precedence: bulk Subject: Risks Digest 19.87 RISKS-LIST: Risks-Forum Digest Friday 17 July 1998 Volume 19 : Issue 87 FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks) ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator ***** See last item for further information, disclaimers, caveats, etc. ***** This issue is archived at http://catless.ncl.ac.uk/Risks/19.87.html Contents: ``Better DES challenge'' solved by John Gilmore and ``Deep Crack'' (Matt Blaze) "EFF DES Cracker" machine brings honesty to crypto debate (John Gilmore) Privacy vs. police convenience (George Dinwiddie) First results of SOHO investigation (Jan Vorbrueggen) AOL compounds security hole (David Cassel) Teen-age hacker break-in article was a hoax (Martin Minow) Gullibility Virus BEWARE! (Marc Salverson) Re: Navy software problems (Harlan Rosenthal) Re: Still more on TWA flight 800 (Greg Vistica) Abridged info on RISKS (comp.risks) ---------------------------------------------------------------------- Date: Fri, 17 Jul 1998 03:31:45 -0400 From: Matt Blaze Subject: ``Better DES challenge'' solved by John Gilmore and ``Deep Crack'' On June 23 1997, I offered a prize of 56 bits ($7.00) for finding a DES key with a certain interesting property. In particular, I wanted a DES key such that some ciphertext block of the form decrypts to a plaintext block of the form , where X and Y represent any fixed eight-bit byte value repeated across each of the eight bytes of the 64 bit DES codebook block. Finding a key of this form would require either computational effort approximately equal to searching the DES keyspace or discovering a new cryptanalytic technique against DES. Knowing such a key would therefore demonstrate that it is feasible to mount an exhaustive search against the DES keyspace or that there is some weakness in DES that allows keys to be found analytically. This challenge, then, has the desirable property that a result ``speaks for itself'' in demonstrating the weakness of DES, without the need for an ``honest broker'' who must safeguard the solution. The solution keys could not be known to any people who haven't themselves searched the keyspace or found some other weakness. It would be just as much of an accomplishment for me to claim the prize as it would be for anyone else. I am pleased to announce that the prize has been claimed. On July 2, 1998, John Gilmore, of the Electronic Frontier Foundation, informed me that: With a (parity-padded) key of 0E 32 92 32 EA 6D 0D 73, the plaintext of 8787878787878787 becomes the ciphertext 0000000000000000 According to John, this solution was found after several days of work with the EFF ``Deep Crack'' hardware, a specialized parallel processor optimized for DES key search. Information on Deep Crack can be found at . I am especially gratified that this DES challenge problem was chosen as the first application of the Deep Crack hardware, and that the challenge has revealed data that might, perhaps, yield some additional analytic clues about the structure of the DES algorithm. A number of individuals and organizations generously pledged additional bits to supplement my original (quite modest) 56 bit prize, for a total over 10000 bits ($1250.00). I will be contacting these individuals privately to inform them that their pledges have come due. Note that although the prize has been claimed and the contest is now officially closed, there may be other solution keys (in fact, we'd expect to find about 255 more, if DES emulates a random permutation). I encourage the community to continue looking for solution keys. Indeed, it would be interesting to know how many such keys actually do exist in DES. Congratulations John! -matt ------------------------------ Date: Fri, 17 Jul 1998 03:23:32 -0700 (PDT) From: John Gilmore Subject: "EFF DES Cracker" machine brings honesty to crypto debate CONTACTS: Alexander Fowler, +1 202 462 5826, afowler@eff.org Barry Steinhardt, +1 415 436 9333 ext. 102, barrys@eff.org John Gilmore, +1 415 221 6524, gnu@toad.com "EFF DES CRACKER" MACHINE BRINGS HONESTY TO CRYPTO DEBATE ELECTRONIC FRONTIER FOUNDATION PROVES THAT DES IS NOT SECURE SAN FRANCISCO, CA -- The Electronic Frontier Foundation (EFF) today raised the level of honesty in crypto politics by revealing that the Data Encryption Standard (DES) is insecure. The U.S. government has long pressed industry to limit encryption to DES (and even weaker forms), without revealing how easy it is to crack. Continued adherence to this policy would put critical infrastructures at risk; society should choose a different course. To prove the insecurity of DES, EFF built the first unclassified hardware for cracking messages encoded with it. On Wednesday of this week the EFF DES Cracker, which was built for less than $250,000, easily won RSA Laboratory's "DES Challenge II" contest and a $10,000 cash prize. It took the machine less than 3 days to complete the challenge, shattering the previous record of 39 days set by a massive network of tens of thousands of computers. The research results are fully documented in a book published this week by EFF and O'Reilly and Associates, entitled "Cracking DES: Secrets of Encryption Research, Wiretap Politics, and Chip Design." "Producing a workable policy for encryption has proven a very hard political challenge. We believe that it will only be possible to craft good policies if all the players are honest with one another and the public," said John Gilmore, EFF co-founder and project leader. "When the government won't reveal relevant facts, the private sector must independently conduct the research and publish the results so that we can all see the social trade-offs involved in policy choices." The nonprofit foundation designed and built the EFF DES Cracker to counter the claim made by U.S. government officials that governments cannot decrypt information when protected by DES, or that it would take multimillion-dollar networks of computers months to decrypt one message. "The government has used that claim to justify policies of weak encryption and 'key recovery,' which erode privacy and security in the digital age," said EFF Executive Director Barry Steinhardt. It is now time for an honest and fully informed debate, which we believe will lead to a reversal of these policies." "EFF has proved what has been argued by scientists for twenty years, that DES can be cracked quickly and inexpensively," said Gilmore. "Now that the public knows, it will not be fooled into buying products that promise real privacy but only deliver DES. This will prevent manufacturers from buckling under government pressure to 'dumb down' their products, since such products will no longer sell." Steinhardt added, "If a small nonprofit can crack DES, your competitors can too. Five years from now some teenager may well build a DES Cracker as her high school science fair project." The Data Encryption Standard, adopted as a federal standard in 1977 to protect unclassified communications and data, was designed by IBM and modified by the National Security Agency. It uses 56-bit keys, meaning a user must employ precisely the right combination of 56 1s and 0s to decode information correctly. DES accounted for more than $125 million annually in software and hardware sales, according to a 1993 article in "Federal Computer Week." Trusted Information Systems reported last December that DES can be found in 281 foreign and 466 domestic encryption products, which accounts for between a third and half of the market. A DES cracker is a machine that can read information encrypted with DES by finding the key that was used to encrypt that data. DES crackers have been researched by scientists and speculated about in the popular literature on cryptography since the 1970s. The design of the EFF DES Cracker consists of an ordinary personal computer connected to a large array of custom chips. It took EFF less than one year to build and cost less than $250,000. This week marks the first public test of the EFF DES Cracker, which won the latest DES-cracking speed competition sponsored by RSA Laboratories (http://www.rsa.com/rsalabs/). Two previous RSA challenges proved that massive collections of computers coordinated over the Internet could successfully crack DES. Beginning Monday morning, the EFF DES Cracker began searching for the correct answer to this latest challenge, the RSA DES Challenge II-2. In less than 3 days of searching, the EFF DES Cracker found the correct key. "We searched more than 88 billion keys every second, for 56 hours, before we found the right 56-bit key to decrypt the answer to the RSA challenge, which was 'It's time for those 128-, 192-, and 256-bit keys,'" said Gilmore. Many of the world's top cryptographers agree that the EFF DES Cracker represents a fundamental breakthrough in how we evaluate computer security and the public policies that control its use. "With the advent of the EFF DES Cracker machine, the game changes forever," said Whitfield Diffie, Distinguished Engineer at Sun Microsystems and famed co-inventor of public key cryptography. "Vast Internet collaborations cannot be concealed and so they cannot be used to attack real, secret messages. The EFF DES Cracker shows that it is easy to build search engines that can." "The news is not that a DES cracker can be built; we've known that for years," said Bruce Schneier, the President of Counterpane Systems. "The news is that it can be built cheaply using off-the-shelf technology and minimal engineering, even though the department of Justice and the FBI have been denying that this was possible." Matt Blaze, a cryptographer at AT&T Labs, agreed: "Today's announcement is significant because it unambiguously demonstrates that DES is vulnerable, even to attackers with relatively modest resources. The existence of the EFF DES Cracker proves that the threat of "brute force" DES key search is a reality. Although the cryptographic community has understood for years that DES keys are much too small, DES-based systems are still being designed and used today. Today's announcement should dissuade anyone from using DES." EFF and O'Reilly and Associates have published a book about the EFF DES Cracker, "Cracking DES: Secrets of Encryption Research, Wiretap Politics, and Chip Design." The book contains the complete design details for the EFF DES Cracker chips, boards, and software. This provides other researchers with the necessary data to fully reproduce, validate, and/or improve on EFF's research, an important step in the scientific method. The book is only available on paper because U.S. export controls on encryption potentially make it a crime to publish such information on the Internet. EFF has prepared a background document on the EFF DES Cracker, which includes the foreword by Whitfield Diffie to "Cracking DES." See http://www.eff.org/descracker/. The book can be ordered for worldwide delivery from O'Reilly & Associates at http://www.ora.com/catalog/crackdes, +1 800 998 9938, or +1 707 829 0515. ********** The Electronic Frontier Foundation is one of the leading civil liberties organizations devoted to ensuring that the Internet remains the world's first truly global vehicle for free speech, and that the privacy and security of all on-line communication is preserved. Founded in 1990 as a nonprofit, public interest organization, EFF is based in San Francisco, California. EFF maintains an extensive archive of information on encryption policy, privacy, and free speech at http://www.eff.org. Alexander Fowler Director of Public Affairs Electronic Frontier Foundation E-mail: afowler@eff.org Tel/Fax: 202 462 5826 (East Coast) Tel: 415 436 9333; Fax 415 436 9993 (West Coast) You can find EFF on the Web at EFF supports the Global Internet Liberty Campaign ------------------------------ Date: Fri, 17 Jul 98 9:44:00 EDT From: gd@cen.com Subject: Privacy vs. police convenience FBI seeks access to cellphone locations According to *The New York Times*, FBI Director Louis Freeh has asked that the precise locations of cellular phone users be provided without a court order in "emergencies," including the suspicion of a felony, the pursuit of a fugitive or cases where human safety is deemed to be in jeopardy. The FBI has asked the Senate Appropriations Committee to add language to an appropriations bill to require phone companies to provide such information. The technology to be used allows the triangulation of any cell phone that is turned on within the cellular network; it does not have to be in the process of a call. The risks are obvious. What is not obvious is when a policeman might NOT have a suspicion that a felony is being or has been committed. Isn't such a suspicion a natural part of conducting the business of a policeman? http://www.nytimes.com/library/tech/98/07/biztech/articles/17tap.html George Dinwiddie, Century Computing, Inc., 8101 Sandy Spring Road, Suite 200 Laurel, MD 20707 http://www.cen.com/ (301) 953-3330 gdinwiddie@cen.com ------------------------------ Date: 17 Jul 1998 12:15:45 +0200 From: Jan Vorbrueggen Subject: First results of SOHO investigation ESA has just issued a press release with first results of why the SOHO satellite went out of control. It's a nice example of how apparently unconnected errors, including one of incorrect human interpretation of the situation, can conspire and lead to failure. In brief, a preprogrammed command sequence did not switch on a gyro (which senses changes in the spacecraft's attitude); this gyro, one of three, is usually off to conserve service life, but is required in specific situations as a backup and safeguard if something goes wrong. A second sequence erroneously did not reset the gain on another gyro, which was being used during a maintenance operation as a fault detector (basically checking, with increased sensitivity, that the attitude control system managed to hold SOHO stable during that operation). After the maintenance operation, the increased gain on the second gyro lead to the control system detecting a fault, as it interpreted the output from the gyro as a much larger change in attitude than it really was. During recovery from this fault, the wrong gain setting was noted and corrected, and the first gyro - unintentionally off - was being used to control SOHO. Now, the read-out of a gyro always has a bias when operating, i.e., zero actual change is read as a non-zero measured rate. This bias is a calibration constant and automatically subtracted by the control software from the measured values, as these are integrated over time to yield the actual attitude. Because this gyro was off, the measured value was zero; thus, the software kept integrating a constant, namely the negative of the bias, until it thought the satellite was off the commanded attitude, which triggered a second fault. During recovery from this fault, controllers thought the first, non-operational gyro was functioning, interpreted the data they were seeing as the second, functional gyro as being suspect, and switched it off! Shades of the crew shutting down the wrong engine on that British 737 some years ago. At this point, SOHO was still under control, albeit with an unintended slow spin. During the further recovery process, however, the attitude control system tried to compensate for what it thought was an attitude deviation (which in reality was only the first gyro's time-integrated bias), and the resulting spin soon exceeded the controller's ability to handle it, sending the satellite out of control. What I find astonishing is that the whole incident results from a single bit of misinformation, namely the operational status of the first gyro. Had the ground crew noted the fact that it wasn't in operation, the incident could have been avoided in spite of the previous operational errors. The press release does not indicate whether the ground crew did not have or did not consider this information, or whether, in the former case, it could or should have tried to obtain it before making any decision. Also, it seems likely that a more considered response to the second fault would have been to bring the third gyro up as a backup before turning off the second one and proceeding with recovery. Jan Vorbrueggen, Institut f. Neuroinformatik, Ruhr-Universitaet Bochum jan@neuroinformatik.ruhr-uni-bochum.de [Ben Hines also commented on the report, "SOHO Mission Interruption Preliminary Status and Background Report", which he noted can be found at http://umbra.nascom.nasa.gov/soho/prelim_and_background_rept.html] ------------------------------ Date: Fri, 17 Jul 1998 09:37:38 -0700 (PDT) From: David Cassel Subject: AOL compounds security hole Remember the flap when AOL leaked the real-life name behind the screen name of a navy sailor? 1363 real-life names were stolen last month when an attacker made off with a "duty roster" for AOL's remote staff. http://www.news.com/News/Item/0,4,23726,00.html The information ultimately found its way to reporters. Several of the staffers said they received taunting e-mail, including their name and screen name, which claimed the information had not only been kept on-line, but had been unnecessarily cc'd via e-mail to five different managers -- and that messages had lingered in one manager's inbox for over a month (instead of being read and deleted promptly.) C|Net interviewed the attacker, who says AOL has a "bad" customer service employee who granted access to the necessary manager's account. An AOL source told me that's their suspicion as well. http://www.news.com/Rumormill/Archives/1998/rum7_9_98.html http://www.aolsucks.org/list/0097.html AOL recently restricted the ability to re-set passwords to fewer people -- but the breach occurred just a few days before those changes went into effect. The attacker's warning is probably good advice. A breach can be made worse if sensitive e-mail isn't read and deleted quickly -- and if sensitive information is being distributed on-line to several accounts. David Cassel, Editor, AOL Watch - http://www.aolwatch.org ------------------------------ Date: Wed, 15 Jul 1998 20:38:17 -0700 From: Martin Minow Subject: Teen-age hacker break-in article was a hoax Remember that story in *The New Republic* about the 15-year-old kid who broke into a corporate database and posted employee salaries and pictures of naked women on its web site? According to an editor's note in Paul Krassner's newsletter, The Realist, "it turned out to have been a total invention of associate editor Stephen Glass, who was fired as a result." Disclaimer: as a matter of editorial policy, The Realist does not distinguish between its fictional and factual articles. In this way, Krassner may have anticipated the Internet by 30 years. Martin Minow, minow@pobox.com [People who thrive on Glass browses shouldn't know groans? PGN] ------------------------------ Date: Fri, 17 Jul 1998 12:52:17 -0500 From: "Salverson, Marc" Subject: Gullibility Virus BEWARE! This is what I send out when someone warns me about opening any e-mail with GOOD TIMES in the subject line. - Marc ************************************************************* WARNING, CAUTION, DANGER, AND BEWARE! Gullibility Virus Spreading over the Internet! ************************************************************* WASHINGTON, D.C.--The Institute for the Investigation of Irregular Internet Phenomena announced today that many Internet users are becoming infected by a new virus that causes them to believe without question every groundless story, legend, and dire warning that shows up in their inbox or on their browser. The Gullibility Virus, as it is called, apparently makes people believe and forward copies of silly hoaxes relating to cookie recipes, email viruses, taxes on modems, and get-rich-quick schemes. "These are not just readers of tabloids or people who buy lottery tickets based on fortune cookie numbers," a spokesman said. "Most are otherwise normal people, who would laugh at the same stories if told to them by a stranger on a street corner." However, once these same people become infected with the Gullibility Virus, they believe anything they read on the Internet. "My immunity to tall tales and bizarre claims is all gone," reported one weeping victim. "I believe every warning message and sick child story my friends forward to me, even though most of the messages are anonymous." Another victim, now in remission, added, "When I first heard about Good Times, I just accepted it without question. After all, there were dozens of other recipients on the mail header, so I thought the virus must be true." It was a long time, the victim said, before she could stand up at a Hoaxees Anonymous meeting and state, "My name is Jane, and I've been hoaxed." Now, however, she is spreading the word. "Challenge and check whatever you read," she says. Internet users are urged to examine themselves for symptoms of the virus, which include the following: The willingness to believe improbable stories without thinking. The urge to forward multiple copies of such stories to others. A lack of desire to take three minutes to check to see if a story is true. T. C. is an example of someone recently infected. He told one reporter, "I read on the Net that the major ingredient in almost all shampoos makes your hair fall out, so I've stopped using shampoo." When told about the Gullibility Virus, T. C. said he would stop reading email, so that he would not become infected. Anyone with symptoms like these is urged to seek help immediately. Experts recommend that at the first feelings of gullibility, Internet users rush to their favorite search engine and look up the item tempting them to thoughtless credence. Most hoaxes, legends, and tall tales have been widely discussed and exposed by the Internet community. Courses in critical thinking are also widely available, and there is online help from many sources, including Department of Energy Computer Incident Advisory Capability at http://ciac.llnl.gov/ciac/CIACHoaxes.html Symantec Anti Virus Research Center at http://www.symantec.com/avcenter/index.html McAfee Associates Virus Hoax List at http://www.mcafee.com/support/hoax.html Dr. Solomons Hoax Page at http://www.drsolomons.com/vircen/hoax.html The Urban Legends Web Site at http://www.urbanlegends.com Urban Legends Reference Pages at http://www.snopes.com Datafellows Hoax Warnings at http://www.Europe.Datafellows.com/news/hoax.htm Those people who are still symptom free can help inoculate themselves against the Gullibility Virus by reading some good material on evaluating sources, such as Evaluating Internet Research Sources at http://www.sccu.edu/faculty/R_Harris/evalu8it.htm Evaluation of Information Sources at http://www.vuw.ac.nz/~agsmith/evaln/evaln.htm Bibliography on Evaluating Internet Resources at http://refserver.lib.vt.edu/libinst/critTHINK.HTM Lastly, as a public service, Internet users can help stamp out the Gullibility Virus by sending copies of this message to anyone who forwards them a hoax. ------------------------------ Date: Fri, 17 Jul 1998 09:21:39 From: Harlan Rosenthal Subject: Re: Navy software problems (RISKS-19.86) > The Aegis Baseline 6 ... Engineers are having trouble getting > the new systems to work with each other and with the ships' legacy software. How about we draft the people who have made it possible to play Wing Commander, and Descent:Freespace, and Jane's F15, and Quake, and Diablo, cooperatively/competitively across the net? I always have this same reaction when issues of air traffic control come up, too; a Pentium or G3 dedicated to each plane in the air, and a 100baseT network, should be able to handle both the calculations and dataflow . . . combat would admittedly be harder. -harlan ------------------------------ Date: Fri, 17 Jul 1998 12:45:59 -0400 From: "Vistica, Greg" Subject: Re: Still more on TWA flight 800 (RISKS-19.85) This has not previously been reported to my knowledge, and occurred before the Scarry study: Last year, a reputable Pentagon investigator I know informed the FBI that the TWA 747 had been struck by high radiation and wondered if this could have set off a spark igniting the blast. The FBI said thanks and never called him back. Greg Vistica. ------------------------------ Date: 31 Mar 1998 (LAST-MODIFIED) From: RISKS-request@csl.sri.com Subject: Abridged info on RISKS (comp.risks) The RISKS Forum is a MODERATED digest. Its Usenet equivalent is comp.risks. => SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) if possible and convenient for you. Alternatively, via majordomo, SEND DIRECT E-MAIL REQUESTS to with one-line, SUBSCRIBE (or UNSUBSCRIBE) [with net address if different from FROM:] or INFO [for unabridged version of RISKS information] .MIL users should contact (Dennis Rears). .UK users should contact . => The INFO file (submissions, default disclaimers, archive sites, copyright policy, PRIVACY digests, etc.) is also obtainable from http://www.CSL.sri.com/risksinfo.html ftp://www.CSL.sri.com/pub/risks.info The full info file will appear now and then in future issues. *** All contributors are assumed to have read the full info file for guidelines. *** => SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line. => ARCHIVES are available: ftp://ftp.sri.com/risks or ftp ftp.sri.comlogin anonymous[YourNetAddress]cd risks [volume-summary issues are in risks-*.00] [back volumes have their own subdirectories, e.g., "cd 18" for volume 18] or http://catless.ncl.ac.uk/Risks/VL.IS.html [i.e., VoLume, ISsue]. The ftp.sri.com site risks directory also contains the most recent PostScript copy of PGN's comprehensive historical summary of one liners: get illustrative.PS ------------------------------ End of RISKS-FORUM Digest 19.87 ************************