Security-Related News Items from Security-Related Mailing Lists

by Mary Ellen Zurko, OSF Research Institute (

This issue's highlights are from e$ and e$pam.

Privacy continues to get a lot of attention on the Net. A Los Angeles television reporter used the name of a convicted child killer, Richard Allen Davis, and sent off a money order for $277 to the Metromail Corporation, which is owned by publishing giant R. R. Donnelly & Sons and is the nation's largest compiler and seller of consumer data. The reporter received a list of more than 5,000 children's names, addresses, phone numbers and ages. One can imagine other sorts of experiments targeting single women, gays and lesbians, and other group whose members are targets of attacks by virtue of their group membership.

Cookies are also getting their share of air time. Subscribers to put a request for a doubleclick cookie on their home page, allowing doubleclick to collect statistics on visitors to their subscriber base, and target advertising to those visitors, based on other home pages they've visited. A poster claimed that and the Internet Fast Forward netscape plugin for Windows can selectively filter cookie transmissions to web servers (as well as filtering out unwanted images, including but not limited to advertisements).

The big news this month was NTT's announcement of an encryption chip made in Japan (which therefore does not have the restrictions that US-made crypto does). They did not have the licenses to sell RSA in the US, but they're negotiating with RSA to get them.

A mailing list created by the US Federal Trade Commission to allow interested parties to discuss the issues surrounding the privacy interests of consumers visiting web sites. The address to subscribe to it is PRIVACY-REQUEST@FTC.GOV. The discussion topic centers on whether the FTC should regulate consumer web information.

There is also a new email list called hackerpunks, that is totally anonymous. The subscription address is, but only pseudonyms from may subscribe and post to the list.

Information warfare has also been getting a lot of attention. The director of the CIA announced plans for a center concerned with "very, very large" scale attacks to information infrastructures. In addition, the London Times published a story about attacks on financial institutions involving blackmailing and threats of suspended computer service. None of the sources in the story were named.

Drawing an analogy with encryption and US ITAR, a poster reported that A piper is being taken to court for practicing on Hampstead Heath, which has a bye-law forbidding music. Mr Brooks, the piper, has denied the charge. He claims he wasn't playing a musical instrument, but practicing with a weapon. In 1746 in England, bagpipes were declared to be instruments of war, not musical weapons, and a subsequent Act of Parliament specifically stated that they were weapons.

An article in the Financial Times discusses face recognition technology. The state of Massachusetts is going to be using a system based on work at MIT's Media Lab, to identify people using multiple id's for fraud. The MIT work breaks up pictures of a face into pixels, normalizes for factors such as distance and lighting, and selects facial features that can most easily distinguish one face from another.

A Florida bill ( ( was introduced that supports digital signatures as a form of legal signature. While current laws do not preclude this use, the bill is meant to further legitimize their use.

On Java security, Sun announced that Java would implement SKIP (Simple Key Management for Internet Protocol) for secure distribution of applets. SKIP is a sessionless key management protocol, and the product of an IETF working group.

The International Cryptography Experiment (ICE) at is concerned with evolving standards in CAPIs that promote international cryptography.

Micropayments got a lot of discussion on several mailing lists, as well as a list of their own. They're interesting from a security point of view for their cost/security trade-offs. Each item needing protection has a very small value, but the aggregation of the items can turn into "real money." A bunch of time has been spent discussing just what is a micropayment (under $1 and above 1 cent seems to be the consensus, although there are systems that can cover part of this range in use already). Concerns about UI were raised (users don't want to be bothered with small payments vs. users want control of their money), as well as the economic impact of having to pay for what we get free today.

There are few things I'd pay for that I get free today, but one of them is e$pam. It's Bob Hettinga's write-only electronic commerce channel, and it's where most of what I send to Cipher comes from. He's living proof of many of his favorite issues; that reputation capital can be built up, and that content selection is an increasingly important service. The subscription address is e$ It puts out about 20 mail messages a day. It covers the security aspects of electronic commerce, as well as the economic theory, and everything in between.