LISTWATCH (March 11, 1999)

by Mary Ellen Zurko

This issue's highlights are from cypherpunks, dcsb, risks, tbtf, privacy, and CRYPTO-GRAM.

Microsoft uses DCE UUIDs to uniquely identify OLE objects. What could be wrong with an engineering decision like that? It has turned into a major privacy problem. GUIDs (which is what they're now called by Microsoft) include the machine's Ethernet address. They're put into Office97 documents, and also reported by the registration wizard that collects the user's name and other demographic information. So, in theory, any document created with Microsoft tools can be traced to its creator. Microsoft's group product manager for Windows said the registration program shouldn't be sending that information without the user's consent (why would a user think to not let it send a GUID?), and that Microsoft technicians would look through the company's databases and expunge information that had already been collected. Phar Lap Software Inc. initially reported the problem.

Intel's Pentium III includes a unique serial number that can identify the processor (and perhaps indirectly the user). The stated purpose is to help corporations track and manage their PC inventory, and to provide another level of security for online banking and e-commerce applications. Conversation on this feature keeps going on, and on, in part because it neither seems extrodinarily effective for its stated purpose, nor seems to be something that can be securely turned off to keep it from doing any ancillary damage. Schneier points out that because of the untrusted software that runs on the box, "the only positive usage for processor IDs is the one usage that Intel said they would not do: stolen processor tracking." Discussion on cypherpunks pointed out Ethernet cards and Sun Unix boxes also have serial numbers that are accessible. There was also a bit of debate about how much privacy is already lost and how innocuous this feature is. You can expect to see conversations like this last one for some time to come, in part inspired by Scott McNealy's (Sun CEO) quote: "You have zero privacy anyway. Get over it." In a priceless another quote, David Aucsmith, security architect for chip maker Intel said "This is a new focus for the security community...The actual user of the PC -- someone who can do anything they want -- is the enemy." The Intel Developers Forum he spoke at spawned the rumor that the ID is really there for copy protection. Intel has announced several changes since some threatened boycotts, including moving the default to disabling the ID. Major PC vendors say they will disable the ID in the basic input/output system (BIOS) software. A quotable quote from Gateway's VP of product management & planning: "We know that the BIOS mechanism is completely secure." A cypherpunk pointed out that a trojan could flip the appropriate bit in CMOS, then cause the PC to reboot to enable it. Zero Knowledge Systems published an ActiveX program that bypasses Intel's Pentium Serial Number (PSN) Control Utility. It puts the serial number in a cookie file even when the Intel utility indicates the ID number is turned off.

An article on patent problems states that U.S. Patent 5848161 covers the practice of using encryption functions to hide credit card account numbers on the Internet.

The White House has a new privacy czar (first chief counselor for privacy), Peter Swire. He says he's going to review federal, private-sector and international privacy issues created by new information technologies.

A British government report has given the IT community 3 weeks to come up with an alternative to key escrow. The Department of Trade and Industry's policy had proposed licensing of encryption providers that would require them to hold copies of users' encryption keys for law-enforcement access to electronic communications. Interested parties have indicated the time is too short for meaningful dialog.

In more excitment from the UK, news reports had said that hackers had seized control of one of Britain's Defense Ministry's military communications satellites and issued blackmail threats. After a few days of speculation on the veracity of the report, the Ministry dismissed the story as "not true". In a humorous aside, someone tried to anonymously send email to cypherpunks indicating that they had done this sort of thing before. Unfortunately, they cc'ed the list directly, so it came with full headers. Anonymity isn't easy.

A sudden (small) spate of announcements came for "infomediaries" who want to provide privacy by managing customers' personal profiles (I'm sure it's only my choice of phrasing that makes this sound like "War is Peace" :-). PersonaXpress by PrivaSeek will provide a free service to maintain, update, and control the type and amount of personal information that marketers and advertisers draw from their customers they browse the Web. Their profiles will be encrypted and stored in Persona Vault. Companies accessing the information will be "screened" then asked to sign a contract "stating that they will adhere to a set of privacy practices". Another venture, Lumeria, will release an open-source version of their system so that other infomediaries can support it. This will also help to build trust, a big issue in this market-to-be.

One the same theme as infomediaries, ", a leading consumer healthcare network led by Dr. C. Everett Koop, former U.S. Surgeon General, announced [2/19] it is developing a Web-based personal medical record for consumers. The Personal Medical Record (PMR) will be introduced in the second quarter of 1999 and will be free to all Americans. It will enable consumers to create a lifelong record of their health that is secure and private."

Continuing with medical information, somehow private patient information found its way to the search area of the University of Michigan Health System. This was reported anonymously to Lauren Weinstein, PRIVACY Forum Moderator. The data was primarily names, addresses, phone numbers, and patient IDs (which in this case, and contrary to the norm, were *not* equivalent to Social Security Numbers). The problem was fixed rapidly after Lauren reported it. Although the URLs were publicly accessible, U Mich believes that only an insider could have found them.

From Peter G. Neumann and risks: "Sean Trifero was sentenced to one year in prison by a U.S. District Judge for intentionally damaging computer systems (Harvard, Amherst, a Florida ISP, and Alliant Technologies, including planting sniffers and denial-of-service attacks) and unauthorizedly accessing others (Arctic Slope Regional Corp. and Barrows Cable, Alaska), three years subsequent probation, 150 hours of community service, and $31,650 restitution. [Source: PRNewswire, 23 Feb 1999]"

Discussion of the UPS signature pads that trap your signature while you write it brought out a story from someone who said that UPS had claimed a suspect delivery had been made and signed for. When they pushed UPS and asked for a copy of the signature, they got it. It was the recipient's name, but it clearly was not in their hand. The theory was the delivery person had signed for it.

And now listwatch quotes TBTF reporting on CRYPTO-GRAM (with the URLs to go straight to the source :-):

..The long reach of the NSA

US spy agency has been reading other nations' cable traffic as if it were the morning paper

RSA opened an Australis office, staffing with with well known SSLeay developers. "Australia's Defence Department had awarded Security Dynamics a licence -- thought to be the first of its type in Australia -- to export uncrackable, commercial versions of SSLeay from the Brisbane centre, and Security Dynamics would use the office as its global export centre for SSL technology, bypassing US military bans." Freedom software was announced by Zero Knowledge Systems. It is based on a number of Cypherpunks inspired techologies, including anonymity, nyms, mixing, and traffic analysis defense. The shocker back in January was that the French Government abandoned its effort to control domestic use of encryption. Prime Minister Jospin announced they would abandon most aspects of the encryption legislation adopted in 1996. They anticipation proposed legislation allowing complete freedom in the use of all cryptography, abolishing the requirement to use trusted third parties, and providing instead increase funding for the police, combined with enhanced authority to demand plaintext in the course of an investigation. Recognizing that it would take several months to modify the legislation, he announced that the level for free use of encryption inside France would be raised administratively from the current 40-bit level to 128 bits. Shortly before that announcement, the NSA banned Furbies from the offices in case they could record parts of classified conversations. While there was discussion about whether or not Furbies actually record any new utterances, no one addressed the potential for covert channels based on how Furbies might adapt to time at the NSA... Lonne Allen Jaffe ( and others of Harvard University is working on a research paper on the use of ciphers by scientists to prove the authenticity of their work from the 16th century onward. If you have any information on the subject, they'd like to hear it.