The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 14 Issue 64

Wednesday 19 May 1993

Contents

o A Risk of Risks Elided (or no news not always best)
Mike Coleman
o Rewards offered for finding bugs in Japanese encryption methods
Forman
o Re: Clipper
Jim Bidzos
Eric Raymond
Dorothy Denning
Doug Rand
o Re: Clipper "destroyed keys" and Spycatcher
Roger Crew
o Re: Clipper/Capstone: Expectations of privacy?
Henry Burdett Messenger
o Re: Clipper and the "Man in the Middle"
Stephen G. Smith
o Re: Epilepsy and video games
David Honig
o Re: makedepend problem - a real world example
Conrad Hughes
o Re: Cut and Paste risks
Robert L Krawitz
o Re: CHI & the Color-blind?
Flint Pellett
o Info on RISKS (comp.risks)

A Risk of Risks Elided (or no news not always best)

Mike Coleman <coleman@twinsun.com>
Tue, 18 May 93 21:07:18 PDT
The default behavior of the popular newsreader 'nn' is to split (undigestify)
digests such as RISKS.  Unfortunately, nn seems to omit included articles,
such as the Jim Bidzos inclusion in Ed Roback's submission in RISKS 14.62.

Until this is fixed, nn users can include this line in their ~/.nn/init:

    set split false

This should put an end to many unhappy non sequiturs.


Rewards offered for finding bugs in Japanese encryption methods

<forman@cs.washington.edu>
Thu, 13 May 93 10:22:19 -0700
In RISKS-14.60 Klaus Brunnstein implies that "Security by Obscurity" (not
making an encryption method public) is a poor way to get a secure encryption
method.  Both the USA's Clipper Chip and Europe's A5 standards use Security by
Obscurity.

Japan doesn't seem to rely on this arcane method:

Professor Shigeo Tsujii of the Tokyo Institute of Technology is offering $3000
to anyone who can find a bug in his new encryption method called "NIKS-TA".
(Described in his 15-page thesis.)

Similarly, in 1989 NTT offered $9100 (1M yen) for finding a bug in their
encryption method.

         [This could be RISKy if the reward is not big enough,
         and someone on the "other side" is offering more?  PGN]


Re: Clipper (Denning, RISKS-14.63)

Jim Bidzos <jim@RSA.COM>
Wed, 19 May 93 10:17:16 PDT
Dorothy Denning wrote in RISKS-14.63, with respect to the key management
advantage of RSA over DSS, that the Capstone chip makes the key management
advantage "disappear."

I believe that trust is a very significant part of the advantage RSA enjoys
over DSS/Capstone, whether for signatures or key management.  The scrutiny RSA
has withstood in the 17 years since its discovery contributes to that trust.
The only way to make that advantage "disappear" is to publish everything about
Capstone, including the algorithm that the keys you manage are used with, and
wait a few years and a few hundred papers before proposing it as a standard.
(Since DES has withstood similar scrutiny, RSA and triple-DES have an
advantage to users both in and out of the US that is likely never to disappear
as it appears the government will never publish Clipper/Capstone details.)


Re: Clipper (Denning, RISKS-14.60; Rotenberg, RISKS-14.62)

Eric S. Raymond <esr@snark.thyrsus.com>
Wed, 19 May 1993 16:32:46 -0400 (EDT)
In <CMM.0.90.1.737688970.risks@chiron.csl.sri.com> Marc Rotenberg wrote:
> Denning has to be kidding.  The comments on the proposed DSS were uniformly
> critical.  Both Marty Hellman and Ron Rivest questioned the desirability of
> the proposed standard.

Mr. Rotenberg, as a public figure operating in the political arena, has to
exercise a certain diplomatic restraint in responding to Ms. Denning's claims.
I am, thankfully, under no such requirement.

As a long-time RISKS reader and contributor, I observe that that this is not
the first time that Ms. Denning has apparently operated as a mouthpiece for
the NSA's anti-privacy party line on DES and related issues.

I believe Ms. Denning's remarks must be understood as part of a continuing
propaganda campaign to marginalize and demonize advocates of electronic
privacy rights.  Other facets of this campaign have attempted to link privacy
advocates to terrorists and drug dealers by suggesting that only criminals
need fear wiretapping.

These are serious charges.  I make them because, in the wake of the Clipper
proposal, I do not believe civil libertarians can afford any longer to assume
that their opponents are persons of good will with whom they can simply debate
minor differences of institutional means in a collegial way.

It's time for someone to say, in public and on this list, what I know many
of us have been thinking.  The future is *now*.  Electronic privacy issues
are no longer a parlor game for futurologists; they are the focus of a
critical political struggle, *and the opponents of privacy are fighting their
war with all the tools of force, deception, and propaganda they can command*.

The histories of the DES, the FBI wiretap proposal, and now the Clipper
proposal must be considered against a wider background of abuses including
the Steve Jackson case, "Operation Longarm", and the routine tapping of U.S.
domestic telecommunications by NSA interception stations located outside the
geographic borders of the United States.

These form a continuing pattern of attempts by agencies of the U.S. government
to pre-empt efforts to extend First and Fourth Amendment privacy protections
to the new electronic media.  In each case, the attempt was made to present
civil libertarians with a fait accompli, invoking "national security" (or the
nastiness of "kiddie porn") to justify legislative, judicial and practical
precedents prejudicial against electronic privacy rights.

While I would not go so far as to claim that these efforts are masterminded by
a unitary conspiracy, I believe that the interlocking groups of spies,
bureaucrats and lawmen who have originated them recognize each other as
cooperating fellow-travelers in much the same way as opposing groups like the
EFF, CPSR and the Cypherpunks do.  Their implicit agenda is to make the new
electronic communications media transparent to government surveillance and
(eventually) pliant to government control.

One of the traits of this culture of control is the belief that manipulative
lying and dissemblage can be justified for a `higher good'.

I believe that Ms. Denning's disingenuous claim that the DSS "is now
considered to be just as strong as RSA" is no mere technical misapprehension.
I believe it is propaganda aimed at making objectors non-persons in the
debate.  I cannot know whether Ms. Denning actually believes this claim, but
it reminds me all too strongly of the classic "Big Lie" technique.

It is important for us to recognize that the propaganda lie is not an
aberration, but a routine tool of the authoritarian mindset.  And the
authoritarian mindset is, ultimately, what we are confronting here --- the
mindset that regards the fighting of elastically-defined `crime' as more
important than privacy, that presumes guilt until innocence is proven, that
demands for government a license to override any individual's natural rights
at political whim.

We cannot trust representatives of an institutional culture that was
*constructed* to deal in information control, lies, secrecy, paranoia and
deception to tell us the truth.

We cannot accept the authoritarians' unverified assurances that the sealed
interior of the Clipper chip contains no `trapdoor' enabling the NSA to
eavesdrop at will.

We cannot trust the authoritarians' assertions that they have no intention of
outlawing cryptographic technologies potentially more secure than the Clipper
chip.

We cannot believe the authoritarians' claims that `independent' key registries
will prevent abuse of decryption keys by government and/or corrupt individuals.

We cannot --- we *must not* --- cede control of encryption technology to
the authoritarians.  To do so would betray our children and their descendants,
who will work and *live* in cyberspace to an extent we can barely imagine.

We cannot any longer afford the luxury of treating the authoritarians as honest
dealers with whom compromise is morally advisable, or even possible.  Whatever
their own valuation of themselves, the thinly-veiled power grab represented by
the Clipper proposal reveals a desire to institutionalize means which a free
society, wishing to remain free, *cannot tolerate*.

Big Brother must be stopped *here*.  *Now.*  While it is still possible.

                Eric S. Raymond <esr@snark.thyrsus.com>


Re: Clipper (Raymond, RISKS-14.64)

Dorothy Denning <denning@cs.cosc.georgetown.edu>
Wed, 19 May 93 18:37:24 EDT
Eric Raymond has accused me of being part of a propaganda campaign and
a "Big Lie." Among his wild speculations, he wrote:

  I believe that Ms. Denning's disingenuous claim that the DSS "is now
  considered to be just as strong as RSA" is no mere technical misapprehension.
  I believe it is propaganda aimed at making objectors non-persons in the
  debate.  I cannot know whether Ms. Denning actually believes this claim, but
  it reminds me all too strongly of the classic "Big Lie" technique.

Frankly, I don't know how to respond his allegations other than by saying that
I am not and have never been on the payroll of NIST, NSA, or the FBI and that
every word I have published has been completely on my own initiative.  While I
frequently speak with people in these agencies (mainly to ask them questions
so that I can be informed) and have considerable respect for them, I am
operating on my own initiative and making my own independent evaluations based
on all the evidence I can find.  I try to avoid pure speculation as much as
possible.

My objective in responding to Sobel in the first place was to point out that,
in my best judgement, the DSS as revised is as secure as RSA.  I did that so
that readers would not be led to believe the contrary.  Let me elaborate more.

The security of the DSS is based on the difficulty of computing the discret
log.  (The Diffie-Hellman key exchange, invented in 1976, is likewise so
based.)  The security of the RSA is based on factoring.  My understanding is
that the computational difficulty of these two problems is about the same for
comparable key lengths, and indeed, the fastest solutions with both come using
the same basic technique, namely the number field sieve.  If I'm wrong here, I
am happy to be corrected by someone who knows more than I do about this.

There are other factors, of course, that must be taken into account.  With
both schemes, you have to make sure you get good primes.  In the case of the
DSS, you want really random ones so that you don't get ones with "trapdoors."
This is readily done and the chances of getting a trapdoor one are minuscule.
For a reference, see Daniel Gordon's paper from Crypto '92.

I still remember the day when George Davida called me up to say that he had
cracked RSA.  It turned out that he had found a way of exploiting the digital
signatures to get access to plaintext (but not keys).  I generalized his
mathematics and published a paper in CACM (April 84).  The solution is to hash
messages before they are signed, which has other advantages anyway.  I also
remember various articles by people pointing other potential vulnerabilities
with RSA if the primes weren't picked right.

There are potential weaknesses in all of these public-key methods, but they
can be resolved.  As near as I can tell, NIST has resolved the potential
problems with the DSS, and I am confident that if new ones are found, they
will resolve them too.

Dorothy Denning


Clipper chip

<drand@osf.org>
Mon, 17 May 93 17:55:43 EDT
I've just read one of the longer tirades in risks about the clipper chip and
feel like putting my foot into the whirling blades :)

Have the naysayers totally forgotten the point of making crypto gear available
to individuals?  Right now I cannot lift my portable phone without assuming
I'm talking to several people aside from the person I call.  I treat it as I
would a contact on ham radio.

The crooks can listen to us, the government has always been able to.  Now, for
the first time, there would be some control.  Perhaps it isn't perfect.  This
is irrelevant.  It is so many orders of magnitude more secure than any phone
system today.

Without the chip being ubiquitous, we cannot have this capability in every one
of perhaps a billion phones (guesstimate) in the country.  It would be too
expensive and totally useless.  Both parties must have the same gear.

That the crooks could always create more effective crypto gear is also a red
herring.  Maybe they could.  But the law is being structured so that this
itself would be considered probable cause of a crime.  We'll have to see if
(how much) this is abused.  One hopes that just the unlicensed crypto gear
would not be sufficient to indict honest people.

Doug Rand drand@osf.org


Re: Clipper - "destroyed" keys

Roger Crew <rfc@research.microsoft.com>
Tue, 18 May 1993 13:05:14 -0700
>   Even if you *know* that an instrument has been decoded, in many
>   cases management will simply accept the government's word that the
>   keys were destroyed rather than replace the instrument(s).

The following excerpt from Peter Wright's _Spycatcher_ comes to mind:

    Jagger was the MI5 odd-job technical man... [He] had an
    extraordinary array of skills, of which the most impressive was
    his lockpicking.  Early on in training I attended one of the
    regular classes he ran for MI5 and MI6 in his lockpicking
    workshop.  The cellar room was dominated by a vast array of keys,
    literally thousands of them, numbered and hung in rows on each
    wall.  Jagger explained that as MI5 acquired or made secret
    imprints of keys of offices, hotels, or private houses, each one
    was carefully indexed and numbered.  Over the years they had
    developed access in this way to premises all over Britain.

      ``You'll never know when you might need a key again,'' explained
    Jagger as I stared in astonishment at his collection.

      ``The first rule if you are entering premises is only pick the
    lock as the last resort,'' said Jagger, beginning his lecture.
    ``It's virtually impossible to pick a lock without scratching
    it---and that'll almost certainly give the game away to the
    trained intelligence officer...  What you have to do is get hold
    of the key---either by measuring the lock or taking an imprint of
    the key.''

Though this incident dates from the mid 50's, Peter Wright held his post
in MI5 (British domestic intelligence) until 1976, and there's no reason
to believe that their procedures (w.r.t. keys and locks) changed significantly
during that period.  And evidently people changed their locks sufficiently
infrequently that MI5 felt it worth the expense of maintaining a key farm...

Roger Crew   rfc@research.microsoft.com


Re: Clipper/Capstone: No reasonable expectation of privacy?

<Henry_Burdett_Messenger@cup.portal.com>
Wed, 19 May 93 09:42:12 PDT
Nobody has mentioned a risk of the Clipper/Capstone proposal that I thought of
last weekend.

You see, we aren't supposed to use Clipper; it will cost too much for ordinary
telecommunications usage. Furthermore, there will be no great demand from
the citizenry to encrypt their telephones: after all, the ones they already
have work perfectly well.

The Supreme Court has already ruled that conversations held over cordless
telephones can be intercepted and used as evidence against you without any
wiretap warrants*. You have "no reasonable expectation of privacy" on a
cordless telephone. How long until the Supremes rule that telephone
conversations on wire phones in the clear are also fair game? After all, the
Government has given you Clipper; it's your fault if you're not using it...

Therefore, I fear that this will become a class issue: those who can afford
Clipper can afford (limited) privacy, but it's open season on those who can't.
How *convenient* for our friends in law enforcement!

* Contrast this with early rulings on party lines, where you were not allowed
to disclose the content of conversations overheard on a party line.

Henry B. Messenger  henry_burdett_messenger@cup.portal.com


Re: Clipper and the "Man in the Middle"

Stephen G. Smith <sgs@grebyn.com>
Sat, 1 May 93 01:36:27 -0400
One thing that I have not seen in the discussion of the Clipper is that
it seems to be totally vulnerable to a "man in the middle" attack.

Take two Clipper chips.  Connect them back-to-back.  Add some "glue" to
pass dialing/routing signals.  Insert in the line, either by actually
cutting the wire, or by diverting the call in the switch.  Now when the
victim makes a call, the data is in clear between the two chips.  The
result is that the tapper now has a clear conversation, the victim has
no way of telling if he has been tapped, and there is no need for the
song and dance with "escrow agencies".

Note that this attack will work with any protocol that uses "zero
knowledge" key exchange.  The actual encryption method is completely
irrelevant.  The only defense is to be able to recognize your caller's
key.  Something tells me this may be very difficult ....

The only place where the Clipper can provide even minimal security is in
mobile communications, where the communications line cannot be cut.

The giveaway that something is fishy, of course, is that the Government
will not use the Clipper chip for classified communication.  If it's so
good, why won't they use it?

Steve Smith                     Agincourt Computing
sgs@grebyn.com                  (301) 681 7395


Re: Epilepsy and video games (Culver, RISKS-14.63)

David Honig <honig@ruffles.ICS.UCI.EDU>
Tue, 18 May 1993 20:01:01 -0700
"Larry Hunter and others were asking about seizures induced by video games.
Not being a neurologist, I wonder if these are similar to those caused by
"photic stimulation", which has been implicated in some aircraft accidents.

Some people, when exposed to flickering or flashing lights will have seizures
which are quite similar to epileptic seizures.  In aircraft, this can be a
problem for general aviation pilots, who look through the propeller disk.
During most of the flight, the frequency is too high to cause problems, but
during a landing, especially into the setting sun, the propeller may cause
flickering sufficient to induce a seizure.  There are, apparently, degrees of
severity: some people will seize from a single flash of the right duration."

Yes, the seizure-risk from video games is exactly that from any flashing
light ---whether from propeller, CRT, or LCD.


Re: makedepend problem - a real world example (Worthman, RISKS-14.62)

Conrad Hughes <chughes@maths.tcd.ie>
Wed, 19 May 93 14:31:12 BST
>... makedepend chokes on one of X11 include files (as distributed by Sun)...

On the machine I use (running MIPS RISC/os) makedepend chokes under such
circumstances, but doesn't die.  The problem arises when you proceed to
compile it, and compilation fails because this file doesn't exist and can't be
built, yet there is a dependency on it.  This consequently doesn't result in a
risk, as rather than being built incorrectly, the software cannot be built -
typically software should be installed by someone with enough experience to
fix such include problems (and what with the nightmarish mess that is the MIPS
header file directory tree I've garnered more than my fair share of _that_
experience recently).  So - I can't see this bug producing risks other than
compilation failure: all it can do is produce too extensive a dependency list,
in which case unnecessary parts of the program may be built during
compilation, _but_ since the real make process will correctly evaluate all
conditional expressions which makedepend assumes are true, the unnecessary
parts will not be linked in or installed if you use the supplied "make
install"..

[Thinks a bit more]  On second thoughts - if someone is guilty of what
I'd term bad practice and has an explicit make line for an included file
which also modifies some other already-built part of the source beyond
just building the required file then a risk does arise.  A makefile which
does this kind of thing is guilty of fairly poor practice anyway I think..

conrad hughes (chughes@maths.tcd.ie)


Re: Cut and Paste risks (Cook, RISKS-14.63)

Robert L Krawitz <rlk@Think.COM>
Wed, 19 May 93 10:14:35 EDT
   We should identify the main source of the risk, which in my opinion
   is general access to super-user privileged shells.  ...

Yes, but that still doesn't eliminate problems, since most of these accidents
are caused by accidentally hitting the mouse buttons rather than carelessness
as to what window the mouse is in.  The design of most mice makes it very easy
to inadvertently hit buttons (this seems to be true on Suns, it was true with
both the 1985-style and the current DEC mice, and even with Lisp Machine
mice).

The problem is that it's very easy to brush a mouse button while reaching for
the mouse, or while moving it.  Looking at the way I hold the mouse, my index
finger is practically on top of the middle button and my middle finger nearly
touches the right button, making an accident of this nature practically
inevitable.

Cut and paste is most definitely very useful, and getting rid of it is an
overreaction.  However, by requiring two independent actions to perform it (e.
g. the shift key on the keyboard along with a mouse button), the risk of such
an accident is reduced.

I've changed the mouse actions in my xterm windows to use shift bindings for
the mouse keys.  It's very rare that my left hand is camped on the shift key
while my right hand is reaching for the mouse.

Robert Krawitz, Thinking Machines Corp, 245 First St., Cambridge, MA 02142
<rlk@think.com> (617)234-2116  Member of the League for Programming Freedom


Re: CHI & the Color-blind? (Yu, RISKS-14.62)

Flint Pellett <flint@gistdev.gist.com>
19 May 93 14:42:53 GMT
> ...

It seems to me that the answer to that is simple, and it isn't merely color/no
color that it relates to: Don't place an over-reliance on icons to convey
meaning because they don't always do so (whether colored or not), and the old
saying that a picture is worth a thousand words isn't always true.  Consider
in the example above, if the words "No contact", "Contacted", "Promised", and
"Called Us" were displayed instead of the icons, (or under each icon) how much
clearer it all would be.  (If I had to use the system above, I see myself
having to refer constantly to an explanation sheet that says what each icon
means, and I would expect to often make mistakes.)  Too often people have been
creating icon symbols to replace words when the word they replace is one that
everyone would understand (at least if they speak that language), and the icon
they come up with is one nobody recognizes.  You'll find that even people who
don't speak the language can learn a word just as easily as they can learn an
icon.  Icons tend to fail to convey meaning most often when they are trying to
replace verbs.

You can make it an option in your interface to let the user choose between use
icons/use words/use both, but don't force "only icons" on people.  Then you
won't have to worry about color-blindness issues.

Flint Pellett, Global Information Systems Technology, Inc., 100 Trade Centre
Drive, Suite 301, Champaign, IL 61820 (217) 352-1165  uunet!gistdev!flint

Please report problems with the web pages to the maintainer

Top