personality module, so they are all identical, and all the parameters (such as your name) are associated with your line in the PABX. 2) When you finally do send a legitimate text message to someone, you get "message sent OK" flashed up on your display, for a full second. If the send fails (eg because the mailbox is full - it has a capacity of about 4 messages), you get "message not sent" flashed up for a second. That's it. No other confirmation, no acknowledgement required. "Didn't you get my vital message ? I'm sure I sent it." 3) The phones have a cute "permanent hands free" function. This is activated by pressing a button, and the only indication that it is on is a very small blinking LED. When this is in place, the phone "answers" a call after one ring, saving you all those calories you wasted up to now reaching to press a button. This function is a great way to listen in on a meeting to which you haven't been invited: visit the meeting room and switch "hands free" on some hours before the meeting. Wait till everyone is sitting round the table. Phone the number. People will groan and look at each other - who's going to answer it ? But after one ring it stops - sighs of relief, the person on the other end realised their mistake and rang off. Well, not quite - they're listening to the entire meeting. 4) You can program a function key with frequently used sequences - for example, the one to read your voice mail. This sequence contains your personal identification code; the same code used to charge personal calls to your account. I don't suppose it will come as a surprise to anybody to learn that this code is plainly visible to anyone who browses the programmable keys, which of course are not protected by a code of any kind. 5) Not that the code would help for most people: it has a minimum length of two (2) digits, a maximum length of 6, and a default of "00". Naturally, the PABX has no mechanism for expiring this code over time, logging failed attempts to guess the code, etc etc etc. There are many others. Two colleagues and I came up with all of these during the training course. The instructor said "nobody has ever pointed any of this out before" - she has trained several thousand people on this system in the last couple of years. Nick Brown, Strasbourg, France. ------------------------------ Date: Tue, 23 Dec 1997 08:12:29 -0800 From: stevan@netscape.com (Stevan Milunovic) Subject: Hackers attack game site (from www.news.com) Hackers broke into the Sierra On-Line gaming site and took down the front page for three hours over the weekend. The hacker(s?) did not access any sensitive data such as credit card information. ------------------------------ Date: Mon, 22 Dec 1997 10:17:01 -0500 (EST) From: Gary McGraw Subject: Adjust your defibrillator today! In *The Washington Post* "DigitalFlubs" column (22 Dec 1997), there is a small article about a bug in 2000 installed defibrillators manufactured by Ventak AV (sold by Guidant Corp out of Indy). There is some debate over whether the bug could ever be life-threatening. Here's my favorite line from the article (and why I am writing this up for RISKS): "Surgery isn't necessary; doctors can adjust the devices' programming with a small radio transmitter." The obvious risk is that somebody else will opt to reprogram defibrillators by broadcast. One would hope there are controls and authentication mechanisms... righto. The press never seems to be aware of the downside of automatic adjustment schemes. Dr. Gary McGraw, Research Scientist, Reliable Software Technologies (RST), Sterling, VA gem@rstcorp.com ------------------------------ Date: Mon, 22 Dec 1997 01:10:40 GMT From: Philip Koopman Subject: Mobil Speedpass Mobil is promoting the Speedpass program in which you get a radio frequency transponder and use that to pay for fuel at the pump in a service station. They are apparently using TIRIS technology from Texas Instruments. The key-ring version uses fairly short-range low frequency energy, and I'd have to guess that the car-mounted version is using their 915 MHz battery-powered transponder. This is a neat application, especially for fleet vehicles, especially since no PIN is required. But, I worked with RF transmitter and transponder security in my previous job, and this application rings minor alarm bells in my mind. Now for the Risks -- TIRIS (and, in general, any cheap RF) technology is not terribly secure against interception and theft of your identification number. It seems to me that the car-mounted device would present the greater risk, since it is pretty much the same technology that is also being sold for electronic tollbooth collection. So, if you "ping" a vehicle with a mounted Speedpass transponder you can get its code and potentially use it to buy fuel until the code is reported stolen. The risk is analogous to someone reading your telephone credit card at an airport without you knowing it. Yes, the 915 MHz TIRIS device is encrypted, but unless they've improved their crypto in the year or so since I checked up them I wouldn't consider it truly secure. (For crypto geeks -- the TIRIS device I looked into used rolling-code transmissions with a fixed-feedback LFSR using the same polynomial for *all* devices; each device simply starts with a different seed number. So, once you trivially determine the polynomial from one transponder you only need one interception to crack any other unit. Maybe they've improved recently -- they don't advertise that level of detail at their web site.) To their credit, Mobil reassured me that the TIRIS code isn't the same as your credit card number (so they're not broadcasting your credit card number over the airwaves, which is good) and that someone would have to know your date of birth and social security number to retrieve the credit card number from their information system (well, maybe I'm not so re-assured after all). The real risk is that ultra-low-cost devices usually don't have enough room for strong cryptography, and often use pretty weak cryptography; but to a lay-person saying it is "encrypted" conveys a warm, fuzzy feeling of security. Perhaps theft of a bit of vehicle fuel isn't a big deal (although for long-haul trucks a full tank isn't cheap), and certainly pales by comparison to cell phone ID theft. But, you'd think they would have learned the lesson about RF broadcast of ID information. I wonder how long it will be until the key-ring Speedpass is accepted as equivalent to a credit card for other purchases... and considered indisputable because it is encrypted. Information sources: TIRIS http://www.ti.com/mc/docs/tiris/docs/mobil.htm Speedpass http://www.mobil.com/speedpass/html/questions.html A customer supervisor at the Speedpass enrollment center confirmed that they were using Texas Instruments technology, and provided numerous well-intentioned but vague assurances about security. Phil Koopman -- koopman@cmu.edu -- http://www.ece.cmu.edu/koopman ------------------------------ Date: Mon, 22 Dec 1997 14:13:37 PST From: Jeff Gruszynski Subject: Tufte and Information Density (Re: Potential nightmare, RISKS-19.50) In his seminars, Edward R. Tufte compares the visual information density of various media technologies. He ranks most Powerpoint-generated corporate viewcharts and and Excel-generated graphs as typically ranking at or below the level of Soviet-era communist or Nazi-era propaganda posters. Technologies like the web are only marginally better compared to paper (72 dpi vs 1000+ dpi for quality paper publishing). If you do web publishing, keeping this in mind helps keep you appropriately humble. Jeff ------------------------------ Date: Mon, 22 Dec 1997 22:26:36 -0500 From: William Hugh Murray Subject: Re: KC power outage (PGN, RISKS-19.51) > ... ``brief and supposedly impossible power failure'' ... > ... the latest in an improbable series of problems. Not improbable at all; rather, it is measurable. As with any such "protective" mechanism, for every n problems that it prevents, a UPS will cause m. As the UPS ages, the ratio of m to n tends to rise and may even approach one. (Since this is counter-intuitive, the ratio has even been known to rise above one before the UPS is replaced.) A large number of these events are associated with maintenance of the UPS. Indeed, the switch used to take the UPS off line for maintenance is often a single point of failure. The life of a UPS is usually several times longer than the computers with which it is used and may be longer than the life of the technology from which it is built. Thus, when a UPS approaches end of life, it may no longer be possible to get parts with which to maintain it. The battery of a UPS requires a great deal of maintenance, can be fully tested only under load, and may fail just when it is required. William Hugh Murray, New Canaan, Connecticut ------------------------------ Date: 1 Apr 1997 (LAST-MODIFIED) From: RISKS-request@csl.sri.com Subject: Abridged info on RISKS (comp.risks) The RISKS Forum is a MODERATED digest. Its Usenet equivalent is comp.risks. => SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) if possible and convenient for you. Or use Bitnet LISTSERV. Alternatively, (via majordomo) DIRECT REQUESTS to with one-line, SUBSCRIBE (or UNSUBSCRIBE) [with net address if different from FROM:] or INFO [for unabridged version of RISKS information] => The INFO file (submissions, default disclaimers, archive sites, .mil/.uk subscribers, copyright policy, PRIVACY digests, etc.) is also obtainable from http://www.CSL.sri.com/risksinfo.html ftp://www.CSL.sri.com/pub/risks.info The full info file will appear now and then in future issues. *** All contributors are assumed to have read the full info file for guidelines. *** => SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line. => ARCHIVES are available: ftp://ftp.sri.com/risks or ftp ftp.sri.comlogin anonymous[YourNetAddress]cd risks [volume-summary issues are in risks-*.00] [back volumes have their own subdirectories, e.g., "cd 18" for volume 18] or http://catless.ncl.ac.uk/Risks/VL.IS.html [i.e., VoLume, ISsue]. The ftp.sri.com site risks directory also contains the most recent PostScript copy of PGN's comprehensive historical summary of one liners: get illustrative.PS ------------------------------ End of RISKS-FORUM Digest 19.52 ************************