LISTWATCH (7/10/98)

by Mary Ellen Zurko

This issue's highlights are from cypherpunks, risks, tbtf and e$.

I've taken a new job, so there's been some churn in the lists I watch. I signed up for TBTF immediately, cypherpunks as soon as I got mail agents working, and Risks as soon as I could. I also follow pkix, dcsb, and shaksper :-). As before, the list may change as my interests, work, or bandwidth varies. I'd be interested in hearing if there are other lists that people think are worth watching.

The Junger decision caused a lot of discussion on cypherpunks. Junger is a law professor in Ohio who wants to post examples of crypto on the web for teaching purposes. He has been challenging current export laws that prohibit that, mostly on the basis of the First Amendment. The judge found that "the Export Regulations are constitutional because encryption source code is inherently functional, because the Export Regulations are not directed at source code's expressive elements, and because the Export Regulations do not reach academic discussions of software, or software in print form." In addition, source code is "all but unintelligible to most people". Discussion on cypherpunks has pointed out that the basis of software patents is similar to the judge's findings and the difficulty in defining just which speech is protected, encouraged people to get involved in the appeals process (financially, testifying as experts, attending hearings, and so on), and explored ways to point up the similarities between source code and more obviously protected forms of speech, such as making it part of a book title or using English recognition instead of C to drive a computer. There is serious discussion of producing a flood of newspaper ads on a chosen date with the infamous 3 lines of RSA in Perl.

The National Security Agency has declassified its 80-bit-length Skipjack encryption algorithm and its 1,024-bit-length key exchange algorithm, and made them publicly available. The motivation is said to be enabling industry to write products that are interoperable with Fortezza. A cypherpunk reposted the almost 5-year-old Skipjack review which claimed that while the algorithm was strong, its release would "jeopardize law enforcement and national security objectives." I'd love for someone to comment on why it no longer does, but I suppose that would still be protected. Within 48 hours of the algorithms being posted, several reference implementations were available, timing tests were being done, and one group had posted an initial analysis. [Cf. newsitem on analysis below -ed.]

A researcher at Lucent found a flaw in many implementations of SSL V3 based on PKCS#1 padding checks that allows recovery of a specific session key after sending about one million carefully malformed messages to the server of interest. I really hope that attacks like this one generate an increased interest in auditing Internet-based applications.

The NY Times reported that a small gang tapped public phones at airports and stole a bunch of calling-card numbers. In a success story for human auditing, "The Secret Service was tipped off by AT&T, Bell Atlantic and MCI after they received an unusually high number of complaints from customers who had recently used their calling cards in airports."

The 22-member U.S. government Technical Advisory Committee to Develop a Federal Information Processing Standard for the Federal Key Management Infrastructure (TACDFIPSFKMI) (who names these things???) has failed in a two-year effort to design a federal computer security system that escrows keys. The panel wrote that it "encountered some significant technical problems that, without resolution, prevent the development of a useful FIPS. ... Because the focus of this work is security, we feel that it is critically important that we produce a document that is complete, coherent, and comprehensive in addressing the many facets of this complex security technology. The attached document does not satisfy these criteria." Administration officials said that the panel had simply needed more time. See for details.

A story from Wired posted on cypherpunks announced that Compaq is going to start shipping Fingerprint Identification Technology for PCs. They point out that it won't completely replace passwords for things like mobile network access (but of course don't say why). Privacy advocates are concerned that people will be pressured into using biometrics. A fake rubber finger might spoof the system, and "Toe prints [...] have not been tested". Perhaps not formally ... :-).

Walmart is in negotiations for check cashing machines that use biometric facial recognition.

A NY Times editorial said the government should stop encouraging weak crypto, and suggested that law enforcement pursue other methods, such as surreptitiously logging information before it was encrypted. Cypherpunks pointed out that keystroke logging is possible because of the poor reliability of commercial OSes (a sentiment I'd bet that most of us share) and theorized that someone was testing public reaction to this idea. One anonymous correspondent reminded folks about Intel's ability to download and run digitally signed software before control is transferred to the OS.

The BXA announced it was loosening export restrictions on certain large multinational financial institutions. They would only need a single approval for the use of crypto throughout their company (except for branch offices in terrorist states). This was of course greeted with derision on cypherpunks, as it does nothing for the general populace and it attempts to silence concerns about financial security and to pacify a major lobby.

The CIA is starting the "largest recruitment drive for new spies in its history" in order to rebuild that area and in response to overreliance on technical intelligence (satellites and listening devices). However, they also state that they need greater technical support for agent operations, so they're looking for computer expertise. One cypherpunk commented that this would be a good time to plant a mole.

The CIA director is warning that Y2K problems "provides all kinds of opportunities for someone with hostile intent".

A lawyer turned entrepreneur has patented a bracelet for monitoring parolees that sounds like an extension of Active Badge technology. It receives and transmits radio signals. It is aimed at determining whether any parolees are in the vicinity of a crime in progress, and cutting it off is thought to be discouraged by the suspicion that would arouse.

NY City is planning on installing cameras that would allow them to fine motorists that block busy intersections.

Metrorail [Washington D.C. area commuter rail system-ed.] is going to test smart cards, but promises not to sell any of the data they collect. They're looking at uses of these cards beyond just the Metro. They expect to get a much better picture of the traffic flow, and are guessing most people won't mind giving out their names and addresses for them (which, of course, you wouldn't need to track just traffic flow). The card is passed within three inches of the reader. "Riders can pass their entire wallet or purse over the disk." (Whoever wrote that never used a purse. How many purses have you owned where you could be sure that something in it was within 3 inches of some external point of the purse?)

A coalition of right and left organizations in New Jersey turned back the governor's proposal for a smart card driver's license that would have been required for all government programs as well as allowing a wide range of businesses and services to store information on it.

The U.S. Department of Transportation's proposed "Driver's License/SSN/National Identification Document" guidelines would compel all states to link driver's licenses and state IDs to SSNs.

[On the other hand, the Michigan Jobs Commission decided to stop using SSNs entirely, after exposure on the Web. Full details at Thanks to Glen Roberts for this pointer -ed.]

Gingrich has announced that he will work on easing encryption restrictions. Yet, he is credited with derailing recent bills in Congress that would have done just that. It's hard to know who your friends are ...

Bruce Schneier announced a monthly email newsletter on cryptography. I've signed up for it. Details are available at

Paul Kocher and his consulting firm announced they were able to crack certain smart cards based on inferences from fluctuating power consumption. [More information available at -ed] The VP of marketing for Bull Smart Cards said they had been aware of this attack for more than 4 years and were immune.

There's an OLE bug in Word 98 for Macintosh (and maybe others) that will also send some of the uncleared contents of memory when a document is emailed as an attachment.

The Post Office is worried about losing its monopoly on first class mail. In a speech, a retiring postmaster general said that "Research tells us that within the next 10 years, the infrastructure, security, and public acceptance issues that now limit electronic diversion (of communications currently sent as first class mail) will be solved."

Black Unicorn has some fun definitions related to security:

Security through Obscurity - Housekey under the doormat
Obscurity through Security - Blinded Digital Cash
Securely Obscure - Mixmaster Remailers
Obscurely Secure - Rivest's Chaffing and Winnowing / ECC
Secure the Obscure - Invasion of Granada
Obscure the Secure - RSA's Propaganda page
Secured and then Obscured - Common White House black bag team coverup tactic
Obscured and then Secured - Hillary's billing records
Secure but not Obscure - Digicash
Obscure but not Secure - RSA's SecurPC
Neither Secure, nor Obscure - CIA budget figures
Secured - Iridium's deployment date (Last satellites up already)
Obscured - Iridium's deployment rate (uses GSM for billing)
Unsecured - Whitewater Loan
Unobscured - Whitewater Loan