Subject: Risks Digest 20.17

RISKS-LIST: Risks-Forum Digest  Weds 20 January 1999  Volume 20 : Issue 17

  FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
  ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <URL:http://catless.ncl.ac.uk/Risks/20.17.html>
and at ftp.sri.com/risks/ .

 Contents:
Remarkable French announcement on crypto policy (Enzo Michelangeli and
 John Young via Steve Bellovin from cryptography newsgroup)
Deep Crack cracks RSA's DES challenge in less than one day (PGN)
The RISKS of Web links (Daniel R. Tobias)
Virginia online sex offender database (Joe Thompson)
China solves the Millennium bug  (Pete Mellor)
Computer crash blew up radio listener's request messages (Kenji Rikitake)
REVIEW: "Stopping Spam", Alan Schwartz/Simson Garfinkel (Rob Slade)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Tue, 19 Jan 1999 17:59:22 -0800
From: Steve Bellovin <[email protected]>
Subject: Remarkable French announcement on crypto policy

Date: Wed, 20 Jan 1999 08:50:53 +0800
From: "Enzo Michelangeli" <[email protected]>
To: "John Young" <[email protected]>, <[email protected]>
Subject: Re: France allows 128-bit crypto

The third legislative initiative concerns cryptography. With the development
of electronic espionage instruments, cryptography appears as an essential
instrument of privacy protection.

We had, one year ago, made a first step towards liberalization of
cryptographic instruments. At that time I had announced that we were going
to make one further. The Government has, since then, heard the players,
questioned the experts and consulted its international partners. We have
today become convinced that the legislation of 1996 is no longer suitable.
In fact, it strongly restricts the usage of cryptography in France without,
for all that, allowing the public powers to fight effectively against
criminal actions whose concealment encryption could facilitate.

In order to change the orientation of our legislation, the Government has
thus retained the following orientations, that I have discussed with the
President of the Republic:

- To offer a complete freedom of use of cryptography

- To remove the compulsory nature of third-party escrow of encryption keys

- To supplement the current legal framework by the introduction of
obligations, together with penal sanctions, concerning the handing-over
to the legal authorities, when they require it, of the cleartext
version of encrypted documents.  At the same time, the technical
skills of the public authorities will be significantly improved.

Changing the law will take many months. The Government has decided
that the main obstacles holding up the citizens from protecting the
confidentiality of their communications and the development of
electronic commerce be lifted without waiting. Also, while waiting
for the announced legislative changes, the Government has decided
to raise the threshold of cryptology the use of which is
free, from 40 bit to 128 bit, considered by the experts a level
suitable to ensure durably a very high security.
---

Time to sing the Marseillaise again? :-)

Enzo

-----Original Message-----
From: John Young <[email protected]>
To: [email protected] <[email protected]>
Date: Wednesday, January 20, 1999 7:11 AM
Subject: France Allows 128 Bit Crypto

The French Prime Minister today announced that due to the threat of
espionage and invasion of privacy France will allow encryption
strength up to 128 bits:

http://www.premier-ministre.gouv.fr/PM/D190199.HTM

[Translated from the French original:]

(c) The third legislative project concerns cryptology. As the means of
electronic espionage develop, cryptology appears as an essential means
of protecting the confidentiality of exchanges and the protection of
privacy.

A year ago we took a first step towards the liberalisation of the means
of cryptology. I announced then that we would take another later. The
Government has since heard the players, questioned the experts and
consulted its international partners. We have today become convinced
that the 1996 legislation is no longer suitable. Indeed, it strongly
restricts the use of cryptology in France without, for all that,
allowing the public authorities to fight effectively against criminal
activities whose concealment encryption could facilitate.

To change the orientation of our legislation, the Government has
therefore adopted the following orientations, which I have discussed
with the President of the Republic:

- to offer complete freedom in the use of cryptology;

- to remove the compulsory use of a trusted third party for the deposit
of encryption keys;

- to supplement the current legal framework by establishing obligations,
backed by criminal penalties, concerning the handing over to the
judicial authorities, when they request it, of the cleartext
transcription of encrypted documents. Likewise, the technical
capabilities of the public authorities will be significantly
strengthened.

Changing the law will take several months. The Government wanted the
main obstacles weighing on citizens protecting the confidentiality of
their exchanges, and on the development of electronic commerce, to be
lifted without delay. Thus, pending the announced legislative changes,
the Government has decided to raise the threshold of cryptology whose
use is free from 40 bits to 128 bits, a level considered by the experts
as durably ensuring very high security.

------------------------------

Date: Wed, 20 Jan 1999 11:00:17 PST
From: "Peter G. Neumann" ([email protected])
Subject: Deep Crack cracks RSA's DES challenge in less than one day

On Monday morning around 9am when this year's RSA DES challenge was
announced by Jim Bidzos at this week's RSA Data Security Conference in San
Jose, John Gilmore set Deep Crack to work.  (See RISKS-19.87 for
background.)  About 22:25 hours later, Deep Crack had found the 56-bit DES
key, capturing the $10,000 prize by breaking the 24-hour mark.  This latest
event further dramatizes the inherent risks of relying on cryptography.
(In three hours, Matt Blaze, Steve Bellovin, and I (with Jeff Schiller
unfortunately in absentia) tackle the question "Is Cryptography Enough?"
RISKS readers know well that the answer is NO.)

 [This is not accurate enough.  More in the next issue.  PGN]

------------------------------

Date: Sat, 16 Jan 1999 11:20:21 -0600
From: "Daniel R. Tobias" <[email protected]>
Subject: The RISKS of Web links

I received a message this morning from somebody complaining about my
inclusion of a link to a pornographic Web site from a page that would
otherwise have been a suitable resource for him to refer to scholars and
students interested in the topic of my page.  This came as news to me, as I
had no knowledge of having any direct "porn" links from my site.  Some
pretty extreme politics and philosophical stuff, yes, but no dirty pictures.
So I checked the page in question and tried the links from it, and found
that one of them did indeed go to a porn site.

It turned out that what had happened was that the domain name of the site I
had linked to was either sold by its former owner or allowed to expire at
InterNIC due to nonpayment of renewal fees, and the domain was picked up by
a new owner who's in the business of online pornography.  This new owner set
up the server so that links to any page on the old site would bring up the
X-rated home page of the porn site, instead of just resulting in a "404 Not
Found" error.

This illustrates a big risk for anyone who maintains links to other Web
sites; places you link to can radically change their character, especially
if domain names expire and get acquired by different parties.  This may have
a highly damaging effect on the reputation of a site that winds up with such
a link, and the use of automated link-checking programs to weed out "404 Not
Founds" won't find this sort of problem.

--Dan
http://www.softdisk.com/comp/dan/

 [This does remind us of the Intuit 800 number case "Risks of old
 documentation" that Richard C. Wolber contributed in RISKS-20.15.  PGN]
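The failure Dan describes, a domain that changes hands and then answers every path with the new owner's home page, is invisible to a checker that only looks for 404s. The following link checker is an added example written for this digest entry, not code from Dan's site: it fetches a deliberately nonexistent path on the same host and treats "200 with the same content as the linked page" as a catch-all, and it compares a fingerprint of the page's visible text against one recorded when the link was added, so a page that is still up but has been rewritten is also flagged. The hostnames, paths and page bodies are constructed for the demo; only http_fetch touches the network and it is not called here.

```python
"""Link checker that catches what a 404-only checker misses.

Added example, not part of the RISKS post. Two checks beyond the status code:
  1. catch-all detection: fetch a path on the same host that cannot exist; if
     the server answers 200 with the same content as the linked page, the
     whole domain now serves one page (the expired-domain case above);
  2. content drift: compare a fingerprint of the page's visible text against
     the one recorded when the link was added.
All hostnames and page bodies below are constructed for the demo.
"""
import hashlib
import re
import secrets
import urllib.parse
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple


@dataclass
class Page:
    status: int
    body: str


_TAG = re.compile(r"<[^>]+>")
_WS = re.compile(r"\s+")
_TITLE = re.compile(r"<title>(.*?)</title>", re.I | re.S)


def fingerprint(body: str) -> str:
    """Hash of the page text with markup stripped and whitespace collapsed,
    so a re-rendered but unchanged page does not raise a false alarm."""
    text = _WS.sub(" ", _TAG.sub(" ", body)).strip().lower()
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def title_of(body: str) -> str:
    m = _TITLE.search(body)
    return _WS.sub(" ", m.group(1)).strip() if m else ""


def check_link(url: str, expected_fp: str, fetch: Callable[[str], Page]) -> Tuple[str, str]:
    """Return (verdict, current title); verdict is 'dead', 'catch-all',
    'changed' or 'ok'.  fetch(url) -> Page."""
    page = fetch(url)
    if page.status == 404:
        return "dead", ""
    parts = urllib.parse.urlsplit(url)
    # A random path nobody could have published: a healthy site answers 404.
    probe = fetch(f"{parts.scheme}://{parts.netloc}/linkcheck-{secrets.token_hex(8)}")
    if probe.status != 404 and fingerprint(probe.body) == fingerprint(page.body):
        return "catch-all", title_of(page.body)
    if fingerprint(page.body) != expected_fp:
        return "changed", title_of(page.body)
    return "ok", title_of(page.body)


def http_fetch(url: str, timeout: float = 10.0) -> Page:
    """Real fetcher for production use; not exercised in the demo (no network)."""
    import urllib.error
    import urllib.request
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return Page(resp.status, resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:
        return Page(err.code, err.read().decode("utf-8", "replace"))


def make_fetch(pages: Dict[str, str], catch_all: Optional[str] = None) -> Callable[[str], Page]:
    """Fake server (constructed): known paths -> 200, otherwise 404, unless
    catch_all is set, in which case every path gets that body with 200."""
    def fetch(url: str) -> Page:
        path = urllib.parse.urlsplit(url).path
        if path in pages:
            return Page(200, pages[path])
        if catch_all is not None:
            return Page(200, catch_all)
        return Page(404, "<html><head><title>404 Not Found</title></head></html>")
    return fetch


# Constructed link and page bodies (hypothetical host "essays.example").
LINK = "http://essays.example/politics/manifesto.html"
PATH = "/politics/manifesto.html"
ORIGINAL = ("<html><head><title>Radical Pamphlets</title></head>"
            "<body><p>Essays on direct action.</p></body></html>")
REFLOWED = ("<html lang=\"en\">\n<head>\n <title>Radical Pamphlets</title>\n</head>\n"
            "<body>\n <p>Essays on direct action.</p>\n</body>\n</html>\n")
EDITED = ("<html><head><title>Radical Pamphlets</title></head>"
          "<body><p>Site moved. Essays withdrawn.</p></body></html>")
PORN_LANDING = ("<html><head><title>XXX Adult Pics - Enter</title></head>"
                "<body><p>You must be 18 to enter.</p></body></html>")


def demo() -> Dict[str, str]:
    """Four fates of one link, checked against a fingerprint taken when it was added."""
    expected = fingerprint(make_fetch({PATH: ORIGINAL})(LINK).body)
    worlds = {
        "still there, re-rendered": make_fetch({PATH: REFLOWED}),
        "still there, rewritten": make_fetch({PATH: EDITED}),
        "expired, bought by porn site": make_fetch({}, catch_all=PORN_LANDING),
        "gone": make_fetch({}),
    }
    return {name: check_link(LINK, expected, fetch)[0] for name, fetch in worlds.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:30s} -> {verdict}")
```

Record the fingerprint at the moment you add a link and re-run the check on a schedule; the title returned alongside the verdict is what you want in the report, since "XXX Adult Pics" tells the maintainer at a glance what a bare "changed" does not.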

------------------------------

Date: Tue, 19 Jan 1999 15:37:07 -0500
From: Joe Thompson <[email protected]>
Subject: Virginia online sex offender database

Virginia recently (December 29) released an online sex-offender database:

http://sex-offender.vsp.state.va.us/Images/Search.htm

In its first three weeks of operation, besides glitches involving names of
offenders, two of 49 local residents whose addresses were published in a
local weekly contacted them to say that the offender listed as living at
that address has moved.  The Virginia State Police have promised to update
the database "swiftly".

Needless to say, the Virginia chapter of the ACLU is pointing to these
errors as the exact reason they oppose the website. -- Joe

Joe Thompson  Charlottesville, VA    [email protected]
http://kensey.home.mindspring.com/

------------------------------

Date: Sat, 16 Jan 1999 19:47:13 GMT
From: Pete Mellor <[email protected]>
Subject: China solves the Millennium bug

According to the BBC World Service yesterday, and various
items in newspapers, China has solved its Millennium problems
(at least where air transport is concerned) at a stroke.

The chief executives of all of its airlines are ordered to be
airborne at midnight on 31st December 1999.

Peter Mellor, Centre for Software Reliability, City University, Northampton
Square, London EC1V 0HB, UK. Tel: +44 (171) 477-8422, Fax: +44 (171) 477-8585

 [Apparently "only under consideration", not established.  PGN]

------------------------------

Date: Sun, 17 Jan 1999 13:54:57 +0900 (JST)
From: Kenji Rikitake <[email protected]>
Subject: Computer crash blew up radio listener's request messages

About 11:30pm EST, January 16, 1998, on CBC Radio One, Holger Petersen,
the host of the program called Saturday Night Blues, said that he lost
his listener's request voice messages due to "a computer crash" in CBC
office in Edmonton, Alberta, Canada.  Another proof of the risk of
NOT making backups.

Kenji Rikitake <[email protected]>, Toyonaka City, Osaka, JAPAN

------------------------------

Date: Mon, 18 Jan 1999 11:44:23 -0800
From: "Rob Slade, doting grandpa of Ryan and Trevor" <[email protected]>
Subject: REVIEW: "Stopping Spam", Alan Schwartz/Simson Garfinkel

BKSTPSPM.RVW   981030

"Stopping Spam", Alan Schwartz/Simson Garfinkel, 1998, 1-56592-388-X,
U$19.95/C$29.95
%A   Alan Schwartz [email protected]
%A   Simson Garfinkel [email protected]
%C   103 Morris Street, Suite A, Sebastopol, CA   95472
%D   1998
%G   1-56592-388-X
%I   O'Reilly & Associates, Inc.
%O   U$19.95/C$29.95 800-998-9938 fax: 707-829-0104 [email protected]
%P   208 p.
%T   "Stopping Spam"

Eternal vigilance is the price of junk-free e-mail.  Therefore, readers
expecting to find a quick fix for spam in this book are possibly going
to be disappointed.  Those who persevere, however, will find much
useful material that is both interesting, and valuable in the fight
against unsolicited and commercial mass mail bombing.

Chapter one details the problem with a definition of spam, the
functionally differing types of spam, the different intention of spam
(including reputation attacks), and the reasons why spam should be
combatted, rather than merely tolerated and deleted.  A historical
background to the situation is provided in chapter two.  This includes
mention of viral programs (plus a repetition of the myth that CHRISTMA
EXEC caused a mass shutdown of VNET).  The primary emphasis, though,
is on the Green Card Lawyers, Cyberpromotions, and others of that ilk.
(A warning against vigilante actions is also germane.)  The current
position is described very briefly in chapter three.  Groups of
spammers and spamming tools are noted.  (Perhaps the authors do not
want to give anyone ideas, but the technology section is very terse
indeed.)  In closing, a nightmare future spam scenario is provided.

Chapter four provides a solid technical background for further
discussion of spam, covering mail agents and the mail and news
protocols.  A number of steps that the average computer user can take
are listed in chapter five.  They range from hiding your identity or
preventing address "harvesting" (not all the suggestions are
convenient), to the more active detecting of spammers behind spoofing
techniques, and reporting to authorities.  Similar advice for
newsgroups is given in chapter six, emphasizing specific programs like
NoCeM.

Chapter seven moves into larger areas of responsibility with advice on
both policy and practical configuration settings to reduce both
incoming and outgoing spam.  The larger net community is addressed in
chapter eight.

An appendix lists a wide variety of resources, but the annotations may
not always give you the complete picture.  For example, the Spam Media
Tracker Web site is listed, but at a relatively old address.  This, of
course, happens all the time on the net, but it is stranger that there
is no mention of the spam-news mailing list, the original (and
ongoing) source for the site.

It would, of course, be prohibitive to identify all international
agencies dealing with spam.  However, do note that only US government
offices are noted as departments to report to.

While understandable, the tone of moral outrage that colours the
initial chapters may not be as helpful as a calmer precis.  As the
book hits its stride, though, it provides a good deal of helpful and
useful information.  All ISPs (Internet Service Providers), corporate
network administrators, and net help desks should have a copy of this
reference handy.  Any serious Internet user will also find it well
worth the price.  As the authors put it, in slightly different words,
the only thing necessary for the triumph of spammers is that good
users do nothing.

copyright Robert M. Slade, 1998   BKSTPSPM.RVW   981030
[email protected]  [email protected]  [email protected]  [email protected]
Find virus, book info http://victoria.tc.ca/int-grps/techrev/rms.html

------------------------------

Date: 23 Sep 1998 (LAST-MODIFIED)
From: [email protected]
Subject: Abridged info on RISKS (comp.risks)

The RISKS Forum is a MODERATED digest.  Its Usenet equivalent is comp.risks.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
if possible and convenient for you.  Alternatively, via majordomo,
SEND DIRECT E-MAIL REQUESTS to <[email protected]> with one-line,
  SUBSCRIBE (or UNSUBSCRIBE) [with net address if different from FROM:] or
  INFO     [for unabridged version of RISKS information]
.MIL users should contact <[email protected]> (Dennis Rears).
.UK users should contact <[email protected]>.
=> The INFO file (submissions, default disclaimers, archive sites,
copyright policy, PRIVACY digests, etc.) is also obtainable from
http://www.CSL.sri.com/risksinfo.html  ftp://www.CSL.sri.com/pub/risks.info
The full info file will appear now and then in future issues.  *** All
contributors are assumed to have read the full info file for guidelines. ***
=> SUBMISSIONS: to [email protected] with meaningful SUBJECT: line.
=> ARCHIVES are available: ftp://ftp.sri.com/risks or
ftp ftp.sri.com<CR>login anonymous<CR>[YourNetAddress]<CR>cd risks
  [volume-summary issues are in risks-*.00]
  [back volumes have their own subdirectories, e.g., "cd 19" for volume 19]
or http://catless.ncl.ac.uk/Risks/VL.IS.html      [i.e., VoLume, ISsue].
PostScript copy of PGN's comprehensive historical summary of one liners:
  illustrative.PS at ftp.sri.com/risks .

------------------------------

End of RISKS-FORUM Digest 20.17
************************