CRYPTO-GRAM, February 15, 2000

From Bruce Schneier <schneier@counterpane.com>
Date Tue, 15 Feb 2000 23:33:58 -0600


[: hacktivism :]

                  CRYPTO-GRAM

               February 15, 2000

               by Bruce Schneier
                Founder and CTO
       Counterpane Internet Security, Inc.
            schneier@counterpane.com
           http://www.counterpane.com


A free monthly newsletter providing summaries, analyses, insights, and 
commentaries on computer security and cryptography.

Back issues are available at http://www.counterpane.com.  To subscribe or 
unsubscribe, see below.


Copyright (c) 2000 by Counterpane Internet Security, Inc.


** *** ***** ******* *********** *************

In this issue:
      Distributed Denial-of-Service Attacks
      New Chinese Cryptography Regulations
      Counterpane Internet Security News
      Publicizing Vulnerabilities
      Counterpane -- Featured Research
      News
      Mitnick Case Yields New Crypto Twist
      The Doghouse:  X.com
      Cookies
      Comments from Readers


** *** ***** ******* *********** *************

     Distributed Denial-of-Service Attacks



Suddenly, distributed denial-of-service (DDS) attacks are big news.  The 
first automatic tools for these attacks were released last year, and CERT 
sent out an advisory in November.  But the spate of high-profile attacks in 
mid-February has put them on the front pages of newspapers everywhere.

Not much is new.  Denial-of-service attacks have been going on for 
years.  The recent attacks are the same, only this time there is no single 
source of the attack.  We've seen these for years, too.  The attacker first 
breaks into hundreds or thousands of random insecure computers (called 
"zombies") on the Internet and installs an attack program.  Then he 
coordinates them all to attack the target at the same time.  The target is 
attacked from many places at once; his traditional defenses just don't 
work, and he falls over dead.

It's very much like the pizza delivery attack: Alice doesn't like Bob, so 
she calls a hundred pizza delivery parlors and, from each one, has a pizza 
delivered to Bob's house at 11:00 PM.  At 11, Bob's front porch is filled 
with 100 pizza deliverers, all demanding their money.  It looks to Bob like 
the pizza Mafia is out to get him, but the pizza parlors are victims 
too.  The real attacker is nowhere to be seen.

This sounds like a complicated attack on the Internet, and it is.  But 
unfortunately, it only takes one talented programmer with a poor sense of 
ethics to automate and distribute the attacks.  Once a DDS tool is publicly 
available, an attacker doesn't need skill; he can use a simple 
point-and-click interface to infect the intermediate sites, as well as to 
coordinate and launch the attack.  This is what's new: easy-to-use DDS 
tools like Trin00 and Tribal Flood Network.

These attacks are incredibly difficult, if not impossible, to defend 
against.  In a traditional denial-of-service attack, the victim computer 
might be able to figure out where the attack is coming from and shut down 
those connections.  But in a distributed attack, there is no single 
source.  The computer should shut down all connections except for the ones 
it knows to be trusted, but that doesn't work for a public Internet site.

Other defenses also have problems.  I've seen proposals that force the 
client to perform an expensive calculation to make a connection.  (RSA 
pre-announced such a "solution.")  This works against standard 
denial-of-service attacks, but not against a distributed one.  Large-scale 
filtering at the ISPs can help, but that requires a lot of effort and will 
reduce network bandwidth noticeably.

At least one report has suggested that a lack of authentication on the 
Internet is to blame.  This makes no sense.  The packets did harm just by 
the attempt to deliver them; whether or not they were authenticatable is 
completely irrelevant.  Mandatory authentication would do nothing to 
prevent these attacks, or to track down the attackers.

There have been two academic conferences on DDS attacks in recent weeks, 
and the general consensus is that there is no way to defend against these 
attacks.  Sometimes the particular bugs exploited in the DDS attacks can be 
patched, but there are many that cannot.  The Internet was not designed to 
withstand DDS attacks.

Tracing the attacker is also incredibly difficult.  Going back to the pizza 
delivery example, the only thing the victim could do is to ask the pizza 
parlors to help him catch the attacker.  If all the parlors coordinated 
their phone logs, maybe they could figure out who ordered all the pizzas in 
the first place.  Something similar is possible on the Internet, but it is 
unlikely that the intermediate sites kept good logs.  Additionally, it is 
easy to disguise your location on the Internet.  And if the attacker is in 
some Eastern European country with minimal computer crime laws, a bribable 
police, and no extradition treaties, there's nothing you can do anyway.

So far, these attacks are strictly denial-of-service.  They do not affect 
the data on the Web sites.  These attacks cannot steal credit card numbers 
or proprietary information.  They cannot transfer money out of your bank 
account to trade stocks in your name.  Attackers cannot gain financially 
from these attacks.  Still, they are very serious.  And it is certainly 
possible that an attacker can use denial of service as a tool for a more 
complicated attack that IS designed to steal something.

This is not to say that denial-of-service attacks are not real, or not 
important.  For most big corporations, the biggest risk of a security 
breach is loss of income or loss of reputation, either of which is achieved 
by a conspicuous denial-of-service attack.  And for companies with more 
mission- or life-critical data online, a DOS attack can literally put a 
person's life at risk.

The real problem is that there are hundreds of thousands, possibly 
millions, of innocent naive computer users who are vulnerable to 
attack.  They're using DSL or cable modems, they're always on the Internet 
with static IP addresses, and they can be taken over and used as launching 
pads for these (and other) attacks.  The media is focusing on the mega 
e-corporations that are under attack, but the real story is the individual 
systems.

Similarly, the real solutions are of the "civic hygiene" variety.  Just as 
malaria was defeated in Washington, DC, by draining all the swamps, the 
only real way to prevent these attacks is to protect those millions of 
individual computers on the Internet.  Unfortunately, we are building 
swampland at an incredible rate, and securing everything is 
impracticable.  Even if personal firewalls had a 95% market penetration, 
and even if they were all installed and operated perfectly, there would 
still be enough insecure computers on the Internet to use for these attacks.

I believe that any long-term solution will involve redesigning the entire 
Internet.  Back in the 1960s, some people figured out that you could 
whistle, click, belch, or whatever into a telephone and make the system do 
things.  This was the era of phone phreaking: black boxes, blue boxes, 
Captain Crunch whistles.  The phone company did their best to defend 
against these attacks, but the basic problem was that the phone system was 
built with "in-band signaling": the control signal and the data signal 
traveled along the same wires.  In the 1980s, the phone company completely 
redesigned the phone system.  For example SS7, or Signaling System 7, was 
out-of-band.  The voice path and data path were separated.  Now it doesn't 
matter how hard you whistle into the phone system: the switch isn't 
listening.  The attacks simply don't work.  (Red boxes still work, against 
payphones, by mimicking the in-band tones that count the coins deposited in 
the phones.)

In the long term, out-of-band signaling is the only way to deal with many 
of the vulnerabilities of the Internet, DDS attacks among 
them.  Unfortunately, there are no plans to redesign the Internet in this 
way, and any such undertaking might be just too complicated to even consider.

Discussion of DDS attacks:
<http://staff.washington.edu/dittrich/talks/cert/>

CERT Advisory:
<http://www.cert.org/incident_notes/IN-99-07.html>

Tool to check if Tribal Flood Network or Trin00 is installed on your computer:
<http://www.nfr.net/updates/>

Tutorial on DOS attacks:
<http://www.hackernews.com/bufferoverflow/00/dosattack/dosattack.html>

Trin00 Analysis:
<http://staff.washington.edu/dittrich/misc/trinoo.analysis>

Tribal Flood Network Analysis:
<http://staff.washington.edu/dittrich/misc/tfn.analysis>

Stacheldraht Analysis:
<http://staff.washington.edu/dittrich/misc/stacheldraht.analysis>

Declan McCullagh's essay on the topic:
<http://www.wired.com/news/politics/0,1283,34294,00.html>


** *** ***** ******* *********** *************

      New Chinese Cryptography Regulations



Claiming that they are trying to prevent state secrets from being stolen, 
China has issued some strict Internet cryptography controls.  First, 
everyone who uses encryption has to register with the government and give 
the details of what software they are using and the algorithm, users' 
names, e-mail addresses, as well as the location of their 
computers.  Second, Chinese companies are prohibited from buying products 
containing encryption software that was designed overseas.  (So if a U.S. 
software company wants to sell encryption in its product, it needs to rip 
out whatever it has now and install something Chinese-made.)

This is a weird one, and I have a few observations.  One, China is probably 
afraid that foreign security products have back doors.  This is possible, 
and something that the U.S. has done before.  But I don't see how enforcing 
requirements on crypto algorithms help here.  Back doors are usually much 
more subtle than a broken crypto algorithm,

Two, this could easily be a prelude to key escrow.  Certainly the first 
step toward requiring people to give a copy of their encryption keys to the 
government is to find out who is using encryption, and what kind.

Three, even by itself this information is useful for Chinese 
espionage.  Traffic analysis is a very difficult problem, and knowing who 
is using encryption software (and where they are physically located) makes 
it a lot easier to know who to target.

People with a lot more political expertise than I have said that this is 
really nothing.  China demanded that all fax machines be registered a 
decade ago, and many didn't bother to comply.

<http://www.wired.com/news/print/0,1294,33910,00.html>
<http://www.usatoday.com/life/cyber/tech/cth217.htm>
<http://www.currents.net/newstoday/00/01/27/news6.html>


** *** ***** ******* *********** *************

      Counterpane Internet Security News



Lots of excitement; still lots of secrecy.  We're up to 45 employees and 
still growing.  If anyone knows of a good VP of Marketing who likes 
commuting to San Jose, send him my way.

The Counterpane Web site has a new look.  Visit it:
<http://www.counterpane.com>

Bruce Schneier is speaking at PC Forum, on March 15th:
<http://www.edventure.com/PC2000/>


** *** ***** ******* *********** *************

          Publicizing Vulnerabilities



Last month I discussed publicity attacks, and the tendency of vendors to 
hype security vulnerabilities as publicity for their products and 
services.  My essay generated a lot of commentary (see the end of the 
article for some URLs).  This is a complicated issue, with gray areas, 
slippery slopes, and a lot of room for debate.  My position has changed 
over time.  I'd like to revisit it.

There are really two issues here, intertwined.  If someone discovers a 
vulnerability in a product, should he quietly alert the vendor or should he 
make it public?  And when is a vulnerability important and when is it trivial?

The first issue involves some history.

In 1988, the Morris Worm illustrated how susceptible the Internet is to 
attack.  The Defense Advanced Research Projects Agency (DARPA) funded a 
group to coordinate responses to these kinds of attacks, increase security 
awareness, and generally do good things for Internet security.  The group 
is known as CERT -- more formally, the Computer Emergency Response Team -- 
and its response center is at Carnegie Mellon University in Pittsburgh.

Over the years CERT has acted as kind of a clearinghouse for security 
vulnerabilities.  People are supposed to send vulnerabilities they discover 
to CERT.  CERT then verifies that the vulnerability is real, quietly alerts 
the vendor, and publishes the details (and the fix) once the vendor has 
fixed the vulnerability.

This sounds good in theory, but worked less well in practice.  There were 
three main complaints.  First, CERT got a lot of vulnerabilities reported 
to it, and there were complaints about CERT being slow in verifying 
them.  Second, the vendors were slow about fixing the vulnerabilities once 
CERT told them.  Since CERT wouldn't publish until there was a fix, so 
there was no real urgency to fix anything.  And third, CERT was slow about 
publishing reports even after the fixes were implemented.

The "full disclosure" movement was born out of frustration with this 
process.  Internet mailing lists like Bugtraq (begun in 1993) and NT 
Bugtraq (begun in 1997) became forums for people who believe that the only 
way to improve security is to understand and publicize the problems.  This 
was a backlash against the ivory tower attitude of CERT.  As one hacker 
wrote: "No more would the details of security problems be limited to closed 
mailing lists of so-called security experts or detailed in long, 
overwrought papers from academia.  Instead, the information would be made 
available to the masses to do with as they saw fit."

Today, many researchers publish vulnerabilities they discover on these 
mailing lists, sometimes accompanied by press releases and the usual flurry 
of factoids.  The press trolls these mailing lists, and writes about the 
vulnerabilities in the computer magazines: both paper-based and 
online.  (This is why there have been so many more press stories about 
computer vulnerabilities over the past few years.)  The vendors scramble to 
patch these vulnerabilities as soon as they are publicized, so they can 
write their own press releases about how quickly and thoroughly they fixed 
things.  The full disclosure movement is improving Internet security.

At the same time, hackers use these mailing lists to learn about 
vulnerabilities and write attack programs (called "exploits").  Sometimes 
the researchers themselves write demonstration exploits.  Sometimes others 
do.  Some of these attacks are complicated; but as soon as someone writes a 
point-and-click exploit, anyone can exploit the vulnerability.

Those against the full-disclosure movement argue that publishing 
vulnerability details does more harm than good by arming the criminal 
hackers with tools they can use to break into systems.  Security is much 
better served, they counter, by not publishing vulnerabilities in all their 
gory details.

Full-disclosure proponents counter that this assumes that the researcher 
who publicizes the vulnerability is always the first one to discover it, 
which simply isn't true.  Sometimes, vulnerabilities have been known by 
attackers (sometimes passed about quietly in the hacker underground) for 
months or years before the vendor ever found out.  The sooner a 
vulnerability is publicized and fixed, the better it is for everyone.

That's the debate in a nutshell:  Is the benefit of publicizing an attack 
worth the increased threat of the enemy learning about it?  (In the 
language of the intelligence community, this is known as the "equities 
issue.")  If vulnerabilities are not published, then the vendors are slow 
(or don't bother) to fix them.  But if the vulnerabilities are published, 
then hackers write exploits to take advantage of them.

In general, I am in favor of the full-disclosure movement, and think it has 
done a lot more to increase security than it has to decrease 
it.  Publicizing a vulnerability doesn't cause it to come into existence; 
it existed even before it was publicized.  Given that most vendors don't 
bother fixing vulnerabilities that are not published, publicizing is the 
first step towards closing that vulnerability.  Punishing the publicizer 
feels a lot like shooting the messenger; the real blame belongs to the 
vendor that released software with the vulnerability in the first place.

The second issue -- the one that generated most of the discussion last 
month -- involves the agenda of the researcher.  Publishing a security 
vulnerability is a play for publicity; the researcher is looking to get his 
own name in the newspaper by successfully bagging his prey.  The publicizer 
often has his own agenda: he's a security consultant, or an employee of a 
company that offers security products or services.  This is especially true 
if the vulnerability is publicized in a press release.  Services like PR 
Newswire and Business Wire are expensive, and no one would do it unless 
they thought they were getting something in return.

All researchers are guilty of courting publicity.  I am guilty of this.  It 
was fun when my Microsoft PPTP break hit the press.  Calling the protocol 
"kindergarten cryptography" was a hoot.  On the other hand, I objected to 
nCipher's publication of their key finding attack last month.  The 
differences are subtle and there's a lot of gray area, but here are my rules.

First, I am opposed to attacks that primarily sow fear.  Publishing 
vulnerabilities that there's no real evidence for is bad.  Publishing 
vulnerabilities that are more smoke than fire is bad.  Publishing 
vulnerabilities in critical systems that cannot be easily fixed and whose 
exploitation will cause serious harm (e.g., the air traffic control system) 
is bad.

Second, I believe in giving the vendor advance notice.  CERT took this to 
an extreme, sometimes giving the vendor years to fix the problem.  I'd like 
to see the researcher tell the vendor that he will publish the 
vulnerability in a month, or three weeks (no fair giving the vendor just 
seven days to fix the problem).  Hopefully the vulnerability announcement 
can occur at the same time as the patch announcement.  This benefits 
everybody.  (Admittedly, I did not do this with Microsoft PPTP.)

Third, I believe that it is irresponsible, and possibly criminal, to 
distribute exploits.  Reverse-engineering security systems, discovering 
vulnerabilities, and writing research papers about them benefits research; 
it makes us smarter at designing secure systems.  Distributing exploits 
just make us more vulnerable.  For example, Mixter is a German hacker who 
wrote the Tribal Flood Network tool used in some of the distributed 
denial-of-service attacks.  I believe he has a lot to answer for.  His 
attack tool served no good.  It enabled criminals and cost a lot of 
companies a lot of money.  Its existence makes networks less secure.

This is not clear-cut: there are tools that do both good and 
bad.  Vulnerability assessment tools can be used both to increase security, 
and to break into systems.  Remote administration tools look a lot like 
Back Orifice.  Publishing tools can also help; Microsoft has lied to the 
press and denied that a published vulnerability is real, until an actual 
exploit appeared.

I like Marcus Ranum's "be part of the solution, not part of the problem" 
metric.  Full disclosure is part of the solution.  Convincing vendors to 
fix problems is part of the solution.  Sowing fear is part of the 
problem.  Handing computer weaponry to clueless teenagers is part of the 
problem.

These are my opinions; they have changed over time, and are probably still 
changing.  I came to this field via cryptography.  Cryptography is by 
nature adversarial, even in the ivory towers of academia.  Someone proposes 
a new scheme: an algorithm, a protocol, a technique.  Someone else breaks 
it.  A third person repairs it.  And so on.  It's all part of the fun, and 
this is how I learned.  I first came to network security with this 
philosophy.  But when it comes to fielded systems, things can get a lot 
trickier.  Publishing vulnerabilities can cause significant damage to 
networks, and considerable pain and suffering for network 
administrators.  If an announcement, product, or exploit makes things 
worse, it's bad.  If it makes things better, it's good.

My original essay:
<http://www.counterpane.com/crypto-gram-0001.html#KeyFindingAttacksandPublic 
ityAttacks>

One response:
<http://www.securityfocus.com/templates/forum_message.html?forum=2&head=754% 
20&id=754>

A response to that response:
<http://www.securityfocus.com/templates/forum_message.html?forum=2&head=754% 
20&id=789>

The discussion on SlashDot:
<http://slashdot.org/articles/00/01/17/0839211.shtml>

Marcus Ranum's essay on the topic:
<http://www.clark.net/pub/mjr/pubs/dark/>

See also the reader comments at the end of this issue.


** *** ***** ******* *********** *************

       Counterpane -- Featured Research



"A Twofish Retreat: Related-Key Attacks Against Reduced-Round Twofish"

Niels Ferguson, John Kelsey, Bruce Schneier, Doug Whiting

The Twofish AES submission document contains a partial chosen-key and a 
related-key attack against ten rounds of Twofish without whitening, using 
256-bit keys.  This attack does not work; it makes use of a postulated 
class of weak key pairs which has the S-box keys and eight successive round 
keys equal, but no such pairs exist.  In this report we analyze the 
occurrence of this kind of weak key pair and describe how such pairs may be 
used both to mount attacks on reduced-round Twofish and to find properties 
of reduced-round Twofish that are not present in an ideal cipher.  We find 
that related-key and chosen-key attacks are considerably less powerful 
against Twofish than was previously believed.

<http://www.counterpane.com/twofish-related.html>


** *** ***** ******* *********** *************

                     News



One of the nicer things about living in Minneapolis:
<http://www.ag.state.mn.us/home/files/news/pr_conspriv_011300.html>

GCHQ (the British NSA equivalent) is looking for recruits.  Take the test 
on their Web site.
<http://www.gchq.gov.uk/>

Various pundits have said that the government is still winning the crypto 
battle as long as Windows is shipping without strong crypto.  Guess what?
Microsoft has said that it would release Windows 2000 worldwide with strong
cryptography.
<http://www.wired.com/news/technology/0,1282,33745,00.html>

A brute-force machine for a combination lock:
<http://vv.carleton.ca/~neil/robotics/locraker.html>

Would you hire hackers?  Some backlash to the @stake announcement:
<http://www.zdnet.com/enterprise/stories/security/news/0,7922,2420340,00.html>

Why security policies fail:
<http://www.cdc.com/solutions/whitepapers/Why_Security_Policies_Fail.pdf>

Another distributed attack against a 56-bit cipher, one called the 
CS-Cipher.  This one took 62 days on about 38,000 machines, and happened to 
require searching 98% of the keyspace.
<http://www.wired.com/news/print/0,1294,33695,00.html>

Nice article on how easy it is to hack into Web sites:
<http://www.pcworld.com/current_issue/article/0,1212,14415,00.html>

The NSA has contracted with Secure Computing Corp. for a secure version of 
Linux.  Personally, I don't know if the Linux license allows the NSA to 
make a secure version of the operating system if they are not going to 
freely distribute the results.
<http://www.fcw.com/fcw/articles/web-nsalinux-01-17-00.asp>

The U.S. government and cyber crime:
<http://www.currents.net/newstoday/00/01/17/news4.html>
<http://www.fcw.com/fcw/articles/web-fbi-01-14-00.asp>
<http://www.computerworld.com/home/print.nsf/all/000111DBFE>
<http://washingtonpost.com/wp-srv/business/feed/a39572-2000jan13.htm>

The new export rules and the Bernstein case:
<http://www.wired.com/news/print/0,1294,33651,00.html>

In a nice piece of irony, the new U.S. crypto regulations will benefit 
federal agencies:
<http://www.fcw.com/fcw/articles/web-export-01-14-00.asp>
Other commentary on the new encryption regulations:
<http://www.computerworld.com/home/print.nsf/all/000113DD42>
<http://www.usatoday.com/life/cyber/tech/cth136.htm>

New service monitors what radio station you're listening to:
<http://www.wired.com/news/technology/0,1282,33799,00.html?tw=wn20000125>

Windows 2000 has its first virus:
<http://www.computerworld.com/home/print.nsf/all/000113DD52>
and its first security holes:
<http://dailynews.yahoo.com/h/zd/20000130/tc/20000130748.html>
Remember, it hasn't even been released yet.

I'm not the only one who thinks Internet voting is a dumb idea.  The 
"California Internet Voting Task Force" agrees.
<http://www.ss.ca.gov/executive/ivote/>

This is the most clever piece of credit-card fraud I've seen in a long time:
<http://www.zdnet.com/zdnn/stories/news/0,4586,2427490,00.html?chkpt=zdhpnew 
s01>

More information on the French smart card hack:
<http://www.msnbc.com/news/361936.asp>
<http://www.theregister.co.uk/000123-000005.html>
<http://www.parodie.com/english/smartcard.htm>

Someone is suing Yahoo for violating Texas's anti-stalking law by using 
cookies to track computer users' every move without their consent:
<http://news.cnet.com/category/0-1005-200-1533164.html>

Twofish on the AS/400:
<http://www.news400.com/features/newmf/Article.cfm?ArticleID=13333>

Snake-oil alert.  Remember, it is possible -- although unlikely -- that 
this is as good as NEC's PR department makes it sound.  But it will take 
years to know.
<http://www.theregister.co.uk/000127-000025.html>
<http://www.cnn.com/2000/TECH/computing/01/24/nec.strong.encrypt/index.html>

Good summaries of the DVD break and deCSS.  An important point is that DVDs 
can be copied and pirated without using deCSS or any other decryption, 
which certainly makes the original claim of "prevents piracy" look either 
astoundingly ignorant or brazenly deceptive.
<http://www.fool.com/portfolios/rulemaker/2000/rulemaker000127.htm>
<http://www.latimes.com/news/comment/20000207/t000012301.html>
<http://linuxtoday.com/stories/16556.html>

Recently declassified NSA documents.  9 and 12 mention ECHELON:
<http://www.gwu.edu/~nsarchiv/NSAEBB/NSAEBB23/index2.html>
General information:
<http://www.gwu.edu/~nsarchiv/NSAEBB/NSAEBB23/index.html>

Worth reading.  EPIC's testimony on digital infrastructure protection.
<http://www.epic.org/security/EPIC_testimony_0200.pdf>

House passes digital signature legislation:
<http://www.cnn.com/2000/TECH/computing/01/31/esignatures/>

France sues the U.S. and U.K. over ECHELON:
<http://www.the-times.co.uk/news/pages/tim/2000/02/10/timfgneur01007.html?999>

Former CIA director John Deutch brought classified information home on his 
unsecured laptop.
<http://www.fcw.com/fcw/articles/2000/0131/web-security-02-04-00.asp>
<http://www.wired.com/news/print/0,1294,34105,00.html>

New vulnerabilities in e-commerce.  Some shopping carts allow shoppers to 
alter fields in HTML forms and URLs to alter prices of items they are buying.
<http://www.computerworld.com/home/print.nsf/all/000202E636>
<http://www.usatoday.com/life/cyber/nb/nb2.htm>
<http://www.theregister.co.uk/000203-000006.html>

** *** ***** ******* *********** *************

      Mitnick Case Yields New Crypto Twist



When Kevin Mitnick was captured, federal agents seized two of his laptop 
computers.  Several files on those computers were encrypted.  During 
pre-trial discovery, the prosecution refused to give copies of the 
encrypted files to the defense unless Mitnick gave them the key.  The 
defense argued that the Constitution required the government to turn over 
any documents that might help Mitnick defend himself.  The prosecution 
argued that since they had no idea what was in the files, they could be 
potentially dangerous.  Unfortunately, the judge agreed with the prosecution.

<http://www.nytimes.com/library/tech/00/01/cyber/cyberlaw/28law.html>


** *** ***** ******* *********** *************

              The Doghouse:  X.com



A bank where you can withdraw money not just from your account, but from 
anyone's account.  My favorite quote from X.com's CEO: "I don't think a 
mistake was made."  Sadly, I believe him.

<http://www.zdnet.com/zdnn/stories/news/0,4586,2429999,00.html>
<http://www.currents.net/newstoday/00/01/31/news4.html>
<http://www.nytimes.com/library/tech/00/01/biztech/articles/28secure.html>


** *** ***** ******* *********** *************

                    Cookies



Cookies are a clever programming trick built into WWW browsers.  Basically, 
a cookie is a little bit of data that a Web server gives to a browser.  The 
browser stores the data on the user's computer, and returns it to the 
server whenever the browser returns to the server.  Cookies can do all 
sorts of useful and good things.  Unfortunately, they can also do all sorts 
of useful bad things.  First I'll explain how they work; then I'll talk 
about the problems.

The WWW is basically a stateless protocol.  This means that the server 
doesn't know who you are from one click to the next.  All the server does 
is serve up Web pages.  A browser asks for a Web page; the server gives it 
to it.  The server has no idea if this is the same browser as before or a 
different browser, nor does it care.  This works great for simple, static, 
Web sites that just contain informational pages.

More complex Web sites are dynamic.  Retail Web sites often have shopping 
carts, which travel with you as you browse the site.  Paid access 
informational sites have usernames and passwords, which travel with you as 
you go from page to page.  (I would find it annoying to have to type my 
username and password in every time I wanted to see another New York Times 
article.)  Cookies are a way to handle this.

Remember that the WWW protocols are stateless; there is no way for the 
server to remember who you are from one mouse click to the next.  By giving 
the browser a cookie and then asking for it back, the server can remember 
who you are.  "Oh yes, you're user 12345657; this is your shopping 
cart."  Cookies allow the browser to add state to the WWW protocols.  You 
can think of them as a large distributed database, with pieces stored on 
millions of browsers throughout user-land.

So far, so good.  And mostly, cookies are good, if the server placing the 
cookie plays by the rules.  The server can set how long the cookie lasts 
before it expires: a few days seems like a good number.  A server can set 
restrictions on who can access the cookie.  They usually limit access to 
servers in the same domain; this means that if your cookie comes from 
random-merchant.com, than only random-merchant.com can access the cookie.

The problems come when they are abused.  Some servers use cookies to track 
users from site to site, and some use them to uncover the identity of the 
user.  Here's an easy example: there are companies that resell advertising 
space on popular sites.  DoubleClick is a company that does that; often the 
ads you see are placed there by DoubleClick in arrangement with the 
site.  If you're browsing on sex-site.com, you're going to see a portion of 
that window that comes from DoubleClick.com.  DoubleClick.com gives you a 
cookie.  Later (that day, or maybe another day), when you're browsing on 
CDNow.com, there might be another DoubleClick-placed ad.  DoubleClick can 
request the cookie from your browser and, because the cookie says that it 
was created while you were visiting a sex site, send you targeted ads while 
you're browsing CDNow.  Because DoubleClick is on a bunch of commerce 
sites, its cookies can be used to track you across all of those sites.

Even worse, if you type your e-mail address in at any of those sites and 
DoubleClick gets it, DoubleClick can now attach an e-mail address to your 
browsing habits.  All it needs is for you to type that address in once -- 
that's ordering only one thing -- and it has it forever.  (Or, for as long 
as that cookie has not expired, which can be years.)

DoubleClick freely admits they collect data and use that data to target ads 
to users, but until recently they denied building an identity 
database.  Two weeks ago, USA Today exposed their duplicity.  They have 
since admitted that they try to collect names and attach cookies to 
off-line identities.  The implications for private Web browsing are profound.

There's more.  Sites can send you a cookie in e-mail that it can use to 
identify you if you later visit that site with your browser.  Here's how it 
works:  the site sends you a piece of HTML e-mail.  (This implies you're 
using an e-mail program that supports HTML messages, such as Microsoft's 
Outlook and Outlook Express, Netscape Messenger, or Eudora.)  The message 
contains a URL to a graphic, which the site can use to send you a 
cookie.  Now, when you browse the site at some later date, the site can use 
the cookie to link the browsing with the e-mail, and hence the e-mail 
address.  Supposedly this has been used by some sites to track Web surfers.

Some things cookies cannot do:  Cookies cannot steal information from your 
computer.  A cookie is simply some data that the server gives the browser, 
and the browser later returns.  A cookie cannot grab your passwords or 
files.  (ActiveX, Java, and JavaScript are much more dangerous in this 
regard.)  Cookies cannot steal your credit card numbers.

The lesson here is that cookies are not bad, but there are some very 
malevolent uses of them.  There are ways in most browsers to turn cookies 
off completely, and third-party programs that help you manage them 
better.  Managing is a better solution, since some Web sites refuse entry 
to people who don't accept cookies.

"Opt out" of DoubleClick.  They can't keep your personal information if you 
tell them not to.  DO THIS NOW.
<http://www.cdt.org/action/doubleclick.shtml>

Cookie blocking software:
<http://www.junkbusters.com/ht/en/cookies.html>
<http://www.ecst.csuchico.edu/~atman/spam/adblock.shtml>

Anonymous Web browsing:
<http://www.zeroknowledge.com>

Stories on DoubleClick's duplicity:
<http://www.usatoday.com/life/cyber/tech/cth211.htm>
<http://www.hackernews.com/arch.html?012600#1>
<http://news.cnet.com/news/0-1005-200-1531929.html?dtn.head>

Lawsuit against DoubleClick:
<http://www.wired.com/news/print/0,1294,33964,00.html>

CDT's testimony on online profiling:
<http://www.cdt.org/testimony/ftc/mulliganFTC.11.30.99.shtml>


** *** ***** ******* *********** *************

               Comments from Readers



From: Andrew D. Fernandes <andrew@cryptonym.com>
Subject: Publicity Attacks

I have a couple of comments regarding your "Publicity Attack" article in 
the January Crypto-Gram.

First, you insinuated that my company, Cryptonym, being a PKI vendor, had 
somehow profited by publicizing the Microsoft/NSA issue.  In fact, we 
didn't make a penny off of the information.  Heck, I couldn't sell you 
anything even if I wanted to.  We are at least a year from releasing any 
products whatsoever -- products that will be fully open source -- and we 
only take on a very limited amount of consulting.

We thought that we were doing the "Right Thing" by publicizing the fact 
that all US companies wanting to export crypto software had to involve 
themselves somehow with the NSA.  It was never our intention to make money 
off of our finding, and so far, we haven't.

Second, you discuss publicity attacks.  Apparently, we cannot trust nCipher 
or eEye to discuss security because they sell security products and 
consulting.  In fact, at the end of the Crypto-Gram is a note indicating 
that we should be wary of claims about elliptic curves made by Alfred 
Menezes because he has financial interest in Certicom.  I think that this 
is going too far.

Yes, perhaps nCipher and eEye (and maybe even Cryptonym) did a bad job 
publicizing security holes.  Maybe Alfred wants to fool everybody about the 
security of elliptic curves for his own nefarious gain.  But get real!

Everybody in this field -- including you and Counterpane -- has strong 
monetary ties to the industry, therefore everything everybody says has to 
be taken in context.  These financial ties do not mean that a company's 
advice or press releases cannot be trusted.  Taking advice about 
cryptography is no different than taking advice from your lawyer.  You have 
to know how your lawyer will benefit from you taking their advice.

But I think it's presumptuous to imply that we lack professional integrity 
if you disagree with us.  For instance, why are you advising people to use 
RSA over ECC? Why not ElGamal or Authenticated Diffie-Hellman? After all, 
RSA is patented, while ElGamal and ADH are not...  Wait! Does Counterpane 
hold any shares of RSA?! Could Counterpane be making money by advising 
people that ECC isn't as good as RSA?

I certainly hope not.  I don't agree with your ECC vs. RSA advice (and 
neither does Alfred Menezes).  However, I do believe in you and your 
company's professional integrity.


From: Geoff Thorpe <geoff@eu.c2.net>
Subject: nCipher's Key-Finding Attack

I was interested to read your thoughts on the nCipher-announced 
key-scanning attacks.  As someone who works for a company that produces an 
open-source based secure web-server I would have as much temptation as 
anyone to play down the importance of such attacks -- especially as the 
desired inference seems to be that the web-server can't be secure unless 
one shells out on hardware crypto too! However, I feel it's dangerous to 
disregard what the underlying work may have to tell us about our security 
and configurations, regardless of whether or not that involves taking it to 
the extent that press release may like us to (which is to conclude hardware 
crypto is the solution to the problem).

I do generally agree with the sentiment that these key-scanning attacks 
aren't nearly as sensational as the press might like (or be led) to believe 
-- key scanning is nothing new and this work has simply sped it up quite a 
bit, and there are only very specialized kinds of web-server usage where 
these attacks can be mounted against a server that has been set up 
competently.  However it is incompetently set up web-servers that are 
mostly likely to be discussed to illustrate and justify attacks so we're 
best to look under the hood to see what we can take and what we can discard 
from all this.

IMHO, the research behind the announcement is legitimate and worthy of a 
look -- if for no other reason, to get a more healthy respect for 
key-protection.  In particular, the research uses some interesting ideas on 
scanning large blocks of data for areas of high-entropy before using more 
refined search techniques to track down actual keys in the "haystack".  It 
rather effectively illustrates why one must have a keen eye for scenarios 
where unencrypted private keys lie in any media subject to brute-force 
scanning, no matter how impossibly resource intensive the scanning attacks 
may at first appear.  The research in question illustrates how a large 
hard-disk could be scanned quite quickly to search out a private key that 
may lie in it (e.g., a swap partition, a core dump, etc.).  Everyone knows 
an unencrypted private key is always a target -- but the research gives 
some considerable warning to those who might have previously thought 1 
private key in 2 Gb of data was too difficult a thing to find.

Also, the attack has at least led us to consider situations where this kind 
of attack is or is not an issue rather than allowing hackers to do it for 
us.  The truth is that this family of attacks, at least in the case of 
web-servers, is only a serious threat for multi-hosting servers that run 
multiple virtual hosts in the same web-server application that is running a 
secure virtual host (and does not use any setuid on the web-server child 
processes).  In that scenario, an administrator who can upload and activate 
native (e.g., CGI) programs in their virtual host can not only scan for and 
find their own private key (if they have one), but also the private keys of 
any other loaded virtual hosts running in the same processes (or as the 
same user).  By attaching to a running process (as debuggers do) or using 
some "/proc"-style mechanism to get direct access to a process's virtual 
memory, you can begin your scanning as you would on a regular file.  There 
are not many servers running in scenarios like this (where an 
"administrator" can compromise anyone except him/her-self), but the 
research has at least allowed to us to consider exactly who is and isn't 
vulnerable (helping the former, and providing some peace-of-mind to the 
latter) before the lessons are learnt the hard way.


From: Nicko van Someren <nicko@ncipher.com>
Subject: Re: Key Finding

First, I would like to point out a significant inaccuracy in your 
report.  You state in the penultimate paragraph that "[the] nCipher release 
included a hacker tool".  This is incorrect.  We have built a tool that 
efficiently finds SSL server keys and we have shown it to a limited number 
of web server vendors, but we have NEVER released the code; nor do we have 
any intention of doing so.

On the broader issue of what you call "publicity attacks," I feel I must 
defend nCipher's issuance of a press release on this topic.  An essential 
aspect of developing security solutions is finding the weaknesses in 
existing systems, and when those weaknesses are found it is reasonable to 
let those who will be affected know.  After making the theoretical attacks 
known in February 1999, we found that many web server vendors felt that the 
attacks were impractical and ignored the issue.  Thus we went on to prove 
the practicality of these attacks and let the server vendors have the 
details of our new results.  We then went on to let the rest of the world know.

While you are right to say that nCipher has some interest in the results of 
this research, it is rare for any company to carry out research without 
having some interest in the results.

We stand by our stance that publication of potential modes of attack is 
preferable to obscuring them and allowing them to be employed on an 
unsuspecting world.


From: ruth@innocent.com
Subject: Radio Pirates

The "Radio pirates" story originated in New Scientist, where for all I know 
it was told in a more balanced way, and probably had a side panel 
explaining RDS technology and the reason for this vulnerability.

RDS (Radio Data System) lets consumer radios decode a low bit rate digital 
signal from compatible FM broadcasts.  This signal can include a station ID 
(such as "BBC R4" or "KISS FM", and various other info, but there is also 
an additional feature which drivers can switch on at their option called TP 
(Traffic Programme) which switches to local stations when they are 
broadcasting a travel update.

Just why is this a "Good illustration of the hidden vulnerabilities in 
digital systems"?  Even if you believed the misleading articles from the 
BBC which says that "radio stays tuned in until ... the driver switches off 
the RDS feature," you'd still realise that this system degrades nicely to 
ordinary FM radio service at the push of a button.  Actually those reports 
are an exaggeration, all the RDS car radios I've ever seen had a button 
labelled "TP", which when pressed enables or disables just the traffic 
programme service.  This leaves all the other benefits of RDS intact.

I cannot think of a mechanism that would permit radios to identify and 
ignore pirate TP signals, without going to fully fledged DAB (as the UK 
inevitably will in the next decade anyway)? Offering an optional additional 
service which is subject to a potential DOS doesn't seem like such a 
vulnerability to me.


From: anonymous
Subject: French Smart Card Break

in the December 15, 1999 issue of Crypto-Gram, you wrote:

 > A French engineer succeeded in factoring the 640-bit
 > RSA key stored in the chip on the card (all French
 > "CB" credit cards have had a chip since 1990).

What is clearly established [agreed by Serge Humpich and the Groupement des 
Cartes Bancaires in court] is that Humpich made some counterfeit Smart 
Cards, with incremental account numbers, and used them to buy metro tickets 
in an automatic machine, as a demonstration to the Groupement.  This is 
basically what he is charged for.  The judge is expected to release a 
verdict on February 25, 2000.  A summary (in French) of the audience is at 
<http://www.legalis.net/legalnet/actualite/affairehumpish/pagehumpish.htm>

 >From several sources, including Humpich himself on a TV show and this 
audience report, he was trying to sell his expertise to the Groupement, 
through a lawyer in an attempt to remain anonymous.

The 640-bit claim originated in the "Pirate Mag" magazine (also known for 
promoting the idea that PGP has a backdoor).  They have an interview 
<http://www.acbm.com/pirates/num_05/interview.html> of Serge Humpich where 
he claims:
- He broke a "fairly solid 96 digits code" [i.e. 320 bits] used by the 
Groupement for the "CB" credit cards, with details consistent with an RSA 
signature scheme with simple redundancy.
- He made a spectacular demonstration to experts, factoring some special 
format 640-bit public modulus, guessing the factors had been chosen close 
to the square root of the modulus and with some special properties.  He is 
clear his method does not work in a general case.  He makes no explicit 
claim 640-bit signatures are used in the counterfeit Smart Cards.  I failed 
to find any independent confirmation of a 640-bit factorization by Humpich, 
or even any other statement attributed to Humpich that he ever factored a 
640-bit RSA key.

Based on undeniable evidence that the Groupement des Cartes Bancaires 
originally used a systemwide 321 bits public key, and the lack of evidence 
of wider keys in general use as of early 1999, many believe that the card 
fraud Humpich demonstrated is a combination of:
- Factoring the systemwide public modulus of 321 bits, which corresponding 
secret key is used at card issuance to produce a static 320-bit RSA 
signature held in the card, certifying the 16 digits card number and expiry 
date; this static signature being checked by POSTs as a simple off-line 
validation of the card.
- Making working Smart Cards holding counterfeit card number, expiry date, 
and signature thereof.

<http://humpich.com/>, a recent Web site on the case with sources 
apparently close to Serge Humpich, describes how he factored a 321-bit key 
in 1997, citing the classical MPQS factoring algorithm, modest computing 
resources, and a Japanese program.  They present 640-bit keys as a 
reasonable choice the Groupement des Cartes Bancaires could have made, but 
did not.

The same Web site contains on-line scans of publications where French 
expert Louis C. Guillou, known to be involved in the design of the Smart 
Card system used by the Groupement des Cartes Bancaires, warns as early as 
1988 [in French] then again in 1990 [in English] that the 320 bit key then 
in still-experimental use by CB is obsolete.
<http://humpich.com/LCguillou_AnnTelecom_No43_1988.jpg>
<http://humpich.com/SmartCard19900810-2.jpg>

It could be that Humpich demonstrated he can break an obsolete system, 
tried to make money out of it, and as a retaliation is being sued using 
whatever legal means available.

Make your own opinion.


** *** ***** ******* *********** *************

CRYPTO-GRAM is a free monthly newsletter providing summaries, analyses, 
insights, and commentaries on computer security and cryptography.

To subscribe, visit http://www.counterpane.com/crypto-gram.html or send a 
blank message to crypto-gram-subscribe@chaparraltree.com.  To unsubscribe, 
visit http://www.counterpane.com/unsubform.html.  Back issues are available 
on http://www.counterpane.com.

Please feel free to forward CRYPTO-GRAM to colleagues and friends who will 
find it valuable.  Permission is granted to reprint CRYPTO-GRAM, as long as 
it is reprinted in its entirety.

CRYPTO-GRAM is written by Bruce Schneier.  Schneier is founder and CTO of 
Counterpane Internet Security Inc., the author of "Applied Cryptography," 
and an inventor of the Blowfish, Twofish, and Yarrow algorithms.  He served 
on the board of the International Association for Cryptologic Research, 
EPIC, and VTW.  He is a frequent writer and lecturer on computer security 
and cryptography.

Counterpane Internet Security, Inc. is a venture-funded company bringing 
innovative managed security solutions to the enterprise.

http://www.counterpane.com/

Copyright (c) 2000 by Counterpane Internet Security, Inc.



[: hacktivism :]
[: for unsubscribe instructions or list info consult the list FAQ :]
[: http://hacktivism.tao.ca/ :]