LISTWATCH: items from security-related mailing lists (September 7, 2001)

by Mary Ellen Zurko (

This issue's highlights are from Privacy Forum Digest, ACM TechNews, dcsb, and Risks.


Fact Squad, set up by People for Internet Responsibility (PFIR) is set up to provide jargon free information about technology and its effects on society. Topics currently listed include Privacy and Digital Copyright and other Rights Issues.


The title of the article ("In a Dangerous World, Internet Security Cannot Be Left to Technologists Alone", is dopey and self serving (consultants say that they should be called in more). But the first part is an interesting read for those of us interested in the continuing debate of PKI's place in the universe. Are current problems from the economic slowdown, an architecture over hyped as a solution, over centralization, lack of consultants, lack of applications integration, or lack of web services standards? I've been hearing all these and more lately.


DMCA tidbits:

The DMCA can be used to shut down any web site for at least 10 days A British medical research firm shut down an animal-rights group that has been protesting the firm's treatment of animals by sending a letter claiming that the protest site violates the DMCA to the ISP. The ISP can be cleared of any legal responsibility if they shut down the site, and don't bring it up until they're provided with a counter-notification swearing under penalty of perjury that the person accused of violating DMCA believes the site not to be a copyright violation. After the ISP waits 10 days.

A US cryptography expert has broken Microsoft's e-book encryption, to get around it's 2 persona limit, but is staying anonymous and not publishing how to do it

Russia warned its computer experts of the dangers of visiting the US, since Sklyarov was arrested while visiting a hackers' convention in the United States.

The US Copyright Office says the DMCA is just fine (in part because its early days), though the law should be amended to allow backups and archiving

Dimitri Sklyarov and his employer ElcomSoft of Moscow pleaded not guilty to the charges of conspiracy and trafficking in technology for use in copyright circumvention.

The EFF has been gathering stories about the lawful use of the program.

At the USENIX security symposium, one student asked the SDMI panel, "Can I get in trouble with the DMCA for summarizing this session for my thesis advisor?" The panel unanimously agreed, "Yes" because the SDMI group only authorized presentation of Felten's paper at USENIX. No where else.

Fred Cohen is canceling the aspects of his research covered by DMCA and has withdrawn his forensic products from the market. His products were previously sold to law enforcement. He is discussing whether he needs to cancel classes that teach forensics and cryptanalysis.

A Risks reader posited that a blind person could sue the publisher under the Americans with Disabilities Act.

Matt Blaze's declaration regarding the Felton DMCA case is a good, straightforward read that makes a compelling case


From pgp-users: "A vulnerability in PGP's display of key validity has been discovered that could allow an attacker to fool users into thinking that a valid signature was created by what is actually an invalid user ID. If the attacker can obtain a signature on their key from a trusted third party, they can then add a second user ID to their key which is unsigned. The attacker must then switch the unsigned false user ID to primary and convince the victim to place the key on their key ring. In such a case, some of the displays in PGP do not properly identify the false user ID as invalid [unsigned? Mez] because the second user ID is fully valid. Whenever PGP displays validity information on a per-user ID basis [a different display mode? Mez], the display is correct. Thus, attentive users who examine the user IDs of all public keys which they import to their key rings will immediately notice this problem before it could have any impact [and how easy/likely is that to happen? Mez]." has the thesis and a picture of the exploit, though I can't quite match the picture to the description. Am I supposed to be looking at the "Unsigned" toggle as opposed to the nice green ball under "Validity" or the nice date under "Signed"?


Legal scholars say that lawsuits suing the companies and network providers of vandalized web sites for damages may be coming


Cross scripting techniques were used to demonstrate breaking Hotmail and stealing Passport IDs and credit card data.


Surveys sez:

A Computer Security Institute study reports a large increase in cybercrime reports.  The increase is attributed to the tightening economy and the lack of resources to pursue these breaks.  There is also a claim of greater cooperation between private companies and law enforcement agencies

The Confederation of British Industry (CBI) survey said that 2/3 of the companies responding had fallen victim to cybercrime in the past year. 69 percent said the financial loss was negligible.  The companies still fear their reputations could be tarnished.  53 percent of businesses felt safe trading online with other businesses, but confidence dropped to 32 percent when it came to dealing with consumers via the web.


Sitting in the Morristown (N.J.) Memorial Hospital, AT&T Labs' Avi Rubin noticed that his laptop wireless connection card was blinking, and then discovered that the hospital's wireless network was open to his laptop, using 802.11b (Wi-Fi) and automatically granting him access.  My favorite quote from Avi:  "Fortunately, I'm married to a lawyer, who advised me against looking [at the hospital traffic]."   When he alerted the hospital, they said that it was a "temporary situation" during an overhaul.


Almost a month after the SirCam virus was first spotted, the virus is still pouring into e-mail inboxes.  According to Sophos, an antiviral software company, SirCam accounted for a whopping 65 percent of all reported virus infections in July, a record unmatched by any other virus since Sophos started tracking them in 1998.  I got more copies of this virus than any other, and most I viruses I never even saw a copy of.  For others, they were caught at our routers and support notified me that I been the target recipient of one (usually through the cypherpunks mailing list :-).,1282,46087,00.html

I also felt the effects of the variants of Code Red for several days while I and others had various web based services disabled. I was shocked to see claims of over-hype targeted at the virus, since it had been many virus iterations since one disrupted my work life. Maybe it struck enterprises the hardest.


Pompiliu Donescu, Virgil D. Gligor, and David Wagner, in  "A Note on NSA's Dual Counter Mode of Encryption,'' (  show that both variants of the Dual Counter Mode of encryption (DCM) submitted for consideration as an AES mode of operation to NIST by NSA staffers are insecure with respect to both secrecy and integrity in the face of chosen-plaintext attacks.