News Items from Security-Related Mailing Lists

by Mary Ellen Zurko, The Open Group Research Institute (

This issue's highlights are from risks, www-security, cryptography, e$pam, cypherpunks, tbtf, and ietf-announce.

The RSA RC5 40-bit challenge was cracked in 3.5 hours by Berkeley graduate student Ian Goldberg. He got $1,000 for finding the challenge message "This is why you should use a longer key." He used about 250 idle machines, and found the key after exhausting about 30% of the keyspace.
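As an added illustration of the technique behind that result (this is example code written for this column, not Goldberg's search code or anything from RSA), the block below models a distributed exhaustive search against RC5-32/12/5, the 40-bit variant of the challenge: the coordinator splits the key range into slices, each worker tests its keys against one known-plaintext block, and the first hit tells the rest to stop. RC5 is implemented from Rivest's 1994 paper and checked against the paper's zero-key test vector. The "workers" are Python threads rather than 250 idle machines, and the secret key, the known-plaintext block and the 2048-key search window are constructed stand-ins so the demo finishes in seconds; searching all 2^40 keys in pure Python would take years. The `implied_rate` helper just turns the column's figures (30% of the keyspace in 3.5 hours on 250 machines) into keys per second, which is roughly 26 million overall, or about 100 thousand per machine.

```python
"""Distributed exhaustive key search against RC5-32/12/5 (40-bit key).

Added example, not code from the column or from the actual search.
"""
import threading
from concurrent.futures import ThreadPoolExecutor

MASK32 = 0xFFFFFFFF
P32, Q32 = 0xB7E15163, 0x9E3779B9      # RC5 constants for 32-bit words
ROUNDS = 12


def rotl(x, y):
    x &= MASK32
    y &= 31
    return ((x << y) | (x >> (32 - y))) & MASK32


def rotr(x, y):
    x &= MASK32
    y &= 31
    return ((x >> y) | (x << (32 - y))) & MASK32


def rc5_expand(key):
    """Key schedule from the paper: b key bytes -> t = 2(r+1) subkeys S."""
    c = max(1, (len(key) + 3) // 4)                  # key words (little-endian)
    padded = key + bytes(4 * c - len(key))
    L = [int.from_bytes(padded[4*i:4*i+4], "little") for i in range(c)]
    t = 2 * (ROUNDS + 1)
    S = [(P32 + i * Q32) & MASK32 for i in range(t)]
    A = B = i = j = 0
    for _ in range(3 * max(t, c)):
        A = S[i] = rotl(S[i] + A + B, 3)
        B = L[j] = rotl(L[j] + A + B, A + B)
        i, j = (i + 1) % t, (j + 1) % c
    return S


def rc5_encrypt_words(S, A, B):
    A, B = (A + S[0]) & MASK32, (B + S[1]) & MASK32
    for i in range(1, ROUNDS + 1):
        A = (rotl(A ^ B, B) + S[2*i]) & MASK32
        B = (rotl(B ^ A, A) + S[2*i+1]) & MASK32
    return A, B


def rc5_decrypt_words(S, A, B):
    for i in range(ROUNDS, 0, -1):
        B = rotr(B - S[2*i+1], A) ^ A
        A = rotr(A - S[2*i], B) ^ B
    return (A - S[0]) & MASK32, (B - S[1]) & MASK32


def encrypt_block(key, pt8):
    """Encrypt one 8-byte block; words are packed little-endian as in the paper."""
    S = rc5_expand(key)
    A, B = rc5_encrypt_words(S, int.from_bytes(pt8[:4], "little"),
                                int.from_bytes(pt8[4:], "little"))
    return A.to_bytes(4, "little") + B.to_bytes(4, "little")


def known_answer_ok():
    """Paper's first test vector: RC5-32/12/16, all-zero key and plaintext."""
    return encrypt_block(bytes(16), bytes(8)) == bytes.fromhex("21a5dbee154b8f6d")


def search_slice(known_pt, target_ct, first, last, stop):
    """One worker: try 40-bit keys first..last-1. Returns (key or None, keys tried)."""
    tried = 0
    for k in range(first, last):
        if stop.is_set():                   # another worker already found it
            break
        tried += 1
        key = k.to_bytes(5, "little")
        if encrypt_block(key, known_pt) == target_ct:
            stop.set()                      # tell the other workers to quit
            return key, tried
    return None, tried


def partition(first, last, n):
    """Split [first, last) into n contiguous, near-equal slices."""
    size = last - first
    return [(first + size * w // n, first + size * (w + 1) // n) for w in range(n)]


def distributed_search(known_pt, target_ct, first, last, n_workers):
    """Coordinator: one slice per worker; returns (key, fraction of range tried)."""
    stop = threading.Event()
    with ThreadPoolExecutor(max_workers=n_workers) as pool:
        futures = [pool.submit(search_slice, known_pt, target_ct, lo, hi, stop)
                   for lo, hi in partition(first, last, n_workers)]
        results = [f.result() for f in futures]
    found = next((k for k, _ in results if k is not None), None)
    return found, sum(n for _, n in results) / (last - first)


def implied_rate(keyspace_fraction=0.30, hours=3.5, machines=250):
    """Keys per second the column's figures imply: (total, per machine)."""
    total = keyspace_fraction * 2**40 / (hours * 3600)
    return total, total / machines


# Constructed challenge. The contests prefixed the secret message with a known
# phrase, so the first ciphertext block can be checked against known plaintext;
# the phrase and the key here are stand-ins, not the contest values.
KNOWN_PT = b"The unkn"
SECRET_KEY = bytes.fromhex("7c1f3d0b2a")
TARGET_CT = encrypt_block(SECRET_KEY, KNOWN_PT)


def run_demo(n_workers=4, window=2048):
    """Search a 2048-key window that contains the secret key."""
    k = int.from_bytes(SECRET_KEY, "little")
    first = k - k % window
    return distributed_search(KNOWN_PT, TARGET_CT, first, first + window, n_workers)


if __name__ == "__main__":
    print("known-answer test:", "ok" if known_answer_ok() else "FAILED")
    key, frac = run_demo()
    print(f"recovered key {key.hex()} after trying {frac:.0%} of the window")
    total, per = implied_rate()
    print(f"implied 1997 rate: {total:,.0f} keys/s total, {per:,.0f} per machine")
```

The stop flag is the part worth noticing: without it every worker runs its whole slice, and the reported coverage would always be 100% instead of the 30% in the news item. The fraction printed here varies from run to run because the threads interleave, which is exactly why real projects report coverage from the coordinator's bookkeeping rather than from the workers' clocks.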

ActiveX attacks made the television news and the newspapers in Berlin. Hackers from the Chaos Computer Club demonstrated an ActiveX control which, once downloaded, checks whether Quicken is installed on the machine. If so, it hands Quicken a transfer order, which Quicken saves in its queue of pending transfer orders; the next time the victim sends the pending orders to the bank, all of them are executed, the planted one included. (An ActiveX control is native code running with the user's full privileges, so nothing confines it to the browser once it has been downloaded.) The Berlin newspaper "Tagesspiegel" quotes various officials at Microsoft et al. expressing disbelief or outrage, or saying "we're working on it". Some members of www-security thought people would catch the attack by checking outgoing transactions or balancing their checkbook. Others thought it could easily be missed if the transactions were small and carried nondescript names.

There's been a lot of talk about the new cryptography export regulations (EAR). One quote from the EAR says that printed material is not subject to it. One comment was that only 40-bit RC4 is exempt, and that the EAR even gives RSA's phone number so you can license it. Security fixes, firewall products, and virus-protection programs may now be export-controlled, even if they involve no cryptography.

Digital, Cylink, and TIS have been granted permission to export 56-bit encryption software under the new rules. All three firms have agreed to add "key recovery" by 1999. [For news releases from various sources, see URLs: -- CEL]

Nordic Post Security Service hopes to provide secure email for every Nordic citizen. They plan on using PGP with 1024-bit RSA keys, and no "third-party" key holder.

An NT denial-of-service bug was found. If you telnet to certain ports (perhaps unused ones; 135 was given as an example), type a few characters, and disconnect, CPU usage goes to 100% until the machine is rebooted. The workaround is to use the Control Panel to filter out unused ports.

The Simple Public Key Infrastructure (spki) working group was formed in the IETF. Subscribe by sending e-mail to with "subscribe spki [email address]" in the body.

The end-of-December holidays brought several spam attacks on email lists, including cypherpunks. Various technical solutions were discussed, but most required extra human effort.

In an unrelated move, cypherpunks went over to a moderated list on a temporary basis. Members with a strong anarchic/libertarian bent have problems with "censoring" the main list. Alternatives may include offering a separate, censored list alongside it.

A Georgia law meant to punish a state legislator for the success of his partisan web page is being challenged by the ACLU. Part of this law punishes anyone who "uses any individual name... to falsely identify the person" (the legislator used an official seal, without official sanction, on his web page). The ACLU sees this suit as a defense of anonymous and pseudonymous speech on-line.

A Maryland bill would make it illegal to send "annoying" or "embarrassing" e-mail. I wonder if I could go to jail if I was embarrassed about e-mail I sent out ...