LISTWATCH: items from security-related mailing lists (August 1, 2000) by Mary Ellen Zurko

This issue's highlights are from cypherpunks, risks, dcsb, ACM technews, and TBTF.


It's DefCon week, and direct from there is the announcement of Mojo Nation, the beta version of a distributed file sharing system that uses agents, micro payments, its own currency (Mojo), reputation capital, and relay chaining for some amount of anonymity. Its goal is to create a file sharing economy.


John Young published a secret CIA overview of the U.S. intelligence community prepared for Japanese intelligence officials who visited the agency's headquarters in 1998 at his Cryptome site. He received this from a source in Japan, who was originally anonymous but has since been self-identified. He was contacted by two FBI agents who asked him to remove the material. He refused. They asked him to not identify them on his web site. He agreed, then changed his mind and did so. Debate raged over whether he was making government employees targets of harassment needlessly, or merely publishing information on government activities that he has a right to publish. He was so heavily referenced by sites such as slashdot and Drudge that his server was unreachable (the Drudge URL was munged, which generated a large error log which contributed to the problem). There was a suspicion of a denial of service attack (in fact, how is that different from a distributed denial of service attack? :-), but that doesn't seem to be the case. A CIA spokesman said "Public disclosure of that information is troubling. In terms of the information (in the briefing), it is not insignificant. We're always concerned when classified information is disclosed publicly." John got many kudos on cypherpunks for publishing information, and there was discussion of the best way to send him money anonymously to help him out. Discussion of how to cut the plastic or metal thread in US currency ensued.


A story in USA Today gave statistics on the number of search warrants served on AOL (according to court logs in Loudoun County, Va. where AOL is based): 33 in 1997, 167 in 1998 and 301 in 1999. House Majority Leader Richard Armey's (R-Texas) reaction was that, minimally, police need to tell Congress when, why and how they perform electronic searches. The most extensive search warrants ask for subscriber identity, billing data, payment history, e-mail, the online "handles" and names of people cataloged in members' "buddy lists", all files attached to e-mail, and all other information contained about the subscriber in the America Online databases. There is no official statement from AOL about whether or not it retains chat information.


Debate rages on Carnivore, the FBI's real time email interception tool that is installed in an ISP's network (with a court order). Is email like a phone call, or like a document? It seems that the current legal protections on the former are stricter than on the latter and the FBI would like to claim the latter. Yet Carnivore is said to collect only information from the To and From fields of targeted communication. That gives law enforcement the equivalent of the telephone world's "pen register" and "trap and trace" data--the origin and destination of all calls related to the subject. There's little hard information on the functions and capabilities in Carnivore. It's been pointed out that there are few technical restrictions on what Carnivore does and it could easily do more later. It needs to be on the ISP premises, physically hooked up to the ISP's backbone. Someone suggested that an ISP be recruited to lure the FBI into a Carnivore hookup then have a "breakin" and lose the box (to people who would reverse engineer it). Some folks argue it's not the technical details, but the right to do this at all that should be attacked. There seems to be no ISP review of the data collected, to validate it. The FBI has said that Carnivore will only be directed at specific targets of a wiretap order, yet brings up "anonymous, encrypted communications" as a threat that motivates its use. The FBI does plan "an independent verification and validation" of the system.


The British government passed a new Act of Parliament in which ISPs are required to fit interception devices to allow the Secret Services and other UK government departments to intercept and read emails. If emails are encrypted, the authorities may demand the key from the originator on pain of 5 years jail for informing anyone else that this demand has been made. Refusing to hand a key over is another 2 years in jail, but individuals will not be required to prove they do not hold the keys to encrypted material. Internet service providers will be required to set up secure channels to the Government Technical Assistance Center so they can transmit information about Internet traffic (now there's a target!). Law enforcers who ask to see records of Internet traffic will not be able to read the content of the messages. Web page logs (lists of Internet sites browsed) also may not be obtained without a warrant. Internet security experts are publishing some ways around the bill, including using free, anonymous ISP accounts, and cutting out the ISP altogether by running your own mail server.


Yet another buffer overflow bug, this one in the date field in Outlook, so that it can be exploited without the user needing to open the mail message.


Electronic signatures used to sign documents on the internet are now legally admissible in a court of law in the UK as handwritten signatures, according to the Department of Trade and Industry.


There has been much speculation on exactly when the RSA patent runs out. Consensus seems to be that it's one minute after midnight on Sept 20, 2000, in the US patent office's time zone. Coincidentally, that will be smack in the middle of NSPW 2000, which I am general chair of this year.


ZKS released the source code of its Freedom Linux kernel interface for public review, but the amount released is small and getting dissed by cypherpunks because of that. Neither the source code to the Freedom clients nor the Freedom servers has been released, nor any of the crypto.


EyeTicket Corp. in McLean, Va., has begun using iris scanning when registering passengers at Charlotte/Douglas International Airport in North Carolina and Flughafen Frankfurt Airport in Germany. EyeTicket has been scanning Charlotte/Douglas airport employees and U.S. Airways Group Inc. flight staffs since May.


At the O'Reilly Open Source Convention, astrophysics professor Gregory Benford said that he wrote and documented the first computer virus in the late 1960s on DARPANet. At the time, he predicted the rise of counter-agent software to combat viruses. "This is another story about how I lost $100 million in my spare time by not patenting any of this."


Stephen King is going to offer a novel on the web at $1 an installment. He will stop the installment if he doesn't get money from 75% of the downloads (I imagine this means he'll look at the web logs for the number of downloads, multiply that by .75, and see if that much money comes in).


The MIT Women's League (617.253.3656) is holding a panel on "PRIVACY IN THE AGE OF INFORMATION" on TUESDAY, OCTOBER 24, 2000, from 10 am to Noon, in MIT's WONG AUDITORIUM in the TANG CENTER (Building E51). Panelists are CHRISTINE VARNEY, RON RIVEST, PETER SZOLOVITS, and JOHN DEUTCH (a great lineup!).


Amir Herzberg is putting his demo-money where his mouth is. He's put the .pdf foils for the course "Introduction to Cryptography and Electronic Commerce" online. Downloading is free, but most documents require "paying" using IBM Micro Payments demo money.


Researchers at AT&T Labs are working on a system called Publius, that provides anonymous, censorship-resistant publishing on the web. It encrypts files and divides them into smaller pieces to be distributed over a number of servers, making it hard to trace the original transaction or eradicate the information from the Net.


Haven Co. announced "the world's most secure managed co-location facility based in the world's smallest sovereign territory, the Principality of Sealand." It generated a ton of buzz around June, and it does seem to have considered all the bases.


And finally, four bits from the 7/20 TBTF:


..A perfect privacy storm

Advertising industry is warned to shore up its house

You know the topic of privacy has arrived on the public agenda when the New York Times writes about the issue's nuanced implications for electoral politics [1] and CNN reports that the latest hot corporate title is Chief Privacy Officer [2]. / New York surveyed [3] the kinds of advice lawyers are now giving their corporate clients about privacy in light of these recent developments:

- 2000-04-21: The Children's Online Privacy Protection Act [4] went into effect, requiring Net companies that market to children to obtain verifiable parental consent and to follow other strict rules.

- 2000-05-22: The FTC, which previously had favored industry self-regulation, reversed field [5] and recommended to Congress that it enact legislation to protect online privacy.

- 2000-07-05: The European Parliament rejected [6] a proposed "safe harbor" data-protection agreement, two years in the making, between the Commerce Department and the European Union.

- 2000-07-10: The FTC sued to prevent bankrupt from selling its customer database [7].

The Internet advertising industry is justifiably nervous about the public's rising concern over online privacy. Wired reports [8] on a meeting last week of the Internet Advertising Bureau at which a TRUSTe spokesman warned attendees that a "perfect privacy storm" is brewing. He noted that Al Gore had recently gone on record as favoring opt-in solutions to Net privacy concerns, and that George W. Bush had soon hopped onboard that bandwagon. Opt-in is anathema to the Net advertising crowd.

Steve Gibson is exceptionally ticked-off at this crowd, especially the subset that peddles adbots and spyware [9]. Savor his impassioned and articulate call for ethics in data collection [10].

> I consider the actions of companies that hide behind their
> fine print, take advantage of consumer trust and ignorance,
> and deliberately leverage complex hidden technology, to be
> the lowest form of personal privacy exploitation.



..France: unintended consequences

In the wake of the ILOVEYOU virus, France moved to stamp out online anonymity within its borders [11], [12]. (The French distaste for anonymity predates the Internet by at least 150 years, as the note at [11] explains.) Now it appears that open-source development may suffer as a result of the proposed law. John Fremlin was quoted in a Freshmeat article [13]:
> As written, [the law] would unambiguously prohibit hosting of
> content of unspecified provenance; that is, sites on which
> users could post material would be legally obligated to
> somehow determine the true identities and postal addresses of
> their users.

Open Source projects never have such information about all of their far-flung contributors, and gathering it would be next to impossible. Under the proposed law, open-source projects currently hosted on French servers would have to move outside the country's borders.

This unintended consequence is particularly twisted given France's expressed preference [14] for open-source software over that from Microsoft.


..Poking at Echelon

French pot to examine Anglo-American kettle

A French prosecutor announced [37] he has launched a preliminary investigation into the workings of Echelon, the rumored worldwide spy system run by intelligence agencies in the US, UK, Canada, Australia, and New Zealand. (The announcement came on July 4th, the American Independence Day holiday -- that must have been intentional.) The French probe will focus on allegations that the members of the UKUSA Alliance have used Echelon's intercept capabilities for economic espionage. Both the US and Britain have denied this charge without admitting officially that Echelon exists.

Those inclined to cheer the French for their courageous probe into UKUSA snooping ought to cast an eye over this excellent ZDNet collection of new Echelon material [38]. It includes details on France's copycat system, unfortunately dubbed "Frenchelon" [39].

Separately, the European Union voted to empanel an investigation into Echelon [40]. But to the consternation of this probe's supporters, the panel was denied any investigatory powers. (It was set up as a "temporary committee" rather than as an "inquiry committee.") A member of Germany's Green Party, possibly with help from the Babelfish, called the resulting body a "toothless talkingshop."


..What if smart people wrote computer viruses?

Now THAT's a virus

Security experts were not much surprised when the Morris worm [41] dragged down 10% of the Internet overnight in 1998. Security experts in recent days have been unsurprised by Melissa, ILOVEYOU, DDoS attacks, and the thousands of other manmade ills to which the Net is heir. And I doubt they will be overly surprised when a truly nasty and devious piece of malware slouches toward Bethlehem to be born.

Remember the Central Park scene in "Crocodile Dundee" [42]? Mick and his love interest are accosted by a gang of punks, one of whom whips out a switchblade. The girl shouts, "Mick, watch out! He's got a knife!" Mick examines the switchblade with pursed lips then says dismissively, "Naah. That's not a knife." Reaching behind his back, he withdraws and displays his 12-by-4-inch blade. "THAT'S a knife."

Melissa? ILOVEYOU? That's not a virus.

For a glimpse of how bad it could be, scan these two thought experiments [43], [44]. The first is a conceptual design for the most elusive and versatile trojan horse the author could think up. It's bad enough. The second describes an actual project to design and build a worm of truly staggering stealthiness and damage potential.

Michal Zalewski and a few friends prototyped a worm the team called "Samhain." It was designed to:
- run on multiple platforms
- secrete itself invisibly
- employ a distributed library of system exploits to obtain privileges on the compromised system
- communicate in encrypted packets with other similar worms in a Freenet-like [45] "wormnet"
- spread automatically without user interaction

Its payload would be a plug-in module. The wormnet would discover new exploits and spread them immediately. The worm's code would morph constantly to defeat anti-virus signature checks. It would employ active countermeasures against debuggers and other nosy processes that might be capable of uncovering it.

If such a worm were competently developed and released into the world, the fate of the Internet would be in the hands of those who controlled it.

To discuss these or other proposed uber-viruses, please visit this Quick Topic forum [46].