LISTWATCH: items from security-related mailing lists (December 15, 2000)
by Mary Ellen Zurko (mzurko@iris.com)
This issue's highlights are from DCSB, cypherpunks, risks, ACM
TechNews, and Crypto-Gram. This is a rather light issue of ListWatch.
I'm in the middle of the paper review cycle of WWW10 (www10.org.hk), which is adding a lot to the standard
responsibilities of job, family, the end of the year, and the holiday season.
____________________
The moderator of the Bugtraq list is beginning to refuse to post
advisories from companies who send out minimal information on the
problem and point readers to their web site for useful information.
Both Microsoft and @Stake posted advisories that summarized a particular
flaw and directed readers back to the companies' Web
sites. Steve Lipner, manager of Microsoft's Security Response Center
(and well known to this community), said "If we post an advisory with an
error in it, we would have to go out and get the information changed wherever
else it may be mirrored." Weld Pond of @stake says "I think
everyone out there knows that we are committed to full disclosure and the
concept of freely available security advisories. What we are doing is adding
more information than we have in the past and we are adding it on our Web
site."
A computer hacker stole credit card numbers from CreditCards.com and has
been trying to extort the company. A representative said that none of the
numbers were compromised; however, some consumers were told that web pages
containing their credit card numbers had been published, and MSNBC verified this.
One possible victim was asked to confirm an order she never placed.
CreditCards.com has not contacted any of its customers.
Zero Knowledge Systems has come under a lot of fire on cypherpunks (which
seems to happen any time they put out a press advisory). It started with
concerns about their support of split key encryption (charges that that is
a tool for third party holding of keys), kibitzing about their business
strategy (privacy consultants to enterprises), and the NymIP effort
(a pre-IETF BOF-like meeting to promote open standards for pseudonym protocols).
The progress of the latest US presidential election has caused more
pundits to posit that computer-based voting would work better. There have
been postings on some lists, smelling of snake oil, about tested and totally
secure mechanisms for Internet voting. Peter Neumann, Rebecca Mercuri,
and Lauren Weinstein wrote a sensible caution which covers the inability
of public "tests" to prove much of anything security-wise and the
raft of system-level issues involved in producing a secure system, including
environmental concerns.
There's a lot of activity in the cybercrime law space. Hong Kong has
proposed new laws that draw strong parallels between online and offline crime. A
draft Council of Europe treaty would ease the cross-border constraints on
tracking cybercrime. The US Justice Department has endorsed the main principles
of the pact. A 27-member coalition including the ACLU,
Privacy International, and the Internet Society has urged the Justice Department not
to follow through on the international pact, for fear it will enable police
agencies and other private interests to require the redesign of system
architectures to facilitate surveillance. The US Chamber of Commerce is
concerned that it could undermine economic growth. Other concerns about the
treaty are that it could require ISPs to keep customer data around for a
specified time period, and that it could restrict the distribution of certain
kinds of security tools.
Internet privacy legislation is predicted to have a good chance of being
passed in some form in next year's US Congress, as it's one of the issues with
bipartisan support.
An article in the Wall Street Journal claims that online stock traders are
beginning to use digital signatures now that they are explicitly legal.
Class action lawsuits against MatchLogic and Avenue A charge that the
companies violated the Electronic Communications Privacy Act (ECPA) and the
Computer Fraud and Abuse Act by placing cookies on the hard drives of consumers'
computers.
The IITRI report on Carnivore is in, and so are the comments on the report.
Bellovin, Blaze, Farber, Neumann, and Spafford
(www.crypto.com/papers/carnivore_report_comments.html) are concerned about
the limitations of the analysis: a lack of analysis of operational and
"systems" issues, no evidence of a systematic search for bugs,
exclusion from analysis or testing of RADIUS, and inadequate discussion of audit
and logging. They say "the Department of Justice must consider an on-going
process to maintain confidence in the system. One such approach is to publish
the Carnivore source code for public review."
Stephen King has discontinued his self-publishing experiment. He had said
that if he got $1 from at least 75% of the downloads, he'd continue. The most
recent chapter only yielded a 46% payment rate.
The Digital Commerce Society of Boston is looking for speakers. If you are
in Boston on the first Tuesday of some month, are a principal in digital
commerce, and would like to make a presentation to the Society, please send
e-mail to the DCSB Program Committee, care of Robert Hettinga (rah@shipwright.com).
It's a fun and stimulating group of people.
There has been a lot of digital signature backlash going on. Bruce Schneier
wrote an essay on "Why Digital Signatures are not Signatures". One
wag commented that 'The standards he applies to digital signatures are much
too severe. I think that even pen-and-ink signatures wouldn't pass, a
conclusion that would lead to the strange sentence, "Signatures aren't
signatures and they can't fulfill their promise."' Some of the problems
called out about digital signatures have to do with the intentions of the signer
and the linkage between a person and the signing key (Bruce strongly emphasizes
the former).
MIT's Technology Review magazine has a special issue looking at 10
technologies it thinks will soon have a profound impact on the economy and how
we live and work. One of them is digital rights management
(www.techreview.com/articles/jan01/TR10_toc.html). Various people
on various lists have argued you can't do DRM without a TCB. Maybe it's
time to dust off that copy of the Orange Book :-).
In a move that reminds me of a lot of the community and security discussions
that occurred in NSPW 2000, Visa has announced plans that it will oblige
Web merchants to protect credit card numbers and customer data from hack
attacks. It will begin monitoring sites that allow transactions with Visa
to ensure that the online merchants are complying with their own privacy
and security policies (www.theregister.co.uk/content/1/14625.html).
Sprint's wireless division said it will put global-positioning-system chips
in its cell phones.
A security breach has forced New Jersey officials to temporarily shut down
a service that allows E-ZPass users to get monthly statements via e-mail.
It seems that they send a URL which is easy to guess (probably some standard
format with the customer's name and the month in it), so anyone who knows a
customer's name can construct the link to that customer's statement.
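The guessable-link problem above is a common one, so here is an added example (my own code, not anything from E-ZPass or the original item) contrasting the kind of predictable URL the item speculates about with a link whose token binds the customer, the month and an expiry under an HMAC keyed with a server-side secret. The endpoint `statements.example.invalid`, the query parameter names and the user IDs are assumptions for illustration. Because the token cannot be computed without the server key, knowing a customer's name and the month no longer yields a working URL, and an expiry limits how long a leaked link stays useful.

```python
"""Issuing and checking unguessable, expiring e-mailed statement links.

Added example; not code from the original ListWatch item or from E-ZPass.
`guessable_link` is the kind of scheme the item speculates about (a fixed
layout built from name and month). `issue_statement_link` is one standard fix.
"""
import base64
import binascii
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

BASE_URL = "https://statements.example.invalid/view"  # hypothetical endpoint

# Server-side key. A real deployment keeps this in a secret store; it is
# generated at import time here only so the example runs offline.
_SERVER_KEY = secrets.token_bytes(32)


def guessable_link(name: str, month: str) -> str:
    """The weak design: the URL is fully determined by public facts."""
    return f"{BASE_URL}?{urlencode({'user': name, 'month': month})}"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _mac(payload: bytes, key: bytes) -> bytes:
    return hmac.new(key, payload, hashlib.sha256).digest()


def issue_statement_link(user_id: str, month: str, now: int,
                         ttl: int = 7 * 86400, key: bytes = _SERVER_KEY) -> str:
    """Build a link whose token is (user, month, expiry) plus an HMAC over it.

    `now` is a Unix timestamp; the link stops working after `now + ttl`."""
    payload = f"{user_id}|{month}|{now + ttl}".encode()
    token = _b64(payload) + "." + _b64(_mac(payload, key))
    return f"{BASE_URL}?{urlencode({'t': token})}"


def verify_statement_link(url: str, now: int, key: bytes = _SERVER_KEY):
    """Return {'user_id', 'month'} for a valid, unexpired link, else None."""
    token = parse_qs(urlparse(url).query).get("t", [None])[0]
    if not token or token.count(".") != 1:
        return None
    try:
        payload_b64, mac_b64 = token.split(".")
        payload = _unb64(payload_b64)
        mac = _unb64(mac_b64)
    except (ValueError, binascii.Error):
        return None
    # Constant-time comparison: a plain == would leak, via timing, how many
    # leading bytes of a forged MAC were right.
    if not hmac.compare_digest(mac, _mac(payload, key)):
        return None
    try:
        user_id, month, expires_at = payload.decode("utf-8").split("|")
        expires_at = int(expires_at)
    except ValueError:
        return None
    if now >= expires_at:
        return None
    return {"user_id": user_id, "month": month}


if __name__ == "__main__":
    now = 1_000_000  # constructed timestamp
    good = issue_statement_link("cust-42", "2000-11", now)
    print(good)
    print(verify_statement_link(good, now))                 # the customer's statement
    print(verify_statement_link(good, now + 8 * 86400))     # None: expired
    print(verify_statement_link(guessable_link("cust-42", "2000-11"), now))  # None
```

A signed token is enough to stop guessing, but it is still a bearer credential: anyone who obtains the e-mail can open the statement until it expires, which is why the TTL is short and why such links should also require the customer's normal login for anything beyond a read-only view.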
____________________
12/15/00