Security-Related News Items from Security-Related Mailing Lists

by Mary Ellen Zurko, OSF Research Institute (

This issue's highlights are from fv-users, www-security, sig-security, risks, tbtf, ietf-tls, and e$pam.

The difference between technology-based controls and organizational guarantees of privacy came up when Community ConneXion (C2) explicitly posted the reasons why it would not accept First Virtual payments. First Virtual (FV) attempts to explicitly document the pros and cons of its use by sellers and buyers, and some of the reasons given by C2 are old FV issues (buyers assume full risk of non-payment, inappropriate for hard goods). The also cited the continuing issue of whether or not FV is anti-cryptography (while FV publicly always states that they support the implementation of usable crypto systems, they are in a position to continually explain why their system should be considered secure, particularly compared to systems that do use crypto). However, the privacy issue they cite was new to me. It turns out that a buyer's identity could easily be determined from her FV ID (available in all transactions) through the use of finger.

CERT has put out yet another advisory warning people not to put interpreters into their Web server's CGI bin directory.

A draft white paper on Clipper III has been leaked. One difference seems to be the promise that any limit on encryption key length on exports will be increased (or removed?) when escrow is used.

The Java-bug hunters at Princetom found a bug in Netscape Navigator 2.02 that allows an applet to generate and execute arbitrary machine code. Netscape has hired one member of the team for the summer. Other holes announced by other people include the ability to read and write the file system (under certain configurations), Trojan horse applets that effect their servers, and learning the browser's launch path.

Various vendors, including IBM, Microsoft, and Novell, are announcing plans to integrate Java into their OSes.

Now anyone can "see" where you live on the map, given your address. Check out For some reason, I find this really creepy, even though I know there's no new information available here.

Becoming an international arms traffficker has never been so easy! (Although some of us have long appreciated just how easy it can be ...) At, clicking on a button causes three lines of perl code to be sent to an ISP in Antigua; the code implements a patented RSA encryption algorithm.

A new on-line privacy initiative, called the Internet Privacy Coalition, is working towards the relaxation of laws banning the export of strong crypto.

A new IETF working group is working on Transport Layer Security. It's rumored to be inspired by work in SSL and PCT.

A member of the W3C team saw a demonstration of a successful cryptanalitic attack against a slightly modified MD5 compressor function. This attack allows an attacker to create a message that has a given MD5 value. Attacking unmodifed MD5 may merely be a matter of CPU. The demo'ed attack takes about 50 MIPS days.