The Risks Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 20 Issue 17

Weds 20 January 1999

Contents

o Remarkable French announcement on crypto policy
Enzo Michelangeli and John Young via Steve Bellovin from cryptography newsgroup
o Deep Crack cracks RSA's DES challenge in less than one day
PGN
o The RISKS of Web links
Daniel R. Tobias
o Virginia online sex offender database
Joe Thompson
o China solves the Millennium bug
Pete Mellor
o Computer crash blew up radio listener's request messages
Kenji Rikitake
o REVIEW: "Stopping Spam", Alan Schwartz/Simson Garfinkel
Rob Slade
o Info on RISKS (comp.risks)

Remarkable French announcement on crypto policy

Steve Bellovin <smb@research.att.com>
Tue, 19 Jan 1999 17:59:22 -0800
Date: Wed, 20 Jan 1999 08:50:53 +0800
From: "Enzo Michelangeli" <em@who.net>
To: "John Young" <jya@pipeline.com>, <cryptography@c2.net>
Subject: Re: France allows 128-bit crypto

The third legislative initiative concerns cryptography. With the development
of electronic espionage instruments, cryptography appears as an essential
instrument of privacy protection.

We had, one year ago, made a first step towards liberalization of
cryptographic instruments. At that time I had announced that we were going
to make one further. The Government has, since then, heard the players,
questioned the experts and consulted its international partners. We have
today become convinced that the legislation of 1996 is no longer suitable.
In fact, it strongly restricts the usage of cryptography in France, on the
other hand, for all that, without allowing the public powers to fight
effectively against criminal actions of which encryption could facilitate
the dissimulation.

In order to change the orientation of our legislation, the Government has
thus retained the following orientations, that I have discussed with the
President of the Republic:

- To offer a complete freedom of use of cryptography

- To remove the compulsory nature of third-party escrow of encryption keys

- To supplement the current legal framework by the introduction of
obligations, together with penal sanctions, concerning the handing-over
to the legal authorities, when they require it, of the cleartext
version of encrypted documents.  At the same time, the technical
skills of the public authorities will be significantly improved.

Changing the law will take many months. The Government has decided
that the main obstacles holding up the citizens from protecting the
confidentiality of their communications and the development of
electronic commerce be lifted without waiting. Also, waiting
for the announced legislative changes, the Government has decided
to raise the threshold of cryptology the use of which is
free, from 40 bit to 128 bit, considered by the experts a level
suitable to ensure durably a very high security.
---

Time to sing the Marseillaise again? :-)

Enzo

-----Original Message-----
From: John Young <jya@pipeline.com>
To: cryptography@c2.net <cryptography@c2.net>
Date: Wednesday, January 20, 1999 7:11 AM
Subject: France Allows 128 Bit Crypto

The French Prime Minister today announced that due to the threat of
espionage and invasion of privacy France will allow encryption
strength up to 128 bits:

http://www.premier-ministre.gouv.fr/PM/D190199.HTM

(c) The third legislative project concerns cryptology. As the means
of electronic espionage develop, cryptology appears as an essential
means of protecting the confidentiality of exchanges and the
protection of private life.

A year ago we took a first step towards liberalizing the means of
cryptology. I announced then that we would take another one later.
The Government has since heard the players, questioned the experts
and consulted its international partners. We have today become
convinced that the legislation of 1996 is no longer suitable. Indeed,
it strongly restricts the use of cryptology in France, without, for
all that, allowing the public authorities to fight effectively
against criminal acts whose concealment encryption could facilitate.

To change the orientation of our legislation, the Government has
therefore adopted the following orientations, which I have discussed
with the President of the Republic:

- to offer complete freedom in the use of cryptology;

- to remove the compulsory nature of recourse to a trusted third party
for the deposit of encryption keys;

- to supplement the current legal framework by introducing
obligations, accompanied by penal sanctions, concerning the handing
over to the judicial authorities, when they request it, of the
cleartext transcription of encrypted documents. Likewise, the
technical capabilities of the public authorities will be
significantly strengthened.

Changing the law will take several months. The Government wanted the
main obstacles that weigh on citizens in protecting the
confidentiality of their exchanges, and on the development of
electronic commerce, to be lifted without waiting. Thus, pending the
announced legislative changes, the Government has decided to raise
the threshold of cryptology whose use is free from 40 bits to 128
bits, a level considered by experts to ensure very high security
durably.


Deep Crack cracks RSA's DES challenge in less than one day

"Peter G. Neumann" <Neumann@CSL.sri.com>
Wed, 20 Jan 1999 11:00:17 PST
On Monday morning around 9am when this year's RSA DES challenge was
announced by Jim Bidzos at this week's RSA Data Security Conference in San
Jose, John Gilmore set Deep Crack to work.  (See RISKS-19.87 for
background.)  About 22:25 hours later, Deep Crack had found the 56-bit DES
key, capturing the $10,000 prize by breaking the 24-hour mark.  This latest
event further dramatizes the inherent risks of relying on cryptography.
(In three hours, Matt Blaze, Steve Bellovin, and I (with Jeff Schiller
unfortunately in absentia) tackle the question "Is Cryptography Enough?"
RISKS readers know well that the answer is NO.)


The RISKS of Web links

"Daniel R. Tobias" <dan@softdisk.com>
Sat, 16 Jan 1999 11:20:21 -0600
I received a message this morning from somebody complaining about my
inclusion of a link to a pornographic Web site from a page that would
otherwise have been a suitable resource for him to refer to scholars and
students interested in the topic of my page.  This came as news to me, as I
had no knowledge of having any direct "porn" links from my site.  Some
pretty extreme politics and philosophical stuff, yes, but no dirty pictures.
So I checked the page in question and tried the links from it, and found
that one of them did indeed go to a porn site.

It turned out that what had happened was that the domain name of the site I
had linked to was either sold by its former owner or allowed to expire at
InterNIC due to nonpayment of renewal fees, and the domain was picked up by
a new owner who's in the business of online pornography.  This new owner set
up the server so that links to any page on the old site would bring up the
X-rated home page of the porn site, instead of just resulting in a "404 Not
Found" error.

This illustrates a big risk for anyone who maintains links to other Web
sites; places you link to can radically change their character, especially
if domain names expire and get acquired by different parties.  This may have
a highly damaging effect on the reputation of a site that winds up with such
a link, and the use of automated link-checking programs to weed out "404 Not
Founds" won't find this sort of problem.

--Dan
http://www.softdisk.com/comp/dan/

  [This does remind us of the Intuit 800 number case "Risks of old
  documentation" that Richard C. Wolber contributed in RISKS-20.15.  PGN]
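
An added illustration of the failure mode in this item (example code, not part of the original posting): a link check that goes beyond the status code by probing a random path on the same host and comparing the target against a fingerprint stored at the last human review. The `fetch` callback, the `example.org` URL and both in-memory sites are constructed for the example, and exact-hash comparison assumes static pages.

```python
import hashlib
import secrets
from urllib.parse import urlsplit, urlunsplit


def fingerprint(body: bytes) -> str:
    return hashlib.sha256(body).hexdigest()


def probe_url(url: str) -> str:
    """Same scheme and host, but a random path that should not exist."""
    p = urlsplit(url)
    return urlunsplit((p.scheme, p.netloc, "/linkcheck-" + secrets.token_hex(8), "", ""))


def check_link(url, fetch, baseline=None):
    """Return a list of findings for one outbound link.

    fetch(url) -> (status, body) is supplied by the caller (an assumption of
    this example); baseline is the fingerprint stored when a human last
    reviewed the target.
    """
    status, body = fetch(url)
    if status != 200:
        return [f"status {status}"]           # what a plain checker reports
    findings = []
    fp = fingerprint(body)
    probe_status, probe_body = fetch(probe_url(url))
    if probe_status == 200 and fingerprint(probe_body) == fp:
        findings.append("catch-all: a nonexistent path returns the same page")
    if baseline is not None and fp != baseline:
        findings.append("content changed since last review")
    return findings


# Constructed in-memory sites standing in for HTTP fetches.
LINK = "http://example.org/essays/topic.html"
OLD_PAGES = {LINK: b"<h1>Essay on the topic</h1>"}
BASELINE = fingerprint(OLD_PAGES[LINK])


def original_site(url):
    body = OLD_PAGES.get(url)
    return (200, body) if body is not None else (404, b"Not Found")


def reregistered_site(url):
    return 200, b"<h1>New owner's home page</h1>"   # same page for every path


if __name__ == "__main__":
    print(check_link(LINK, original_site, BASELINE))
    print(check_link(LINK, reregistered_site, BASELINE))
```

A "content changed" finding on its own also fires on legitimate edits, so it is a prompt for a human to look at the target again rather than a verdict.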


Virginia online sex offender database

Joe Thompson <joe@orion-com.com>
Tue, 19 Jan 1999 15:37:07 -0500
Virginia recently (December 29) released an online sex-offender database:

http://sex-offender.vsp.state.va.us/Images/Search.htm

In its first three weeks of operation, besides glitches involving names of
offenders, two of 49 local residents whose addresses were published in a
local weekly contacted them to say that the offender listed as living at
that address has moved.  The Virginia State Police have promised to update
the database "swiftly".

Needless to say, the Virginia chapter of the ACLU is pointing to these
errors as the exact reason they oppose the website. -- Joe

Joe Thompson  Charlottesville, VA    joe@orion-com.com
http://kensey.home.mindspring.com/


China solves the Millennium bug

Pete Mellor <pm@csr.city.ac.uk>
Sat, 16 Jan 1999 19:47:13 GMT
According to the BBC World Service yesterday, and various
items in newspapers, China has solved its Millennium problems
(at least where air transport is concerned) at a stroke.

The chief executives of all of its airlines are ordered to be
airborne at midnight on 31st December 1999.

Peter Mellor, Centre for Software Reliability, City University, Northampton
Square, London EC1V 0HB, UK. Tel: +44 (171) 477-8422, Fax: +44 (171) 477-8585

  [Apparently "only under consideration", not established.  PGN]


Computer crash blew up radio listener's request messages

Kenji Rikitake <kenji@k2r.org>
Sun, 17 Jan 1999 13:54:57 +0900 (JST)
About 11:30pm EST, January 16, 1998, on CBC Radio One, Holger Petersen,
the host of the program called Saturday Night Blues, said that he lost
his listener's request voice messages due to "a computer crash" in CBC
office in Edmonton, Alberta, Canada.  Another proof of taking risk of
NOT making backup data.

Kenji Rikitake <kenji.rikitake@acm.org>, Toyonaka City, Osaka, JAPAN


REVIEW: "Stopping Spam", Alan Schwartz/Simson Garfinkel

"Rob Slade, doting grandpa of Ryan and Trevor" <rslade@sprint.ca>
Mon, 18 Jan 1999 11:44:23 -0800
BKSTPSPM.RVW   981030

"Stopping Spam", Alan Schwartz/Simson Garfinkel, 1998, 1-56592-388-X,
U$19.95/C$29.95
%A   Alan Schwartz alansz@araw.mede.uic.edu
%A   Simson Garfinkel simsong@vineyard.net
%C   103 Morris Street, Suite A, Sebastopol, CA   95472
%D   1998
%G   1-56592-388-X
%I   O'Reilly & Associates, Inc.
%O   U$19.95/C$29.95 800-998-9938 fax: 707-829-0104 nuts@ora.com
%P   208 p.
%T   "Stopping Spam"

Eternal vigilance is the price of junk free email.  Therefore, readers
expecting to find a quick fix for spam in this book are possibly going
to be disappointed.  Those who persevere, however, will find much
useful material that is both interesting, and valuable in the fight
against unsolicited and commercial mass mail bombing.

Chapter one details the problem with a definition of spam, the
functionally differing types of spam, the different intention of spam
(including reputation attacks), and the reasons why spam should be
combatted, rather than merely tolerated and deleted.  A historical
background to the situation is provided in chapter two.  This includes
mention of viral programs (plus a repetition of the myth that CHRISTMA
EXEC caused a mass shutdown of VNET).  The primary emphasis, though,
is on the Green Card Lawyers, Cyberpromotions, and others of that ilk.
(A warning against vigilante actions is also germane.)  The current
position is described very briefly in chapter three.  Groups of
spammers and spamming tools are noted.  (Perhaps the authors do not
want to give anyone ideas, but the technology section is very terse
indeed.)  In closing, a nightmare future spam scenario is provided.

Chapter four provides a solid technical background for further
discussion of spam, covering mail agents and the mail and news
protocols.  A number of steps that the average computer user can take
are listed in chapter five.  They range from hiding your identity or
preventing address "harvesting" (not all the suggestions are
convenient), to the more active detecting of spammers behind spoofing
techniques, and reporting to authorities.  Similar advice for
newsgroups is given in chapter six, emphasizing specific programs like
NoCeM.

Chapter seven moves into larger areas of responsibility with advice on
both policy and practical configuration settings to reduce both
incoming and outgoing spam.  The larger net community is addressed in
chapter eight.

An appendix lists a wide variety of resources, but the annotations may
not always give you the complete picture.  For example, the Spam Media
Tracker Web site is listed, but at a relatively old address.  This, of
course, happens all the time on the net, but it is stranger that there
is no mention of the spam-news mailing list, the original (and
ongoing) source for the site.

It would, of course, be prohibitive to identify all international
agencies dealing with spam.  However, do note that only US government
offices are noted as departments to report to.

While understandable, the tone of moral outrage that colours the
initial chapters may not be as helpful as a calmer precis.  As the
book hits its stride, though, it provides a good deal of helpful and
useful information.  All ISPs (Internet Service Providers), corporate
network administrators, and net help desks should have a copy of this
reference handy.  Any serious Internet user will also find it well
worth the price.  As the authors put it, in slightly different words,
the only thing necessary for the triumph of spammers is that good
users do nothing.

copyright Robert M. Slade, 1998   BKSTPSPM.RVW   981030
rslade@vcn.bc.ca  rslade@sprint.ca  robertslade@usa.net  p1@canada.com
Find virus, book info http://victoria.tc.ca/int-grps/techrev/rms.html
