Information Security News mailing list archives
CRYPTO-GRAM, August 15, 2001
From: InfoSec News <isn () c4i org>
Date: Wed, 15 Aug 2001 05:22:03 -0500 (CDT)
CRYPTO-GRAM
August 15, 2001
by Bruce Schneier
Founder and CTO
Counterpane Internet Security, Inc.
schneier () counterpane com
<http://www.counterpane.com>
A free monthly newsletter providing summaries, analyses, insights, and
commentaries on computer security and cryptography.
Back issues are available at
<http://www.counterpane.com/crypto-gram.html>. To subscribe or
unsubscribe, see below.
Copyright (c) 2001 by Counterpane Internet Security, Inc.
** *** ***** ******* *********** *************
In this issue:
Code Red Worm
Crypto-Gram Reprints
News
Counterpane Internet Security News
The Doghouse: Chantilley Data Security
Adobe, Elcomsoft, and the DMCA
Protecting Copyright in the Digital World
Europe's Cybercrime Treaty
Comments from Readers
** *** ***** ******* *********** *************
Code Red Worm
There has been a lot written about Code Red and its variants in the past
month. There are lessons in both the specifics of the original infection,
and the general threats these worms exemplify. So, first the trees and
then the forest.
The trees: On 19 July 2001, the White House narrowly averted a terrorist
attack when security personnel were able to exploit a flaw in a bomb's
trigger mechanism and evacuate key personnel to a remote location, causing
the bomb to fizzle. The attack was a denial-of-service attack, the target
was the White House Web site, and the flaw was in malicious code, but other
than that the sensationalist story is basically correct. And this tale of
attack and defense in cyberspace contains security lessons for us all.
In June, eEye Digital Security discovered a serious vulnerability in
Microsoft's Information Internet Server (IIS) that would allow a hacker to
take control of the victim's computer. Microsoft hastily patched the
software to eliminate the vulnerability, as they are generally good about
doing these days.
By now, everyone realizes that it is impossible for system administrators
to keep their patches up to date, so it came as no surprise that hacker
tools developed to exploit the vulnerability were able to break into
unpatched systems. The Code Red worm exploited this vulnerability. This
worm, estimated to have affected over 300,000 computers in the first week,
spread automatically without any user intervention (no attachments to open).
Even during the first week there were several variants of the original
worm, and most early articles underestimated its virulence -- both in terms
of what it does and how well it succeeded. When the original Code Red
infected a computer, it defaced any Web site on the server with the words:
"Welcome to http://www.worm.com! Hacked by Chinese!" (One variant only
defaced the site for ten hours.) Simultaneously, the worm attacked 99
hosts at a time, as quickly as possible. The original variant spread
slowly, both because the Web site defacement called attention to itself,
and because it had a buggy random number generator. (It's important to use
a different seed each time.) A corrected variant, with a correct random
number generator and no defacement, spread at a much faster rate. Peak
infection rates were estimated at 6,000 hosts a minute.
So far, this is a normal, if virulent, worm. But there was an additional
feature. The Code Red worm was programmed to flood www.whitehouse.gov in a
massively coordinated distributed denial-of-service attack at 8:00 PM on
July 19. The attack failed because of some programming errors in the
worm. One, the attack was against a specific IP address, and not a
URL. So whitehouse.gov moved from one IP address to another to avoid the
attack. And two, the worm was programmed to check for a valid connection
before flooding its target. With whitehouse.gov at a different IP address,
there was no valid connection. No connection, no flooding.
The worm was programmed to continue to spread until July 20, and try to
attack the former IP address of whitehouse.gov until July 28. Then, on
August 1, it was to go back to spreading. At least some variants are still
spreading today, albeit at a much slower rate than many of the Internet
doomsayers predicted.
At first glance, this looked to be a politically motivated attack:
hactivism, as it has come to be called. The worm's defacement message
implied that it was Chinese, and it was programmed to attack only
English-language versions of Windows NT or 2000. If it encountered a
foreign version, it went into hibernation, neither spreading nor attacking
the White House. But it's hard to know for sure; many random hackers take
on mantles of political activism because it gives them a cool cover
story. Honestly, I don't believe the political connection.
The White House got lucky. The next worm writer won't make the same
programming mistakes. The White House could have alerted their ISP and the
upstream network nodes to block the offending packets, but only because
they knew what the attack looked like and had enough warning. We can't
count on that next time, either.
Since the original Code Red attack, there have been several new (and
nastier) variants of the worm discovered, predictions of the entire
Internet clogging, admonitions for system administrators to patch their IIS
systems to prevent the worm's spreading, and reams of columnists trying to
make sense of it all. The result, predictably, is apathy. A CNN online
poll showed that 84% of Americans were no longer worried about Code
Red. Cry wolf too often, and the public just stops listening.
Now, the forest: The truth is that we all got lucky. Code Red could have
been much worse. It had full control of every machine it took over; it
could have been programmed to do anything the author imagined, including
dropping the entire Internet. It could have spread faster and smarter. It
could have exploited several vulnerabilities, and not just one. It could
have been stealthier. It could have been polymorphic. Code Red II
installs a back door in infected computers. Code Red III is further
improved. What will Code Red IV do? What will Code Red XXVII do?
I have long said that the Internet is too complex to secure. One of the
reasons is that it is too complex to understand. The swath of erroneous
predictions about Code Red's effects illustrates this: we don't know how
the Internet really works. We know how it should work, but we are
constantly surprised. It's no wonder we can't adequately secure the Internet.
The hundreds of thousands of infected networks could have had better
security, but I have long argued that expecting users to keep their patches
current is blaming the victim. Even so, I would have expected most people
to install *this* patch. But as late as 1 August, after Code Red had been
in the headlines for weeks, the best estimates show that only 50% of IIS
systems had been patched. Even Microsoft, the company that continually
admonishes us all to install patches quickly, was infected by Code Red in
unpatched systems.
The Internet moves too fast for static defenses. You can't install every
possible patch, and you don't know beforehand which ones are going to be
important. New viruses and worms appear all the time, and you don't know
beforehand which ones are the ones to worry about. If we are going to make
security work on the Internet, we need to think differently. I have put my
effort into detection and response, instead of protection, because
detection and response can be resilient. I have put my effort into people
instead of software because people can be resilient.
But even if you can secure your particular network, what about the millions
of other networks out there that aren't secure? One of the great security
lessons of the past few years is that we're all connected. The security of
your network depends on the security of others, and you have no control
over their security.
We shouldn't lose sight of who is really to blame for this problem. It's
not the system administrators who didn't install the patch in time, or the
firewall and IDS vendors whose products didn't catch the problem. It's the
authors of the worm and its variants, eEye for publicizing the
vulnerability, and especially Microsoft for selling a product with this
security problem. You can argue that eEye did the right thing by
publicizing this vulnerability, but I personally am getting a little tired
of them adding weapons to hackers' arsenals. I support full disclosure and
believe that it has done a lot to improve security, but eEye is going too
far. As for Microsoft, you can argue that the marketplace won't pay for
secure and reliable software, but the fact remains that this is a software
problem. If software companies were held liable for systematic problems in
its products, just like other industries (remember Firestone tires), we'd
see a whole lot less of this kind of thing.
There are two other lessons of Code Red that I haven't seen talked
about. One: Code Red's infection mechanism causes insecure computers to
identify themselves to the Internet, and this feature can be profitably
exploited. My network is regularly probed by Code Red-infected computers,
trying to infect me. I can easily generate a list of those computers and
their IP addresses. This is a list of computers vulnerable to the
particular IIS exploit that Code Red uses. If I wanted to, I could attack
every computer on that list and install whatever Trojan or back door I
wanted. I don't have to scan the network; vulnerable computers are
continuously coming to me and identifying themselves. How many hackers are
piggybacking on Code Red in this manner?
Two: Code Red's collateral damage illustrates the dangers of relying on
HTTP as the Internet's communications medium. Cisco has admitted that DSL
routers with older firmware were susceptible to a denial-of-service attack
when attacked by Code Red. HP print servers and 3Com LANmodems also seem
to have been similarly affected, and it is likely that other network
infrastructure hardware fell over as well. These devices were not
specifically targeted by Code Red. Instead, their Web interface couldn't
handle the Code Red attack. There has been an enormous proliferation of
random devices with a Web interface: listening on Port 80. This is a large
single-point-of-failure that Code Red has illustrated, and no one seems to
be talking about.
Hacking is a way of life on the Internet. Remember a few years ago, when
defacing a Web site made the newspaper? Remember two years ago, when
distributed denial-of-service attacks and credit card thefts made the
newspaper? Or last year, when fast-spreading worms and viruses made the
newspaper? Now these all go unreported because they are so common. Code
Red ushers in a new form of attack: a preprogrammed worm that unleashes a
distributed attack against a predetermined target. After a couple of dozen
Code Red variants and other worms designed along similar lines, we'll think
of them too as business as usual on the Internet. And oddly enough, the
Internet will survive.
Code Red Worm (the news story as it unfolded):
<http://news.cnet.com/news/0-1003-200-6604515.html>
<http://news.cnet.com/news/0-1003-202-6616583.html>
<http://news.cnet.com/news/0-1003-202-6617292.html>
<http://news.cnet.com/news/0-1003-202-6625470.html>
<http://news.cnet.com/news/0-1003-200-6792918.html>
<http://news.cnet.com/news/0-1003-200-6814221.html>
Advisories:
<http://www.cert.org/advisories/CA-2001-19.html>
<http://www.cert.org/advisories/CA-2001-23.html>
<http://www.ciac.org/ciac/bulletins/l-117.shtml>
Good commentary:
<http://www.time.com/time/columnist/taylor/article/0,9565,169678,00.html>
Code Red hype:
<http://www.theregister.co.uk/content/55/20908.html>
Even Microsoft can't keep its patches up to date:
<http://www.eastsidejournal.com/sited/story/html/60582>
<http://www.theregister.co.uk/content/4/20937.html>
Excellent mathematical analyses of the worm:
<http://www.silicondefense.com/cr/>
<http://www.caida.org/analysis/security/code-red/>
Original flaw in IIS:
<http://news.cnet.com/news/0-1003-200-6312870.html>
<http://www.eeye.com/html/Research/Advisories/AD20010618.html>
Editorial on the wisdom of disclosing this vulnerability:
<http://www.theregister.co.uk/content/4/20546.html>
Microsoft's patch:
<http://www.microsoft.com/technet/security/bulletin/MS01-033.asp>
Editorial on the dangers of Port 80:
<http://www.zdnet.com/filters/printerfriendly/0,6061,2792689-2,00.html>
How others can piggyback on Code Red to attack computers:
<http://braddock.com/cr2.html>
** *** ***** ******* *********** *************
Crypto-Gram Reprints
Vulnerabilities, Publicity, and Virus-Based Fixes:
<http://www.counterpane.com/crypto-gram-0008.html#2>
Bluetooth:
<http://www.counterpane.com/crypto-gram-0008.html#8>
A Hardware DES Cracker:
<http://www.counterpane.com/crypto-gram-9808.html#descracker>
Biometrics: Truths and Fictions:
<http://www.counterpane.com/crypto-gram-9808.html#biometrics>
Back Orifice 2000:
<http://www.counterpane.com/crypto-gram-9908.html#BackOrifice2000>
Web-Based Encrypted E-Mail:
<http://www.counterpane.com/crypto-gram-9908.html#Web-BasedEncryptedE-Mail>
** *** ***** ******* *********** *************
News
Log analysis e-mail list! This list is for system administrators who are
building and using a centralized logging infrastructure in their
networks. Tina Bird moderates. To subscribe, send an e-mail to:
loganalysis-subscribe () securityfocus com
The problem of IDS false positives:
<http://www.computerworld.com/cwi/story/0,1199,NAV47_STO61973,00.html>
My follow-up letter to the editor:
<http://www.computerworld.com/cwi/story/0,1199,NAV47_STO62618,00.html>
Vendor incompetence as a security problem:
<http://cgi.zdnet.com/slink?118523:8469234>
Russian Mafia is hacking for profit:
<http://www.zdnet.com/intweek/stories/news/0,4164,2784950,00.html>
This is a big deal. The Soviet Union had some excellent programmers, some
of whom are certainly willing to work for organized crime.
The NIT Computer Security Division's ICAT project team is now giving away
copies of the its vulnerability database for public use (in Microsoft
Access form). The database currently contains 2628 vulnerabilities:
<http://icat.nist.gov>
Hackers are cheating on their SETI@home scores. I've written about this
previously: people cheating about the amount of work they do on the
SETI@Home project to inflate their standings. This is another article on
the same topic, describing an even nastier attack. This is interesting
primarily because it shows that there are often non-financial motivations
for computer hacking. There's no money involved here; only bragging
rights. And look at the effort some people put into cheating.
<http://webserv.vnunet.com/News/1124058>
Good essay on the unfortunate synergies between DMCA and UCITA:
<http://www.osopinion.com/perl/story/12143.html>
The Center for Internet Security is launching a campaign to pressure
software companies to improve security and ship software with security
features enabled. In a Reuters article, I was quoted as saying: "It will
help, but not that much." That comment was printed out of context, and
needs clarification. What CIS is doing is trying to establish minimum
security standards for various products. Their first attempt is for the
Solaris OS: a document detailing the steps necessary to implement a level
of security in the operating system, and a program to test how far an
existing implementation deviates from that standard. It's free, and
versions for Windows and Linux are coming. Near as I can tell, the idea is
to establish a security benchmark and then to ratchet it up slowly. Given
all of my talk about insurance and risk management, this kind of thing is
exactly what we need. By itself it won't improve security, but if
insurance companies start writing policies based on compliance, if software
companies start touting compliance as a selling point...then it will help a
lot. When the CIS first formed, I worried that it would become an
"extort-a-standard" body, charging people for a seal of approval. So far
there are no signs of them doing that.
<http://www.cisecurity.org/>
<http://www.cisecurity.org/bench_solaris.html>
<http://dailynews.yahoo.com/h/nm/20010720/tc/tech_standards_dc_1.html>
<http://www.counterpane.com/crypto-gram-0101.html#1>
The U.S. government has successfully pressured the Danish government to
change its laws, to make searching for copyright violators easier.
<http://www.cluebot.com/article.pl?sid=01/06/26/042210>
Companies don't care about identity theft:
<http://www.washingtonpost.com/wp-dyn/articles/A27475-2001Jul20.html>
Death to virus writers!
<http://www.zdnet.com/anchordesk/stories/story/0,10738,2795678,00.html>
The only reason I am listing this article is because of the extreme
sentiment. The Internet is a new and strange place to lawmakers. The
risks are complex, considerable, and not well-understood. It's easy to
overreact. We've seen this overreaction in the prosecutions, convictions,
and sentencing of early hackers -- Kevin Poulsen, Kevin Mitnick, etc. --
and we've seen it in some of the government's large-scale Internet
surveillance initiatives. The punishments do not fit the crimes. In the
1800s in the American West, stealing horses was often punished by
death. The extreme punishment was because horses were so important to
society, and people would not tolerate the disruption. The Internet is
becoming increasingly important to industrialized society, and I worry that
this kind of extreme punishment will continue.
<http://www.zdnet.com/enterprise/stories/security/0,12379,2797879,00.html>
An interesting spin on something I've been saying for a long time: the
interconnectedness of systems increases their vulnerability:
<http://www.nytimes.com/2001/07/27/opinion/27FRIE.html>
Here's a hacker who knows how to make money. Someone broke into the Web
site of a company called JDS and gained early access to a press release
announcing its fourth-quarter financial results. The company asked both
NASDAQ and the Toronto Stock Exchange to halt trading it its stock.
<http://dailynews.yahoo.com/h/nm/20010726/wr/tech_jds_hacker_dc_1.html>
I'm not sure if I want to write about the SirCam worm. On one hand, it's
just another Windows e-mail worm that automatically sends itself to people
in an infected computer's address book. But it has some clever
features. One, it hides in the trash, where most anti-virus programs don't
bother checking. Two, it e-mails random data files from the victim's "My
Documents" folder to other people. This is probably the cleverest payload
I've seen. Many people I know are posting the documents they've received
via this worm: personal letters, recipes, business plans, financial
documents, and one case of "personal pornography." I read one story about
sensitive FBI documents being mailed to people by this worm. I've received
51 copies of this worm so far; more than any other.
<http://news.cnet.com/news/0-1003-200-6671080.html?tag=mn_hd>
<http://cgi.zdnet.com/slink?122010:8469234>
And another about secret Ukrainian documents being leaked:
<http://news.cnet.com/news/0-1003-200-6763200.html>
Malware authors are certainly getting more clever.
Way back in 1984, John Gordon gave an after-dinner speech at a coding
theory and cryptography conference. The story of this speech has been
passed down through the years, as perhaps the funniest speech about
cryptography ever given. It's the story of Alice and Bob, of coding theory
and cryptography. And it's available online for you to read.
<http://www.conceptlabs.co.uk/alicebob.html>
NIST has posted two new crypto standards for comment. The first is a new
version of FIPS 186-2, the Digital Signature Standard (DSS):
<http://csrc.nist.gov/186-2.pdf>
And there's the "Recommendation for Block Cipher Modes of Operation,"
associated with AES. Especially notice Dual Counter Mode, by Mike Boyle
and Chris Salter of the National Security Agency.
<http://csrc.nist.gov/publications/drafts/Modes01.pdf>
Most hacking and cracking contests are nothing more than self-serving
nonsense. It's nice to be able to point to an exception: the RSA factoring
contest. It has a real objective, fair rules, and a good prize.
<http://www.theregister.co.uk/content/55/20638.html>
Iris recognition will be used to identify passengers at Heathrow
Airport. I've written a lot about bad biometric applications. This is
actually a good one.
<http://www.msnbc.com/news/605612.asp?pne=msn>
Security problems with Microsoft's Passport protocol. It's a long article
and worth reading. From the conclusion: "The bulk of Passport's flaws
arise directly from its reliance on systems that are either not trustworthy
(such as HTTP referrals and the DNS) or assume too much about user
awareness (such as SSL). Another flaw arises out of interactions with a
particular browser (Netscape). Passport's attempt to retrofit the complex
process of single sign-on to fit the limitations of existing browser
technology leads to compromises that create real risks."
<http://avirubin.com/passport.html>
More details on the FBI's bugging of a suspect's computer without a
wiretap. Soon we'll find out whether this is constitutional or not.
<http://news.cnet.com/news/0-1003-200-6719544.html>
<http://www.wired.com/news/privacy/0,1848,45684,00.html>
<http://www.wired.com/news/politics/0,1283,45730,00.html>
The FBI says the technology is secret, but the judge asks the FBI for it
anyway:
<http://www.wired.com/news/politics/0,1283,45851,00.html>
<http://www.wired.com/news/politics/0,1283,45925,00.html>
Risks of spyware. Some software packages monitor the customers using the
software. But what if the servers that the spyware talks to are infected
by viruses and Trojans?
<http://www.kuro5hin.org/?op=displaystory;sid=2001/6/28/235018/395>
Update on the sentencing of the convicted author of the Melissa virus:
<http://www.securityfocus.com/news/230>
We'll soon have software capable of copying any human voice. In a world
where voice is a prevalent means of authentication, this will have serious
ramifications.
<http://www.nytimes.com/2001/07/31/technology/31VOIC.html>
This story is too weird for words. Microsoft adds PGP signatures at the
bottom of its security bulletins, for verification. But if you try to
verify the signatures, they fail. Already there has been at least one
forged security bulletin, urging people to install a "patch" with a Trojan
Horse. Microsoft's reaction to this all simply makes no sense; it's like
there's no one thinking there.
<http://www.newsbytes.com/news/01/168397.html>
PDF files can contain viruses. This is 1) another example of the dangers
of mixing code and data, and 2) a potential rat's nest if Adobe keeps using
the DMCA to restrict people from reverse-engineering its security.
<http://computerworld.com/nlt/1%2C3590%2CNAV65-663_STO62902_NLTSEC%2C00.html>
If you thought Code Red's infection speed was bad, read about Warhol Worms:
malware capable of infecting the Internet in 15 minutes.
<http://www.cs.berkeley.edu/~nweaver/warhol.html>
** *** ***** ******* *********** *************
Counterpane Internet Security News
Schneier is speaking at ISSA events in Wilmington on 8/17, and in Portland,
OR, on 9/13.
<http://www.issa-dv.org/>
<http://www.issa.org/Portland/>
A couple of months ago, I gave the URL for my white paper on the state of
security and the value of network monitoring. Here's a review of the white
paper:
<http://www.nwfusion.com/newsletters/sec/2001/00898092.html>
The white paper itself:
<http://www.counterpane.com/msm.html>
Along with Vint Cerf, Schneier testified before a U.S. Senate Subcommittee
on the subject of Internet security:
<http://www.counterpane.com/commerce-testimony.html>
News reports:
<http://www.cnn.com/2001/TECH/internet/07/16/internet.security/index.html>
<http://www.newsbytes.com/news/01/167998.html>
<http://www.thestandard.com/article/0,1902,27996,00.html>
<http://www.computerworld.com/itresources/rcstory/0,4167,KEY73_STO62309,00.h
tml>
** *** ***** ******* *********** *************
The Doghouse: Chantilley Data Security
This column hasn't appeared recently. Things that two years ago deserved
"doghouse" treatment -- badly configured Web sites, ineffectual security
standards, lousy product security -- are commonplace today; exposing them
feels like shooting fish in a barrel. But once in a while I stumble on a
company so bizarre that it just screams for ridicule.
Let's all welcome Chantilley Data Security to the world of
encryption. From their Web site: "Until five years ago, encryption
technology was the province of state security, diplomacy, banking and
multinational corporations. Now it is the concern of everyone who sends
information by e-mail, who trades on the web, who uses a credit card or
who, for any reason, needs to authenticate himself/herself or preserve the
integrity of information. Incredible as it may appear, this huge explosion
in demand has not been matched by any improvement in encryption
technology. Until now." Five years ago? What happened in 1996? Could
they possibly be referring to the publication of the second edition of
"Applied Cryptography"?
It gets *much* better. On another page they describe "Ciphers:XES the new
European Encryption Standard?" "A Solar Cipher is an idea unique to
Chantilley. It uses a PRIMARY ENCRYPTION STREAM to 'fire up' a system of
SUN WHEELS and PLANET WHEELS providing high encryption strength and using
only a small number of simple logical on-line operations. In a Solar
Cipher, each new key is a set of primitives which generate
cryptographically strong pseudo-random streams, which in turn scramble the
wiring of three 256-position rotors as in a rotary cipher." When I first
read this page, I thought it was a joke.
"The theoretical maximum entropy of the algorithm is therefore ...
equivalent to a 100818 bit key." "There are very sound reasons for
claiming that XES1152 may be the best combination of strength and speed of
any software cipher in the world." "XES-36 is 30,000 times stronger than
DES with similar key strength (if that were possible)." What in the world
does that last quote mean?
Their Web site rings all the snake-oil warning bells. They give their
stuff weird fancy names: e.g. "expert encryption standard." There are
claims about breakthrough technology and totally new cryptography and the
like. There are unsubstantiated accolades from nameless experts. There's
scientific mumbo-jumbo (that "solar cipher" stuff had me rolling on the
floor, and they invoke something called "Multiple Fermat Sequencing"):
comparisons with a one-time pad, ridiculous key lengths (they have a
symmetric 1152-bit cipher), and claims that conventional ciphers are too
slow for real-time data encryption. (Here's a representative
quote: "XES-1152 is the fastest and strongest cipher of its kind in the
world.") And they clearly don't know what's going on in the cryptography
world; they have a product called "Automatic E-Mail Security" that they
refer to as "AES."
There's more, but I can't reprint it all. These guys are too much, and
their Web site is great entertainment.
<http://www.chantilley.com>
Generic snake-oil information:
<http://www.counterpane.com/crypto-gram-9902.html#snakeoil>
<http://www.interhack.net/people/cmcurtin/snake-oil-faq.html>
** *** ***** ******* *********** *************
Adobe, Elcomsoft, and the DMCA
In July, after DefCon in Las Vegas, the FBI arrested a Russian computer
security researcher who had presented a paper on the strengths and
weaknesses of software used to protect electronic books. Dmitry Sklyarov
(age 27) landed in jail because the Digital Millennium Copyright Act (DMCA)
makes publishing critical research on this technology a more serious
offense than publishing nuclear weapon designs. Just how did the United
States of America end up with a law protecting the entertainment industry
at the expense of freedom of speech? And How did the entertainment
industry end up with stronger laws protecting their content than the
information on constructing nuclear weapons?
I've already written about the DMCA, and the ultimate futility of employing
technical solutions to prevent digital copying. The specific DMCA
provision at work here is the one that explicitly forbids the invention and
distribution of "circumvention devices" and "reverse engineering of
document protection." Basically, it is illegal to break -- or explain how
to break -- technology used to protect digital copyright. If you do, you
go to jail (see above).
Technically, the law only protects "effective" copy-protection
technology. This is a wonderful piece of circular logic: surely if it has
been broken, it wasn't effective. The complaint against Sklyarov
sidestepped this problem: "Nevertheless, because the book sold in encrypted
form and only accessible through the eBook Reader and is not duplicatable,
the copyright holder's interest in the book is protected." But if that
were true, then there would no grounds for the case.
There are also provisions in the DMCA to allow for security research,
provisions that I and others fought hard to have included. But these
provisions are being ignored, as we've seen in the DeCSS case against 2600
Magazine, the RIAA case against Ed Felten, and this arrest.
What the DMCA has done is create a new controlled technology. In the
United States there are several technologies that normal citizens are
prohibited from owning: lock picks, fighter aircraft, pharmaceuticals,
explosives. (Ignore guns, since the 2nd Amendment makes it impossible to
generalize from their example.) In each of these cases, only people with
the proper credentials can legally buy and sell these technologies. (Every
participant in the commerce of these items -- buying, selling, or even
possessing -- must be registered with some governmental
agency. Registration is a mandatory requirement for commerce.) The DMCA
goes one step further, though. Not only are circumvention tools
controlled, but information about them is also controlled. 2600 Magazine
merely described, and linked to implementations of, DeCSS. Ed Felten
wanted to present a paper on the deficiencies of the RIAA's various
watermark schemes.
I attended Dmitry Sklyarov's talk at DefCon. What he did was legitimate
security research. He determined the security of several popular e-book
reader products and then notified the respective firms of his
findings. His company Elcomsoft published, in Russia, software that
circumvented these ineffectual security systems. His DefCon talk was a
clear and evenhanded presentation of the facts. He said, in effect: "This
security is weak, and here's why." (One particular company he mentioned
stored the password in plaintext inside the executable. So anyone with
Notepad could have the book modified for easy distribution.)
The FBI nabbed him at the request of Adobe Systems, Inc. for breaking the
security on Acrobat's E-Reader API, and held him for weeks without
bail. (He's currently out on bail.) The arrest was not because of his
presentation, but because of the work his company did while in
Russia. This is even more confusing. Elcomsoft created and marketed a
product that circumvented Adobe's product. This kind of software is often
required in Russia, where people have a legal right to make personal
backups. Sklyarov was one of the programmers working on this project,
which was completed entirely in Russia. The FBI seems to be claiming that
they can arrest you for breaking U.S. law while not in the
U.S. Additionally, they can arrest you if your company breaks U.S. law
while not in the U.S. Computer scientists have long viewed
reverse-engineering as legitimate security research. Fair use allows the
owner of a copyrighted work to make copies for his personal use. The DMCA
assumes that the only reason to do any of this work is to pirate
copyrighted works. Writing software, publishing technical details, even
giving a technical talk is illegal under the DMCA.
In 1979, "The Progressive" magazine tried to publish an article containing
technical information on H-bomb design. The government claimed publication
of the would result in "grave, direct, immediate and irreparable harm to
the national security of the United States." After six months of legal
maneuvering, the magazine published it. In 1971, the government tried to
prevent "The New York Times" from publishing "The Pentagon Papers." The
Supreme Court promptly voted 6-3 to reject the government's censorship
attempt, with Chief Justice Warren Burger declaring that "prior restraints
on speech and publication are the most serious and least tolerable
infringement on First Amendment rights."
Welcome to 21st century America, where the profits of the major record
labels, movie houses, and publishing companies are more important than
First Amendment rights or nuclear weapons information. (The more you look
at the problem, the weirder it becomes. "The New York Times" has the legal
right to publish secret government documents, unless they are protected by
a digital copy-protection scheme, in which case publishing them would lead
to an FBI raid.)
In many ways, the entertainment industry's tactics are similar to the NSA's
during their long war against cryptography and cryptographic
information. Until the late 1990s, the NSA used the threat of national
security to prevent the dissemination of encryption technologies. When
they could, they blocked the publication and dissemination of cryptographic
information. When that failed, they concentrated on products, using both
legal and illegal methods to block encryption software. Many people
believe the NSA's primary rubric, export controls, would not stand up to a
constitutional challenge, but it was never tested. It wasn't until the
Internet made cryptography ubiquitous that the NSA eventually gave up.
During those years I was often asked about the NSA's strategy. Wasn't it
doomed to fail? Yes, eventually. But for the NSA, every day they could
delay the failure was another day of victory. Maybe the export control
regulations (they were never laws) were unconstitutional. Maybe preventing
publication of this and that was prior restraint. Maybe pressuring
companies to install back doors into their software was illegal. But if it
worked for a while, who cares? The NSA was fighting a holding action, and
they knew it.
The entertainment industry is behaving the same way. The DMCA is
unconstitutional, but they don't care. Until it's ruled unconstitutional,
they've won. The charges against Sklyarov won't stick, but the chilling
effect it will have on other researchers will. If they can scare software
companies, ISPs, programmers, and T-shirt manufacturers (Hollywood has sued
CopyLeft for publishing the DeCSS code on a T-shirt) into submission,
they've won for another day. The entertainment industry is fighting a
holding action, and fear, uncertainty, and doubt are their weapons. We
need to win this, and we need to win it quickly. Please support those who
are fighting these cases in the courts: the EFF and others. Every day we
don't win is a loss.
Elcomsoft's products:
<http://www.elcomsoft.com/>
Government document:
<http://www.eff.org/IP/DMCA/US_v_Sklyarov/20010707_complaint.html>
A description of Sklyarov's talk, including a link to the slides:
<http://www.zdnet.com/zdnn/stories/comment/0,5859,2800985,00.html>
EFF support:
<http://www.eff.org/IP/DMCA/US_v_Sklyarov/20010717_eff_sklyarov_pr.html>
<http://www.eff.org/IP/DMCA/US_v_Sklyarov/20010718_eff_sklyarov_statement.html>
News articles:
<http://www.nytimes.com/2001/07/18/technology/18CRYP.html>
<http://dailynews.yahoo.com/h/nm/20010717/wr/tech_hacker_arrest_dc_1.html>
<http://www.wired.com/news/politics/0,1283,45298,00.html>
<http://news.cnet.com/news/0-1003-202-6651535.html>
<http://news.cnet.com/news/0-1005-200-6699001.html>
<http://news.cnet.com/news/0-1005-200-6794178.html>
Thoughtful analyses:
<http://www.osopinion.com/perl/story/12143.html>
<http://securitygeeks.shmoo.com/article.php?story=20010719141720141>
<http://www.nytimes.com/2001/07/30/opinion/30LESS.html>
<http://www.zdnet.com/anchordesk/stories/story/0,10738,2802199,00.html>
Other DMCA cases:
<http://www.eff.org/IP/DMCA/>
Essays about the dangers of the DMCA:
<http://www.privacyfoundation.org/commentary/tipsheet.asp?id=47&action=0>
<http://www.infowarrior.org/articles/2001-05.html>
<http://www.cs.cmu.edu/~dst/DeCSS/Gallery/cacm-viewpoint.html>
Poignant satire of the DMCA:
<http://www.linuxplanet.com/linuxplanet/opinions/3642/1/>
Article about this essay:
<http://www.theregister.co.uk/content/4/20932.html>
** *** ***** ******* *********** *************
Protecting Copyright in the Digital World
Every time I write about the impossibility of effectively protecting
digital files on a general-purpose computer, I get responses from people
decrying the death of copyright. "How will authors and artists get paid
for their work?" they ask me. Truth be told, I don't know. I feel rather
like the physicist who just explained relativity to a group of would-be
interstellar travelers, only to be asked: "How do you expect us to get to
the stars, then?" I'm sorry, but I don't know that, either.
I am a scientist, and I explain the realities of the science. I apologize
if you don't like the truth, but the truth doesn't change because people
wish it would be something else. I don't know how authors and artists will
make money in a world of easy copyability. I'm an author myself,
personally concerned about protecting my own copyright, but I still don't
know. I can tell you what will and won't work, technically. You can argue
about whether my technical analysis is correct, but it just doesn't make
sense to bring social arguments into the technical discussion.
If I had to guess, I believe companies will find a way to make money
despite the prevalence of digital copying. Television stations figured out
how to make money despite having to broadcast their programming to
everyone. There are lots of financial models that don't require selling
individual units to make money: advertising, patronage,
pay-for-performance, pay-for-timeliness, pay-for-interaction, public
funding. I started Crypto-Gram when I was a consultant; I gave the
newsletter away and charged for my time. The newsletter was free
advertising. The Grateful Dead gave away concert recordings but charged
for live performances. Stephen King kept writing chapters of his
electronic book as long as a sufficient percentage of his readers paid him to.
I don't know what model will become the prevalent one in the digital
world. But I do know that technical methods to prevent digital copying are
doomed to fail. (This is not to say that social methods, or legal methods,
won't work.) Those companies that have business models that accept this
reality are more likely to succeed than those that have business models
that reject it. Complain all you like, but reality is reality.
My original analysis:
<http://www.counterpane.com/crypto-gram-0105.html#3>
** *** ***** ******* *********** *************
Europe's Cybercrime Treaty
About a year ago, around eighty of us computer-security people signed a
letter to the Council of Europe expressing grave concerns with the
Council's draft of the Crime in Cyberspace Treaty. Basically, we were
concerned about provisions that would criminalize legitimate security
research in the same way the DMCA does.
Surprise, surprise: it seems like they listened. Here's the new treaty
language:
Article 6: Misuse of devices
1. Each Party shall adopt such legislative and other measures as may be
necessary to establish as criminal offences under its domestic law, when
committed intentionally and without right:
a. the production, sale, procurement for use, import, distribution or
otherwise making available of:
1. a device, including a computer program, designed or adapted primarily
for the purpose of committing any of the offences established in accordance
with Article 2 -5;
2. a computer password, access code, or similar data by which the whole or
any part of a computer system is capable of being accessed with intent that
it be used for the purpose of committing any of the offences established in
Articles 2 - 5; and
b. the possession of an item referred to in paragraphs (a)(1) or (2) above,
with intent that it be used for the purpose of committing any of the
offences established in Articles 2 - 5. A Party may require by law that a
number of such items be possessed before criminal liability attaches.
2. This article shall not be interpreted as imposing criminal liability
where the production, sale, procurement for use, import, distribution or
otherwise making available or possession referred to in paragraph 1 of this
Article is not for the purpose of committing an offence established in
accordance with articles 2 through 5 of this Convention, such as for the
authorized testing or protection of a computer system.
3. Each Party may reserve the right not to apply paragraph 1 of this
Article, provided that the reservation does not concern the sale,
distribution or otherwise making available of the items referred to in
paragraph 1 (a) (2).
Not bad. Not perfect, but not bad. It's rare in this business that
governments actually listen and do the right thing. Kudos to the European
governments who drafted the treaty. This is kind of neat, really.
Let's hope the Americans don't muck it all up.
The entire treaty:
<http://conventions.coe.int/Treaty/EN/projets/FinalCybercrime.htm>
Our letter:
<http://www.cerias.purdue.edu/homes/spaf/coe/TREATY_LETTER.html>
My original analysis of the treaty:
<http://www.counterpane.com/crypto-gram-0008.html#6>
** *** ***** ******* *********** *************
Comments from Readers
From: Bill_Royds () pch gc ca
Subject: Monitoring
One important thing modern control theory works on is error modeling. As
well as controlling the process, you also monitor the changes in process
error to know when processes are getting too many errors. In systems
administration we often are so concerned about getting the thing to work,
that we don't also watch our processes and improve them as well. This
attitude (if it ain't broke, don't fix it) works with static systems, but
is absolutely dangerous in the dynamic world of IT security. The real
slogan should be "if it ain't broke now, it will be soon."
From: "Dmitry Streblechenko" <dmitry () dimastr com>
Subject: Outlook Redemption
You mention one of my products (Outlook Redemption) in your Crypto-Gram
newsletter on July 15, and I strongly believe that you are missing the
point. Redemption bypasses the Outlook security patch (aka HELL) only when
it comes to executing the code already downloaded to a local machine. It
does *not* bypass the Outlook security when Outlook disables scripting in
HTML e-mails or hides executable attachments. Big difference.
Outlook provides two layers of API: object model (which can be accessed by
any language, including any scripting language) and Extended MAPI, which
Outlook itself (and Redemption!) uses and which is only accessible to
C/C++/Delphi. No scripting languages or VB. Extended MAPI cannot possibly
be crippled because Outlook itself will simply stop working. So instead of
only blocking the means of receiving and executing the malicious code, MS
created an annoyance for those using Outlook Object Model from their
legitimate (local) applications. Being an Outlook MVP, I witnessed people
who built their businesses using Visual Basic screaming for help when the
security patch was released.
For all practical reasons, one can write a virus that uses Extended MAPI
instead of the Outlook object model (it just takes more time and a little
knowledge of the relevant API); there will be no way to block it short of
uninstalling Outlook. Which is fine, since once the code is downloaded and
run in the current user security context it can do anything it wants
whether Outlook or any other application is installed.
The only way to stop spreading such code is to block it from executing
automatically (e.g. script in an HTML e-mail) or to make a user think twice
before executing it. Blocking the code which is already installed and
assumed to come from a trusted source is outright stupid. That's where
Redemption comes into play.
** *** ***** ******* *********** *************
CRYPTO-GRAM is a free monthly newsletter providing summaries, analyses,
insights, and commentaries on computer security and cryptography.
To subscribe, visit <http://www.counterpane.com/crypto-gram.html> or send a
blank message to crypto-gram-subscribe () chaparraltree com. To unsubscribe,
visit <http://www.counterpane.com/unsubform.html>. Back issues are
available on <http://www.counterpane.com>.
Please feel free to forward CRYPTO-GRAM to colleagues and friends who will
find it valuable. Permission is granted to reprint CRYPTO-GRAM, as long as
it is reprinted in its entirety.
CRYPTO-GRAM is written by Bruce Schneier. Schneier is founder and CTO of
Counterpane Internet Security Inc., the author of "Secrets and Lies" and
"Applied Cryptography," and an inventor of the Blowfish, Twofish, and
Yarrow algorithms. He served on the board of the International Association
for Cryptologic Research, EPIC, and VTW. He is a frequent writer and
lecturer on computer security and cryptography.
Counterpane Internet Security, Inc. is the world leader in Managed Security
Monitoring. Counterpane's expert security analysts protect networks for
Fortune 2000 companies world-wide.
<http://www.counterpane.com/>
Copyright (c) 2001 by Counterpane Internet Security, Inc.
-
ISN is currently hosted by Attrition.org
To unsubscribe email majordomo () attrition org with 'unsubscribe isn' in the BODY
of the mail.
Current thread:
- CRYPTO-GRAM, August 15, 2001 InfoSec News (Aug 15)