precedence: bulk
Subject: RISKS DIGEST 19.41
RISKS-LIST: Risks-Forum Digest Friday 17 October 1997 Volume 19 : Issue 41
FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator
***** See last item for further information, disclaimers, caveats, etc. *****
Contents:
New York air traffic slowed by Construction effluvia (PGN)
Union Pacific rolling (?) stock (Daniel P. B. Smith)
Indian satellite failure (Scott Lucero)
Paris police computer spares Corsican motorists (Gianfranco Boggio-Togna)
Another way to exploit local classes in Java (Andre L. Dos Santos)
Risks of installing Internet Explorer 4.0 (Bryan O'Sullivan)
Cold weather impairs fiber performance (Stig)
Stink-Bombed Computers (Stuart L. Anderson)
US West and 911: Silence Is OK (Scot E. Wilcoxon)
The risks of license servers (Dan Wallach)
Risk of not updating web pages (John Oliver)
Re: Possible breakthrough in NP-completeness (Mark Stalzer,
Michael A. Schatz via Gary McGraw)
Microsoft euphemisms (Matt Welsh)
Re: AOL may introduce ads on private e-mail (Matt Welsh)
Re: FBI wants to ban the Bible: steganography (Brian Clapper)
Re: FBI wants to ban the Bible: Linear A/B (Stephen Crane, Mike Williams)
The Electronic Privacy Papers: A new book by Schneier/Banisar (Bruce Schneier)
Abridged info on RISKS (comp.risks)
----------------------------------------------------------------------
Date: Thu, 16 Oct 97 10:40:17 PDT
From: "Peter G. Neumann" <
[email protected]>
Subject: New York air traffic slowed by Construction effluvia
Air contamination (dust? chemicals?) from an overnight renovation project at
the Westbury New York area air-traffic control center caused controllers to
have to leave their stations for almost 10 hours on 15 Oct 1997. Only a few
controllers were able to keep some air traffic going, with a spacing of 30
miles instead of five. Newark was hit the hardest of NY's airports, with
150 flights canceled and arrival delays up to five hours. [*San Francisco
Chronicle* News Services, 16 Oct 1997, and other sources]
------------------------------
Date: Tue, 14 Oct 1997 14:16:16 -0400 (EDT)
From: "Daniel P. B. Smith" <
[email protected]>
Subject: Union Pacific rolling (?) stock
Following Union Pacific's assimilation of Southern Pacific, to form the
nation's largest railroad, UP has been unable to accurately track its
freight cars, resulting in gridlocks and lost trains -- most visibly in the
southern corridor from LA to Texas, the Gulf Coast region, and the central
corridor from Oakland to Chicago. There are major bottlenecks in LA, North
Platte, Chicago, and Houston. Integrating the computer systems was
reportedly ``more difficult than anticipated.''
There are many horror stories, including a load of liquid gas that had
"virtually evaporated into thin air by the time it arrived;" it took 51 days
to ship a load of plastic resin from Dallas to Forth Worth; a shipment from
Memphis to California by way of Little Rock, _then Memphis, then Little
Rock, then Memphis, then Little Rock,_ then El Paso...
A Mr. Lundgren of Englin Cotton Oil Mill reported watching one of his own
freight cars on UP tracks barreling past his office. ``A few days later, he
saw it pass again in the opposite direction.''
[Culled by PGN from Daniel's submitted item by Anna Wilde Mathes and
Daniel Machalaba, *Wall Street Journal*, Monday, 13 Oct 1997, p. B1, and
another detailed item by Carl Nolte and Kenneth Howe, *San Francisco
Chronicle*, 11 Oct 1997, D1]
------------------------------
Date: Mon, 06 Oct 97 12:18:02 EST
From: "lucero" <
[email protected]>
Subject: Indian satellite failure
According to the 6 Oct 1997 *Daily Brief*, officials in India say the
country's most advanced communications satellite was abandoned yesterday due
to a power failure aboard the craft. The loss of the satellite reportedly
affected communications to remote parts of the nation and the operation of
satellite-dependent functioning of India's stock exchange. This appears to
be an example of the familiar RISK of having a single point of failure, or,
more colloquially, putting all your eggs in one basket.
Scott Lucero
------------------------------
Date: Sun, 5 Oct 97 22:27:40 ITA
From:
[email protected]
Subject: Paris police computer spares Corsican motorists
"For more than six years, Corsican motorists fined in Paris have not paid
their PV's [_Proces Verbal_]: the central police computer rejected the code
identifying the _departement_ because, with a digit and a letter ('2A' or
'2B'), it is different from the codes used on the mainland.
The anomaly, which resulted in the absence of prosecutions for nonpayment of
fines for all cars registered in Corsica, goes back to 1990. It has now
been removed and 'since May 1997 all PV's are correctly processed by the
program', said the _prefet de police_, Philippe Massoni. ... M. Massoni
explained that the error was introduced at the time of the changeover from
manual processing to a computer system. It was decided to implement 'some
checks' to verify agreement between the data in the PV (car model and type),
the information recorded in a database of all cars circulating in France and
the address of the driver as recorded in the database.
'The error was related to the last check'. There was confusion between the
city code (starting with '2A' or '2B') and the city postal code (starting
with '20'). For all other French _departements_, the first two characters
of the city code and of the postal code are the same, and numeric. Now, the
program installed in 1990 checked that the first two characters of the city
code were numeric. If the check failed, the record was rejected and the PV
was not processed."
Source: "Pas de PV a Paris pendant six ans pour les Corses"
NICE-MATIN, October 5th, 1997
According to a report on French radio ('France Info', October 3rd), the
reason for the rejection was actually the mismatch between city and postal
codes (which, as bugs go, sounds more likely).
Gianfranco Boggio-Togna, Ventimiglia (Italy)
------------------------------
Date: Wed, 8 Oct 1997 16:30:37 -0700 (PDT)
From: "Andre L. Dos Santos" <
[email protected]>
Subject: Another way to exploit local classes in Java
The attack described here is of interest because it uses the CLASSPATH
feature, which has been known to allow security breaches. However, it uses
it in a different way. The result is that the security enhancements that
have been introduced by Netscape to fix the previously known vulnerability
using this feature are ineffective in stopping this attack.
The danger of setting the CLASSPATH environment variable to a path where
malicious classes are located is well known. Because of this Netscape began
restricting what a class loaded from the local disk can do starting with
Navigator 2.x. In Navigator 3.x Netscape took it one step further with its
setScopePermission model, and Communicator 4.x has signed applets, where a
capability based model is enforced. Microsoft has not enhanced the model
suggested by Javasoft.
The security model implemented by Netscape and Microsoft considers any local
class as a "system" class. Therefore, when a class is needed the browser
searches the local disk before requesting a class from the net. Thus, if
the user has classes in his/her local disk that have the same name as
classes that are used by a site, these classes will be used instead of the
ones from the network. Because of this it is possible to implement an attack
on a user interacting with a target site, where classes on the local disk
implement the functionality desired by the attacker. Our attack is able to
proceed because the classes that are used in our attack do not need to
request or require special privileges. The attack uses only the privileges
granted to classes loaded using the classloader.
In order to understand the risks of this flaw we have implemented a demo of
the attack on the Reliable Software Group site. This demo has as a target
the site of a bank that uses Java for login. The results of this demo is
that although the bank site uses SSL, a user is able to verify that he/she
is interacting with the desired site, when being attacked. So there is no
indication of an attack, and the user can verify the bank's
certificate. However, in the demo, instead of the browser sending the login
information to the bank server, it sends it to our server, in plain text.
As is the case with most of the previously reported CLASSPATH attacks, for
our attack it is necessary for the user to load classes on the CLASSPATH.
One can not stress enough that there is a lot of trust involved with
downloading files onto your computer and pre-loading classes onto your
classpath. Therefore, if the user is following the procedure of installing
only files that he/she can be 100% sure will not do any harm, then this
CLASSPATH attack will not work. We believe, however, that it is likely that
one could trick a user into loading .zip files. One such file could have
the classes necessary for the attack in addition to a set of useful and
harmless classes.
We have notified Netscape and Microsoft about our attack. Microsoft
answered that this is the way that Java is supposed to work. Netscape said
that this problem can be partially solved using the function matchPrincipal
from their enhanced model. They also added that they are working on
improvements for this model and will consider a total solution to the
problem.
Andre Santos, Reliable Software Group, UCSB
[See a paper by Flavio De Paoli, Andre Santos, and Dick Kemmerer,
``Vulnerability of `Secure' Web Browsers, presented last week at
the National Computer Information Systems Security Conference in
Baltimore, pp. 476-487, which was presented by Dick. PGN]
------------------------------
Date: Fri, 10 Oct 1997 21:41:18 -0700 (PDT)
From: "Bryan O'Sullivan" <
[email protected]>
Subject: Risks of installing Internet Explorer 4.0
[See a subsequent message from Bryan in RISKS-19.42
before you read this. Note added in archive copy. PGN]
I just downloaded and installed Microsoft Internet Exploder 4.0 onto my PC
running Windows 95 at home. Among the optional features that come with this
release are a few tidbits that were included with Plus!, the mostly-useless
set of bells and whistles that was packaged separately from Windows 95.
Two of these features are opaque window manipulation (when you move or
resize a window, the entire window moves in real time, rather than a
rubberband representation being tweaked) and anti-aliasing of large fonts.
The anti-aliasing feature is quite useful; it makes fonts in large point
sizes noticeably less pixelated. However, in this feature lies a small, and
somewhat malicious, piece of code.
This snippet of code apparently checks to see whether it is being asked to
render a font by the Netscape Navigator browser (or, indeed, any component
of the Communicator 4.x suite). If it is, it gives back a plain old
jagged-edged font; otherwise, in every instance I have been able to check,
it gives back an anti-aliased font.
This appears to be a clear instance of discriminatory coding on the part of
Microsoft, and is intended, one presumes, to make Navigator look somewhat
cruddy in comparison with MSIE (not to mention all of the other software on
a system). It begs a troubling question: what other features were included
in MSIE 4.0 that were intended to, in some sense, impede the software of
Microsoft's competitors?
------------------------------
Date: 8 Oct 1997 19:09:39 -0000
From:
[email protected]
Subject: Cold weather impairs fiber performance
According to Interactive Week, Bellcore has recently been reminding the
world that things tend to shrink when they get cold. Including fiber optic
cables, which tend to pull themselves more tightly around corners when they
contract. This can interrupt signals in the fiber because the fiber isn't
engineered to do hairpin turns.
Add the move to DWDM (Dense Wave Division Multiplexing), which uses multiple
wavelengths of light on the same fiber to carry more data, and fiber that
worked before can suddenly start to go dead when the temperature drops. The
longer wavelengths of light (up to 1650nm instead of the older 1310nm), the
more intolerant those wavelengths are to tight bending of the fiber.
This problem was first noted in 1993 when Nynex was having problems, but
people still seem not to be aware of the problem.
Of course, Bellcore wants to sell you test equipment to see if your fiber
might have these sorts of problems.
I just think it's a particularly entertaining mode of failure...
Stig
------------------------------
Date: Fri, 10 Oct 1997 21:30:42 -0700 (PDT)
From: "Stuart L. Anderson" <
[email protected]>
Subject: Stink-Bombed Computers
According to the *South China Morning Post* Internet Edition of 10 Oct 1997,
the Hong Kong Government Flying Service will replace its two fixed-wing
search and rescue aircraft after the move from Kai Tak to the new airport.
Maintenance and spare parts on the two Super Kingair planes cost millions of
HK dollars (1US$ = 7.74 HK$). The aircraft computer systems were repeatedly
corroded by hydrogen sulphide gas (rotten egg smell) from sewage and
industrial waste in a nearby waterway.
Stu Anderson (
[email protected])
------------------------------
Date: Mon, 13 Oct 1997 10:16:12 -0500 (CDT)
From:
[email protected]
Subject: US West and 911: Silence Is OK
US West has pointed out that 911 phone lines are working too well. The 911
emergency reporting system in the largest cities in Minnesota was converted
to a digital phone system. There is less noise on the phone lines, and
apparently there was concern that people will hear complete silence before
the ringing starts, without the common hiss of static, and will think
there's a problem with the phone or their dialing.
http://www.uswest.com/com/aboutusw/newsreleases/comm/100897.html
Minneapolis/ St. Paul Metropolitan 9-1-1 Board Urges: When You Call 9-1-1,
Stay on the Line
Upgraded 9-1-1 Network Provides Quiet, Digital Connections and Improved
Reliability
MINNEAPOLIS/ST. PAUL, Minn., Oct. 8 -- It's an emergency. You need help
fast. You pick up the telephone and call 9-1-1 ... just like you have been
instructed many times. But there is no immediate sound on the line. No
immediate ringing and the line is absolutely noiseless. You begin to think
the call has not gone through.
Don't hang up, say the Metropolitan 9-1-1 Board, U S WEST and public
safety officials. New digital technology and an upgraded 9-1-1 network are
providing a noise-free 9-1-1 network. So, even though you don't hear the
typical call processing sounds, the call is being routed through the
network to a 9-1-1 answering point. So, if you call 9-1-1, stay on the
line. Do not hang up. Although the seconds can seem like an eternity
when help is needed, hanging up and redialing could cost valuable time.
U S WEST and the Metropolitan 9-1-1 Board have implemented a new digital
switching system and a redundant network for the 9-1-1 system serving the
seven-county metro area. The digital system provides state-of-the-art call
processing. The redundant network provides a backup call routing path that
tremendously enhances the reliability of the 9-1-1 system.
"This new digital technology and redundant network provide a highly
reliable 9-1-1 system that is one of the best in the country," said
Nancy Pollock, executive director for the Metropolitan 9-1-1 Board. "Our
upgraded 9-1-1 system also provides significantly improved call transfer
capabilities and clear, quiet connections."
Wally Abrahamson, chair of the Metropolitan 9-1-1 Board and former
Stillwater police chief said, "Some 911 Centers report an increase in the
number of callers who are hanging up before the 911 call taker has the
opportunity to answer the call. You should stay on the line, even if you
hear silence instead of an immediate ring. Hanging up to redial could
waste valuable time."
The Metropolitan 9-1-1 Board serves 26 public safety answering points
(PSAPs) in the seven-county metropolitan area.
------------------------------
Date: Wed, 15 Oct 1997 16:50:40 -0400
From: Dan Wallach <
[email protected]>
Subject: The risks of license servers
I recently got this message attempting to find out what's on TV at
www.tvguide.com.
login: FATAL ERROR:
Server message:
Message number: 18458, Severity 14, State 1, Line 0
Server 'Microsoft SQL Server'
Message String: Login failed- The maximum simultaneous user
count of 25 licenses for this server has been exceeded.
Additional licenses should be obtained and registered via the
Licensing application in the NT Control Panel.
The risks are sending your customers to other servers using software that
actually works, although you may get some strange calls from customers
wondering why they need to buy new licenses...
Dan
------------------------------
Date: Tue, 14 Oct 1997 09:02:00 GMT
From:
[email protected] (John Oliver)
Subject: Risk of not updating web pages
I have been trying to get information about courses at one of the major
Australian universities. The web site lists X as the contact person for the
Faculty of Arts. All mail to X bounces with a message that the mail spool is
full.
After weeks of trying, I finally found someone who would read my complaint
about it and check. It turns out that X is on maternity leave and no one
changed the web page.
I wonder how many enquires are backed up in the mail queue and how many have
bounced?
John (
[email protected])
------------------------------
Date: Wed, 1 Oct 1997 13:09:09 -0700
From:
[email protected] (Mark Stalzer)
Subject: Re: Possible breakthrough in NP-completeness (Hayward, RISKS-19.40)
I have quickly (15 min) reviewed the description of Jonathan Hayward's npc
algorithm in npc.tar.Z.uu. Using sets to represent collections of satisfying
states is clever. Unfortunately, it has been done before and it does not get
around a combinatorial explosion because the set representation (a tree) can
blow up. (Its size can in no way be bounded by the size of the formula parse
tree.) I have attached a list of references below. The reference bdd:survey
is probably the best general reference, and bdd:ordering deals with
combinatorial explosion of the data structures and the sensitivity to
variable ordering. My dissertation also contains a chapter on these
techniques. Mark
@ARTICLE{bdd:bryant,
AUTHOR = "R.E. Bryant",
TITLE = "Graph-based algorithms for boolean function manipulation",
JOURNAL = "IEEE Transactions on Computers",
YEAR = 1986,
VOLUME = "C-35",
NUMBER = 8}
@ARTICLE{bdd:survey,
AUTHOR = "R.E. Bryant",
TITLE = "Ordered binary-decision diagrams",
JOURNAL = "ACM Computing Surveys",
YEAR = 1992,
VOLUME = 24,
NUMBER = 3}
@INPROCEEDINGS{bdd:ite,
AUTHOR = "K.S. Brace and R.L Rudell and R.E. Bryant",
TITLE = "Efficient implementation of a {BDD} package",
BOOKTITLE = "27th ACM/IEEE Design Automation Conference",
YEAR = 1990}
@TECHREPORT{bdd:ucsc,
AUTHOR = "K. Karplus",
TITLE = "Representing Boolean Functions with {If-Then-Else DAGs}",
INSTITUTION = "University of California, Santa Cruz",
YEAR = 1988,
NUMBER = "UCSC-CRL-88-28"}
@ARTICLE{bdd:ordering,
AUTHOR = "H-T Liaw and C-S Lin",
TITLE = "On the {OBDD}-Representation of General Boolean Functions",
JOURNAL = "IEEE Transactions on Computers",
YEAR = 1992,
VOLUME = "C-41",
NUMBER = 6}
------------------------------
Date: Wed, 1 Oct 1997 17:14:31 -0400 (EDT)
From: Gary McGraw <
[email protected]>
Subject: P =? NP
One of our star research associates took a look at the Web pages the "NP
solution" blurb pointed to. Here's what he has to say. gem
Without a rigorous look at the algorithm, it appears to do some sort of
short-circuiting evaluation.
If you look at a short-circuited truth table with N expressions it can have
between N+1 and F(N+1) rows in it, where F(N) is our good friend Fibonacci.
(F(0) = 1, F(1) = 1, F(N+2) = F(N) + F(N+1) for N>=0) which has a NON
polynomial closed form.
Expressions that look like: ((((....(A || B) && C) || D) && E)....)
have the maximum number of rows in the truth table. After converting these
to the form of just AND's and NOT's I ran it through the given program.
Interestingly, the two functions: intersection and complement were each
called very close to F(N+4) when I used an expression with N variables.
This held true for 4<N<30. When I ran N > 30, the program core dumped.
While, I don't know for a fact that this relation continues to hold for
large N, the relation is very close for the N tried, which leads me to
believe that this is NOT a polynomial solution to the problem.
Michael A. Schatz, RST Corporation, 21515 Ridgetop Circle, Sterling, VA 20166
[email protected] (703) 404-9293
------------------------------
Date: 1 Oct 1997 23:12:48 GMT
From:
[email protected] (Matt Welsh)
Subject: Microsoft euphemisms (Re: Mellor, RISKS 19.40)
My favorite Microsoft euphemism at last week's Professional Developer
Conference in San Diego:
"Down-level browser": Any browser which isn't
Internet Explorer 4.0, including Netscape.
This is apparently part of Microsoft's strategy to pull the rug out from
underneath Java and JavaScript by introducing Dynamic HTML, VBScript, and
ActiveX as the "new cutting edge" of web scripting. Apparently Microsoft's
idea is that since their browser supports this technology and nobody else's
does, all other browsers are now immediately tagged "down-level browsers".
I guess since my own homebrew Foobar Explorer Web browser has the
lastest-and-greatest version of my own FrobnitzScript language and nobody
else has it, *both* Netscape and IE are "down-level browsers" as far as I'm
concerned!
M. Welsh, UC Berkeley,
[email protected]
------------------------------
Date: 1 Oct 1997 23:16:26 GMT
From:
[email protected] (Matt Welsh)
Subject: Re: AOL may introduce ads on private e-mail (Rothwell, 19.40)
>The German unit of AOL is planning to boost advertising revenues by
>including ads on private electronic mail, and AOL itself is considering it.
.. thus rendering _all_ electronic mail passed through AOL "commercial
e-mail", making it illegal (without appropriate header tags) under various
proposed anti-spam bills! I love it!
M. Welsh, UC Berkeley,
[email protected]
------------------------------
Date: Thu, 2 Oct 1997 10:49:11 -0400 (EDT)
From: Brian Clapper <
[email protected]>
Subject: Re: FBI wants to ban the Bible: steganography (Theunissen, RISKS-19.40)
I believe Mr. Theunissen is describing `steganography'--hiding secret
messages inside other messages.
According to the "International Cryptography" web page
<URL:
http://www.cs.hut.fi/ssh/crypto/>, there are a number of existing tools
to accomplish steganographic ends. I quote directly from
<URL:
http://www.cs.hut.fi/ssh/crypto/software.html#stego>
Steganography
- Stealth is a simple filter for PGP which strips of all identifying header
information to leave only the encrypted data in a format suitable for
steganographic use. It is available in
http://dcs.ex.ac.uk/~aba/stealth/.
- Stego converts a binary file into nonsense text.
http://www.fourmilab.ch/stego/.
- Stegodos is a set of DOS programs that encodes binaries into captured
images. It is available in ftp.funet.fi:/pub/crypt/steganography.
- MandelSteg and GIFExtract hide data in Mandelbrot GIFs. There is a home
page, and it is available in
idea.sec.dsi.unimi.it:/pub/security/crypt/code.
- Hide and Seek is a stego program for dos. It is available in
ftp://ftp.funet.fi/pub/crypt/steganography/hdsk41.zip.
- jpeg-jsteg hides data inside a JPEG file. It is available in
ftp.funet.fi:/pub/crypt/steganography as a diff to the standard jpeg-v4
distribution.
- Steganography Tools 4 encrypts the data with IDEA, MPJ2 (up to 512bits
key), DES, 3DES and NSEA in CBC, ECB, CFB, OFB and PCBC modes and hides
it inside graphics (BMP files), digital audio (WAV files) or unused
sectors of HD floppies.
ftp://idea.sec.dsi.unimi.it/pub/security/crypt/code/s-tools4.zip
Brian Clapper,
[email protected]
------------------------------
Date: Fri, 3 Oct 1997 14:30:39 +0100 (BST)
From: Stephen Crane <
[email protected]>
Subject: Re: FBI wants to ban the Bible: Linear A/B (Fenimore, RISKS-19.40)
Linear A is undeciphered (due to a lack of text, I would imagine).
Linear B was deciphered by Michael Ventris in 1952. I don't think
Linear-C exists; while there were 3 Minoan languages, the first of
these was hieroglyphic, not linear.
Of (potentially) greater relevance is this URL turned up by AltaVista,
http://raphael.math.uic.edu/~jeremy/crypt/LinearB.html
Unfortunately at the time of writing, raphael.math.uic.edu seems to be
asleep. Ho hum.
Steve
[Ventris also noted by Pete Mellor <
[email protected]>. PGN]
------------------------------
Date: Sun, 05 Oct 1997 16:27:20 -0400
From: Mike <
[email protected]>
Subject: Re: FBI wants to ban the Bible: Linear A/B (Fenimore, RISKS-19.40)
"Forgotten Scripts," Cyrus Gordon (revised and enlarged 1982, Dorset Press
Edition 1987) is a wonderful tutorial by a primary scholar on the
application of cryptanalysis and decipherment to Egyptian, Old Persian,
Sumerian, Akkadian, Cuneiform and Hittite, Ugaritic, (non-Greek, Semitic)
Minoan in Linear A script, (Greek) Mycenean written in Linear B script, and
Eblaite.
There are some uncertainties in all of these, awaiting more text to turn
up, but all have been deciphered.
------------------------------
Date: Wed, 1 Oct 1997 20:18:04 -0500
From: Bruce Schneier <
[email protected]>
Subject: The Electronic Privacy Papers: A new book by Schneier/Banisar
Bruce Schneier and David Banisar
The Electronic Privacy Papers:
Documents on the Battle for Privacy in the Age of Surveillance
John Wiley & Sons, 1997
ISBN: 0-471-12297-1; 747 pages
Retail: $60 hardcover
Info is at
http://www.counterpane.com.
Trying to keep up with the advancements in cryptography and digital
telephony, the government has advocated controversial new tools that will
allow them to monitor electronic communications. On the other side of the
spectrum, privacy advocates are vehemently opposed to any government
monitoring whatsoever.
The Electronic Privacy Papers is a collection of previously unreleased
documents dealing with privacy in the Information Age. Combining public
government pronouncement, public reactions, and previously classified
documents released under FOIA, this book paints a clear picture of
government policies towards encryption and privacy and how they will impact
individuals and companies involved with the Internet.
Issues covered include:
* The economic and political rationale for demanding digital wiretapping and
surveillance.
* The legal foundations, and limitations to, government surveillance.
* Government strategies for soliciting cooperation from telephone companies
and equipment manufacturers.
* Which policies industries and individuals can expect the government to
pursue in the future.
The Electronic Privacy Papers retails for $60 in hardcover. I am offering
it at the usual 15% discount. Bruce Schneier, Counterpane Systems,
101 E Minnehaha Parkway, Minneapolis, MN 55419
Table of Contents
PART 1: PRIVACY AND THE INFORMATION SNOOPERHIGHWAY
Introduction: Roadblocks on the Information Superhighway
PART 2: WIRETAPPING
Overview of Wiretapping
PART 3: LOBBYING FOR SURVEILLANCE: THE DIGITAL TELEPHONY PROPOSAL
Government Pronouncements: The Digital Telephony Proposal
Behind the Iron Curtain: Operation Root Canal
Digital Telephony: The Public Response
PART 4: CRYPTOGRAPHY
Cryptography - The Cure for the Common Bug
PART 5: THE BATTLE FOR CONTROL OF CRYPTOGRAPHY
The Field of Battle: An Overview
Early Skirmishes
The Clipper Chip Proposal
Unclassified: The Story Behind Clipper
Clipping the Clipper: Public Response to Desktop Surveillance
PART 6: PUTTING THE GENIE BACK IN THE BOTTLE: EXPORT CONTROLS ON
CRYPTOGRAPHY
Atom Bombs, Fighter Planes, Machines Guns and Cryptography: Export
Control
Untying the Gordian Knot: Efforts to Relax Export Controls
PART 7: BIG BROTHER AS THE KEEPER OF THE KEYS: WILL THE GOVERNMENT
TAKE OVER CRYPTO?
Banning Cryptography
Software Key Escrow
EPILOGUE: THE FUTURE OF CRYPTOGRAPHY
Bibliography of Books on Wiretapping, Cryptography and Privacy
Index.
------------------------------
Date: 1 Apr 1997 (LAST-MODIFIED)
From:
[email protected]
Subject: Abridged info on RISKS (comp.risks)
The RISKS Forum is a MODERATED digest. Its Usenet equivalent is comp.risks.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
if possible and convenient for you. Or use Bitnet LISTSERV. Alternatively,
(via majordomo) DIRECT REQUESTS to <
[email protected]> with one-line,
SUBSCRIBE (or UNSUBSCRIBE) [with net address if different from FROM:] or
INFO [for unabridged version of RISKS information]
=> The INFO file (submissions, default disclaimers, archive sites, .mil/.uk
subscribers, copyright policy, PRIVACY digests, etc.) is also obtainable from
http://www.CSL.sri.com/risksinfo.html ftp://www.CSL.sri.com/pub/risks.info
The full info file will appear now and then in future issues. *** All
contributors are assumed to have read the full info file for guidelines. ***
=> SUBMISSIONS: to
[email protected] with meaningful SUBJECT: line.
=> ARCHIVES are available:
ftp://ftp.sri.com/risks or
ftp ftp.sri.com<CR>login anonymous<CR>[YourNetAddress]<CR>cd risks
[volume-summary issues are in risks-*.00]
[back volumes have their own subdirectories, e.g., "cd 18" for volume 18]
or
http://catless.ncl.ac.uk/Risks/VL.IS.html [i.e., VoLume, ISsue].
The ftp.sri.com site risks directory also contains the most recent
PostScript copy of PGN's comprehensive historical summary of one liners:
get illustrative.PS
------------------------------
End of RISKS-FORUM Digest 19.41
************************
