------- Forwarded Message Follows ------- Date: Wed, 21 May 1997 09:45:53 -0700 (PDT) From: Phil Agre <pagre@weber.ucsd.edu> To: rre@weber.ucsd.edu Subject: key recovery report, information hiding, and fire ants Reply-to: rre-maintainers@weber.ucsd.edu [I trust Matt and Ross, but the fire ants story is too good to be true.] =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= This message was forwarded through the Red Rock Eater News Service (RRE). Send any replies to the original author, listed in the From: field below. You are welcome to send the message along to others but please do not use the "redirect" command. For information on RRE, including instructions for (un)subscribing, send an empty message to rre-help@weber.ucsd.edu =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= Date: Wed, 21 May 1997 07:05:53 -0700 (PDT) From: risks@csl.sri.com Subject: RISKS DIGEST 19.17 RISKS-LIST: Risks-Forum Digest Wednesday 21 May 1997 Volume 19 : Issue 17 ---------------------------------------------------------------------- Date: Tue, 20 May 1997 20:27:08 -0400 From: Matt Blaze <mab@research.att.com> Subject: RISKS of Key-Recovery Encryption In January 1997, an ad-hoc group of cryptographers and computer scientists met to explore the technical implications, risks, and costs of the ``key recovery'', ``key escrow'' and ``trusted third party'' encryption systems being promoted by various governments. We have just completed a preliminary report of our findings. We have specifically chosen not to endorse, condemn, or draw conclusions about any particular regulatory or legislative proposal or commercial product. Rather, it is our hope that our findings will shed further light on the debate over key recovery and provide a long-needed baseline analysis of the costs of key recovery as policymakers consider embracing one of the most ambitious and far-reaching technical deployments of the information age. Our preliminary report is available as follows: On the web at: http://www.crypto.com/key_study In PostScript format via ftp: ftp://research.att.com/dist/mab/key_study.ps In plain ASCII text format via ftp: ftp://research.att.com/dist/mab/key_study.txt ======================================================================= THE RISKS OF KEY RECOVERY, KEY ESCROW, AND TRUSTED THIRD-PARTY ENCRYPTION Hal Abelson Ross Anderson Steven M. Bellovin Josh Benaloh Matt Blaze Whitfield Diffie John Gilmore Peter G. Neumann Ronald L. Rivest Jeffery I. Schiller Bruce Schneier 21 May 1997 Executive Summary: A variety of ``key recovery,''``key escrow,'' and ``trusted third party'' encryption requirements have been suggested in recent years by government agencies seeking to conduct covert surveillance within the changing environments brought about by new technologies. This report examines the fundamental properties of these requirements and attempts to outline the technical risks, costs, and implications of widely deploying systems that provide government access to encryption keys. The deployment of a global key-recovery-based encryption infrastructure to meet law enforcement's stated specifications will result in substantial sacrifices in security and greatly increased costs to the end-user. Building the secure infrastructure of the breathtaking scale and complexity demanded by these requirements is far beyond the experience and current competency of the field. Even if such an infrastructure could be built, the risks and costs of such a system may ultimately prove unacceptable. These difficulties are a function of the basic law enforcement requirements proposed for key-recovery encryption systems. They exist regardless of the design of the recovery system -- whether the system uses private-key cryptography or public-key cryptography; whether the database is split with secret sharing techniques or maintained in a single hardened secure facility; and whether the recovery service provides private keys, session keys, or merely decrypts specific data as needed. All key-recovery systems require the existence of a highly sensitive and highly available secret key or collection of keys that must be maintained in a secure manner over an extended time period. These systems must make decryption information quickly accessible to law enforcement agencies without notice to the key owners. These basic requirements make the problem of general key recovery difficult and expensive -- and potentially too insecure and too costly for many applications and many users. Attempts to force the widespread adoption of key-recovery encryption through export controls, import or domestic use regulations, or international standards should be considered in light of these factors. The public must carefully consider the costs and benefits of embracing government-access key recovery before imposing the new security risks and spending the huge investment required (potentially many billions of dollars, in direct and indirect costs) to deploy a global key recovery infrastructure. ------------------------------ Date: Sat, 17 May 1997 13:59:48 +0100 From: Ross Anderson <Ross.Anderson@cl.cam.ac.uk> Subject: Information-Hiding Workshop Call for Papers, WORKSHOP ON INFORMATION HIDING (pruned for RISKS) 15 - 17 April 1998, Portland, Oregon Many researchers are interested in hiding information or in stopping other people doing this. Current research themes include copyright marking of igital objects, covert channels in computer systems, subliminal channels in cryptographic protocols, low-probability-of-intercept communications, broadcast encryption schemes, and various kinds of anonymity services ranging from steganography through location security to digital elections. These closely linked areas of study were brought together in 1996 by a workshop on information hiding held at the Isaac Newton Institute in Cambridge. This was felt to be very worthwhile by the research community, and it was decided to hold a second workshop in 1998. This second international workshop on information hiding will be held in Portland, Oregon from the 15th to the 17th April 1998. See http://www.cl.cam.ac.uk/users/rja14/ihws.html for the call for papers. Papers should be submitted by 31 Dec 1997 to awk@mailbox.jf.intel.com (Program Chairman David Aucsmith, Intel Architecture Labs, 5200 N. E. Elam Young Parkway, Hillsboro, OR 97124-6497, USA). The program committee also includes Ross Anderson, Steve Low, Ira Moskowitz, Andreas Pfitzmann, Jean-Jacques Quisquater, Gus Simmons, and Michael Waidner. Details of the first (1996) information-hiding workshop are at http://www.cl.cam.ac.uk/users/fapp2/steganography/bibliography/workshop.html [Watch out for the invisible steganosauruses. PGN] ------------------------------ Date: Tue, 20 May 1997 12:33:20 -0400 From: "Mich Kabay [NCSA]" <Mich_Kabay@compuserve.com> Subject: Another Computer Bug: Ants in the Machine

From WIRED via PointCast:

Another Computer Bug: Ants in the Machine by Ashley Craddock, 19 May 1997

Stephanie Upps watched in horror as one of her final papers disappeared off her PowerBook at 2 a.m. one night during her last semester as a University of Texas graduate student. Her friends couldn't find the bug, so she called the 1-800 support line in desperation. "They told me to pull out the battery and give them the serial number," she says. "When I did, it was just crawling with ants." Far from a fluke, Upps' encounter with ants in the machine is happening to others with greater frequency. "The problem's endemic across Texas," she said.

The author makes the following key points: * Major problem is fire ants, an exotic introduced to the Southern US in the 1920s. * Fire ants seem to like living in and eating electrical equipment. * The critters may be attracted by electrical fields; Craddock writes,` "They have some short-range attraction to electricity," says Dr. Harlan Thorvilson of Texas Tech's Department of Plant and Soil Sciences. . . . "They become almost mesmerized and behave oddly, piling dirt against the wires and signaling to other members of their communities who come and join them." ' [MK: I don't want to make a mountain out of an ant-hill, but this looks like a case of form(icidae) over function. I expect further creepy puns from our moderator, perhaps about how the victims are engaged in formication and should ant-icipate trouble.] M.E. Kabay, PhD, CISSP (Kirkland, QC), Director of Education National Computer Security Association (Carlisle, PA) http://www.ncsa.com [Turn on the fire-hider-ants; someone is in for a shock. PGN] ------------------------------ End of RISKS-FORUM Digest 19.17 ************************