The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 19 Issue 52

Weds 24 December 1997

Contents

o The Swedes discover Lotus Notes has key escrow!
Win Treese
o Strong crypto code for authentication published online
John Gilmore
o New Internet law attacks non-profit pirating
Edupage
o Electric deregulation grid-lock
PGN
o Has Microsoft already infected itself?
Nick Brown
o Beware of diploma mills on the Net
Edupage
o Risks of modern PABXs and digital phones
Nick Brown
o Hackers attack game site
Stevan Milunovic
o Adjust your defibrillator today!
Gary McGraw
o Mobil Speedpass
Philip Koopman
o Tufte and Information Density
Jeff Gruszynski
o Re: KC power outage
William Hugh Murray
o Info on RISKS (comp.risks)

The Swedes discover Lotus Notes has key escrow!

Win Treese <treese@OpenMarket.com>
Tue, 23 Dec 1997 22:15:31 -0500
My colleague Bill Nilson brought this to my attention.  Below is his
translation of a story from a Swedish newspaper.   [Original Swedish
truncated, but is available on request.    PGN]

The article describes the reaction when various people in the Swedish
government learned that the Lotus Notes system they were using includes key
escrow.   They were apparently unaware of this until Notes was in use by
thousands of people in government and industry.

Besides being an interesting reaction to key escrow systems, this incident
reminds us that one should understand the real security of a system....

  Secret Swedish E-Mail Can Be Read by the U.S.A.
  Fredrik Laurin, Calle Froste, *Svenska Dagbladet*, 18 Nov 1997

One of the world's most widely used e-mail programs, the American Lotus
Notes, is not so secure as most of its 400,000 to 500,000 Swedish users
believe.  To be sure, it includes advanced cryptography in its e-mail
function, but the codes that protect the encryption have been surrendered to
American authorities.  With them, the U.S. government can decode encrypted
information.  Among Swedish users are 349 parliament members, 15,000 tax
agency employees, as well as employees in large businesses and the defense
department.  ``I didn't know that our Notes keys were deposited (with the
U.S.).  It was interesting to learn this,'' says Data Security Chief Jan
Karlsson at the [Swedish] defense department.  Gunnar Grenfors, Parliament
director and daily e-mail user, says, ``I didn't know about this--here we
handle sensitive information concerning Sweden's interests, and we should
not leave the keys to this information to the U.S. government or anyone
else.  This must be a basic requirement.''

Sending information over the Internet is like sending a postcard--it's that
simple to read these communications.  When e-mail is encrypted, it becomes
unintelligible for anyone who captures it during transport.  Only those who
have the right codes or raw computer power to break the encryption can read
it.  For crime prevention and national security reasons, the United States
has tough regulations concerning the level of crytography that may be
exported.  Both large companies and intelligence agencies can already--in a
fractions of a second--break the simpler cryptographic protections.  For the
world-leading American computer industry, cryptographic export controls are
therefore an ever greater obstacle.  This slows down utilization of the
Internet by businesses because companies outside the U.S.A. do not dare to
send important information over the Internet.  On the other hand, the
encryption that may be used freely within the U.S.A. is substantially more
secure.

Lotus, a subsidiary of the American computer giant IBM, has negotiated a
special solution to the problem.  Lotus gets to export strong cryptography
with the requirement that vital parts of the secret keys are deposited with
the U.S. government.  ``The difference between the American Notes version
and the export version lies in degrees of encryption.  We deliver 64 bit
keys to all customers, but 24 bits of those in the version that we deliver
outside of the United States are deposited with the American government.
That's how it works today,'' says Eileen Rudden, vice president at Lotus.

Those 24 bits are critical for security in the system.  40-bit encryption is
broken by a fast computer in several seconds, while 64 bits is much more
time-consuming to break if one does not have the 24 bits [table omitted].
Lotus cannot answer as to which authorities have received the keys and what
rules apply for giving them out.  The company has confidence that the
American authorities responsible for this have full control over the keys
and can ensure that they will not be misused.

On the other hand, this (assurance) does not matter to Swedish companies.
On the contrary, there is a growing understanding that it would be an
unacceptable security risk to place the corporation's own ``master key'' in
the hands of foreign authorities.  Secret information can leak or be spread
through, for example, court decisions in other countries.  These concerns
are demonstrated clearly in a survey by the SAF Trade and Industry security
delegation.  Some 60 companies answered the survey.  They absolutely do not
want keys deposited in the U.S.A.  It is business secrets they are
protecting.  These corporations fear that anyone can get a hold of this
information, states Claes Blomqvist at SAF.

Swedish businesses are also afraid of leaks within the American authorities.
The security chief at SKF, Lars Lungren, states: ``If one has a lawful
purpose for having control over encryption, it isn't a problem.  But the
precept is flawed: They ought to monitor (internally), but the Americans now
act as if there are no crooks working within their authorities.''

In some countries, intelligence agencies clearly have taken a position on
their country's trade and industry.  Such is the case in France.  One
example, which French authorities chose to publicize, was in 1995 when five
CIA agents were deported after having spied on a French telecommunications
company.

Win Treese <treese@openmarket.com>

  [The Lotus Notes crypto scheme is one that I have familiarly been
  calling ``64 40 or fight!'' (in a reference to a slogan for an early
  U.S. election campaign border-dispute issue many years ago.  PGN]


Strong crypto code for authentication published online

John Gilmore <gnu@toad.com>
Tue, 23 Dec 1997 15:18:55 -0800
One of the risks of controlling privacy technology is that these controls
spill over into other areas that the government doesn't wish to control.
Freedom of speech is one such area, which is giving the Government headaches
right now.  But another such area is authentication.

To build networks that are secure against mischief requires that people
prove their authenticity in a way that can be verified across distance and
time.  This requires cryptography.  The complexity of the export regulations
on cryptography, and the harsh penalties for mistakes, have discouraged many
people, including myself, from deploying good authentication because of fear
of government retaliation.

I've now spent some four years in close contact with lawyers, who dissected
the export controls to prove them unconstitutional to Federal judges.  That
experience has reduced the "uncertainty and doubt" that accompanies such
fear.  I now know pretty exactly what the export controls allow and
disallow.

There's long been a disconnect between what NSA tells people is legal, and
what is actually legal.  NSA tends to serve its own interests, and operates
on the principle that they're unlikely to get caught.  For example, they
told Dan Bernstein it might be illegal to put his software into a
U.S. library if his intent was that foreigners could read it.  They told the
Apache team that their software was illegal to publish because it contained
hooks that could call a separate PGP program.  (Both of these are fully
documented in declarations in the Bernstein case web site; see
http://www.eff.org/bernstein/Legal/960726_filing/, behlendorf.decl and
bernstein.decl.)  And they've been telling people that authentication object
code is not export-controlled, but that authentication source code is.

Fortunately for network security, the regulations do not support their
statement.  Authentication is authentication is authentication.  You can
read the full legal analysis at my web site (see below).  Software that's
published in source code is still authentication software.  And software
that is publicly available, and wasn't transferred from the State Dept as an
"EI" item, is not subject to the export controls.

Given this new freedom from fear, uncertainty and doubt, the first piece of
infrastructure I want to authenticate is the Domain Name System; thus this
software release.  But there are many other opportunities: authentic email
(a version of PGP that doesn't encrypt, only authenticates?), authentic IP
packets (IPSEC with AH only), authentic remote login (ssh or kerberos with
privacy missing), authentic routing updates, authentic web pages, authentic
public records, authentic network file access; the list is endless.

Here's the press release.  John

      Strong Crypto Code Published Online for Authentication

San Francisco, December 23, 1997 - Civil libertarian John Gilmore
today published strong authentication source code on the Internet,
making it available for worldwide access, despite U.S. National
Security Agency attempts to restrict such software.  He is publishing
Domain Name System Security software that contains a complete copy of
RSAREF, well-known cryptography software that is a predecessor to the
DNSsafe software released in October by RSA Data Security, Inc.

Mr Gilmore explains, "Internet publication of cryptography software is
considered an export by the US Government, and often requires
government permission under the Export Administration Regulations
(EAR).  But those regulations specifically exempt programs which
merely prove that information is authentic (authentication), rather
than hiding the information (privacy)."

The export regulations were amended in 1989 to exclude authentication
software.  Since that time, however, the National Security Agency has
been telling people privately that the exclusion only applies to
ready-to-run "binary" programs.  They have reportedly claimed that the
regulations still require government permission to export the
human-readable "source code" of authentication programs.  The plain
text of the regulations makes no such distinction, though; all
authentication programs are exempt.

Readers can obtain the software from Mr. Gilmore's web site for Domain
Name System Security, at http://www.toad.com/~dnssec or at
http://www.flash.net/~dnssec.  Future releases will be available from
the Internet Software Consortium, http://www.isc.org/bind.html.

The Electronic Frontier Foundation, which Mr. Gilmore co-founded, is
sponsoring a lawsuit to have the entire cryptography software export
control regime overturned.  In the three-year suit, Bernstein v. State,
Judge Marilyn Hall Patel has invalidated export controls administered by
both the State Department and the Commerce Department.  She ruled they
are an unconstitutional prior restraint against our First Amendment
right to speak and publish about cryptography.  The case is now in the
Ninth Circuit Court of Appeals.

Domain Name System Security:        http://www.toad.com/~dnssec
                or  http://www.flash.net/~dnssec
Internet Software Consortium:       http://www.isc.org
RSA Data Security:          http://www.rsa.com
Electronic Frontier Foundation:         http://www.eff.org

Press Contacts:

    John Gilmore, Founding Board Member, EFF
    +1 415 221 6524, gnu@toad.com

    Shari Steele, Staff Attorney, Electronic Frontier Foundation
    +1 301 375 8856, ssteele@eff.org

    More press background is available at:
    http://www.toad.com/~dnssec/pressrel1.background.txt

"They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety."  - Ben Franklin, ~1784


New Internet law attacks non-profit pirating

Edupage Editors <educom@educom.unc.edu>
Sun, 21 Dec 1997 12:48:54 -0500
President Bill Clinton signed into law a controversial bill imposing
criminal penalties on copyright violators who do not profit from their
actions.  The No Electronic Theft Act, passed by Congress last month, was
strongly backed by the software and entertainment industries, but opposed by
science and academic groups.  Under the new law, a person who "willfully"
infringes on copyrighted material worth at least $1,000 could be subject to
criminal prosecution even if he does not profit by it.  Under the previous
law, copyright violators could not be charged with criminal misconduct
unless they profited from the violation.  Software and entertainment groups,
including the Business Software Alliance, the Motion Picture Association and
the Association of American Publishers, said the change was essential to
protect software, music recordings and other creative products easily
pirated over the Internet.  (*Toronto Financial Post*, 18 Dec 1997;
Edupage, 21 Dec 1997)


Electric deregulation grid-lock

"Peter G. Neumann" <neumann@csl.sri.com>
Tue, 23 Dec 97 14:12:26 PST
California's 1 Jan 1998 scheduled deregulation of electric power received a
shock when it was realized that the new software system is not ready to
monitor who puts power into the grid and where it goes.  Everything else is
apparently ready to go.  (You supposedly will then be able to get your
electricity from competitive operators.  Competition is supposed to lower
prices, which by law must be reduced by at least 10%.)  [Source: AP item, 23
Dec 1997]

The length of the delay is unpredictable, with estimates ranging around 3,
4, or even 5 months.  The Independent System Operators estimate their losses
from the unavailability of the computer system at about $300,000 a day,
whereas the Utility Reform Network watchdog estimates costs of up to
$1,000,000 daily.  The system development effort evidently could not
properly address many of the complexities long familiar to RISKS readers --
including the necessity of getting out all the bugs, getting performance up
to snuff, and adequately training people for use of the system, all within
the allotted 11-month schedule.  The ISO chief executive noted that this
``probably would have been a two- or three-year project'' and you just
cannot cram all that into 11 months.  [Source: Jamie Beckett, *San Francisco
Chronicle*, 24 Dec 1997, A1]


Has Microsoft already infected itself?

BROWN Nick <Nick.BROWN@coe.fr>
Fri, 19 Dec 1997 17:42:03 +0100
Can anyone explain what this string is doing in WWINTL32.DLL, the DLL which
converts Word 97's language neutral version into (in this case) the
International English version ?  My version is dated August 13, 1997 at 3:59
pm, has 1158416 bytes, and is marked as version 8.0, although it comes from
Office Service Release 1.

Here's the string:

   "AutoClose macro virus is already installed in NORMAL.DOT"

Does Microsoft know something we don't ?

Nick Brown, Strasbourg, France (Nick.Brown@coe.fr)


Beware of diploma mills on the Net

Edupage Editors <educom@educom.unc.edu>
Sun, 21 Dec 1997 12:48:54 -0500
A number of would-be students have fallen victim to the dark side of
distance learning on the Internet -- fraudulent schemes that claim to offer
accredited degrees in as little as 27 days.  In many of these cases, a Web
site is about all these "institutions" have to offer, says the co-author of
"Bears' Guide to Earning College Degrees Nontraditionally."  And while some
people assume that a ".edu" suffix guarantees the authenticity of an
educational institution, Network Solutions (the company that registers
Internet domain names) says it gives a ".edu" name to anyone who requests
it.  So far, the Accrediting Commission of the Distance Education and
Training Council is the only nationally recognized accrediting body for
distance-learning programs, while the Global Alliance for Transnational
Education focuses on evaluating and certifying international institutions.
(Chronicle of Higher Education 19 Dec 97; Edupage, 21 Dec 1997)


Risks of modern PABXs and digital phones

BROWN Nick <Nick.BROWN@coe.fr>
Fri, 19 Dec 1997 18:18:40 +0100
We have just received our introductory training for our new PABX.  Everyone
will have a digital phone with a two-line alphanumeric display.

The possibilities for mischief and accidents will be immediately obvious to
regular RISKS readers, but apparently the engineers and marketing people
from the PABX manufacturer haven't spotted anything wrong.

1) Anyone can send a text message to anyone else from any phone to which
they have physical access.  There is a function to "lock" the phone, which
many users will probably (incorrectly) imagine protects them; in fact,
"locking" the phone only prevents outside calls from being made.  So I can
go to my colleague's phone and send "Eat my shorts" (readers may like to
fill in their own message here) to my local sexual harassment
representative.  Or, being in competition with another person for a
promotion, I can make a number of "mistakes" on their behalf.  Etc., etc.

Solution: Lock your office every time you leave it.  For people who have an
open plan office: be on VERY good terms with all of your colleagues.  Even
the extreme measure of taking your phone with you doesn't help: the phones
have no personality module, so they are all identical, and all the
parameters (such as your name) are associated with your line in the PABX.

2) When you finally do send a legitimate text message to someone, you get
"message sent OK" flashed up on your display, for a full second.  If the
send fails (eg because the mailbox is full - it has a capacity of about 4
messages), you get "message not sent" flashed up for a second.  That's it.
No other confirmation, no acknowledgement required.  "Didn't you get my
vital message ?  I'm sure I sent it."

3) The phones have a cute "permanent hands free" function.  This is
activated by pressing a button, and the only indication that it is on is a
very small blinking LED.  When this is in place, the phone "answers" a call
after one ring, saving you all those calories you wasted up to now reaching
to press a button.  This function is a great way to listen in on a meeting
to which you haven't been invited: visit the meeting room and switch "hands
free" on some hours before the meeting.  Wait till everyone is sitting round
the table.  Phone the number.  People will groan and look at each other -
who's going to answer it ?  But after one ring it stops - sighs of relief,
the person on the other end realised their mistake and rang off.  Well, not
quite - they're listening to the entire meeting.

4) You can program a function key with frequently used sequences - for
example, the one to read your voice mail.  This sequence contains your
personal identification code; the same code used to charge personal calls to
your account.  I don't suppose it will come as a surprise to anybody to
learn that this code is plainly visible to anyone who browses the
programmable keys, which of course are not protected by a code of any kind.

5) Not that the code would help for most people: it has a minimum length
of two (2) digits, a maximum length of 6, and a default of "00".
Naturally, the PABX has no mechanism for expiring this code over time,
logging failed attempts to guess the code, etc etc etc.

There are many others.  Two colleagues and I came up with all of these
during the training course.  The instructor said "nobody has ever
pointed any of this out before" - she has trained several thousand
people on this system in the last couple of years.

Nick Brown, Strasbourg, France.


Hackers attack game site (from www.news.com)

Stevan Milunovic <stevan@netscape.com>
Tue, 23 Dec 1997 08:12:29 -0800
Hackers broke into the Sierra On-Line gaming site and took down the front
page for three hours over the weekend.  The hacker(s?) did not access any
sensitive data such as credit card information.


Adjust your defibrillator today!

Gary McGraw <gem@rstcorp.com>
Mon, 22 Dec 1997 10:17:01 -0500 (EST)
In *The Washington Post* "DigitalFlubs" column (22 Dec 1997), there is a
small article about a bug in 2000 installed defibrillators manufactured by
Ventak AV (sold by Guidant Corp out of Indy).  There is some debate over
whether the bug could ever be life-threatening.  Here's my favorite line
from the article (and why I am writing this up for RISKS):

  "Surgery isn't necessary; doctors can adjust the devices'
  programming with a small radio transmitter."

The obvious risk is that somebody else will opt to reprogram defibrillators
by broadcast.  One would hope there are controls and authentication
mechanisms... righto.  The press never seems to be aware of the downside of
automatic adjustment schemes.

Dr. Gary McGraw, Research Scientist, Reliable Software Technologies (RST),
Sterling, VA <http://www.rstcorp.com/~gem> gem@rstcorp.com


Mobil Speedpass

Philip Koopman <koopman@cmu.edu>
Mon, 22 Dec 1997 01:10:40 GMT
Mobil is promoting the Speedpass program in which you get a radio
frequency transponder and use that to pay for fuel at the pump in a
service station.  They are apparently using TIRIS technology from Texas
Instruments.  The key-ring version uses fairly short-range low frequency
energy, and I'd have to guess that the car-mounted version is using
their 915 MHz battery-powered transponder.  This is a neat application,
especially for fleet vehicles, especially since no PIN is required.
But, I worked with RF transmitter and transponder security in my
previous job, and this application rings minor alarm bells in my mind.

Now for the Risks -- TIRIS (and, in general, any cheap RF) technology is not
terribly secure against interception and theft of your identification
number.  It seems to me that the car-mounted device would present the
greater risk, since it is pretty much the same technology that is also being
sold for electronic tollbooth collection.  So, if you "ping" a vehicle with
a mounted Speedpass transponder you can get its code and potentially use it
to buy fuel until the code is reported stolen.  The risk is analogous to
someone reading your telephone credit card at an airport without you knowing
it.  Yes, the 915 MHz TIRIS device is encrypted, but unless they've improved
their crypto in the year or so since I checked up them I wouldn't consider
it truly secure.  (For crypto geeks -- the TIRIS device I looked into used
rolling-code transmissions with a fixed-feedback LFSR using the same
polynomial for *all* devices; each device simply starts with a different
seed number.  So, once you trivially determine the polynomial from one
transponder you only need one interception to crack any other unit.  Maybe
they've improved recently -- they don't advertise that level of detail at
their web site.)

To their credit, Mobil reassured me that the TIRIS code isn't the same as
your credit card number (so they're not broadcasting your credit card number
over the airwaves, which is good) and that someone would have to know your
date of birth and social security number to retrieve the credit card number
from their information system (well, maybe I'm not so re-assured after all).
The real risk is that ultra-low-cost devices usually don't have enough room
for strong cryptography, and often use pretty weak cryptography; but to a
lay-person saying it is "encrypted" conveys a warm, fuzzy feeling of
security.  Perhaps theft of a bit of vehicle fuel isn't a big deal (although
for long-haul trucks a full tank isn't cheap), and certainly pales by
comparison to cell phone ID theft.  But, you'd think they would have learned
the lesson about RF broadcast of ID information.  I wonder how long it will
be until the key-ring Speedpass is accepted as equivalent to a credit card
for other purchases... and considered indisputable because it is encrypted.

Information sources:
  TIRIS http://www.ti.com/mc/docs/tiris/docs/mobil.htm
  Speedpass http://www.mobil.com/speedpass/html/questions.html
  A customer supervisor at the Speedpass enrollment center confirmed
  that they were using Texas Instruments technology, and provided
  numerous well-intentioned but vague assurances about security.

Phil Koopman -- koopman@cmu.edu -- http://www.ece.cmu.edu/koopman


Tufte and Information Density (Re: Potential nightmare, RISKS-19.50)

Jeff Gruszynski <jeffg@webtmo.ptp.hp.com>
Mon, 22 Dec 1997 14:13:37 PST
In his seminars, Edward R. Tufte compares the visual information density of
various media technologies.  He ranks most Powerpoint-generated corporate
viewcharts and and Excel-generated graphs as typically ranking at or below
the level of Soviet-era communist or Nazi-era propaganda posters.

Technologies like the web are only marginally better compared to paper (72
dpi vs 1000+ dpi for quality paper publishing).  If you do web publishing,
keeping this in mind helps keep you appropriately humble.

Jeff


Re: KC power outage (PGN, RISKS-19.51)

William Hugh Murray <whmurray@sprynet.com>
Mon, 22 Dec 1997 22:26:36 -0500
> ... ``brief and supposedly impossible power failure''  ...
> ... the latest in an improbable series of problems.

Not improbable at all; rather, it is measurable.  As with any such
"protective" mechanism, for every n problems that it prevents, a UPS will
cause m.  As the UPS ages, the ratio of m to n tends to rise and may even
approach one.  (Since this is counter-intuitive, the ratio has even been
known to rise above one before the UPS is replaced.) A large number of these
events are associated with maintenance of the UPS.  Indeed, the switch used
to take the UPS off line for maintenance is often a single point of failure.

The life of a UPS is usually several times longer than the computers with
which it is used and may be longer than the life of the technology from
which it is built.  Thus, when a UPS approaches end of life, it may no
longer be possible to get parts with which to maintain it.

The battery of a UPS requires a great deal of maintenance, can be fully
tested only under load, and may fail just when it is required.

William Hugh Murray, New Canaan, Connecticut

Please report problems with the web pages to the maintainer