-----BEGIN PGP SIGNED MESSAGE-----

Since I've had so many people either ask what s/w was installed on this box, or else claim that "J.A. must be on crack! :-)", here is the breakdown...

NT4.0;
SP3;
Every post SP3 hotfix through the third week of December;
NT4.0 Server Resource Kit;
I.E. 3.02 with Java VM pkg installed;
PGP 5.0 Commercial;
Adobe Photoshop 4.0 with a couple of special filter plugins;
Adobe Illustrator 4.something, no addons;
Adobe Premiere with no addons;
Micrographics Webtricity;
Front Page 97 with assorted HotFixes;
Outlook 97 with assorted HotFixes;
TCL/TK;
J++;
Java 1.something with SDK;
WordPerfect Suite 7.something.

Obviously, this is on a Web Authoring station, so there is absolutely no reason for any of the above programs to be playing around with Skipjack...

Nevertheless... I brought up a testbed system over the Xmas break, using the same install packages that I used to build the workstation in question. No sign of ANY ciphers: Skipjack or anything else! Which makes sense. The question now is just how in the h%@#& did it get here in the first place? And why are my other ciphers explicitly disabled for SSL?

This is a really disturbing finding. I am more concerned that Skipjack was *silently* installed than anything else: I have plans to completely reinstall all of the software from scratch on this particular box, and then enable full key ACL logging in an attempt to find out how it got there.

I am VERY concerned about this! The ONLY way I can conceive of this machine having this configuration is if it was silently downloaded to the machine during a W3 session. And it would NOT likely have been an SSL session: We do absolutely NO on-line transactions here.

If Skipjack is being silently, I want to know by whom, and for what purpose. OK, maybe I'm just paranoid, or smoking crack, but I spent several years in the late '80's working in COMSEC, and the scenario which first comes to mind is not too far-fetched (at least for me) to be believable...
It is most definitely an SSL 3 supported cipher but unless you have the token or such, then it is not going to be used for anything, and then only if you try to connect to a Skipjack (ie. fortezza) site. I doubt you have the code as it is classified and available (at this time) only in hardware. Don't sweat it, it looks like it's just a hook or ..... What environment/flavor of stuff are you running? I can help you with this if you want to contact me off the list.

At 11:45 AM 12/26/97 -0500, Ray Arachelian wrote:
Now this is interesting! :) (Either that or JA is smoking crack... - no idea on JA's reputation capital though...)
=====================================Kaos=Keraunos=Kybernetos==============
.+.^.+.|  Ray Arachelian    |Prying open my 3rd eye.  So good to see |./|\.
..\|/..|sunder@sundernet.com|you once again. I thought you were      |/\|/\
<--*-->| ------------------ |hiding, and you thought that I had run  |\/|\/
../|\..| "A toast to Odin,  |away chasing the tail of dogma. I opened|.\|/.
.+.v.+.|God of screwdrivers"|my eye and there we were....            |.....
======================= http://www.sundernet.com ==========================
---------- Forwarded message ----------
Date: Wed, 24 Dec 1997 01:29:07 -0600
From: "J.A. Terranson" <sysadmin@mfn.org>
To: 'NT Security Listserv' <ntsecurity@iss.net>
Subject: [NTSEC] SKIPJACK / NT4.0 (SP3?)
-----BEGIN PGP SIGNED MESSAGE-----
I was rooting around in the registry tonight, (looking to repair my own stupidity!), and guess what I saw? SKIPJACK is installed, and ENABLED! I have NOT (nor would I EVER) installed it voluntarily, and Micro$loth only advertises the "standard" ciphers (which I also found).
Is anyone else aware of this? Is it safe to delete the key (and code? Hopefully this is DLL driven: I'm still looking!).
Also, anyone know what it was put there for? It's certainly not what I would consider an SSL issue!
J.A. Terranson
sysadmin@mfn.org
A small fading light in a vast and obscure universe...

PROTECT YOUR RIGHT TO PRIVACY - ENCRYPT!
PGP/DSS: 0x12896749 FP: 63F2 1777 BC38 AC1E 3359 0B0E C6C0 ED6B 1289 6749
PGP/RSA: 0x9D85DF05 FP: 810C 25E9 7DD3 C157 3081 A202 DDFD 4245
If Government wants us to behave, it should set a better example!