Computer underground Digest    Sun  Aug 9, 1998   Volume 10 : Issue 45
                           ISSN  1004-042X

       Editor: Jim Thomas (cudigest@sun.soci.niu.edu)
       News Editor: Gordon Meyer (gmeyer@sun.soci.niu.edu)
       Archivist: Brendan Kehoe
       Shadow Master: Stanton McCandlish
       Shadow-Archivists: Dan Carosone / Paul Southworth
                          Ralph Sims / Jyrki Kuoppala
                          Ian Dickinson
       Field Agent Extraordinaire:   David Smith
       Cu Digest Homepage: http://www.soci.niu.edu/~cudigest

CONTENTS, #10.45 (Sun, Aug 9, 1998)

File 1--Security Researchers oppose pending copyright legislation
File 2--WIPO Letter From the InfoSec Community
File 3--Cu Digest Header Info (unchanged since 25 Apr, 1998)

CuD ADMINISTRATIVE, EDITORIAL, AND SUBSCRIPTION INFORMATION APPEARS IN
THE CONCLUDING FILE AT THE END OF EACH ISSUE.

---------------------------------------------------------------------

Date: Sat, 1 Aug 1998 12:04:30 -0500
From: Gene Spafford
Subject: File 1--Security Researchers oppose pending copyright legislation

Sat, Aug 1, 1998

LEADING SECURITY RESEARCHERS URGE CONGRESS TO RECONSIDER PENDING
COPYRIGHT LEGISLATION

Washington, DC - A group of nearly 50 of the nation's top security
researchers and practitioners have delivered a letter to Congressional
leaders urging them to reconsider provisions of controversial
legislation concerning copyright protection. Several versions of the
bill, H.R. 2281 (the "Digital Millennium Act"), are currently under
consideration by the House of Representatives, and one version has
already passed the Senate. The bill would make it illegal to circumvent
"technological protection measures" that could be used to protect
digital works on the Internet. However, those same technologies are
also employed to protect users against computer viruses, perform
security tests of commercial network installations, and conduct basic
security education and research in universities and government labs.
The experts assert that if the bill is passed in its current form, many
vital forms of security testing may be rendered illegal. Realizing that
scientists need to circumvent systems to conduct effective research,
the House Commerce Committee recently amended the bill to permit
circumvention for the purposes of encryption research. However,
according to security experts, such a provision simply does not go far
enough.

"[The Commerce Committee bill] fails to further recognize that
encryption research is simply one aspect of security research, and that
research is different from actual practice. While [the bill] may exempt
encryption research, it still criminalizes other crucial techniques
used in security research and practice," wrote Eugene Spafford, the
author of the letter, and a world-leading expert in information
security. "If passed in anything similar to its present form, [the
Digital Millennium Copyright Act] has the potential to imperil computer
systems and networks throughout the United States, criminalize many
current university courses and research in information security, and
severely disrupt a growing American industry in information security
technology. The result would be grave damage to the U.S. economy and to
national security."

Ironically, the letter comes at a time when security researchers are
working to alert the public to a significant security flaw found in
three of the most popular e-mail systems in use in the Internet. On
Tuesday, the U.S. Energy Department's security team issued an emergency
bulletin, confirming reports that Microsoft Outlook Express, Outlook
98, and Netscape's Messenger Mail all contain serious security flaws.
Identified, in part, through processes of reverse engineering -- one of
the techniques that would be prohibited by the pending legislation --
the security hole allows booby-trapped e-mail messages to cause havoc
on a user's computer system.
Security researchers have noted that such serious security flaws are
often uncovered only because the public is able to freely test the
security of such programs. Public scrutiny and outcry are sometimes the
only way that such security flaws are identified and quickly fixed
before criminals can identify and exploit the flaw themselves. However,
the Digital Millennium Copyright Act could very well prohibit the
processes of public scrutiny, reverse engineering, and public notice
that have successfully identified these flaws to date.

Bruce Schneier, noted cryptography expert and author, described the
situation as "In our country there is a long tradition of consumer
advocacy. Organizations like Consumer Reports regularly evaluate
products and make those evaluations available to buyers. The WIPO
provision against encryption research would make it illegal for
companies to evaluate security products. If a company asked me which
firewall was good, it would be illegal for me to tell them. This is
like the meat industry getting a law passed making it illegal for
someone to publicize that a particular brand of hamburger has rat hair
in it."

Spafford drafted the letter on Wednesday, July 29, after becoming aware
of the full import of the pending legislation. Within hours, 48 experts
agreed to act as co-signers. Spafford noted "If we had more time to
solicit supporters, we might have doubled the number of prominent names
on the letter. The community is gravely concerned that this legislation
will endanger information security in the U.S. Although we are against
violation of valid copyrights, we believe that legislation should be
designed to punish the violators rather than criminalize tools that are
also necessary to the protectors."

An electronic copy of the security researchers' letter is available
at: . Contact details and pointers to background information are also
present at this location.
------------------------------

Date: Mon, 3 Aug 1998 23:57:08 -0500
From: jthomas@VENUS.SOCI.NIU.EDU(Jim Thomas)
Subject: File 2--WIPO Letter From the InfoSec Community

SOURCE - http://www.cs.purdue.edu/homes/spaf/WIPO/

WIPO Letter From the InfoSec Community

What this is about

The World Intellectual Property Organization (WIPO) produced a new
treaty in 1996 for the protection of intellectual property. The U.S.
signed the treaty, and Congress has been considering enabling
legislation to bring U.S. law into alignment with treaty provisions. As
part of this legislative process, a number of major trade groups and
industry lobbyists have weighed in with their desires for the
legislation. It appears as if only content producers and providers
(e.g., entertainment companies and software publishers) have had
significant influence, and the resulting law is very biased in their
favor. In particular, the law in its current form appears to:

* Ban reverse engineering of software in almost all cases
* Restrict or eliminate traditional fair-use provisions on
  intellectual property
* Prohibit research and production of technology that might be used to
  defeat copyright protection measures
* Criminalize many currently accepted practices in information
  security.

Thus, either directly or as unintended (?) consequences, the bill could
severely restrict what professionals can do in education, research, and
the practice of information security. The biggest problem with the bill
is that it outlaws technology and research rather than simply
criminalizing violations of copyright. This is roughly analogous to
outlawing automobiles and research into engine design to prevent the
possibility of drunk driving.

A number of prominent lawyers have reviewed this bill and communicated
their findings to me: they all agree (as much as any group of lawyers
can agree) that the bill is as dismal as I have outlined here.

The bill has passed the Senate.
In the House, it has passed two major committees: Judiciary and
Commerce. The Judiciary version is basically the version that passed
the Senate. The version that passed the Commerce committee has had a
few small amendments attached, including one that exempts some
encryption research from the law -- but no general exemptions exist for
other work in security.

What I Have Done About It

After consulting with personnel on the ACM's Public Policy committee
(of which I am a member), and staff of the Computing Research
Association's Washington office (I am on the board of CRA), I wrote a
letter to several members of Congress -- including the Speaker of the
House, the chairs and ranking minority members of several involved
House committees, and some key Senators. This is not a letter from
either ACM or CRA, but a letter from me as a senior security
professional. The letter outlines why I think the law is damaging to
the profession, and encourages the Congressmen to do what they can to
either have the bill reconsidered or simply not considered on the floor
of the House this term.

I decided to ask other security professionals if they wanted to be
co-signers. 48 leading professionals agreed to add their names to the
letter, despite there being only a few days to respond.

What You Can Do

You can read my letter. If you agree with what I wrote in the letter,
then you can write your own letter to your representative and senators
expressing your opinion on the legislation. A phone call, or a personal
visit to their local offices might also be beneficial.

More Information

You can obtain more information on the Digital Millennium Act, H.R.
2281, by consulting these pages:

* A PCWeek article on the bill
* Background material at dfc.org
* Material from the EFF on the bill
* For actual text of the bill, go to Thomas and search for 'Digital
  Millennium Act'
* Article from the current issue of the Chicago Lawyer

Letter Recipients

Who                                        Why
Representative Newt Gingrich               Speaker
Representative Richard Armey               Majority Leader
Representative Tom DeLay                   Majority Whip
Representative Richard Gephardt            Minority Leader
Representative David E. Bonior             Minority Whip
Representative Gerald B.H. Solomon         Rules Committee Chair
Representative Joe Moakley                 Rules Committee Ranking Member
Representative Thomas J. Bliley            Commerce Committee Chair
Representative John D. Dingell             Commerce Committee Ranking Member
Representative W.J. "Billy" Tauzin         Subcommittee on Telecommunications,
                                           Trade, and Consumer Protection Chair
Representative Edward J. Markey            Subcommittee on Telecommunications,
                                           Trade, and Consumer Protection
                                           Ranking Member
Representative Edward Pease                Representative of my District in
                                           Indiana
Representative Henry J. Hyde               Judiciary Committee Chair
Representative John Conyers, Jr.           Judiciary Committee Ranking Member
Representative Howard Coble                Subcommittee on Courts and
                                           Intellectual Property Chair
Representative Barney Frank                Subcommittee on Courts and
                                           Intellectual Property Ranking Member
Representative F. James Sensenbrenner, Jr. Science Committee Chair
Representative George E. Brown, Jr.        Science Committee Ranking Member
Senator Orrin G. Hatch                     Judiciary Committee Chair
Senator Patrick J. Leahy                   Judiciary Committee Ranking Member

The Text of the Letter

August 1, 1998

Dear Representative/Senator X:

We, the undersigned, are a group of the nation's leading scientists and
technologists in computer and network security with (collectively)
hundreds of years of service in academia, industry and government. We
are writing to express our profound concerns about both versions of
H.R. 2281, the Digital Millennium Act.
If passed in anything similar to its present form, H.R. 2281 has the
potential to imperil computer systems and networks throughout the
United States, criminalize many current university courses and research
in information security, and severely disrupt a growing American
industry in information security technology. The result would be grave
damage to the U.S. economy and to national security. We recently became
aware of provisions of this legislation, and we are now seeking to have
H.R. 2281 recast to address our concerns, or prevented from being
passed into law.

The growing use of network-based information sources does indeed create
new opportunities that require updated protections. As producers
ourselves of articles, books and software, we are in favor of
appropriate copyright regulations. However, H.R. 2281 takes an approach
that has damaging side-effects: rather than criminalizing inappropriate
actions, it would restrict technology and techniques that have
legitimate and vital uses in information security, such as
reverse-engineering. By analogy, the approach taken in 2281 is akin to
banning the development and sale of automobiles to curtail drunk
driving, or criminalization of the sale of paper and ink to prevent the
possibility of libel. While sometimes of potential use to infringers,
most information security-related technologies are also essential for
security practitioners to maintain the protection of the public.
Ironically, the provisions of H.R. 2281 may actually hinder researchers
in developing and deploying future copyright protection technologies.

We believe that the damage that would be wrought by H.R. 2281 is
unintentional. For instance, by amending H.R. 2281 to permit encryption
research, the Commerce Committee evidenced recognition of the great
importance of that sub-field of research.
However, their version of the bill fails to further recognize that
encryption research is simply one aspect of security research, and that
research is different from actual practice. While that version of H.R.
2281 may exempt encryption research, it still criminalizes other
crucial techniques used in security research and practice. Here are
four examples of how security practice and research consist of much
more than encryption research and depend on technologies and techniques
that H.R. 2281 would prohibit:

* When a new computer virus is discovered, it is necessary to
  reverse-engineer the programs that are affected to discover how the
  virus spreads, how to remove it to disinfect the programs, and how to
  build defenses against future encounters with the same virus.
  However, H.R. 2281 only allows reverse engineering for the purposes
  of interoperability. This legislation would thus criminalize
  anti-virus efforts because they include examination of copyrighted
  code for other than the "sole purpose" of interoperability.
  Furthermore, it would criminalize the development, refinement, and
  sale of any software tools that would make such virus analysis more
  effective.

* Penetration analysis is a time-tested method of examining networks
  and computers for unnoticed security flaws. Regularly used by major
  accounting firms, government agencies, and independent consultants in
  assessing security, penetration analysis is the practice of breaking
  into a system to see if it resists attack. Because penetration
  analysis is not encryption research, H.R. 2281 might criminalize the
  teaching, the performance, and the development of supporting
  technology for many forms of this valuable approach to security
  research and practice.

* Several universities offer detailed coursework in software
  disassembly, reverse-engineering, penetration analysis, and related
  fields as a means of training information security professionals.
  This is not done to violate the property rights of any software
  owners but to provide an appropriate education in an area of critical
  national need; this is similar to medical students learning
  dissection and anatomy on real bodies to hone fundamental skills.
  H.R. 2281 could be interpreted as prohibiting such education,
  labeling it as "trafficking in certain technologies... that can be
  used to circumvent a technological protection measure."

* Major vendors are often unable (or unwilling) to adequately test
  mass-market software packages. When these packages are released into
  the marketplace, they are adopted by thousands of businesses. With
  the significant emphasis on cost-cutting and interoperability, these
  "COTS" (commercial, off-the-shelf) packages are also widely adopted
  by U.S. government agencies and the military. Upon release, these
  packages are intensely scrutinized by hackers, spies, and criminals
  throughout the world as they search for flaws they can exploit. The
  same packages are also examined by hundreds of computer users,
  searching for flaws so as to protect their own systems. When these
  "good guys" find flaws, they report them to the vendors and the user
  community so that the flaws can be fixed. While real criminals will
  not be dissuaded, H.R. 2281, in any of its forms, will almost
  certainly restrict those who wish to search and report flaws in "good
  faith."

We are law-abiding citizens who work in a leading-edge area of science
and technology; we are not seeking to infringe others' valid economic
interests protected by copyright. However, to advance the state of the
art, it is necessary for us to have freedom of inquiry and
experimentation. It is essential that we be able to freely conduct
security research so that stronger and more robust technology
protection measures will be developed.
Thereafter, professionals need the freedom to apply the results of our
research to protect the interests of copyright owners, the privacy of
citizens, and the security of U.S. business and government.

We urge Congress to reconsider H.R. 2281 -- both the version passed by
the Committee on the Judiciary and the Commerce Committee. We believe
the best approach is to criminalize inappropriate behavior and intent,
and not ban technology with multiple uses in this fast-moving field of
critical, national importance. If such a reconsideration is not
possible, we strongly recommend that the bill not be passed this
legislative session. Several of us are willing to assist Congress in
developing an appropriate replacement or modification of the
legislation, if asked.

(N.B. Titles, affiliations and city of residence below are provided for
identification only; the material presented in this letter is the
personal and professional opinion of the people listed, and not
necessarily the official position of their employers or organizations.)

Signed,

Eugene H. Spafford, Ph.D., FACM
Professor of Computer Sciences
Director, Center for Education and Research in Information Assurance
  and Security (CERIAS)
Director, the COAST Laboratory
Purdue University
West Lafayette, IN 47907-1398
(765) 494-7825

Co-Signers

Ronald L. Rivest, Ph.D.
Edwin S. Webster Professor of Electrical Engineering and Computer Science
EECS Dept., MIT
Associate Director of the MIT's Laboratory for Computer Science
Member, National Academy of Engineering
Arlington, Mass

Peter S. Browne
Senior Vice President and Division Head
First Union Corporation
Information Technology Services and Information Security
Charlotte, NC

Howard O. Halpin III
Vice President, Information Technology
Motorola Computer Group
Tempe, Arizona

Peter J. Denning, PhD, FACM, FIEEE, FAAAS
Past President, Association for Computing Machinery
George Mason University
Fairfax, VA

Lance J. Hoffman, Ph.D., FACM
Professor of Computer Science
Director, Cyberspace Policy Institute
The George Washington University
Washington, D. C.

Thomas A. Berson, Ph.D.
President, Anagram Laboratories
Past-President, International Association for Cryptologic Research
Chair-Elect, IEEE Computer Society Technical Committee on Security and
  Privacy
Palo Alto, CA

Joan Feigenbaum, PhD
Editor-in-Chief, Journal of Cryptology
Division Manager, Algorithms and Distributed Data Research
AT&T Labs - Research
New York, NY

Andrew W. Appel, Ph.D., FACM
Professor of Computer Science
Princeton University
Princeton, NJ

Keith A. Marzullo, Ph.D.
Associate Editor, IEEE Transactions on Software Engineering
Associate Professor, Dept. of Computer Science and Engineering
University of California, San Diego
La Jolla, CA

William J. Cook
Intellectual Property Attorney & Co-Chair of ABA Science & Technology
  Global Network Committee
Winston & Strawn
Chicago, IL

Daniel E. Geer, Jr., Sc.D.
Vice President & Senior Strategist
CertCo, LLC
55 Broad Street
New York, N.Y.

Virgil D. Gligor, Ph.D.
Professor of Electrical Engineering
University of Maryland
College Park, Maryland

J. Douglas Tygar, PhD
Professor of Computer Science and Information Management
University of California, Berkeley, CA

Kevin S. McCurley, Ph.D.
President, International Association for Cryptologic Research
and Research Staff Member, IBM Research
San Jose, CA

Dr. J. Thomas Haigh, Ph.D.
Vice President and Chief Technologist
The Secure Computing Corporation
Minneapolis, MN

Ross Stapleton-Gray, Ph.D.
President, TeleDiplomacy, Inc.
Adjunct Professor, Georgetown University
Arlington, VA

Edward W. Felten, Ph.D.
Assistant Professor of Computer Science
Director, Secure Internet Programming Laboratory
Princeton University

Bruce Schneier
President, Counterpane Systems
Author, Applied Cryptography
Minneapolis, MN

David P. Maher, Ph.D.
Division Manager and Head, Secure Systems Research Department
AT&T Labs
Livermore, CA

Bennet S. Yee, PhD
Assistant Professor of Computer Science
Co-director, Cryptography and Security Laboratory
University of California
San Diego, CA

Karen F. Worstell
Principal, SRI Consulting
Director, Research and Technology
International Information Integrity Institute (I-4)
Houston, TX

Michael Merritt, PhD
Division Manager, Specification and Algorithm Research Department
AT&T Labs -- Research
Mendham, NJ

Stuart Haber, Ph.D.
Chief Scientist, Surety Technologies
New York, N.Y.

Jack V. Leifel
Senior Director, Information Technology Services
Cellular Infrastructure Group, Communications Enterprise
Motorola, Inc.
Arlington Hts., Il.

Gary Garb
Director, Corporate Computer & Information Security
Unisys Corporation
Bensalem, PA

Jonathan K. Millen, Ph.D.
Senior Computer Scientist
SRI International
Palo Alto, CA

Susan Swope, CISSP
Deputy Program Director, International Information Integrity Institute
  (I-4)
Senior Consultant
SRI Consulting
Menlo Park, CA

Barbara J. Pease
Senior Scientist
Information Warfare and Secure Systems Engineering
MITRE Corporation
Somerville, MA

Hilary H. Hosmer
President
Data Security, Inc.
Bedford, MA

Michael K. Reiter, Ph.D.
Principal Technical Staff Member
AT&T Labs - Research
Raritan, NJ

Jonathan Trostle, PhD
Senior Software Engineer
Cisco Systems
Cupertino, CA

John J. Kinyon
Manager, Corporate Information Security and Risk Management
Motorola, Inc.
Lake Zurich, IL

Becky Bace
President/CEO
Infidel, Inc.
Security Engineering Services
Scott Valley, CA

Douglas R. Steinbaum
Electronics Engineer
Network Security Section, Naval Research Laboratory
Alexandria, VA

James Cannady
Research Scientist
Georgia Institute of Technology
Atlanta, GA

Julie L. Connolly
Lead Information Systems Security Engineer
The MITRE Corporation
Nashua NH

Daylan Darby
Lead Software Engineer
Information Warfare - The Boeing Company
Seattle, WA

Joseph C. Konczal
Computer Scientist
National Institute of Standards and Technology
Mount Airy, MD

William Hill
Lead INFOSEC Engineer
The MITRE Corporation
Vienna, VA

Daniel Thomas Grove
HP Software Security Team Coordinator
Hewlett-Packard Company
San Jose, CA

Steven W. Lodin
Manager, Information Security Services
Ernst & Young LLP
Indianapolis, IN

Robert H. Bagwill
Computer Specialist
National Institute of Standards and Technology
Montgomery Village, MD

Roger A. Safian
Information Security Coordinator
Northwestern University
Evanston, Il

Carl M. Ellison
Senior Security Architect
(organization withheld)
Portland, OR

David R. Campbell, CNE
CIO
WireX Communications, Inc.
Vancouver, WA

Puck-Fai
Senior INFOSEC Engineer
The MITRE Corporation
Mitchellville, MD

Amgad Fayad
Sr. INFOSEC Engineer
The MITRE Corporation
Springfield, VA

David Wagner
Founding Member, ISAAC Security Research Group
University of California, Berkeley
Berkeley, CA

Gene Spafford spaf@cs.purdue.edu
Date Last Modified: 7/30/98

------------------------------

Date: Thu, 25 Apr 1998 22:51:01 CST
From: CuD Moderators
Subject: File 3--Cu Digest Header Info (unchanged since 25 Apr, 1998)

Cu-Digest is a weekly electronic journal/newsletter. Subscriptions are
available at no cost electronically.

CuD is available as a Usenet newsgroup: comp.society.cu-digest

Or, to subscribe, send post with this in the "Subject:" line:

     SUBSCRIBE CU-DIGEST
Send the message to:   cu-digest-request@weber.ucsd.edu

DO NOT SEND SUBSCRIPTIONS TO THE MODERATORS.

The editors may be contacted by voice (815-753-6436), fax (815-753-6302)
or U.S. mail at: Jim Thomas, Department of Sociology, NIU, DeKalb, IL
60115, USA.
To UNSUB, send a one-line message:   UNSUB CU-DIGEST
Send it to  CU-DIGEST-REQUEST@WEBER.UCSD.EDU
(NOTE: The address you unsub must correspond to your From: line)

CuD is readily accessible from the Net:
  UNITED STATES: ftp.etext.org (206.252.8.100) in /pub/CuD/CuD
    Web-accessible from: http://www.etext.org/CuD/CuD/
                  ftp.eff.org (192.88.144.4) in /pub/Publications/CuD/
                  aql.gatech.edu (128.61.10.53) in /pub/eff/cud/
                  world.std.com in /src/wuarchive/doc/EFF/Publications/CuD/
                  wuarchive.wustl.edu in /doc/EFF/Publications/CuD/
  EUROPE:         nic.funet.fi in pub/doc/CuD/CuD/ (Finland)
                  ftp.warwick.ac.uk in pub/cud/ (United Kingdom)

The most recent issues of CuD can be obtained from the
Cu Digest WWW site at:
  URL: http://www.soci.niu.edu/~cudigest/

COMPUTER UNDERGROUND DIGEST is an open forum dedicated to sharing
information among computerists and to the presentation and debate of
diverse views. CuD material may be reprinted for non-profit as long as
the source is cited. Authors hold a presumptive copyright, and they
should be contacted for reprint permission. It is assumed that
non-personal mail to the moderators may be reprinted unless otherwise
specified. Readers are encouraged to submit reasoned articles relating
to computer culture and communication. Articles are preferred to short
responses. Please avoid quoting previous posts unless absolutely
necessary.

DISCLAIMER: The views represented herein do not necessarily represent
the views of the moderators. Digest contributors assume all
responsibility for ensuring that articles submitted do not violate
copyright protections.

------------------------------

End of Computer Underground Digest #10.45
************************************