precedence: bulk Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: 8bit Subject: Risks Digest 20.17 RISKS-LIST: Risks-Forum Digest Weds 20 January 1999 Volume 20 : Issue 17 FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks) ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator ***** See last item for further information, disclaimers, caveats, etc. ***** This issue is archived at and at ftp.sri.com/risks/ . Contents: Remarkable French announcement on crypto policy (Enzo Michelangeli and John Young via Steve Bellovin from cryptography newsgroup) Deep Crack cracks RSA's DES challenge in less than one day (PGN) The RISKS of Web links (Daniel R. Tobias) Virginia online sex offender database (Joe Thompson) China solves the Millennium bug (Pete Mellor) Computer crash blew up radio listener's request messages (Kenji Rikitake) REVIEW: "Stopping Spam", Alan Schwartz/Simson Garfinkel (Rob Slade) Abridged info on RISKS (comp.risks) ---------------------------------------------------------------------- Date: Tue, 19 Jan 1999 17:59:22 -0800 From: Steve Bellovin Subject: Remarkable French announcement on crypto policy Date: Wed, 20 Jan 1999 08:50:53 +0800 >From: "Enzo Michelangeli" To: "John Young" , Subject: Re: France allows 128-bit crypto The third legislative initiative concerns cryptography. With the development of electronic espionage instruments, cryptography appears as an essential instrument of privacy protection. We had, one year ago, made a first step towards liberalization of cryptographic instruments. At that time I had announced that we were going to make one further. The Government has, since then, heard the players, questioned the experts and consulted its international partners. We have today become convinced that the legislation of 1996 is no longer suitable. In fact, it strongly restricts the usage of cryptography in France, on the other hand, for all that, without allowing the public powers to fight effectively against criminal actions of which encryption could facilitate the dissimulation. In order to change the orientation of our legislation, the Government has thus retained the following orientations, that I have discussed with the President of the Republic: - - To offer a complete freedom of use of cryptography - - To remove the compulsory nature or third-party escrow of encryption keys - - To supplement the current legal framework by the introduction of obligations, together with penal sanctions, concerning the handing-over to the legal authorities, when they require it, of the cleartext version of encrypted documents. At the same time, the technical skills of the public authorities will be significantly improved. Changing the law will take many months. The Govenment has decided that the main obstacles holding up the citizens from protecting the confidentiality of their communications and the development of electronic commerce be lifted without waiting. Also, waiting for the announced legislative changes, the Government has decided to raise the the the threshold of cryptology the use of which is free, from 40 bit to 128 bit, considered by the experts a level suitable to ensure durably a very high security. - --- Time to sing the Marseillaise again? :-) Enzo - -----Original Message----- >From: John Young To: cryptography@c2.net Date: Wednesday, January 20, 1999 7:11 AM Subject: France Allows 128 Bit Crypto The French Prime Minister today announced that due to the threat of espionage and invasion of privacy France will allow encryption strength up to 128 bits: http://www.premier-ministre.gouv.fr/PM/D190199.HTM (c) Le troisième chantier législatif concerne la cryptologie. Alors que se développent les moyens d'espionnage électronique, la cryptologie apparaît comme un moyen essentiel pour protéger la confidentialité des échanges et la protection de la vie privée. Nous avions, il y a un an, franchi un premier pas vers la libéralisation des moyens de cryptologie. J'avais annoncé alors que nous en franchirions un autre ultérieurement. Le Gouvernement a, depuis, entendu les acteurs, interrogé les experts et consulté ses partenaires internationaux. Nous avons aujourd'hui acquis la conviction que la législation de 1996 n'est plus adaptée. En effet, elle restreint fortement l'usage de la cryptologie en France, sans d'ailleurs permettre pour autant aux pouvoirs publics de lutter efficacement contre des agissements criminels dont le chiffrement pourrait faciliter la dissimulation. Pour changer l'orientation de notre législation, le Gouvernement a donc retenu les orientations suivantes dont je me suis entretenu avec le Président de la République : - - offrir une liberté complète dans l'utilisation de la cryptologie ; - - supprimer le caractère obligatoire du recours au tiers de confiance pour le dépôt des clefs de chiffrement ; - - compléter le dispositif juridique actuel par l'instauration d'obligations, assorties de sanctions pénales, concernant la remise aux autorités judiciaires, lorsque celles-ci la demandent, de la transcription en clair des documents chiffrés. De même, les capacités techniques des pouvoirs publics seront significativement renforcées. Changer la loi prendra plusieurs mois. Le Gouvernement a voulu que les principales entraves qui pèsent sur les citoyens pour protéger la confidentialité de leurs échanges et sur le développement du commerce électronique soient levées sans attendre. Ainsi, dans l'attente des modifications législatives annoncées, le Gouvernement a décidé de relever le seuil de la cryptologie dont l'utilisation est libre, de 40 bits à 128 bits, niveau considéré par les experts comme assurant durablement une très grande sécurité. ------------------------------ Date: Wed, 20 Jan 1999 11:00:17 PST From: "Peter G. Neumann" (Neumann@CSL.sri.com) Subject: Deep Crack cracks RSA's DES challenge in less than one day On Monday morning around 9am when this year's RSA DES challenge was announced by Jim Bidzos at this week's RSA Data Security Conference in San Jose, John Gilmore set Deep Crack to work. (See RISKS-19.87 for background.) About 22:25 hours later, Deep Crack had found the 56-bit DES key, capturing the $10,000 prize by breaking the 24-hour mark. This latest event further dramatizes the inherent risks of relying on cryptography. (In three hours, Matt Blaze, Steve Bellovin, and I (with Jeff Schiller unfortunately in absentia) tackle the question "Is Cryptography Enough?" RISKS readers know well that the answer is NO.) [This is not acccurate enough. More in the next issue. PGN] ------------------------------ Date: Sat, 16 Jan 1999 11:20:21 -0600 From: "Daniel R. Tobias" Subject: The RISKS of Web links I received a message this morning from somebody complaining about my inclusion of a link to a pornographic Web site from a page that would otherwise have been a suitable resource for him to refer to scholars and students interested in the topic of my page. This came as news to me, as I had no knowledge of having any direct "porn" links from my site. Some pretty extreme politics and philosophical stuff, yes, but no dirty pictures. So I checked the page in question and tried the links from it, and found that one of them did indeed go to a porn site. It turned out that what had happened was that the domain name of the site I had linked to was either sold by its former owner or allowed to expire at InterNIC due to nonpayment of renewal fees, and the domain was picked up by a new owner who's in the business of online pornography. This new owner set up the server so that links to any page on the old site would bring up the X-rated home page of the porn site, instead of just resulting in a "404 Not Found" error. This illustrates a big risk for anyone who maintains links to other Web sites; places you link to can radically change their character, especially if domain names expire and get acquired by different parties. This may have a highly damaging effect on the reputation of a site that winds up with such a link, and the use of automated link-checking programs to weed out "404 Not Founds" won't find this sort of problem. --Dan http://www.softdisk.com/comp/dan/ [This does remind us of the Intuit 800 number case "Risks of old documentation" that Richard C. Wolber contributed in RISKS-20.15. PGN] ------------------------------ Date: Tue, 19 Jan 1999 15:37:07 -0500 From: Joe Thompson Subject: Virginia online sex offender database Virginia recently (December 29) released an online sex-offender database: http://sex-offender.vsp.state.va.us/Images/Search.htm In its first three weeks of operation, besides glitches involving names of offenders, two of 49 local residents whose addresses were published in a local weekly contacted them to say that the offender listed as living at that address has moved. The Virginia State Police have promised to update the database "swiftly". Needless to say, the Virginia chapter of the ACLU is pointing to these errors as the exact reason they oppose the website. -- Joe Joe Thompson Charlottesville, VA joe@orion-com.com http://kensey.home.mindspring.com/ ------------------------------ Date: Sat, 16 Jan 1999 19:47:13 GMT From: Pete Mellor Subject: China solves the Millennium bug According to the BBC World Service yesterday, and various items in newspapers, China has solved its Millennium problems (at least where air transport is concerned) at a stroke. The chief executives of all of its airlines are ordered to be airborne at midnight on 31st December 1999. Peter Mellor, Centre for Software Reliability, City University, Northampton Square, London EC1V 0HB, UK. Tel: +44 (171) 477-8422, Fax: +44 (171) 477-8585 [Apparently "only under consideration", not established. PGN] ------------------------------ Date: Sun, 17 Jan 1999 13:54:57 +0900 (JST) From: Kenji Rikitake Subject: Computer crash blew up radio listener's request messages About 11:30pm EST, January 16, 1998, on CBC Radio One, Holger Petersen, the host of the program called Saturday Night Blues, said that he lost his listener's request voice messages due to "a computer crash" in CBC office in Edmonton, Alberta, Canada. Another proof of taking risk of NOT making backup data. Kenji Rikitake , Toyonaka City, Osaka, JAPAN ------------------------------ Date: Mon, 18 Jan 1999 11:44:23 -0800 From: "Rob Slade, doting grandpa of Ryan and Trevor" Subject: REVIEW: "Stopping Spam", Alan Schwartz/Simson Garfinkel BKSTPSPM.RVW 981030 "Stopping Spam", Alan Schwartz/Simson Garfinkel, 1998, 1-56592-388-X, U$19.95/C$29.95 %A Alan Schwartz alansz@araw.mede.uic.edu %A Simson Garfinkel simsong@vineyard.net %C 103 Morris Street, Suite A, Sebastopol, CA 95472 %D 1998 %G 1-56592-388-X %I O'Reilly & Associates, Inc. %O U$19.95/C$29.95 800-998-9938 fax: 707-829-0104 nuts@ora.com %P 208 p. %T "Stopping Spam" Eternal vigilance is the price of junk free email. Therefore, readers expecting to find a quick fix for spam in this book are possibly going to be disappointed. Those who persevere, however, will find much useful material that is both interesting, and valuable in the fight against unsolicited and commercial mass mail bombing. Chapter one details the problem with a definition of spam, the functionally differing types of spam, the different intention of spam (including reputation attacks), and the reasons why spam should be combatted, rather than merely tolerated and deleted. A historical background to the situation is provided in chapter two. This includes mention of viral programs (plus a repetition of the myth that CHRISTMA EXEC caused a mass shutdown of VNET). the primary emphasis, though, is on the Green Card Lawyers, Cyberpromotions, and others of that ilk. (A warning against vigilante actions is also germane.) The current position is described very briefly in chapter three. Groups of spammers and spamming tools are noted. (Perhaps the authors do not want to give anyone ideas, but the technology section is very terse indeed.) In closing, a nightmare future spam scenario is provided. Chapter four provides a solid technical background for further discussion of spam, covering mail agents and the mail and news protocols. A number of steps that the average computer user can take are listed in chapter five. The range from hiding your identity or preventing address "harvesting" (not all the suggestions are convenient), to the more active detecting of spammers behind spoofing techniques, and reporting to authorities. Similar advice for newsgroups is given in chapter six, emphasizing specific programs like NoCeM. Chapter seven moves into larger areas of responsibility with advice on both policy and practical configuration settings to reduce both incoming and outgoing spam. The larger net community is addressed in chapter eight. An appendix lists a wide variety of resources, but the annotations may not always give you the complete picture. For example, the Spam Media Tracker Web site is listed, but at a relatively old address. This, of course, happens all the time on the net, but it is stranger that there is no mention of the spam-news mailing list, the original (and ongoing) source for the site. It would, or course, be prohibitive to identify all international agencies dealing with spam. However, do note that only US government offices are noted as departments to report to. While understandable, the tone of moral outrage that colours the initial chapters may not be as helpful as a calmer precis. As the book hits its stride, though, it provides a good deal of helpful and useful information. All ISPs (Internet Service Providers), corporate network administrators, and net help desks should have a copy of this reference handy. Any serious Internet user will also find it well worth the price. As the authors put it, in slightly different words, the only thing necessary for the triumph of spammers is that good users do nothing. copyright Robert M. Slade, 1998 BKSTPSPM.RVW 981030 rslade@vcn.bc.ca rslade@sprint.ca robertslade@usa.net p1@canada.com Find virus, book info http://victoria.tc.ca/int-grps/techrev/rms.html ------------------------------ Date: 23 Sep 1998 (LAST-MODIFIED) From: RISKS-request@csl.sri.com Subject: Abridged info on RISKS (comp.risks) The RISKS Forum is a MODERATED digest. Its Usenet equivalent is comp.risks. => SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) if possible and convenient for you. Alternatively, via majordomo, SEND DIRECT E-MAIL REQUESTS to with one-line, SUBSCRIBE (or UNSUBSCRIBE) [with net address if different from FROM:] or INFO [for unabridged version of RISKS information] .MIL users should contact (Dennis Rears). .UK users should contact . => The INFO file (submissions, default disclaimers, archive sites, copyright policy, PRIVACY digests, etc.) is also obtainable from http://www.CSL.sri.com/risksinfo.html ftp://www.CSL.sri.com/pub/risks.info The full info file will appear now and then in future issues. *** All contributors are assumed to have read the full info file for guidelines. *** => SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line. => ARCHIVES are available: ftp://ftp.sri.com/risks or ftp ftp.sri.comlogin anonymous[YourNetAddress]cd risks [volume-summary issues are in risks-*.00] [back volumes have their own subdirectories, e.g., "cd 19" for volume 19] or http://catless.ncl.ac.uk/Risks/VL.IS.html [i.e., VoLume, ISsue]. PostScript copy of PGN's comprehensive historical summary of one liners: illustrative.PS at ftp.sri.com/risks . ------------------------------ End of RISKS-FORUM Digest 20.17 ************************