RISKS-LIST: RISKS-FORUM Digest Wednesday 19 May 1993 Volume 14 :

RISKS-LIST: RISKS-FORUM Digest Wednesday 19 May 1993 Volume 14 :
Issue 64

FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED
SYSTEMS
ACM Committee on Computers and Public Policy, Peter G. Neumann,
moderator

Contents: [The Clipper Discussions Take on a Life of Their Own.]
A Risk of Risks Elided (or no news not always best) (Mike Coleman)
Rewards offered for finding bugs in Japanese encryption methods
(Forman)
Re: Clipper (Jim Bidzos, Eric Raymond, Dorothy Denning, Pyramid??,
Doug Rand)
Re: Clipper "destroyed keys" and Spycatcher (Roger Crew)
Re: Clipper/Capstone: Expectations of privacy? (Henry Burdett
Messenger)
Re: Clipper and the "Man in the Middle" (Stephen G. Smith)
Re: Epilepsy and video games (David Honig)
Re: makedepend problem - a real world example (Conrad Hughes)
Re: Cut and Paste risks (Robert L Krawitz)
Re: CHI & the Color-blind? (Flint Pellett)

The RISKS Forum is a moderated digest discussing risks; comp.risks
is its
Usenet counterpart. Undigestifiers are available throughout the
Internet,
but not from RISKS. Contributions should be relevant, sound, in
good taste,
objective, cogent, coherent, concise, and nonrepetitious.
Diversity is
welcome. CONTRIBUTIONS to [email protected], with appropriate,
substantive
"Subject:" line. Others may be ignored! Contributions will not
be ACKed.
The load is too great. **PLEASE** INCLUDE YOUR NAME & INTERNET
FROM: ADDRESS,
especially .UUCP folks. REQUESTS please to
[email protected].

Vol i issue j, type "FTP CRVAX.SRI.COM<CR>login
anonymous<CR>AnyNonNullPW<CR>
CD RISKS:<CR>GET RISKS-i.j<CR>" (where i=1 to 14, j always TWO
digits). Vol i
summaries in j=00; "dir risks-*.*<CR>" gives directory; "bye<CR>"
logs out.
The COLON in "CD RISKS:" is essential. "CRVAX.SRI.COM" =
"128.18.10.1".
<CR>=CarriageReturn; FTPs may differ; UNIX prompts for username,
password.

For information regarding delivery of RISKS by FAX, phone
310-455-9300
(or send FAX to RISKS at 310-455-2364, or EMail to
[email protected]).

ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL
DISCLAIMERS APPLY.
Relevant contributions may appear in the RISKS section of regular
issues
of ACM SIGSOFT's SOFTWARE ENGINEERING NOTES, unless you state
otherwise.

-----------------------------------------------------------------
-----

Date: Tue, 18 May 93 21:07:18 PDT
From: [email protected] (Mike Coleman)
Subject: A Risk of Risks Elided (or no news not always best)
Cc: [email protected]

The default behavior of the popular newsreader 'nn' is to split
(undigestify)
digests such as RISKS. Unfortunately, nn seems to omit included
articles,
such as the Jim Bidzos inclusion in Ed Roback's submission in RISKS
14.62.

Until this is fixed, nn users can include this line in their
~/.nn/init:

set split false

This should put an end to many unhappy non sequiturs.

------------------------------

Date: Thu, 13 May 93 10:22:19 -0700
From: [email protected]
Subject: Rewards offered for finding bugs in Japanese encryption
methods

In RISKS-14.60 Klaus Brunnstein implies that "Security by
Obscurity" (not
making an encryption method public) is a poor way to get a secure
encryption
method. Both the USA's Clipper Chip and Europe's A5 standards use
Security by
Obscurity.

Japan doesn't seem to rely on this arcane method:

Professor Shigeo Tsujii of the Tokyo Institute of Technology is
offering $3000
to anyone who can find a bug in his new encryption method called
"NIKS-TA".
(Described in his 15-page thesis.)

Similarly, in 1989 NTT offered $9100 (1M yen) for finding a bug in
their
encryption method.

[This could be RISKy if the reward is not big enough,
and someone on the "other side" is offering more? PGN]

------------------------------

Date: Wed, 19 May 93 10:17:16 PDT
From: [email protected] (Jim Bidzos)
Subject: Re: Clipper (Denning, RISKS-14.63)

Dorothy Denning wrote in RISKS-14.63, with respect to the key
management
advantage of RSA over DSS, that the Capstone chip makes the key
management
advantage "disappear."

I believe that trust is a very significant part of the advantage
RSA enjoys
over DSS/Capstone, whether for signatures or key management. The
scrutiny RSA
has withstood in the 17 years since its discovery contributes to
that trust.
The only way to make that advantage "disappear" is to publish
everything about
Capstone, including the algorithm that the keys you manage are used
with, and
wait a few years and a few hundred papers before proposing it as a
standard.
(Since DES has withstood similar scrutiny, RSA and triple-DES have
an
advantage to users both in and out of the US that is likely never
to disappear
as it appears the government will never publish Clipper/Capstone
details.)

------------------------------

Date: Wed, 19 May 1993 16:32:46 -0400 (EDT)
From: [email protected] (Eric S. Raymond)
Subject: Re: Clipper (Denning, RISKS-14.60; Rotenberg, RISKS-14.62)

In <[email protected]> Marc Rotenberg
wrote:
> Denning has to be kidding. The comments on the proposed DSS were
uniformly
> critical. Both Marty Hellman and Ron Rivest questioned the
desirability of
> the proposed standard.

Mr. Rotenberg, as a public figure operating in the political arena,
has to
exercise a certain diplomatic restraint in responding to Ms.
Denning's claims.
I am, thankfully, under no such requirement.

As a long-time RISKS reader and contributor, I observe that that
this is not
the first time that Ms. Denning has apparently operated as a
mouthpiece for
the NSA's anti-privacy party line on DES and related issues.

I believe Ms. Denning's remarks must be understood as part of a
continuing
propaganda campaign to marginalize and demonize advocates of
electronic
privacy rights. Other facets of this campaign have attempted to
link privacy
advocates to terrorists and drug dealers by suggesting that only
criminals
need fear wiretapping.

These are serious charges. I make them because, in the wake of the
Clipper
proposal, I do not believe civil libertarians can afford any longer
to assume
that their opponents are persons of good will with whom they can
simply debate
minor differences of institutional means in a collegial way.

It's time for someone to say, in public and on this list, what I
know many
of us have been thinking. The future is *now*. Electronic privacy
issues
are no longer a parlor game for futurologists; they are the focus
of a
critical political struggle, *and the opponents of privacy are
fighting their
war with all the tools of force, deception, and propaganda they can
command*.

The histories of the DES, the FBI wiretap proposal, and now the
Clipper
proposal must be considered against a wider background of abuses
including
the Steve Jackson case, "Operation Longarm", and the routine
tapping of U.S.
domestic telecommunications by NSA interception stations located
outside the
geographic borders of the United States.

These form a continuing pattern of attempts by agencies of the U.S.
government
to pre-empt efforts to extend First and Fourth Amendment privacy
protections
to the new electronic media. In each case, the attempt was made to
present
civil libertarians with a fait accompli, invoking "national
security" (or the
nastiness of "kiddie porn") to justify legislative, judicial and
practical
precedents prejudicial against electronic privacy rights.

While I would not go so far as to claim that these efforts are
masterminded by
a unitary conspiracy, I believe that the interlocking groups of
spies,
bureaucrats and lawmen who have originated them recognize each
other as
cooperating fellow-travelers in much the same way as opposing
groups like the
EFF, CPSR and the Cypherpunks do. Their implicit agenda is to make
the new
electronic communications media transparent to government
surveillance and
(eventually) pliant to government control.

One of the traits of this culture of control is the belief that
manipulative
lying and dissemblage can be justified for a `higher good'.

I believe that Ms. Denning's disingenuous claim that the DSS "is
now
considered to be just as strong as RSA" is no mere technical
misapprehension.
I believe it is propaganda aimed at making objectors non-persons in
the
debate. I cannot know whether Ms. Denning actually believes this
claim, but
it reminds me all too strongly of the classic "Big Lie" technique.

It is important for us to recognize that the propaganda lie is not
an
aberration, but a routine tool of the authoritarian mindset. And
the
authoritarian mindset is, ultimately, what we are confronting here
--- the
mindset that regards the fighting of elastically-defined `crime' as
more
important than privacy, that presumes guilt until innocence is
proven, that
demands for government a license to override any individual's
natural rights
at political whim.

We cannot trust representatives of an institutional culture that
was
*constructed* to deal in information control, lies, secrecy,
paranoia and
deception to tell us the truth.

We cannot accept the authoritarians' unverified assurances that the
sealed
interior of the Clipper chip contains no `trapdoor' enabling the
NSA to
eavesdrop at will.

We cannot trust the authoritarians' assertions that they have no
intention of
outlawing cryptographic technologies potentially more secure than
the Clipper
chip.

We cannot believe the authoritarians' claims that `independent' key
registries
will prevent abuse of decryption keys by government and/or corrupt
individuals.

We cannot --- we *must not* --- cede control of encryption
technology to
the authoritarians. To do so would betray our children and their
descendants,
who will work and *live* in cyberspace to an extent we can barely
imagine.

We cannot any longer afford the luxury of treating the
authoritarians as honest
dealers with whom compromise is morally advisable, or even
possible. Whatever
their own valuation of themselves, the thinly-veiled power grab
represented by
the Clipper proposal reveals a desire to institutionalize means
which a free
society, wishing to remain free, *cannot tolerate*.

Big Brother must be stopped *here*. *Now.* While it is still
possible.

Eric S. Raymond <[email protected]>

------------------------------

Date: Wed, 19 May 93 18:37:24 EDT
From: [email protected] (Dorothy Denning)
Subject: Re: Clipper (Raymond, RISKS-14.64)

Eric Raymond has accused me of being part of a propaganda campaign
and
a "Big Lie." Among his wild speculations, he wrote:

I believe that Ms. Denning's disingenuous claim that the DSS "is
now
considered to be just as strong as RSA" is no mere technical
misapprehension.
I believe it is propaganda aimed at making objectors non-persons
in the
debate. I cannot know whether Ms. Denning actually believes this
claim, but
it reminds me all too strongly of the classic "Big Lie"
technique.

Frankly, I don't know how to respond his allegations other than by
saying that
I am not and have never been on the payroll of NIST, NSA, or the
FBI and that
every word I have published has been completely on my own
initiative. While I
frequently speak with people in these agencies (mainly to ask them
questions
so that I can be informed) and have considerable respect for them,
I am
operating on my own initiative and making my own independent
evaluations based
on all the evidence I can find. I try to avoid pure speculation as
much as
possible.

My objective in responding to Sobel in the first place was to point
out that,
in my best judgement, the DSS as revised is as secure as RSA. I
did that so
that readers would not be led to believe the contrary. Let me
elaborate more.

The security of the DSS is based on the difficulty of computing the
discret
log. (The Diffie-Hellman key exchange, invented in 1976, is
likewise so
based.) The security of the RSA is based on factoring. My
understanding is
that the computational difficulty of these two problems is about
the same for
comparable key lengths, and indeed, the fastest solutions with both
come using
the same basic technique, namely the number field sieve. If I'm
wrong here, I
am happy to be corrected by someone who knows more than I do about
this.

There are other factors, of course, that must be taken into
account. With
both schemes, you have to make sure you get good primes. In the
case of the
DSS, you want really random ones so that you don't get ones with
"trapdoors."
This is readily done and the chances of getting a trapdoor one are
minuscule.
For a reference, see Daniel Gordon's paper from Crypto '92.

I still remember the day when George Davida called me up to say
that he had
cracked RSA. It turned out that he had found a way of exploiting
the digital
signatures to get access to plaintext (but not keys). I
generalized his
mathematics and published a paper in CACM (April 84). The solution
is to hash
messages before they are signed, which has other advantages anyway.
I also
remember various articles by people pointing other potential
vulnerabilities
with RSA if the primes weren't picked right.

There are potential weaknesses in all of these public-key methods,
but they
can be resolved. As near as I can tell, NIST has resolved the
potential
problems with the DSS, and I am confident that if new ones are
found, they
will resolve them too.

Dorothy Denning

------------------------------

Date: Tue, 18 May 93 22:06:24 -0700
From: [email protected] (Pyramid UUCP Manager)
Subject: Re: Clipper (Raymond, RISKS-14.64)

The histories of the DES, the FBI wiretap proposal, and now the
Clipper
proposal must be considered against a wider background of abuses
including
the Steve Jackson case, "Operation Longarm", and the routine
tapping of U.S.
domestic telecommunications by NSA interception stations located
outside the
geographic borders of the United States.

These form a coherent pattern of attempts by agencies of the U.S.
government
to pre-empt efforts to extend First and Fourth Amendment privacy
protections
to the new electronic media. In each case, the attempt was made to
present
civil libertarians with a fait accompli, invoking "national
security"

------------------------------

Date: Mon, 17 May 93 17:55:43 EDT
From: [email protected]
Subject: Clipper chip

I've just read one of the longer tirades in risks about the clipper
chip and
feel like putting my foot into the whirling blades :)

Have the naysayers totally forgotten the point of making crypto
gear available
to individuals? Right now I cannot lift my portable phone without
assuming
I'm talking to several people aside from the person I call. I
treat it as I
would a contact on ham radio.

The crooks can listen to us, the government has always been able
to. Now, for
the first time, there would be some control. Perhaps it isn't
perfect. This
is irrelevant. It is so many orders of magnitude more secure than
any phone
system today.

Without the chip being ubiquitous, we cannot have this capability
in every one
of perhaps a billion phones (guesstimate) in the country. It would
be too
expensive and totally useless. Both parties must have the same
gear.

That the crooks could always create more effective crypto gear is
also a red
herring. Maybe they could. But the law is being structured so
that this
itself would be considered probable cause of a crime. We'll have
to see if
(how much) this is abused. One hopes that just the unlicensed
crypto gear
would not be sufficient to indict honest people.

Doug Rand [email protected]

------------------------------

Date: Tue, 18 May 1993 13:05:14 -0700
From: Roger Crew <[email protected]>
Subject: Re: Clipper - "destroyed" keys

> Even if you *know* that an instrument has been decoded, in many
> cases management will simply accept the government's word that
the
> keys were destroyed rather than replace the instrument(s).

The following excerpt from Peter Wright's _Spycatcher_ comes to
mind:

Jagger was the MI5 odd-job technical man... [He] had an
extraordinary array of skills, of which the most impressive was
his lockpicking. Early on in training I attended one of the
regular classes he ran for MI5 and MI6 in his lockpicking
workshop. The cellar room was dominated by a vast array of
keys,
literally thousands of them, numbered and hung in rows on each
wall. Jagger explained that as MI5 acquired or made secret
imprints of keys of offices, hotels, or private houses, each
one
was carefully indexed and numbered. Over the years they had
developed access in this way to premises all over Britain.

``You'll never know when you might need a key again,''
explained
Jagger as I stared in astonishment at his collection.

``The first rule if you are entering premises is only pick
the
lock as the last resort,'' said Jagger, beginning his lecture.
``It's virtually impossible to pick a lock without scratching
it---and that'll almost certainly give the game away to the
trained intelligence officer... What you have to do is get
hold
of the key---either by measuring the lock or taking an imprint
of
the key.''

Though this incident dates from the mid 50's, Peter Wright held his
post
in MI5 (British domestic intelligence) until 1976, and there's no
reason
to believe that their procedures (w.r.t. keys and locks) changed
significantly
during that period. And evidently people changed their locks
sufficiently
infrequently that MI5 felt it worth the expense of maintaining a
key farm...

Roger Crew [email protected]

------------------------------

Date: Wed, 19 May 93 09:42:12 PDT
From: [email protected]
Subject: Re: Clipper/Capstone: No reasonable expectation of
privacy?

Nobody has mentioned a risk of the Clipper/Capstone proposal that
I thought of
last weekend.

You see, we aren't supposed to use Clipper; it will cost too much
for ordinary
telecommunications usage. Furthermore, there will be no great
demand from
the citizenry to encrypt their telephones: after all, the ones they
already
have work perfectly well.

The Supreme Court has already ruled that conversations held over
cordless
telephones can be intercepted and used as evidence against you
without any
wiretap warrants*. You have "no reasonable expectation of privacy"
on a
cordless telephone. How long until the Supremes rule that telephone
conversations on wire phones in the clear are also fair game? After
all, the
Government has given you Clipper; it's your fault if you're not
using it...

Therefore, I fear that this will become a class issue: those who
can afford
Clipper can afford (limited) privacy, but it's open season on those
who can't.
How *convenient* for our friends in law enforcement!

* Contrast this with early rulings on party lines, where you were
not allowed
to disclose the content of conversations overheard on a party line.

Henry B. Messenger [email protected]

------------------------------

Date: Sat, 1 May 93 01:36:27 -0400
From: [email protected] (Stephen G. Smith)
Subject: Re: Clipper and the "Man in the Middle"

One thing that I have not seen in the discussion of the Clipper is
that
it seems to be totally vulnerable to a "man in the middle" attack.

Take two Clipper chips. Connect them back-to-back. Add some
"glue" to
pass dialing/routing signals. Insert in the line, either by
actually
cutting the wire, or by diverting the call in the switch. Now when
the
victim makes a call, the data is in clear between the two chips.
The
result is that the tapper now has a clear conversation, the victim
has
no way of telling if he has been tapped, and there is no need for
the
song and dance with "escrow agencies".

Note that this attack will work with any protocol that uses "zero
knowledge" key exchange. The actual encryption method is
completely
irrelevant. The only defense is to be able to recognize your
caller's
key. Something tells me this may be very difficult ....

The only place where the Clipper can provide even minimal security
is in
mobile communications, where the communications line cannot be cut.

The giveaway that something is fishy, of course, is that the
Government
will not use the Clipper chip for classified communication. If
it's so
good, why won't they use it?

Steve Smith Agincourt Computing
[email protected] (301) 681 7395

------------------------------

Date: Tue, 18 May 1993 20:01:01 -0700
From: David Honig <[email protected]>
Subject: Re: Epilepsy and video games (Culver, RISKS-14.63)

"Larry Hunter and others were asking about seizures induced by
video games.
Not being a neurologist, I wonder if these are similar to those
caused by
"photic stimulation", which has been implicated in some aircraft
accidents.

Some people, when exposed to flickering or flashing lights will
have seizures
which are quite similar to epileptic seizures. In aircraft, this
can be a
problem for general aviation pilots, who look through the propeller
disk.
During most of the flight, the frequency is too high to cause
problems, but
during a landing, especially into the setting sun, the propeller
may cause
flickering sufficient to induce a seizure. There are, apparently,
degrees of
severity: some people will seize from a single flash of the right
duration."

Yes, the seizure-risk from video games is exactly that from any
flashing
light ---whether from propeller, CRT, or LCD.

------------------------------

Date: Wed, 19 May 93 14:31:12 BST
From: [email protected] (Conrad Hughes)
Subject: Re: makedepend problem - a real world example (Worthman,
RISKS-14.62)

>... makedepend chokes on one of X11 include files (as distributed
by Sun)...

On the machine I use (running MIPS RISC/os) makedepend chokes under
such
circumstances, but doesn't die. The problem arises when you
proceed to
compile it, and compilation fails because this file doesn't exist
and can't be
built, yet there is a dependency on it. This consequently doesn't
result in a
risk, as rather than being built incorrectly, the software cannot
be built -
typically software should be installed by someone with enough
experience to
fix such include problems (and what with the nightmarish mess that
is the MIPS
header file directory tree I've garnered more than my fair share of
_that_
experience recently). So - I can't see this bug producing risks
other than
compilation failure: all it can do is produce too extensive a
dependency list,
in which case unnecessary parts of the program may be built during
compilation, _but_ since the real make process will correctly
evaluate all
conditional expressions which makedepend assumes are true, the
unnecessary
parts will not be linked in or installed if you use the supplied
"make
install"..

[Thinks a bit more] On second thoughts - if someone is guilty of
what
I'd term bad practice and has an explicit make line for an included
file
which also modifies some other already-built part of the source
beyond
just building the required file then a risk does arise. A makefile
which
does this kind of thing is guilty of fairly poor practice anyway I
think..

conrad hughes ([email protected])

------------------------------

Date: Wed, 19 May 93 10:14:35 EDT
From: Robert L Krawitz <[email protected]>
Subject: Re: Cut and Paste risks (Cook, RISKS-14.63)

We should identify the main source of the risk, which in my
opinion
is general access to super-user privileged shells. ...

Yes, but that still doesn't eliminate problems, since most of these
accidents
are caused by accidentally hitting the mouse buttons rather than
carelessness
as to what window the mouse is in. The design of most mice makes
it very easy
to inadvertently hit buttons (this seems to be true on Suns, it was
true with
both the 1985-style and the current DEC mice, and even with Lisp
Machine
mice).

The problem is that it's very easy to brush a mouse button while
reaching for
the mouse, or while moving it. Looking at the way I hold the
mouse, my index
finger is practically on top of the middle button and my middle
finger nearly
touches the right button, making an accident of this nature
practically
inevitable.

Cut and paste is most definitely very useful, and getting rid of it
is an
overreaction. However, by requiring two independent actions to
perform it (e.
g. the shift key on the keyboard along with a mouse button), the
risk of such
an accident is reduced.

I've changed the mouse actions in my xterm windows to use shift
bindings for
the mouse keys. It's very rare that my left hand is camped on the
shift key
while my right hand is reaching for the mouse.

Robert Krawitz, Thinking Machines Corp, 245 First St., Cambridge,
MA 02142
<[email protected]> (617)234-2116 Member of the League for Programming
Freedom

------------------------------

Date: 19 May 93 14:42:53 GMT
From: [email protected] (Flint Pellett)
Subject: Re: CHI & the Color-blind? (Yu, RISKS-14.62)

> ...

It seems to me that the answer to that is simple, and it isn't
merely color/no
color that it relates to: Don't place an over-reliance on icons to
convey
meaning because they don't always do so (whether colored or not),
and the old
saying that a picture is worth a thousand words isn't always true.
Consider
in the example above, if the words "No contact", "Contacted",
"Promised", and
"Called Us" were displayed instead of the icons, (or under each
icon) how much
clearer it all would be. (If I had to use the system above, I see
myself
having to refer constantly to an explanation sheet that says what
each icon
means, and I would expect to often make mistakes.) Too often
people have been
creating icon symbols to replace words when the word they replace
is one that
everyone would understand (at least if they speak that language),
and the icon
they come up with is one nobody recognizes. You'll find that even
people who
don't speak the language can learn a word just as easily as they
can learn an
icon. Icons tend to fail to convey meaning most often when they
are trying to
replace verbs.

You can make it an option in your interface to let the user choose
between use
icons/use words/use both, but don't force "only icons" on people.
Then you
won't have to worry about color-blindness issues.

Flint Pellett, Global Information Systems Technology, Inc., 100
Trade Centre
Drive, Suite 301, Champaign, IL 61820 (217) 352-1165
uunet!gistdev!flint

------------------------------

End of RISKS-FORUM Digest 14.64

Downloaded From P-80 International Information Systems 304-744-2253