LISTWATCH (January 20, 2000)

by Mary Ellen Zurko

This issue's highlights are from dcsb, risks, privacy, cypherpunks, and tbtf.

On 1/19 the DVD Copy Control Association and the EFF met in court to argue for and against the ordering of a Preliminary Injunction against the entire Internet, forbidding further dissemination of DeCSS, the source code module that decrypts DVD MPEG streams. Declan McCullagh has an excellent article at <http://slashdot.org/comments.pl?sid=00/01/18/2111232&threshold=0&commentsort=0&mode=flat&cid=330>. The event follows the first in-court meeting on 12/29 where DVD CCA asked for a Temporary Restraining Order (TRO) against named and unnamed operators of websites and other individuals distributing copies of DeCSS source code. There's a sense that if EFF and one of the defendants hadn't stepped up to the bar at the first court date, the TRO would have been issued. On 1/19, DVD CCA argued that the shrink wrap license forbade the extraction of the trade secrets that enabled DeCSS, and was in force from the time the software (Xing's DVD player) was installed and used. Early work on DeCSS was supposed to enable the building of a DVD player for Linux. Xing was used to reverse engineer a software DVD player, as it seems to have forgotten to decrypt its key, but the keys are only 40 bits anyway. DVD CCA wants to enjoin both hosting of the DeCSS code and linking to copies of it. The EFF argued that there was only one defendant so that an injunction should not apply to the entire Internet (interestingly, the defendant is a 15-year-old from Norway). An analogy with Coca-Cola was used by both sides: the plaintiff argued that DeCSS had been created by a process akin to breaking into the offices and stealing the formula, while the defense argued it was created in a manner similar to taking Coke to a laboratory for analysis. Both sides made a number of other arguments, both legal and technical.
[On 1/20 Federal Judge Lewis Kaplan granted a preliminary injunction against three of the defendants, firmly endorsing, point by point, the claims of MPAA made under provisions of the Digital Millennium Copyright Act (DMCA) for protecting intellectual property. -ed.]

The new US crypto regulations are out <http://www.eff.com/pub/Privacy/ITAR_export/2000_export_policy/20000112_cryptoexport_regs.html> and the reactions are coming in. Retail products are exportable to all but the terrorist nations, regardless of strength, after a one-time technical review and subject to some reporting requirements. There are some restrictions on selling non-products to foreign governments, ISPs and telcos. You can't knowingly email freeware crypto code to someone in a terrorist nation (what this means for sending it to email lists remains murky) but you can post it to the web with no restrictions on downloading. You just have to send the BXA the URL. They seem to want everyone exchanging crypto to register. There may be restrictions on source code for open cryptographic interfaces. The regulations are seen as complex (requiring lawyers to interpret) and don't address the First Amendment issues (you wouldn't have to tell the BXA before shipping a book on crypto). John Young posted the PGP sources to the web and couldn't get an official response from the BXA on Friday, Jan 14 as to whether or not he was breaking the law, but by Tuesday the 18th, Jim Lewis of the BXA stated that all Young had to do was notify them of the URL <http://cryptome.org/pgpfree/> to be in compliance. Kerberos is posted at <http://cryptography.org/source/kerbnet/> (with appropriate BXA notification given). A free crypto archive is available at <http://www.shmoo.com/crypto/>; submissions can be sent to crypto@shmoo.com. NAI seems to have taken advantage of the coming change in mid-December by getting a license to export PGP everywhere (excepting the terrorist states).

A secure, multi-platform, open-source chat system called Gale is available <http://www.gale.org/>. They are making much of the authentication and confidentiality features. Gale uses public-key signatures and encryption of individual private messages and uses public-key signatures on public messages.

A 19-year-old from NY has been sentenced to one year in jail for cracking into America Online computers and causing an estimated $50,000 in damages. He had been an AOL technical support volunteer. He replaced some AOL programs with his own. <http://www.usatoday.com/life/cyber/tech/ctg955.htm>.

<http://www.anybirthday.com/> reveals the birthday, city, zip code and gender information for what they claim is approaching 150 million U.S. adults. They claim that the majority of U.S. adults not under the age of 21 are listed. The privacy issues seem largely overlooked. Some people simply don't want their birthday and/or age known. For example, I've heard of problems with ageism on job searches. This site could also be used to find gender and age information from a list of names (many scams target the elderly). Attempts to get removed from the database have met with varying success.

There's more and more about PKIs out there:

The Australian Taxation Office plans to issue up to 2.1 million businesses with digital certificates that allow secure online dealings with the Tax Office and other government agencies. So far only Baltimore has gotten approval to issue certificates, but others are seeking accreditation.

Carl Ellison and Bruce Schneier wrote a critique of PKIs, "Ten Risks of PKI: What You're Not Being Told About Public Key Infrastructure" <http://www.counterpane.com/pki-risks.html>. It seems targeted at the overselling of PKIs to fix all your security woes (and of course no security solution can do that). Their targeting causes them to underplay the utility of PKIs where only the server authenticates to the client (as with many SSL connections today), the utility of the certificate checks done today (DNS name in the certificate), and intranet PKIs.

Peter Cassidy <pcassidy@triarche.com> is looking for the killer PKI application, NATO is setting up a PKI <http://nra.nacosa.nato.int/pki/documents.html> (without full mutual trust, of course), and JCP E-commerce and Security Newsletter, Issue 15 discussed when not to use a PKI (for small value transactions, for example). VeriSign, Inc., the largest provider of digital certificates for PKI operations, is purchasing the second largest provider, Thawte, Inc. <http://www.verisign.com/press/1999/corporate/1220_thawte.html>.

A Dallas County judge signed a temporary restraining order that would have required Yahoo to notify users that its privacy policy was being retracted until a lawsuit was resolved between Yahoo and Universal Image Inc. of Dallas. A day later, a different county court-at-law judge dissolved the order. Universal has a contract with Broadcast.com Inc., which was acquired by Yahoo. It gave Broadcast.com the right to distribute over the Internet certain instructional programs in exchange for providing registration data about the customers. Universal asserted that Yahoo has neglected to provide all of the customer information that is specified under the agreement. Yahoo's privacy policy promises not to disclose its customers' personally identifiable information without their permission. Advocates for stronger privacy regulations are using this as an example of why they're needed. <http://dallasnews.com/business/10334_yahoo24.html>

CDNow has options to use either SSL or PGP for security of the transactions <http://www.cdnow.com/cgi-bin/mserver/SID=0/pagename=/RP/HELP/order.html#8q>. A Children's Hospice in Wales also uses PGP as a security option for payments <http://www.tyhafan.org/donations/>.

There was discussion on Cypherpunks about DIRT, a program that monitors keystrokes and anonymously emails them every minute or so to the party conducting the surveillance. It also provides a server for making files available, running programs, and so on on the target host. DIRT actually surfaced about a year ago, and is meant to be used by Law Enforcement Agencies.

If you have a few idle CPUs, you may want to participate in this: Robert Harley, a PhD student at INRIA, is leading an effort to crack the 7th ECDL challenge of Certicom <http://www.certicom.com/chal/index.htm>.

The IETF has published a new Internet Draft on Use of HTTP State Management <http://www.ietf.org/internet-drafts/draft-iesg-http-cookies-02.txt>. It describes recommended uses of cookies and problematic uses of cookies and makes some recommendations about browser user interfaces.

Freedom, from Zero Knowledge Systems (ZKS) <www.freedom.net>, offers 5 pseudonyms for Internet activities (surfing, emailing) at one low price. One of their target customer bases is providing protection for children on the web. Extensive discussions on cypherpunks indicate that it's technically quite sound. The biggest question is what would happen if/when governmental pressure is brought to bear on ZKS (or on Canada, where they are). Freedom cannot run without ZKS (unlike Eternity services, which are designed to run even when host organizations are taken down). There's also the secondary issue that it currently only runs on Wintel configurations.

Alex Biryukov and Adi Shamir announced that they have a practical cryptanalytic attack against the A5/1 algorithm (which is the "strong" GSM privacy cipher) <http://www.crypto.com/papers/others/a5.ps>.

The Bubbleboy virus (not found in the wild) can be triggered by highlighting an email's title in Outlook if you're using its Preview Pane feature. Bubbleboy uses VBScript in an HTML page.

And finally, two excellent articles from a December TBTF:

____________

..Backflip and the limitations of privacy policies

Two privacy clauses we need to start seeing more of

A reader pointed me to a new Web service offered by the newly launched Backflip [7], which had been operating in stealth mode as The iTixs Project. Backflip's founders were early employees at Netscape. They offer a free service that personalizes Web searches. For them to do this you need to entrust Backflip with your entire browsing history and ongoing clickstream.

It'll probably be popular. Not for me though. In my view a site that offers services whose price is extremely sensitive and personal data ought to offer the strongest possible guarantees of user privacy. (On Thanksgiving day the New York Times ran an article titled "Storing your life in a Virtual Desktop" [8] at the top of their "Circuits" section. I was interviewed for this piece and the reporter quoted my extreme skepticism about the whole idea, on grounds of privacy and security.)

I read through Backflip's privacy policy [9] and it's fine as far as it goes, but here are two promises I wanted to see that are nowhere to be found.

1. [The Poison Pill.] If we sell the company, it will only be on terms that bind the purchaser in perpetuity to apply the same or stronger privacy policies to Backflip's data.

2. [The Divorce.] You have the right, when cancelling your account with Backflip, to request that we destroy all data collected as part of our business relationship. We will email you a confirmation that we have done so. Our data-lifecycle policies and practices are audited by the Better Business Bureau.

I have seen no discussion of the need for privacy policies that provide customers this level of assurance. Of all the privacy statements I've read, only that of Junkbusters [10] offers The Divorce.

If a database ever exists that catalogs every page I've visited, it will be on my own hard disk, and nowhere else.

[7] http://www.backflip.com/
[8] http://www.nytimes.com/library/tech/99/11/circuits/articles/25desk.html
[9] http://www.backflip.com/help/gh_privacy_out.html
[10] http://www.junkbusters.com/ht/en/aboutus.html

____________

..A systematic model for selecting cryptographic key sizes

How long a key will you need?

Bruce Schneier's excellent newsletter CRYPTO-GRAM (see TBTF Sources [21]) alerted me to the work of Arjen Lenstra and Eric Verheul, who have produced a model [22] by which you can calculate how strong your cryptographic keys need to be. The authors claim that this is the first uniform, properly documented treatment of the subject.

> The model, which formulates a series of explicit hypotheses about
> future developments and applies these to existing data about the
> cryptosystems, will enable organisations to arrive at a balanced
> evaluation of key size aspects when purchasing or developing
> cryptographic applications. The resulting key size recommendations
> are thus unbiased and not influenced by non-scientific
> considerations.

The bulk of Lenstra and Verheul's conclusions are contained in a single table [23]. I've excerpted the most salient data into a graph [24] -- use it to read off the key length you'll need in 2015 to fend off an adversary who will devote $40M over a year's time to the task of breaking your key.

[21] http://tbtf.com/sources.html
[22] http://www.cryptosavvy.com/
[23] http://www.cryptosavvy.com/table.htm
[24] http://tbtf.com/pics/lenstra-verheul.gif