Security-Related News Items from Security-Related Mailing Lists

by Mary Ellen Zurko, OSF Research Institute (

This issue's highlights are from e$pam, http-wg, privacy, tbtf, www-security, risks, and www-buyinfo.

The IPSEC working group of the IETF remains unable to come to consensus about a key management standard. A design group tried to merge SKIP, ISAKMP, and OAKLEY, and failed. Since people are fielding encryption solutions that require key management, the concern is that the lack of a standard will cause interoperability headaches, and slow down the dissemination of encryption support.

A popular pseudonmyous server in Finland ( with over half a million users was shut down by its owner. The owner is closing it down for the time being "because the legal issues governing the whole Internet in Finland are yet undefined." A Finnish court's preliminary decision was that the privacy remailers could be violated by court order. The owner is collecting reactions for and against this sort of service, and stories about why anyone would need such a service, at support@anon.penet,, and, respectively.

In the HTTP working group of the IETF, Digest Authentication (which cryptographically hashes passwords instead of passing them in the moral equivalent of the clear) is slated for inclusion in HTTP 1.1, which is on its way to Proposed Standard. There has always been a tension between getting a cheap replacement for Basic Authentication out there fast, and making it a better protocol. Issues about man-in-the-middle attacks are being raised again (servers can protect against them, but don't have to). Netscape was taken to task for not supporting Digest, while representatives of Netscape said that they would not integrate something that was not stable.

We're getting closer to the penny-a-page vision on the Web. Clickshare ( is getting close to announcing services that track movements and settle charges down to as little as 10 cents per query.

US Bank is beginning to thumb-print non-customers who cash checks. Statistics indicate this is more of a deterrent than a way to catch someone cashing a bad check.

A member of cypherpunks was interested in a good steganography program for communicating with a friend in a country that is not crypto-friendly. Someone has software that forms Mad-Lib style sentences of the form "The _THING _VERBs to the _PLACE." Another pointed to a program that can hide information in .gifs. A third has worked on software that has a dictionary of pairs of synonyms (each representing 1 or 0), that will scan freeform text and embed a bit in each of the dictionary words it finds.

An interesting quote from DefCon founder Dark Tangent, a.k.a. Jeff Moss: "Hacking as we know it is dying. Everything is specialized today. There's wireless, IP, ISDN, NT -- it gets crazy."

Baruch Awerbuch, a professor of computer science at The Johns Hopkins University, is studying the economics of sharing computer power over the Internet (and calling it metacomputing). He acknowledges that there are security issues, and "it will also require a change in the close attachment most people feel toward their computers."

A CD full of all sorts of crypto share and freeware may soon be available. See

A fair trading office in London found that mondex is not truly anonymous (they were claiming it for a while until the complaint was filed by PI director Simon Davies). See

The folks at Princeton who found so many Java holes (including two news ones in early August that allow full read/write access to files) are turning their attention to Internet Explorer. They found a way to run any DOS command on the machine of someone using IE that visits a malicious page.

A U.S. Army private faces spying charges, but his lawyer claims that he had broken into a supposedly impenetrable system after advising his superiors of defects in the security system. He seems to have also given a Chinese friend of his a password on an unclassified system. See [sorry -- this link seems to be out of date -- Ed.].

In mid-August, the Department of Justice's Web site was broken into and altered. Luckily for them, the alteration was fairly obvious (it involved nudity and racism, as well as anti-CDA sentiments). Various sites backed up the hacked site before the DoJ yanked it.

ActiveX's security model (or lack thereof) has been getting discussion, since it might turn out to be Microsoft's answer to Java. They plan on moving to signed signed applets, much like Java is discussing signed classes. However, they have no encompassing sandbox like Java's VM that provides additional restrictions. There's an ActiveX control on the web that gracefully shuts down your Windows95 system (

The possibility of encrypting information for 100 years was discussed on cypherpunks. The hottest issue seemed to be how to protect a key for 100 years (in space, at the bottom of the ocean, escrowed with long-lived institutions like the Catholic church, the Chinese government, and Oxford).

The Communication Security Corporation announced a telephone security device supporting triple-DES.

Both Netscape and Microsoft have 128-bit US versions of their browsers available. Netscape uses the service to determine if you can receive the software electronically. It directly connects with a mapping service so you can get a direct map for the person's exact location. The original risks poster has an unlisted phone number, but found himself. I have a phone number listed under my husband's name, and did not find myself. They have a separate business lookup, but I found my family's business in the personal lookup (they don't pay for a business phone listing).

John Gilmore is trying to get 5% of the Internet encrypting "opportunistically" by December. He's planning on putting IPSEC into Linux, then using Linux gateways to encrypt all traffic when it's going to a site behind another of the gateways (

In early August, the Sunday Times reported that American intelligence agents hacked into European Parliament computers.

Oregon will sell you a tape with license plate information on it. Someone put a search engine into that data on the web, but then suspended the service pending consideration of the ruckus raised. There seems to be nothing illegal about it.

MasterCard and VISA have chosen their CA's (GTE and Verisign, respectively), and are planning on testing their SET implementations in the fourth quarter of this year (in time for Xmas?).

In, the author posits that encrypted email would be necessary to maintain attorney-client confidentiality for all email concerning a client.

It's the end of a Web era; www-buyinfo is shutting down. Dave Kristol was the first to get many of us talking about electronic commerce on the Web, and www-buyinfo spawned a bunch of email distribution lists and working groups in the area.