Listwatch (3/27/00) by Mary Ellen Zurko (mzurko@iris.com) =================================================

This issue's highlights are from cypherpunks, risks, tbtf, and crypto-gram.

Members of Peacefire.org wrote and published a program (cphack.exe) that breaks the encryption in Cyber Patrol, a "censorware" Internet filtering application, displaying the list of sites it blocks and displaying the password used to enable and disable the filtering. Cyber Patrol has obtained a restraining order against the authors to prevent them from distributing it, accusing them of illegal reverse engineering. The counts include copyright infringement and theft of trade secrets. Mirror sites have sprung up for distributing an essay on the program and the program itself (www.openpgp.net/censorship/). There seems to be an injunction against the mirror sites too, which was mass emailed to them so that they all now have a list of all the known mirror sites. It does not work against the latest version of Cyber Patrol, which has changed its encryption. Cyber Patrol (and Mattel, their parent company) claims the suit is about disabling the software (through publishing the password). Pro-cphack spin says that programs like this have been around for 2 years and nobody sued anybody; that it's the publishing of the sites that are blocked that is making Cyber Patrol mad, and not because their competitive edge depends on it, but because of the large number of sites that are claimed to be mistakenly blocked. Peacefire has released programs that decrypt the lists of two competitors, X-Stop and I-Gear. Of the first 50 working .edu sites on those lists, Peacefire claims a 68% and 76% error rate, respectively (too bad they didn't do a random sample from the list to come up with a real, overall error rate instead). Examples of errors include: (1) a diagram of a milk pasteurization system written in Portuguese, (2) a page with 75 K of Latin, (3) two PowerPoint slides about network setup, and (4) volumes 4 and 6 of "The Decline and Fall of the Roman Empire". www.wired.com/news/politics/0,1283,35038,00.html, slashdot.org/article.pl?sid=00/03/20/0845236.
In an exciting escalation, Mattel has not only sent mass mailings to all mirrors of the critical web pages, they have allegedly added these mirror sites (and the authors' home pages) to their blacklist under all categories (after all, just what category would they use? :-).

A laptop computer containing sensitive information on Northern Ireland was stolen from an MI5 intelligence agent on March 4 when the Security Service worker stopped to help a passer-by in the ticket hall at Paddington Underground station in Central London. On March 23, a government source confirmed the theft and said: "We believe that the information on the laptop is secure. The theft is currently being investigated by the police." No word on whether the encryption key is stored on the laptop. 

The Korean Advanced Institute of Science and Technology (KAIST) will reportedly hold an international hacking contest. Hackers will attempt to break into a firewall the Protection Education Research Center has built, for prize money totaling W100 million. The contest aims to test the capacity of Korean information protection technology, and find out the international standard of hackers. (I was just reading an article on how public competitions aimed at amateurs were how the US's earliest memorials were commissioned.)

The French national assembly has voted to ban anonymous web hosting. One more vote will make it a law. Users must declare their identity to their hosting service, with a six month jail penalty if they provide false information. The hosting service must give the identities to the court, otherwise its owner faces a six month jail penalty. Voted text from the French national assembly on March 22: www.assemblee-nat.fr/2/pdf/ta0473-01.pdf (PDF, in French).

An annual survey by the FBI and the Computer Security Institute said that total verifiable losses in 1999 more than doubled to $266 million, while more than 90 percent of respondents reported detecting some form of security breach. The survey covered 643 corporations, banks and government organizations. CSI estimates that total losses attributable to computer crime are around $10 billion annually. Only one company in four surveyed reported the crimes in 1999, down 32% from 1998. 59% of the companies said the computer attacks initiated from the Internet, while 38% said they initiated from internal company computers. At least 74 percent of respondents reported security breaches including theft of proprietary information, financial fraud, system penetration by outsiders, data or network sabotage, or denial of service attacks. Information theft and financial fraud caused the most severe financial losses, put at $68 million and $56 million respectively. Losses traced to denial of service attacks were only $77,000 in 1998, and by 1999 had risen to just $116,250 (the survey occurred before the recent spate of high profile DDOS attacks). The survey showed quantified losses up at more than $8.2 million.

Stolen data on 485,000 credit cards was discovered on a U.S. government agency's Web site. Many of the credit cards remain in use today because there has been no evidence that any of the cards have been used in fraud, and credit-card companies and card-issuing credit unions decided that it would be too much trouble to shut down the accounts and issue new numbers, or even to tell the credit card holders about the potential leak. www.msnbc.com/news/382561.asp.

Dave Kormann and Avi Rubin evaluated Microsoft's Passport single sign-on protocol and examined the risks. Their paper (cs.nyu.edu/rubin/passport.html) will be presented at WWW9, which runs at the same time as Oakland this year, and where I will be chairing the Security session.

Actor Jerry Orbach is suing eBay for allegedly allowing a user to auction two of his old acting contracts. Reportedly, the scanned images of the contracts that advertised the sale showed his Social Security number, which allegedly resulted in credit card fraud. www.cnn.com/2000/SHOWBIZ/News/03/21/showbuzz/#story2.

The NSA holds a patent on a holographic storage device tbtf.com/blog/2000-03-19.html.

Two of the three defendants in the New York MPAA DeCSS case have withdrawn under consent agreements, leaving only the magazine 2600, which succeeds its publisher, Emmanuel Goldstein, as defendant. A trial date was set for December 5.

DoveBid, WebbitTown, and the Libertarian party all have a policy of digitally signing their press releases.

Is credit card fraud higher or lower? MasterCard is imposing a fine on merchants whose chargebacks are one per cent or higher of total sales, or 2.5 per cent or higher of total sales volume for more than two consecutive months. Conversely, Visa International announced last week that fees for lost or stolen cards will now be waived in view of card fraud losses reaching an all-time low during 1999. The move was prompted by fraud losses dropping to 6 cents for every USD 100 in 1999, compared to 7 cents per USD 100 in 1998, and 18 cents per USD 100 in 1992.

Microsoft Windows 2000 is using the usually blank "authorization data field" in Kerberos (which DCE also used), and not publishing how they're using it (impeding certain forms of interoperability). They did not follow the IETF procedure for deviating from a standard; the deviation is that they overwrite, instead of copying through, any information in that field from the request to the ticket (DCE did not deviate).

Eben Moglen, of Columbia Law School, makes the ultimate statement on the new US crypto export regulations: "It used to be that giving export control advice consisted of helping clients to comprehend unbelievably ridiculous statements in the present tense. Giving such advice now largely consists of helping clients to comprehend unbelievably ridiculous statements in the future conditional subjunctive. That's some kind of progress."

The Arizona Democratic Primary had the first binding election in the US with votes cast over the Internet. According to the elections.com website, each voter receives a PIN via postal mail that gets them access to the voting web page. A voter also has to answer "several questions" to confirm their identity. The instructions also remind the potential voter that "[...] it is a Class 5 felony offense to knowingly vote at an election when not entitled to do so." The Voting Integrity Project (www.voting-integrity.org/) raised concerns over unequal access.

Verisign agreed to acquire Web domain-name registrar Network Solutions in an all-stock transaction the companies valued at $21 billion.

Wondering what cypherpunks look like? Declan McCullagh has a photo archive (www.mccullagh.org/cgi-bin/photosearch.cgi?name=tim+may). I imagined Tim May much meaner, with fangs and a pointy tail :-).

President Clinton said that he considered cyberspace too insecure for him to correspond privately by e-mail with his daughter, Chelsea, who is away at college.

Finally, two older excerpts. The first is Spaf on the 2/8 White House Infosecurity meeting. I don't understand how the hacker suggestion is different from Tiger Teaming, and I don't understand most of the references to CERIAS, which seems to be Spaf's baby. Otherwise, a fine report:

 ---------------------------------- 

[Note: you may post this account or forward it to mailing lists, provided you pass the account and this notice in its entirety.]

Infosecurity at the White House
Gene Spafford

Prolog

Last week (ca. 2/8/00), a massive distributed denial of service attack was committed against a number of Internet businesses, including e-Bay, Yahoo, Amazon.com, and others. This was accomplished by breaking into hundreds (thousands?) of poorly-secured machines around the net and installing packet generation "slave" programs. These programs respond by remote control to send packets of various types to target hosts on the network. The resulting flood effectively shut those target systems out of normal operation for periods ranging up to several hours.

The press jumped all over this as if it was something terribly new (it isn't -- experienced security researchers have known about this kind of problem for many years) and awful (it can be, but wasn't as bad as they make it out to be). One estimate in one news source speculated that over a billion dollars had been lost in lost revenue, downtime, and preventative measures. I'm skeptical of that, but it certainly is the case that a significant loss occurred.

Friday, Feb 11, I got a call from someone I know at OSTP (Office of Science and Technology Policy) inquiring if I would be available to meet with the President as part of a special meeting on Internet security. I said "yes." I was not provided with a list of attendees or an agenda. Initially, I was told it would be a meeting of security experts, major company CEOs, and some members of the Security Council, but that was subject to change.

The Meeting

I arrived at the Old Executive Office Building prior to the meeting to talk with some staff from OSTP. These are the people who have been working on the Critical Infrastructure issues for some time, along with some in the National Security Council. They really "get it" about the complexity of the problem, and about academia's role and needs, and this may be one reason why this was the first Presidential-level meeting on information security that included academic faculty.

After a few minutes, I was ushered into Dr. Neal Lane's office where we spent about 15 minutes talking. (As a scientist and polymath, I think Lane has one of the more fascinating jobs in the Executive Branch: that of Assistant to the President for Science and Technology and Director of OSTP. For instance, on his table he had some great photos of the Eros asteroid that had been taken the day before.) We then decided to walk over to the White House (next door) where we joined the other attendees who were waiting in a lobby area.

Eventually, we were all escorted upstairs to the Cabinet Room. It was a tight fit, as there were over 30 of us, staff and guests (invitee list at the end). We then spent a half hour mingling and chatting. There were a lot of people I didn't know, but that's because normally I don't get to talk to CEOs. Most notably, there were people present from several CERIAS sponsor organizations (AT&T, Veridian/Trident, Microsoft, Sun, HP, Intel, Cisco). I also (finally!) got to meet Prof. David Farber in person. We've "known" each other electronically for a long time, but this was our first in-person meeting.

After a while, some more of the government folk joined the group: Attorney General Reno; Commerce Secretary Daley; Richard Clarke, the National Coordinator for Security, Infrastructure Protection and Counter-terrorism; and others. After some more mingling, I deduced the President was about to arrive -- several Secret Service agents walked through the room giving everyone a once-over. Then, without any announcement or fanfare, the President came into the room along with John Podesta, his chief of staff.

President Clinton worked his way around the room, shaking everyone's hand and saying "hello." He has a firm handshake. In person, he looks thinner than I expected, and is not quite as tall as I expected, either.

We all then sat down at assigned places. I had the chair directly opposite the President. Normally, it is the chair of the Secretary of State. To my left was Whit Diffie of Sun, and to my right was John Podesta. I was actually surprised that I had a seat at the table instead of in the "overflow" seats around the room.

The press was then let into the room. It was quite a mass. The President made a statement, as did Peter Solvik of Cisco. The press then asked several questions (including one about oil prices that had nothing to do with the meeting). Then, they were ushered out and the meeting began.

The President asked a few individuals (Podesta, Daley, Reno, Pethia, Noonan) to make statements on behalf of a particular segment of industry of government, and then opened it up for discussion. The next hour went by pretty quickly. Throughout, the President listened carefully, and seemed really involved in the discussion. He asked several follow-up questions to things, and steered the discussion back on course a few times. He followed the issues quite well, and asked some good follow-up questions.

During the discussion, I made two short comments. The first was about how it was important that business and government get past using cost as the primary deciding factor in acquiring computer systems, because quality and safety were important. I went on to say that it was important to start holding managers and owners accountable when their systems failed because of well-known problems. I observed that if the government could set a good example in these regards, others might well follow.

My second comment was on the fact that everyone was talking about "business and government" at the meeting but that there were other players, and that academia in particular could play an important part in this whole situation in cooperation with everyone else. After all, academia is where much of the research gets done, and where the next generation of leaders, researchers, and businesspeople are coming from!

Overall, the bulk of the comments and interchange were reasoned and polite. I only remember two people making extreme comments (to which the rest of us gave polite silence or objections); I won't identify the people here, but neither were CERIAS sponsors :-). One person claimed that we were in a crisis and more restrictions should be placed on publishing vulnerability information, and the other was about how the government should fund "hackers" to do more offensive experimentation to help protect systems. My summary of the major comments and conclusions is included below.

After considerable discussion, the meeting concluded with Dick Clarke reminding everyone that the President had submitted a budget to Congress with a number of new and continuing initiatives in information security and cybercrime investigation, and it would be up to Congress to provide the follow-through on these items.

We then broke up the meeting, and the President spent a little more time shaking hands and talking with people present. Buddy (his dog) somehow got into the room and "met" several of us, too -- I got head-butted in the side of my leg as he went by. :-) The official photographer got a picture of the President shaking my hand again.

The President commented to Vint Cerf how amazed he was that the group had been so well-behaved --- we listened to each other, no one made long rambling speeches, and there was very little posturing going on. Apparently, similar groups from other areas are quite noisy and contentious.

We (the invitees) then went outside where there was a large crowd of the press. Several of us made short statements, and then broke up into groups for separate interviews. After that was done, I left and returned home to teach class on Wednesday.

My interview with the local news station didn't make it on the 6pm news, and all the print accounts seemed to make a big deal of the fact that "Mudge" was at the meeting. Oh well, I thought "Spaf" was a way-cool "handle", better than "Mudge", but it doesn't go over as well with the press for some reason. I'll have to find some other way to develop a following of groupies. :-)

On Friday, I was back in DC at the White House conference center to participate in a working session with the PCAST (President's Committee of Advisors on Science & Technology) to discuss the structure and organization of the President's proposed Institute for Information Infrastructure Protection. This will have a projected budget of $50 million per year. CERIAS is already doing a significant part of what the IIIP is supposed to address (but at a smaller scale). Thus, we may have a role to play in that organization, as will (I hope) many of the other established infosec centers. The outcome of that meeting was that the participants are going to draft some "strawman" documents on the proposed IIIP organization for consideration. I am unsure whether this is significant progress or not.

Outcomes

I didn't enter the meeting with any particular expectations. However, I was pleasantly surprised at the sense of cooperation that permeated the meeting. I don't think we solved any problems, or even set an agenda of exactly what to do. There was a clear sense of resistance from the industry participants to any major changes in regulations or Internet structure. In fact, most of the companies represented did not send CEOs so that (allegedly) there would be no one there who could make a solid commitment for their firms should the President press for some action.

Nonetheless, there were issues discussed, some subsets of those present did agree to meet and pursue particular courses of action, and we were reminded about the President's info protection plan. To be fair, this is an area that has been getting attention from the Executive Branch for several years, so this whole event shouldn't be seen as a sudden reaction to specific events. Rather, from the PCCIP on, there has been concern and awareness of the importance of these issues. This was simply good timing for the President to again demonstrate his concern, and remind people of the national plan that was recently released.

I came away from the meeting with the feeling that a small, positive step had been made. Most importantly, the President had made it clear that information security is an area of national importance and that it is taken seriously by him and his administration. By having Dave Farber and myself there, he had also made a statement to the industry people present that his administration takes the academic community seriously in this area. (Whether many of the industry people got that message -- or care -- remains to be seen.)

I recall that there were about 7 major points made that no one disputed:

  1. The Internet is international in scope, and most of the companies present have international operations. Thus, we must continue to think globally. US laws and policies won't be enough to address all our problems.
  2. Privacy is a big concern for individuals and companies alike. Security concerns should not result in new rules or mechanisms that result in significant losses of privacy.
  3. Good administration and security hygiene are critical. The problems of the previous week were caused by many sites (including, allegedly, some government sites) being compromised because they were not maintained and monitored. This, more than any perceived weakness in the Internet, led to the denial of service.
  4. There is a great deal of research that yet needs to be done.
  5. There are not enough trained personnel to deal with all our security needs.
  6. Government needs to set a good example for everyone else, by using good security, employing standard security tools, installing patches, and otherwise practicing good infosec.
  7. Rather than new structure or regulation, broadly-based cooperation and information sharing is the near-term approach best suited to solving these kinds of problems.

Let's see what happens next. I hope there is good follow-through by some of the parties in attendance, both within and outside government.

Miscellany

Rich Pethia of CERT, Alan Paller of SANS, and I have drafted a short list of near-term actions that sites can implement to help prevent a recurrence of the DDOS problems. Alan is going to coordinate input from a number of industry people, and then we will publicize this widely. It isn't an agenda for research or long-term change, but we believe it can provide a concrete set of initial steps. This may serve as a good model for future such collaborative activities.

I was asked by several people if I was nervous. Actually, no. I've been on national television many times, and I've spoken before crowds of nearly a thousand people. Actually, *he* should have been nervous -- I have tenure, and he clearly does not. :-)

The model we have at CERIAS with the partnership of industry and academia is exactly what is needed right now. Our challenge is to find some ways to solve our faculty needs and space shortage. In every other way, we're ideally positioned to continue to make a big difference in the coming years.

Of the 29 invited guests, there was only one woman and one member of a traditional minority. I wonder how many of the people in the room didn't even notice?

Attendees
    Douglas F. Busch
    Vice President of Information Technology, Intel
    
    Clarence Chandran
    President, Service Provider & Carrier Group, Nortel Networks
    
    Vinton Cerf
    Senior Vice President, Internet & Architecture & Engineering, MCI Worldcom
    
    Christos Costakos
    Chief Executive Officer, E-Trade Group, Inc.
    
    Jim Dempsey
    Senior Staff Counsel, Center for Democracy and Technology
    
    Whitfield Diffie
    Corporate Information Officer, Sun Microsystems
    
    Nick Donofrio
    Senior Vice President and Group Executive, Technology & Manufacturing, IBM
    
    Dave Farber
    University of Pennsylvania
    
    Elliot Gerson
    Chief Executive Officer, Lifescape.com
    
    Adam Grosser
    President, Subscriber Networks, Excite@home
    
    Stephen Kent
    BBN Technologies (GTE)
    
    David Langstaff
    Chairman and Chief Executive Officer, Veridan
    
    Michael McConnell
    Booz-Allen
    
    Mary Jane McKeever
    Senior Vice President, World Markets, AT&T
    
    Roberto Medrano
    Senior Vice President, Hewlett Packard
    
    Harris N. Miller
    President, Information Technology Association of America (ITAA)
    
    Terry Milholland
    Chief Information Officer, EDS
    
    Tom Noonan
    Internet Security Systems (ISS)
    
    Ray Oglethorpe
    President, AOL Technologies, America Online
    
    Allan Paller
    Chairman, SANS Institute
    
    Rich Pethia
    CERT/CC, SEI at Carnegie-Mellon University
    
    Geoff Ralston
    Vice President for Engineering, Yahoo!
    
    Howard Schmidt
    Chief Information Security Officer, Microsoft
    
    Peter Solvik
    Chief Information Officer, Cisco Systems
    
    Gene Spafford
    CERIAS at Purdue University
    
    David Starr
    Chief Information Officer, 3Com
    
    Charles Wang
    Chief Executive Officer, Computer Associates International
    
    Maynard Webb
    President, Ebay
    
    Peiter Zatko a.k.a. "Mudge"
    @stake
    
-- COMPASS [for the CDC-6000 series] is the sort of assembler one expects from a corporation whose president codes in octal. -- J.N. Gray

===========================================

The second older excerpt is from back in early February, when privacy was hot; here's what TBTF had to say about the two biggest issues:

..DoubleClick flip-flops, gets sued

DoubleClick has insisted since 1996 that, while it tracks 100 million Internet users' browsing and buying habits across 11,500 Web sites, it does not identify users personally. But last June the company purchased Abacus Direct Corp., a direct-marketing services company with a database of names, addresses, phone numbers, and catalog purchasing habits of 90% of American households.

Cue the loud bassoon.

On 31 January Will Rodger of USA Today broke the news [16] that since December, at the latest, DoubleClick has been merging its anonymous, cookie-borne, unique-user-ID data with the personal data from Abacus. DoubleClick's move moved Lauren Weinstein, the ever-dependable voice of reason on privacy issues, to flights of prose and heights of alarm that have rarely been seen on the PRIVACY Forum [17].

In a massively lame attempt at damage control, DoubleClick asked Slashdot [18] to take down a link to the USA Today story. The story's poster, Hemos, refused.

Three days later a California woman sued DoubleClick for illegally collecting and selling consumers' personal information [19]. Her lawyer said she wants to represent the California general public in the suit.

DoubleClick replies, in effect, "What's the big deal? We let customers opt out of the tracking." How very generous. The instructions [20] for opting out will make your eyes cross. Be easy on yourself: edit your cookie file and delete all but one of the cookies for .doubleclick.net. Replace that one with:
.doubleclick.net TRUE / FALSE 1920499172 id OPT_OUT
Be sure to use a single tab, not spaces, for each whitespace in this line.

Or do like I do [21]: before you start your browser -- every time -- overwrite its cookie file with one containing only the innocuous and helpful cookies you want. [Since the time of this story, DoubleClick has backed down from its plans to link its cookie and meatspace data. Mez]

[16] http://www.usatoday.com/life/cyber/tech/cth211.htm
[17] http://www.vortex.com/privacy/priv.09.06
[18] http://slashdot.org/article.pl?sid=00/01/28/0917229
[19] http://news.cnet.com/news/0-1005-200-1531929.html
[20] http://www.mercurycenter.com/svtech/news/indepth/docs/dg012800.htm
[21] http://tbtf.com/archive/1999-08-23.html#s03
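The two cookie-file recipes above (replace every .doubleclick.net cookie with the single tab-separated OPT_OUT record, and rewrite the file to keep only the cookies you want) as a script; this is an added example, not TBTF's or this newsletter's code. It assumes the seven-field, tab-separated Netscape cookies.txt layout that browsers of the time used, and works on a constructed sample file rather than a real one.

```python
"""Rewrite a Netscape-format cookies.txt (assumed layout: seven tab-separated
fields per record: domain, include-subdomains, path, secure, expiry, name,
value; '#' lines are comments). Drops every doubleclick.net record, appends
exactly one OPT_OUT record, and optionally keeps only an allow-list of domains.
Example code written for this newsletter item; the sample file is constructed."""
from typing import List, Optional, Sequence

# The opt-out record quoted in the TBTF text; fields joined by single tabs.
OPT_OUT_FIELDS = (".doubleclick.net", "TRUE", "/", "FALSE", "1920499172", "id", "OPT_OUT")
OPT_OUT_LINE = "\t".join(OPT_OUT_FIELDS)

# Constructed sample cookies.txt. The last record is written with spaces instead
# of tabs, the mistake the text warns about; a browser would not load it.
SAMPLE_COOKIES_TXT = "\n".join([
    "# Netscape HTTP Cookie File",
    "# (constructed sample for this example)",
    "",
    ".doubleclick.net\tTRUE\t/\tFALSE\t1920499172\tid\t8000abcd1234",
    "ad.doubleclick.net\tFALSE\t/\tFALSE\t1920499172\ttest_cookie\tCheckForPermission",
    "www.example.com\tFALSE\t/\tFALSE\t1920499172\tsession\tabc123",
    ".example.org\tTRUE\t/\tTRUE\t1920499172\tprefs\tlang=en",
    ".doubleclick.net TRUE / FALSE 1920499172 id OPT_OUT",
])


def parse_cookie_line(line: str) -> Optional[List[str]]:
    """Return the seven fields of a record, or None for comments, blank lines
    and malformed records (wrong field count, bad flags, non-numeric expiry)."""
    if not line.strip() or line.startswith("#"):
        return None
    fields = line.rstrip("\n").split("\t")
    if len(fields) != 7:
        return None  # e.g. space-separated: the browser would ignore it too
    _domain, subdomains, path, secure, expires, _name, _value = fields
    if subdomains not in ("TRUE", "FALSE") or secure not in ("TRUE", "FALSE"):
        return None
    if not expires.isdigit() or not path.startswith("/"):
        return None
    return fields


def cookie_domain_matches(cookie_domain: str, target: str) -> bool:
    """True if the record's domain is `target` or a subdomain of it; the
    leading dot of a domain cookie is ignored, so '.doubleclick.net' and
    'ad.doubleclick.net' both match 'doubleclick.net'."""
    d = cookie_domain.lower().lstrip(".")
    t = target.lower().lstrip(".")
    return d == t or d.endswith("." + t)


def rewrite_cookies(text: str, allow: Sequence[str] = ()) -> str:
    """Keep comment lines, drop every doubleclick.net record and every
    malformed record, keep the rest (only `allow` domains when it is given),
    then append the single OPT_OUT record. Returns the new file contents."""
    out: List[str] = []
    for line in text.splitlines():
        if line.startswith("#"):
            out.append(line)
            continue
        fields = parse_cookie_line(line)
        if fields is None:
            continue
        if cookie_domain_matches(fields[0], "doubleclick.net"):
            continue  # all replaced by the one OPT_OUT record below
        if allow and not any(cookie_domain_matches(fields[0], a) for a in allow):
            continue
        out.append("\t".join(fields))
    out.append(OPT_OUT_LINE)
    return "\n".join(out) + "\n"


def count_records_for(text: str, domain: str) -> int:
    """Number of well-formed records in `text` that belong to `domain`."""
    n = 0
    for line in text.splitlines():
        fields = parse_cookie_line(line)
        if fields is not None and cookie_domain_matches(fields[0], domain):
            n += 1
    return n


if __name__ == "__main__":
    print(rewrite_cookies(SAMPLE_COOKIES_TXT, allow=["example.com"]), end="")
```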

=====================================================

..Texas company accuses Yahoo of privacy violations

In a considerably more complicated case, a Texas company called Universal Image has taken Yahoo to court [22] to test the legal theory that, under Texas law, using cookies to track visitors constitutes electronic stalking and eavesdropping. Universal Image has a long-standing beef with broadcast.com, which Yahoo inherited when it bought the streaming-media company last year. Universal might be accused of jumping on the privacy bandwagon to aid their ongoing legal quarrel, and perhaps of cynicism as well. The original point of their complaint was that broadcast.com wasn't turning over to them as much customer data as it should be doing. Cynicism or no, the case could still set legal precedent.

[22] http://www.zdnet.com/zdnn/stories/news/0,4586,2429363,00.html

____________