Sorry for the inconvenience on RISKS-16.11 for those of you who got a truncated original, and apologies for the duplicate in case any of you actually got an untruncated original copy. Our gateway was timing out on even moderately sized outgoing mail and FTPed files (also preventing me from updating the CRVAX archive copy).
Our local newspaper, The Herald Times, had a several-page spread on the problems relating to a switchover of the local prison to a new control system. Given the length of the spread, and considering that most of it was human interest and not technical, I summarize it here.

The prison is being switched from a mechanical to a fully automated system, and this is being done while it contains prisoners. The jailers are complaining about huge amounts of overtime, and spending the whole day "on a dead run". One incident of a technology breakdown was especially insightful. The lights are going to be controlled by this new system, and the wiring for the new system must be run through some of the old wire traces. In order to safely install the new wiring, the existing wiring had to be disconnected, for both the lights and an intercom system so that inmates can contact the guards for requests. To maintain functionality, temporary wiring was used to replace the existing wiring for the lights. To save money, no on-off switches were included. The prisoners must sleep with the lights on. One of the prisoners has sued, requesting release because of cruel and unusual punishment. This has been rejected.

A more serious incident occurred with another prisoner. A light had started to burn out, but since it couldn't be turned off, it couldn't be changed, and it started blinking rapidly. One of the prisoners had epilepsy, and the blinking light triggered a seizure. The inmate's injuries were exacerbated by the other prisoners not being able to call for help. Pounding on the cells did no good, as this is a common sound in the prison. A lawsuit is in progress. Another prisoner is now using this as grounds for his immediate release. He has a heart condition, and is claiming that this situation puts him too much at risk. No ruling yet.

I see one more lawsuit from this. The best defence in a criminal case is frequently delay.
I can see what may be a very valid comment from a defendant's lawyer. "I must request a continuance on the basis of temporary incompetence of my client. The county has been illegally depriving my client of sleep, and he is now too sleepy to competently participate in his own defence." Under the right circumstances, I would say this might be worth about a two-month delay.
I encourage everyone to have a look at an issue of the magazine "Campaigns and Elections". It's a monthly, sold at many newsstands (in the US anyway), for the people who run political campaigns. Every issue includes numerous references to the growing role of computers in campaigning. Now I'm sure that this trend has its good sides and its neutral sides and its complicated sides. But inside the back cover of the May 1994 issue is an advertisement from a political software company whose headline is "The age of individual targeting is upon us". In other words, everyone gets their own personalized direct-mail pitch, based on a detailed database of information relevant to your likely political leanings. One use of such databases is basic demographics for choosing issues to emphasize; another is deciding who should be approached personally and urged to vote. But a scarier use of such databases, not mentioned in the ad, is the tailoring of messages to individual voters. For example, a group of land developers in San Diego is promoting an initiative for tomorrow's primary election that would open up the last parcel of wild land in San Diego to development. Their campaign has been incredibly sophisticated, including numerous tactics that aren't relevant here. The part that *is* relevant here is a letter I received over the weekend encouraging me to vote Yes on the initiative. Along with the letter were two inserts containing endorsements from the leader of the local AFL-CIO and a Hispanic city council member from another district. Did the guy around the corner with the "Rush is Right" bumper sticker get the same inserts? He didn't have to, if the developers had access to a suitably "enriched" database. In the future you won't even have to bother putting together a coherent coalition; just find out what everybody's hot issues are and make them all whatever promises you need to make, one by one, the Saturday before the election, so nobody has time to compare notes. 
Campaigns and Elections, 1511 K St NW #1020, Washington DC 20005, USA. Subscriptions $30/year in the US, write for prices elsewhere. Phil Agre, UCSD
From an article by Rebecca Bryant in the Los Angeles Times Valley Section, Thursday May 19th: The Los Angeles City library system is sending out overdue notices for books that had been checked out before the January 17th earthquake. The only problem is that readers have been told that they can hang on to their books until the damaged branches reopen. "Now wait a minute," writes Bryant. "Who[m] do you believe? The library? Or, uh, the library?"

The problem arose because the computer system used to generate the notices does not allow notices to be selectively disabled based on the branch at which the book was originally checked out. The only way to stop the notices would be to stop sending notices for all branches. But many branches remain open, and of course there are always delinquent readers. According to Robert Reagan, a library spokesman, the system is due to be replaced soon. Although the article does not state this explicitly, there is an implication that the new system will support better per-branch control.

This is in many ways not just a computer risk. The original programmers, designing an integrated system, can be forgiven for failing to predict the day when their customers would want to shut down only half of it, based on unforeseen criteria. Furthermore, it is easy to imagine an integrated manual system with the same (if you will excuse the expression) fault. Nevertheless, readers are confused and the library is embarrassed. I guess it's a pretty minor, though amusing, footnote to a major disaster.

Geoff Kuenning firstname.lastname@example.org geoff@ITcorp.com
RISKS readers might find John Seabrook's article in the June 6, 1994 issue of the New Yorker interesting. He had previously written a profile of Bill Gates, chairman of Microsoft (January 10, 1994) and received an obscene and obnoxious message from "a technology writer who does a column about personal computers for a major newspaper." In true New Yorker tradition, Seabrook used this message as a vehicle to comment on network etiquette and on the possibility that some strange aspects of the message might indicate that the message contained a "worm" or "virus." (My own reading of the evidence presented is that there is nothing to worry about.) Of particular interest to Risks readers might be Seabrook's fear that any strangeness in the message might indicate an attack, and on the general way in which extending the net to "an estimate twenty-three million users ... ten million of which have come on-line in the last nine months" has affected the culture of network communications. RISKS readers -- at least those of us who have been around since the net was a self-regulated anarchy -- will find his comments on the way this anarchy is, or soon will be, dying away very interesting. Martin Minow email@example.com
From a Canadian newspaper, _The Globe and Mail_, 28 May 1994, p. D1:

<<Stay out of the laundry room, son, your mother is playing Tetris: Computer software houses want to know why grown women are transfixed by one particular video game. Psychologists have been hired.<> by Jim Carlton of the Wall Street Journal

<<Nintendo Co., master peddler of cyberpuzzles to young boys, has a riddle of its own: Why are so many grown women hooked on Tetris, the geometric video game? Fourteen-year-old Bobby Meade would certainly like to know. "Almost 24 hours a day she plays Tetris," the Johnstown, Ohio boy writes of his mother in a letter to Nintendo. "I can't hardly play more than one game a day." Peggy Rudden's family would also like to know. "My husband thinks I'm hooked on it," says the 46-year-old mother of six in Englewood, Colo., who plays in her laundry room, away from the kids.<>

The author continues with the following key points: <
Re: Closed Doors in Glasgow - Trapped Guard Dies in Fire
John Vilkaitis <firstname.lastname@example.org>, Sat, 4 Jun 1994 00:37:06 -0700

Failure to provide a reliable emergency exit is usually a violation of local fire and other ordinances. The RISK is civil and criminal prosecution, not MERELY lost sales.

This, and many other seemingly senseless problems, have at their root a failure of the analyst to IMAGINE HIMSELF using the system. Sometimes this is the fault of the analyst; often it is simply because management refused to give the analyst (or the programmer) time to calmly "daydream" himself using the system and encountering typical situations and problems. If you cannot imagine in your head what you are building, you RISK building trash, often dangerous trash.

"Imagination is more important than facts" - Albert Einstein

It takes both FACTS and IMAGINATION to build good systems, but no one seems to teach us to use the broader power of our imagination, insisting we use the far narrower term "THINKING".

-JVV- (J. Vilkaitis, email@example.com, 408-983-0518 voice/fax)

[John, I guess you have to be THIN-KING to slip through the emergency exit. See my article, Psychosocial Implications of Computer System Development and Use: Zen and the Art of Computing, in Theory and Practice of Software Technology, D. Ferrari, M. Bolognani, and J. Goguen, eds., North-Holland, 1983, for a discussion of how both left-brain and right-brain activities must be used and properly integrated. PGN]
Re: Risks of too-simple responses (UK ATM Spoof) (RISKS-16.10)
"Henry J. Cobb" <firstname.lastname@example.org>, Wed, 1 Jun 1994 19:52:49 -0700

Jerry Leichter suggests that ATMs be "hardened" to spoofery by reading the "noise" built into the card during manufacture rather than the digital signals encoded on them. The risk to this is once the scanner that detects the noise is out in the field in large numbers, it becomes just another fixed system to spoof. Before you counter with "We'll just push down to the quantum level!" consider if you'd want real people in the real world walking around with cards depending on this. (And please no "Are you displeased to see me, or is that just a quantum in your pocket?" jokes from the moderator.)

Digitally secure smartcards are not only the geek thing to do, they're the right thing to do. As for the installed base of "dumb" cards, this can be wiped clean by proper legislation or simple liability. All that is needed is to abolish the NSA and go back to being a free nation.
Re: Risks of too-simple responses (UK ATM Spoof) (RISKS-16.10)
Mathew Lodge <email@example.com>, Fri, 3 Jun 94 17:22:47 BST

Perhaps Jerry has never been to France. All French credit cards are smart cards, and have been in mass use for several years now. The French don't seem to be having any problems with fragility or expense. As to backward compatibility, this is solved by the extraordinarily simple measure of allowing the card readers to deal with both smart cards and ordinary magnetic stripe cards. Thus I can use my Visa card in France with no problem (the only difference is that there is no immediate validation using my PIN as there is for smart cards).

> In practice, my bet is that we will *never* see the replacement of magnetic
> stripe cards by smart cards.

I think this is a little too pessimistic.

Mathew Lodge, Software Engineer, Schlumberger Technologies, Ferndown, Dorset, UK, BH21 7PP firstname.lastname@example.org +44 (0)202 893535 x404
Re: UK ATM Spoof (Cobb, Lodge, RISKS-16.12)
Jerry Leichter <email@example.com>, Fri, 3 Jun 94 22:07:00 EDT

On Henry J. Cobb's fixed system to spoof: We've been using pin-tumbler and mechanical combination locks for many, many years. In fact, that's exactly what protects the money actually stored inside of ATMs - along with fairly simple electrical alarms, which haven't changed much in many years either. All "just another fixed system to spoof". Clearly the only hope is "digitally secure smartcards", a technology that has seen all of 20 years worth of development and testing in the real world, against real attackers. By all means, let's convert everything immediately. After all, these new systems are based on *digital computers*! Clearly they are better, more secure! Computers never make mistakes, after all!

On Mathew Lodge's response to my statement ("In practice, my bet is that we will *never* see the replacement of magnetic stripe cards by smart cards."), saying that he thinks this is "a little too pessimistic": As Mark Twain said, it's a difference of opinion that gives us horse races. (Well, he said it better, but I don't recall the exact words.) We've both made our predictions. I'll sharpen mine: Five years from now, smart cards will represent no more than 5% of the US market for bank and charge/debit cards; some variation of magnetic stripe technology will make up essentially all the remaining 95%. Shall we revisit this in 1999?
Clipper
Gene Spafford <firstname.lastname@example.org>, Fri, 03 Jun 94 19:20:45 -0500

In today's mail I got a glossy brochure extolling Clipper. It promises to "Expand your creative universe with real-world solutions." Is it a new ploy by the government to subvert our privacy? No, it's an advertisement by a company named Dynamic Graphics for their CD-ROM clip art magazine. "Clipper" is their registered trademark. I wonder if they registered the trademark recently? I would have pitched the flier immediately had I not noticed the word "Clipper" in large letters. I can't recall hearing about them before, either.... Has "Capstone" been registered yet, or "Tessera"? :-)

On the other hand, it might be they had the name picked out over a year ago and their business will go south as a result of recent events. The risk? Naming a product something catchy just before a government agency nicknames something unpopular the same name. (Alternatively, there's a risk in trying to avoid this -- naming a product "Fascist Thought Control" is likely safe from collision, but won't help sales. :-)
Details of flaw in Clipper
Sidney Markowitz <email@example.com>, Fri, 3 Jun 1994 20:14:29 -0700

I have seen lots of discussion about the New York Times report on Matt Blaze's discovery of a flaw in Clipper's key escrow system, with more confusion than anything else. Here is the best article that I have seen on the net explaining exactly what Dr. Blaze has found.

There's also confusion about the implications. My understanding is that this method might allow someone with a Clipper chip device to have a secure communication with another person with a Clipper device that could not be decrypted by law enforcement *and* it does not require the cooperation of the second person. That last part is what makes this significant, since two people can agree to just encrypt their messages with, say, PGP, if they want to be secure from law enforcement decryption. But if Blaze's method is practical, the widespread use of Clipper would make it harder on law enforcement by making it easier than it is now for someone to have secure communication with people without having to plan with them to do so.

-- sidney markowitz <firstname.lastname@example.org>

[begin quote of Message-ID: <PERRY.94Jun3182655@snark.imsi.com> crossposted to sci.crypt, talk.politics.crypto, alt.policy.clipper]
[Run in RISKS with permission of "Perry E. Metzger" <email@example.com>. PGN]

Many people have misconceptions about what Matt did. Based on his paper (no, you can't have a copy since he told me not to distribute it; I'm sure he'll release it when it's ready for prime time) and discussions with him, the trick is this. [The Escrowed Encryption Standard is abbreviated as EES.]

The LEAF acts much as a key to tell the EES unit that it should function. It contains three elements:

1) the 32 bit unit id of the EES unit generating the LEAF
2) the 80 bit session key, encrypted in the escrowed key for that unit.
3) a 16 bit checksum based on the unencrypted session key and the initialization vector (IV) for the session.
All three components are concatenated to form a 128 bit unit, which is encrypted in the family key in order to produce the LEAF, reportedly using a unique mode of Skipjack. The remote unit takes in the LEAF, decrypts it with the family key, and checks the cleartext session key and IV to see if they produce the proper 16 bit checksum. If so, it accepts the LEAF and functions properly.

Note that the encrypted key inside the LEAF is useless to the remote EES since it doesn't have the other EES's escrowed key. It has to rely on the cleartext session key and IV alone to check that the checksum looks right. Sadly for the NSA, the checksum is only 16 bits long. Given a session key and initialization vector, I can fairly quickly generate a large number of fake LEAFs (chosen at random) and find one that a captive EES unit will accept as being the right LEAF for a given session key/IV. The contents of the LEAF will be garbage, but the remote unit will not know that, and will happily go along with using it. I needn't know the family key, or even the checksum algorithm.

The point here is, of course, that I can freely interoperate with non-rogue EES units -- I can communicate with non-subverted units without revealing my privates hidden beneath the LEAF. (sorry for the pun.) [*]

By the way, Matt had to figure out the components of the checksum on his own -- the mechanism for calculating it and where it came from were not documented.

BTW, for those who have asked, in case the preceding didn't make it clear, you can't just reuse an old LEAF or a stolen LEAF, because the session key/IV won't correspond and the checksum won't be right -- you have to generate and test.

Perry Metzger firstname.lastname@example.org

[end quoted message]

[*] [Turning over a new LEAF is better than if you LEAF well enough alone, he suggested FIGuratively. PGN]
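A toy model of the LEAF check described in the quoted message, added here as an illustration and not code from Blaze's paper or Metzger's post. HMAC-SHA256 stands in for Skipjack, an XOR stream stands in for the family-key encryption, and the checksum is a constructed SHA-256 truncation (the post notes the real one was undocumented); the unit id, key, IV and key material are all constructed. It shows the design lesson rather than the EES specifics: the remote unit can only verify the 16 bits it can recompute, so the mean number of random LEAFs it accepts one of is 2**16, and a longer tag would raise that bound accordingly.

```python
"""Toy EES LEAF: unit id || E_escrow(session key) || checksum, under a family key."""
import hashlib
import hmac
import random

UNIT_ID_BYTES, ENC_KEY_BYTES = 4, 10          # 32-bit unit id, 80-bit session key
CHECKSUM_BITS = 16                            # tag length in the fielded design
FAMILY_KEY = b"constructed-family-key"        # shared by every unit (constructed)
ESCROW_KEY_UNIT_7 = b"constructed-escrow-key" # held only by escrow agents (constructed)


def prf(key: bytes, data: bytes, nbytes: int) -> bytes:
    """Keyed pseudorandom bytes standing in for Skipjack; only length matters here."""
    return hmac.new(key, data, hashlib.sha256).digest()[:nbytes]


def checksum(session_key: bytes, iv: bytes, bits: int) -> int:
    """Constructed tag over (session key, IV), truncated to `bits` bits."""
    full = int.from_bytes(hashlib.sha256(session_key + iv).digest(), "big")
    return full & ((1 << bits) - 1)


def build_leaf(unit_id: int, session_key: bytes, iv: bytes,
               bits: int = CHECKSUM_BITS) -> bytes:
    """Honest unit: assemble the three fields, then mask them under the family key."""
    body = (unit_id.to_bytes(UNIT_ID_BYTES, "big")
            + prf(ESCROW_KEY_UNIT_7, session_key, ENC_KEY_BYTES)
            + checksum(session_key, iv, bits).to_bytes(bits // 8, "big"))
    stream = prf(FAMILY_KEY, iv, len(body))
    return bytes(a ^ b for a, b in zip(body, stream))


def receiver_accepts(leaf: bytes, session_key: bytes, iv: bytes,
                     bits: int = CHECKSUM_BITS) -> bool:
    """Remote unit: strip the family-key layer and compare only the checksum.

    It holds no escrow key, so the escrowed field is opaque to it and the
    short tag is the entire check, as the quoted message explains.
    """
    stream = prf(FAMILY_KEY, iv, len(leaf))
    body = bytes(a ^ b for a, b in zip(leaf, stream))
    tag = int.from_bytes(body[-(bits // 8):], "big")
    return tag == checksum(session_key, iv, bits)


def trials_until_random_leaf_accepted(session_key: bytes, iv: bytes,
                                      bits: int = CHECKSUM_BITS, seed: int = 1) -> int:
    """Measure the checksum-only check: random LEAFs tried until one passes.

    Each random LEAF passes with probability 2**-bits, so the mean count is
    2**bits (about 65,536 for 16 bits). The accepted LEAF carries no usable
    escrow data, which is the point of the quoted message.
    """
    rng = random.Random(seed)                 # seeded so the measurement repeats
    length = UNIT_ID_BYTES + ENC_KEY_BYTES + bits // 8
    n = 0
    while True:
        n += 1
        fake = bytes(rng.getrandbits(8) for _ in range(length))
        if receiver_accepts(fake, session_key, iv, bits):
            return n


def expected_trials(bits: int) -> int:
    """Mean random LEAFs per acceptance for a `bits`-bit tag: the forgery bound."""
    return 2 ** bits


if __name__ == "__main__":
    key, iv = b"\x11" * 10, b"\x22" * 8       # constructed 80-bit key, 64-bit IV
    print("genuine LEAF accepted:", receiver_accepts(build_leaf(7, key, iv), key, iv))
    print("random LEAFs tried:", trials_until_random_leaf_accepted(key, iv),
          "vs. mean", expected_trials(CHECKSUM_BITS), "for a 16-bit tag;",
          "a 32-bit tag would give", expected_trials(32))
```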
Blaze's Clipper paper available via ftp
Sidney Markowitz <email@example.com>, Mon, 6 Jun 1994 19:29:45 -0700

Matt Blaze is the AT&T researcher who has made the news recently for discovering a flaw in the Clipper protocol. I saw an announcement from him that a preliminary draft of his paper "Protocol Failure in the Escrowed Encryption Standard" is available via anonymous ftp from research.att.com in the file /dist/mab/eesproto.ps in PostScript format. He cautions that there will be a final version of the paper which will likely include additional material on the production version of the PCMCIA card, and that this draft is based on his examination of a prototype card.

-- sidney markowitz <firstname.lastname@example.org>
Flaw ? in Clipper
A. Padgett Peterson <email@example.com>, Sat, 4 Jun 94 22:35:29 -0400

This has already gotten out of hand on the Usenet. In simplest terms, what Matt Blaze found is that it is possible to spoof a CLIPPER LEAF (law enforcement access field). IMHO this is almost meaningless since *both* ends will need to do this (AFAIR each side sends a LEAF. If only one LEAF is spoofed, it will just be necessary for a legal tapper to use the other one). Thus to be effective, both ends will need special spoofing equipment and in that case they might as well use something other than Clipper. Even better, use something different but prefix a valid Clipper LEAF. Right. Remember Occam's Gillette.

Dr. Blaze also mentioned that it would take about 20 minutes to come up with a valid checksum. Much easier would simply be to record a valid LEAF from another chip and use that.

The most important element is that the SKIPJACK algorithm is in no way affected by this and is as strong as ever; only the government's ability to use the LEAF may be compromised. I still expect the government to drop key escrow when the hardware is ready and that there will still be two means available to defeat Clipper available to the government - without using any backdoor/trapdoor and without any weakness in SKIPJACK (see my earlier postings - one is similar to the way GSM can be tapped now).

Personally, I feel that Clipper is a valuable mid-range low-announced-cost device that is "good enough for government work". PGP or triple DES used in combination with Clipper is a viable next step up.

Padgett

P.S. Anyone notice Enigma-Logic's announcement of a one-time-password-token emulation for the PC @ US$10/user (maybe less)? Certainly an answer to sniffers.
Re: Flaw in Clipper detected (Huggins, RISKS-16.11)
Paul Carl Kocher <kocherp@leland.Stanford.EDU>, Tue, 7 Jun 1994 03:19:55 -0700

Although I doubt people will modify devices with hard-wired Clipper chips, this seems to be a very serious blow to Tessera (the government's PCMCIA card with a Clipper chip). Tessera has a standard programming interface that passes the programmer's calls to the encryption card. Any experienced assembly language programmer could easily add "support" for Blaze's technique for bypassing the LEAF (Law Enforcement Access Field) validation check. This could be done transparently and without significantly impacting performance. It could also fix up the side effects of the attack (e.g. the first block is bad in CBC mode, etc). Under MSDOS this could be done with a TSR that would intercept calls to the card directly, so it would work with all Tessera applications. The same TSR could also substitute pre-computed and/or brute-forced LEAFs for interoperability with non-cheating users.

We were told that the reason for having escrowed keys and a secret algorithm was to keep terrorists from having strong crypto. Now the bad guys have full-strength SkipJack, the public has a flawed "standard," and because the algorithm is classified we can't look for other problems. I'm also wondering what's going on inside NSA -- DSS originally had alarmingly-small keys and has been widely criticized, SHA was defective, and now this...

-- Paul Kocher firstname.lastname@example.org