Computer underground Digest    Sun  Aug 9, 1998   Volume 10 : Issue 45
                          ISSN  1004-042X

      Editor: Jim Thomas ([email protected])
      News Editor: Gordon Meyer ([email protected])
      Archivist: Brendan Kehoe
      Shadow Master: Stanton McCandlish
      Shadow-Archivists: Dan Carosone / Paul Southworth
                         Ralph Sims / Jyrki Kuoppala
                         Ian Dickinson
      Field Agent Extraordinaire:   David Smith
      Cu Digest Homepage: http://www.soci.niu.edu/~cudigest

CONTENTS, #10.45 (Sun, Aug 9, 1998)

File 1--Security Researchers oppose pending copyright legislation
File 2--WIPO Letter From the InfoSec Community
File 3--Cu Digest Header Info (unchanged since 25 Apr, 1998)

CuD ADMINISTRATIVE, EDITORIAL, AND SUBSCRIPTION INFORMATION APPEARS IN
THE CONCLUDING FILE AT THE END OF EACH ISSUE.

---------------------------------------------------------------------

Date: Sat, 1 Aug 1998 12:04:30 -0500
From: Gene Spafford <[email protected]>
Subject: File 1--Security Researchers oppose pending copyright legislation

Sat, Aug 1, 1998

       LEADING SECURITY RESEARCHERS URGE CONGRESS TO RECONSIDER
                   PENDING COPYRIGHT LEGISLATION

  Washington, DC - A group of nearly 50 of the nation's top security
researchers and practitioners have delivered a letter to Congressional
leaders urging them to reconsider provisions of controversial legislation
concerning copyright protection. Several versions of the bill, H.R. 2281
(the "Digital Millennium Act"), are currently under consideration by the
House of Representatives, and one version has already passed the Senate.
The bill would make it illegal to circumvent "technological protection
measures" that could be used to protect digital works on the Internet.
However, those same technologies are also employed to protect users against
computer viruses, perform security tests of commercial network
installations, and conduct basic security education and research in
universities and government labs. The experts assert that if the bill is
passed in its current form, many vital forms of security testing may be
rendered illegal.

Realizing that scientists need to circumvent systems to conduct effective
research, the House Commerce Committee recently amended the bill to permit
circumvention for the purposes of encryption research. However, according to
security experts, such a provision simply does not go far enough.

"[The Commerce Committee bill] fails to further recognize that encryption
research is simply one aspect of security research, and that research is
different from actual practice. While [the bill] may exempt encryption
research, it still criminalizes other crucial techniques used in security
research and practice," wrote Eugene Spafford, the author of the letter,
and a world-leading expert in information security. "If passed in anything
similar to its present form, [the Digital Millennium Copyright Act] has the
potential to imperil computer systems and networks throughout the United
States, criminalize many current university courses and research in
information security, and severely disrupt a growing American industry in
information security technology. The result would be grave damage to the
U.S. economy and to national security."

Ironically, the letter comes at a time when security researchers are
working to alert the public to a significant security flaw found in three
of the most popular e-mail systems in use in the Internet. On Tuesday, the
U.S. Energy Department's security team issued an emergency bulletin,
confirming reports that Microsoft Outlook Express, Outlook 98, and
Netscape's Messenger Mail all contain serious security flaws. Identified,
in part, through processes of reverse engineering -- one of the techniques
that would be prohibited by the pending legislation -- the security hole
allows booby-trapped e-mail messages to cause havoc on a user's computer
system. Security researchers have noted that such serious security flaws
are often uncovered only because the public is able to freely test the
security of such programs. Public scrutiny and outcry are sometimes the
only way that such security flaws are identified and quickly fixed before
criminals can identify and exploit the flaw themselves. However, the
Digital Millennium Copyright Act could very well prohibit the processes of
public scrutiny, reverse engineering, and public notice that have
successfully identified these flaws to date.

Bruce Schneier, noted cryptography expert and author, described the
situation as "In our country there is a long tradition of consumer
advocacy.  Organizations like Consumer Reports regularly evaluate products
and make those evaluations available to buyers.  The WIPO provision against
encryption research would make it illegal for companies to evaluate
security products.  If a company asked me which firewall was good, it would
be illegal for me to tell them.  This is like the meat industry getting a
law passed making it illegal for someone to publicize that a particular
brand of hamburger has rat hair in it."

Spafford drafted the letter on Wednesday, July 29, after becoming aware of
the full import of the pending legislation. Within hours, 48 experts agreed
to act as co-signers. Spafford noted "If we had more time to solicit
supporters, we might have doubled the number of prominent names on the
letter. The community is gravely concerned that this legislation will
endanger information security in the U.S. Although we are against
violation of valid copyrights, we believe that legislation should be
designed to punish the violators rather than criminalize tools that are
also necessary to the protectors."


An electronic copy of the security researchers' letter is available at:
<http://www.cs.purdue.edu/homes/spaf/WIPO/>.  Contact details and pointers
to background information are also present at this location.

------------------------------

Date: Mon, 3 Aug 1998 23:57:08 -0500
From: [email protected] (Jim Thomas)
Subject: File 2--WIPO Letter From the InfoSec Community

SOURCE -  http://www.cs.purdue.edu/homes/spaf/WIPO/

  WIPO Letter From the InfoSec Community

What this is about

  The World Intellectual Property Organization (WIPO) produced a new
  treaty in 1996 for the protection of intellectual property. The U.S.
  signed the treaty, and Congress has been considering enabling
  legislation to bring U.S. law into alignment with treaty provisions.

  As part of this legislative process, a number of major trade groups
  and industry lobbyists have weighed in with their desires for the
  legislation. It appears as if only content producers and providers
  (e.g., entertainment companies and software publishers) have had
  significant influence, and the resulting law is very biased in their
  favor.

  In particular, the law in its current form appears to:

    * Ban reverse engineering of software in almost all cases
    * Restrict or eliminate traditional fair-use provisions on
      intellectual property
    * Prohibit research and production of technology that might
      be used to defeat copyright protection measures
    * Criminalize many currently accepted practices in
      information security.

  Thus, either directly or as unintended (?) consequences, the bill
  could severely restrict what professionals can do in education,
  research, and the practice of information security.

  The biggest problem with the bill is that it outlaws technology and
  research rather than simply criminalizing violations of copyright.
  This is roughly analogous to outlawing automobiles and research into
  engine design to prevent the possibility of drunk driving.

  A number of prominent lawyers have reviewed this bill and communicated
  their findings to me: they all agree (as much as any group of lawyers
  can agree) that the bill is as dismal as I have outlined here.

  The bill has passed the Senate. In the House, it has passed two major
  committees: Judiciary and Commerce. The Judiciary version is basically
  the version that passed the Senate. The version that passed the
  Commerce committee has had a few small amendments attached, including
  one that exempts some encryption research from the law -- but no
  general exemptions exist for other work in security.

What I Have Done About It

  After consulting with personnel on the ACM's Public Policy committee
  (of which I am a member), and staff of the Computing Research
  Association's Washington office (I am on the board of CRA), I wrote a
  letter to several members of Congress -- including the Speaker of the
  House, the chairs and ranking minority members of several involved
  House committees, and some key Senators. This is not a letter from
  either ACM or CRA, but a letter from me as a senior security
  professional.

  The letter outlines why I think the law is damaging to the profession,
  and encourages the Congressmen to do what they can to either have the
  bill reconsidered or simply not considered on the floor of the House
  this term.

  I decided to ask other security professionals if they wanted to be
  co-signers. 48 leading professionals agreed to add their names to the
  letter, despite there being only a few days to respond.

What You Can Do

  You can read my letter. If you agree with what I wrote in the letter,
  then you can write your own letter to your representative and senators
  expressing your opinion on the legislation. A phone call, or a
  personal visit to their local offices might also be beneficial.

More Information

  You can obtain more information on the Digital Millennium Act, H.R.
  2281, by consulting these pages:

    * A PCWeek article on the bill
    * Background material at dfc.org
    * Material from the EFF on the bill
    * For actual text of the bill, go to Thomas and search for
      'Digital Millennium Act'
    * Article from the current issue of the Chicago Lawyer

Letter Recipients

  Who                                       Why
  Representative Newt Gingrich              Speaker
  Representative Richard Armey              Majority Leader
  Representative Tom DeLay                  Majority Whip
  Representative Richard Gephardt           Minority Leader
  Representative David E. Bonior            Minority Whip
  Representative Gerald B.H. Solomon        Rules Committee Chair
  Representative Joe Moakley                Rules Committee Ranking Member
  Representative Thomas J. Bliley           Commerce Committee Chair
  Representative John D. Dingell            Commerce Committee Ranking Member
  Representative W.J. "Billy" Tauzin        Subcommittee on Telecommunications,
                                            Trade, and Consumer Protection Chair
  Representative Edward J. Markey           Subcommittee on Telecommunications,
                                            Trade, and Consumer Protection
                                            Ranking Member
  Representative Edward Pease               Representative of my District in
                                            Indiana
  Representative Henry J. Hyde              Judiciary Committee Chair
  Representative John Conyers, Jr.          Judiciary Committee Ranking Member
  Representative Howard Coble               Subcommittee on Courts and
                                            Intellectual Property Chair
  Representative Barney Frank               Subcommittee on Courts and
                                            Intellectual Property Ranking Member
  Representative F. James Sensenbrenner, Jr. Science Committee Chair
  Representative George E. Brown, Jr.       Science Committee Ranking Member
  Senator Orrin G. Hatch                    Judiciary Committee Chair
  Senator Patrick J. Leahy                  Judiciary Committee Ranking Member

The Text of the Letter

  August 1, 1998

  Dear Representative/Senator X:

  We, the undersigned, are a group of the nation's leading scientists
  and technologists in computer and network security with (collectively)
  hundreds of years of service in academia, industry and government. We
  are writing to express our profound concerns about both versions of
  H.R. 2281, the Digital Millennium Act. If passed in anything similar
  to its present form, H.R. 2281 has the potential to imperil computer
  systems and networks throughout the United States, criminalize many
  current university courses and research in information security, and
  severely disrupt a growing American industry in information security
  technology. The result would be grave damage to the U.S. economy and
  to national security. We recently became aware of provisions of this
  legislation, and we are now seeking to have H.R. 2281 recast to
  address our concerns, or prevented from being passed into law.

  The growing use of network-based information sources does indeed
  create new opportunities that require updated protections. As
  producers ourselves of articles, books and software, we are in favor
  of appropriate copyright regulations. However, H.R. 2281 takes an
  approach that has damaging side-effects: rather than criminalizing
  inappropriate actions, it would restrict technology and techniques
  that have legitimate and vital uses in information security, such as
  reverse-engineering. By analogy, the approach taken in 2281 is akin to
  banning the development and sale of automobiles to curtail drunk
  driving, or criminalization of the sale of paper and ink to prevent
  the possibility of libel. While sometimes of potential use to
  infringers, most information security-related technologies are also
  essential for security practitioners to maintain the protection of the
  public. Ironically, the provisions of H.R. 2281 may actually hinder
  researchers in developing and deploying future copyright protection
  technologies.

  We believe that the damage that would be wrought by H.R. 2281 is
  unintentional. For instance, by amending H.R. 2281 to permit
  encryption research, the Commerce Committee evidenced recognition of
  the great importance of that sub-field of research. However, their
  version of the bill fails to further recognize that encryption
  research is simply one aspect of security research, and that research
  is different from actual practice. While that version of H.R. 2281 may
  exempt encryption research, it still criminalizes other crucial
  techniques used in security research and practice.

  Here are four examples of how security practice and research consists
  of much more than encryption research and depends on technologies and
  techniques that H.R. 2281 would prohibit:
    * When a new computer virus is discovered, it is necessary to
      reverse-engineer the programs that are affected to discover how
      the virus spreads, how to remove it to disinfect the programs, and
      how to build defenses against future encounters with the same
      virus. However, H.R. 2281 only allows reverse engineering for the
      purposes of interoperability. This legislation would thus
      criminalize anti-virus efforts because they include examination of
      copyrighted code for other than the "sole purpose" of
      interoperability. Furthermore, it would criminalize the
      development, refinement, and sale of any software tools that would
      make such virus analysis more effective.
    * Penetration analysis is a time-tested method of examining networks
      and computers for unnoticed security flaws. Regularly used by
      major accounting firms, government agencies, and independent
      consultants in assessing security, penetration analysis is the
      practice of breaking into a system to see if it resists attack.
      Because penetration analysis is not encryption research, H.R. 2281
      might criminalize the teaching, the performance, and the
      development of supporting technology for many forms of this
      valuable approach to security research and practice.
    * Several universities offer detailed coursework in software
      disassembly, reverse-engineering, penetration analysis, and
      related fields as a means of training information security
      professionals. This is not done to violate the property rights of
      any software owners but to provide an appropriate education in an
      area of critical national need; this is similar to medical
      students learning dissection and anatomy on real bodies to hone
      fundamental skills. H.R. 2281 could be interpreted as prohibiting
      such education, labeling it as "trafficking in certain
      technologies... that can be used to circumvent a technological
      protection measure."
    * Major vendors are often unable (or unwilling) to adequately test
      mass-market software packages. When these packages are released
      into the marketplace, they are adopted by thousands of businesses.
      With the significant emphasis on cost-cutting and
      interoperability, these "COTS" (commercial, off-the-shelf)
      packages are also widely adopted by U.S. government agencies and
      the military. Upon release, these packages are intensely
      scrutinized by hackers, spies, and criminals throughout the world
      as they search for flaws they can exploit. The same packages are
      also examined by hundreds of computer users, searching for flaws
      so as to protect their own systems. When these "good guys" find
      flaws, they report them to the vendors and the user community so
      that the flaws can be fixed. While real criminals will not be
      dissuaded, H.R. 2281, in any of its forms, will almost certainly
      restrict those who wish to search and report flaws in "good
      faith."

  We are law-abiding citizens who work in a leading-edge area of science
  and technology; we are not seeking to infringe others' valid economic
  interests protected by copyright. However, to advance the state of the
  art, it is necessary for us to have freedom of inquiry and
  experimentation. It is essential that we be able to freely conduct
  security research so that stronger and more robust technology
  protection measures will be developed. Thereafter, professionals need
  the freedom to apply the results of our research to protect the
  interests of copyright owners, the privacy of citizens, and the
  security of U.S. business and government.

  We urge Congress to reconsider H.R. 2281 -- both the version passed by
  the Committee on the Judiciary and the Commerce Committee. We believe
  the best approach is to criminalize inappropriate behavior and intent,
  and not ban technology with multiple uses in this fast-moving field of
  critical, national importance. If such a reconsideration is not
  possible, we strongly recommend that the bill not be passed this
  legislative session. Several of us are willing to assist Congress in
  developing an appropriate replacement or modification of the
  legislation, if asked.

  (N.B. Titles, affiliations and city of residence below are provided
  for identification only; the material presented in this letter is the
  personal and professional opinion of the people listed, and not
  necessarily the official position of their employers or
  organizations.)

  Signed,

  Eugene H. Spafford, Ph.D., FACM
  Professor of Computer Sciences
  Director, Center for Education and Research in
  Information Assurance and Security (CERIAS)
  Director, the COAST Laboratory
  Purdue University
  West Lafayette, IN 47907-1398
  (765) 494-7825
  <[email protected]>

Co-Signers

  Ronald L. Rivest, Ph.D.
  Edwin S. Webster Professor of Electrical Engineering and Computer
  Science
  EECS Dept., MIT
  Associate Director of MIT's Laboratory for Computer Science
  Member, National Academy of Engineering
  Arlington, Mass

  Peter S. Browne
  Senior Vice President and Division Head
  First Union Corporation
  Information Technology Services and Information Security
  Charlotte, NC

  Howard O. Halpin III
  Vice President, Information Technology
  Motorola Computer Group
  Tempe, Arizona

  Peter J. Denning, PhD, FACM, FIEEE, FAAAS
  Past President, Association for Computing Machinery
  George Mason University
  Fairfax, VA

  Lance J. Hoffman, Ph. D., FACM
  Professor of Computer Science
  Director, Cyberspace Policy Institute
  The George Washington University
  Washington, D. C.

  Thomas A. Berson, Ph.D.
  President, Anagram Laboratories
  Past-President, International Association for Cryptologic Research
  Chair-Elect, IEEE Computer Society Technical Committee on Security and
  Privacy
  Palo Alto, CA

  Joan Feigenbaum, PhD
  Editor-in-Chief, Journal of Cryptology
  Division Manager, Algorithms and Distributed Data Research
  AT&T Labs - Research
  New York, NY

  Andrew W. Appel, Ph.D., FACM
  Professor of Computer Science
  Princeton University
  Princeton, NJ

  Keith A. Marzullo, Ph.D.
  Associate Editor, IEEE Transactions on Software Engineering
  Associate Professor, Dept. of Computer Science and Engineering
  University of California, San Diego
  La Jolla, CA

  William J. Cook
  Intellectual Property Attorney & Co-Chair of ABA Science & Technology
  Global Network Committee
  Winston & Strawn
  Chicago, IL

  Daniel E. Geer, Jr., Sc.D.
  Vice President & Senior Strategist
  CertCo, LLC
  55 Broad Street
  New York, N.Y.

  Virgil D. Gligor, Ph.D.
  Professor of Electrical Engineering
  University of Maryland
  College Park, Maryland

  J. Douglas Tygar, PhD
  Professor of Computer Science and Information Management
  University of California,
  Berkeley, CA

  Kevin S. McCurley, Ph.D.
  President, International Association for Cryptologic Research
  and Research Staff Member, IBM Research
  San Jose, CA

  Dr. J. Thomas Haigh, Ph.D.
  Vice President and Chief Technologist
  The Secure Computing Corporation
  Minneapolis, MN

  Ross Stapleton-Gray, Ph.D.
  President, TeleDiplomacy, Inc.
  Adjunct Professor, Georgetown University
  Arlington, VA

  Edward W. Felten, Ph.D.
  Assistant Professor of Computer Science
  Director, Secure Internet Programming Laboratory
  Princeton University

  Bruce Schneier
  President, Counterpane Systems
  Author, Applied Cryptography
  Minneapolis, MN

  David P. Maher, Ph.D.
  Division Manager and Head, Secure Systems Research Department
  AT&T Labs
  Livermore, CA

  Bennet S. Yee, PhD
  Assistant Professor of Computer Science
  Co-director, Cryptography and Security Laboratory
  University of California
  San Diego, CA

  Karen F. Worstell
  Principal, SRI Consulting
  Director, Research and Technology
  International Information Integrity Institute (I-4)
  Houston, TX

  Michael Merritt, PhD
  Division Manager, Specification and Algorithm Research Department
  AT&T Labs -- Research
  Mendham, NJ

  Stuart Haber, Ph.D.
  Chief Scientist,
  Surety Technologies
  New York, N.Y.

  Jack V. Leifel
  Senior Director, Information Technology Services
  Cellular Infrastructure Group, Communications Enterprise
  Motorola, Inc.
  Arlington Hts., Il.

  Gary Garb,
  Director, Corporate Computer & Information Security
  Unisys Corporation
  Bensalem, PA

  Jonathan K. Millen, Ph.D.
  Senior Computer Scientist
  SRI International
  Palo Alto, CA

  Susan Swope, CISSP
  Deputy Program Director,
  International Information Integrity Institute (I-4)
  Senior Consultant
  SRI Consulting
  Menlo Park, CA

  Barbara J. Pease
  Senior Scientist
  Information Warfare and Secure Systems Engineering
  MITRE Corporation
  Somerville, MA

  Hilary H. Hosmer
  President
  Data Security, Inc.
  Bedford, MA

  Michael K. Reiter, Ph.D.
  Principal Technical Staff Member
  AT&T Labs - Research
  Raritan, NJ

  Jonathan Trostle, PhD
  Senior Software Engineer
  Cisco Systems
  Cupertino, CA

  John J. Kinyon
  Manager, Corporate Information Security and Risk Management
  Motorola, Inc.
  Lake Zurich, IL

  Becky Bace
  President/CEO Infidel, Inc.
  Security Engineering Services
  Scott Valley, CA

  Douglas R. Steinbaum
  Electronics Engineer
  Network Security Section, Naval Research Laboratory
  Alexandria, VA

  James Cannady
  Research Scientist
  Georgia Institute of Technology
  Atlanta, GA

  Julie L. Connolly
  Lead Information Systems Security Engineer
  The MITRE Corporation
  Nashua NH

  Daylan Darby
  Lead Software Engineer
  Information Warfare - The Boeing Company
  Seattle, WA

  Joseph C. Konczal
  Computer Scientist
  National Institute of Standards and Technology
  Mount Airy, MD

  William Hill
  Lead INFOSEC Engineer
  The MITRE Corporation
  Vienna, VA

  Daniel Thomas Grove
  HP Software Security Team Coordinator
  Hewlett-Packard Company
  San Jose, CA

  Steven W. Lodin
  Manager, Information Security Services
  Ernst & Young LLP
  Indianapolis, IN

  Robert H. Bagwill
  Computer Specialist
  National Institute of Standards and Technology
  Montgomery Village, MD

  Roger A. Safian
  Information Security Coordinator
  Northwestern University
  Evanston, Il

  Carl M. Ellison
  Senior Security Architect
  (organization withheld)
  Portland, OR

  David R. Campbell, CNE
  CIO
  WireX Communications, Inc.
  Vancouver, WA

  Puck-Fai
  Senior INFOSEC Engineer
  The MITRE Corporation
  Mitchellville, MD

  Amgad Fayad
  Sr. INFOSEC Engineer
  The MITRE Corporation
  Springfield, VA

  David Wagner
  Founding Member, ISAAC Security Research Group
  University of California, Berkeley
  Berkeley, CA

  Gene Spafford
  [email protected]
  Date Last Modified: 7/30/98

------------------------------

Date: Thu, 25 Apr 1998 22:51:01 CST
From: CuD Moderators <[email protected]>
Subject: File 3--Cu Digest Header Info (unchanged since 25 Apr, 1998)

Cu-Digest is a weekly electronic journal/newsletter. Subscriptions are
available at no cost electronically.

CuD is available as a Usenet newsgroup: comp.society.cu-digest

Or, to subscribe, send post with this in the "Subject:" line:

    SUBSCRIBE CU-DIGEST
Send the message to:   [email protected]

DO NOT SEND SUBSCRIPTIONS TO THE MODERATORS.

The editors may be contacted by voice (815-753-6436), fax (815-753-6302)
or U.S. mail at:  Jim Thomas, Department of Sociology, NIU, DeKalb, IL
60115, USA.

To UNSUB, send a one-line message:   UNSUB CU-DIGEST
Send it to  [email protected]
(NOTE: The address you unsub must correspond to your From: line)

CuD is readily accessible from the Net:
 UNITED STATES: ftp.etext.org (206.252.8.100) in /pub/CuD/CuD
   Web-accessible from: http://www.etext.org/CuD/CuD/
                 ftp.eff.org (192.88.144.4) in /pub/Publications/CuD/
                 aql.gatech.edu (128.61.10.53) in /pub/eff/cud/
                 world.std.com in /src/wuarchive/doc/EFF/Publications/CuD/
                 wuarchive.wustl.edu in /doc/EFF/Publications/CuD/
 EUROPE:         nic.funet.fi in pub/doc/CuD/CuD/ (Finland)
                 ftp.warwick.ac.uk in pub/cud/ (United Kingdom)


The most recent issues of CuD can be obtained from the
Cu Digest WWW site at:
 URL: http://www.soci.niu.edu/~cudigest/

COMPUTER UNDERGROUND DIGEST is an open forum dedicated to sharing
information among computerists and to the presentation and debate of
diverse views.  CuD material may  be reprinted for non-profit as long
as the source is cited. Authors hold a presumptive copyright, and
they should be contacted for reprint permission.  It is assumed that
non-personal mail to the moderators may be reprinted unless otherwise
specified.  Readers are encouraged to submit reasoned articles
relating to computer culture and communication.  Articles are
preferred to short responses.  Please avoid quoting previous posts
unless absolutely necessary.

DISCLAIMER: The views represented herein do not necessarily represent
           the views of the moderators. Digest contributors assume all
           responsibility for ensuring that articles submitted do not
           violate copyright protections.

------------------------------

End of Computer Underground Digest #10.45
************************************