News Items from Security-Related Mailing Lists

by Mary Ellen Zurko, Open Group Research Institute (

This issue's highlights are from cryptography, e$pam, tbtf, and dcsb.

Federal judge Marilyn Hall Patel ruled (12/18) that government restrictions on the export of computer encryption programs are an unconstitutional interference with freedom of speech. The case was brought by Illinois professor of mathematics, Daniel Bernstein, who had been told that programs and academic papers required licenses to communicate abroad.

A personal computer with several hundred thousand credit card accounts stored in it was stolen from a Visa office.

The classic man-in-the-middle attack is being repackaged as "Web spoofing" by the Princeton team. Their report on how an attacker can imitate a Web site to a user, and a user to a Web site, is at

A group of Social Security Administration employees was arrested for passing confidential information on at least 1,000 people to credit card theives, for bribes of as little as $10. The theives were able to activate credit cards stolen from the mail with the holder's mother's maiden name. This report caused comment on how safe escrowed keys might be, and how much it might take to steal them.

There was a lot of discussion of HP's crypto framework announcement (, mostly because there was a lot of confusion about just what it is, what it's meant to accomplish, and what it means to the recent key escrow initiatives. It is designed to be flexible enough to support any governmental encryption policy. A hardware or software token activates the encryption support. They're using Microsoft's CAPI and Intel will build some hardware for it.

Germany passed a Cyberspace law that, amoung other things, will outlaw cookies. Cookies are used both to maintain session state in the stateless HTTP protocol and to track user's movements on the Web.

RSA Laboratories are inviting comments and for their next generation of the Public-Key Cryptography Standards. The current generation is available at Suggestions should be sent either to the mailing list (subscribe by sending email with "subscribe pkcs-tng" in the message body to or to, whichever is deemed more appropriate.

Ross Anderson and Markus Kuhn put out a report on how they cracked a smart card with a small amount of equipment and some hacking. They built equipment to send bad data to the card and observe the results.

There are rumors that Digicash is going to hire a new CEO, and Chaum will become chief technology officer.