Re: Is finding security holes a good idea?

[Jerrold Leichter]

| Thor Lancelot Simon <[EMAIL PROTECTED]> writes:
|
| > On Mon, Jun 14, 2004 at 08:07:11AM -0700, Eric Rescorla wrote:
| >> Roughly speaking:
| >> If I as a White Hat find a bug and then don't tell anyone, there's no
| >> reason to believe it will result in any intrusions.  The bug has to
| >
| > I don't believe that the premise above is valid.  To believe it, I think
| > I'd have to hold that there were no correlation between bugs I found and
| > bugs that others were likely to find; and a lot of experience tells me
| > very much the opposite.
|
| The extent to which bugs are independently rediscovered is certainly
| an open question which hasn't received enough study. However, the
| fact that relatively obvious and serious bugs seem to persist for
| long periods of time (years) in code bases without being found
| in the open literature, suggests that there's a fair amount of
| independence.
I don't find that argument at all convincing.  After all, these bugs *are*
being found!

It's clear that having access to the sources is not, in and of itself,
sufficient to make these bugs visible (else the developers of close-source
software would find them long before independent white- or black-hats).
Something else accounts for their surfacing.  I would guess that at least two
factors are involved:

- There's a level of similarity beyond, say, "buffer overflow".
For example, once one buffer overflow in parsing a "To:"
field is found, everyone starts looking for bugs in "To:"
field parsing - and then at the closely-related code for
parsing other header fields.  We know from experience - look
at the attempts to gain super-high reliability through
N-version programming - that bugs cluster:  Certain kinds of
problems are harder to get right than others.  Thus, this
focused attention on an area where bugs have been found is
highly likely to find other bugs.

- New tools and techniques for finding bugs in code are developed,
bring to light previously-hidden bugs.

To the extent these are true, a white-hat could reasonably argue that a
newly-found bug is unlikely to be rediscovered only if it is neither closely
related to previously-found bugs; nor found using a new technique.  But these
are exactly the cases in which you would *want* to publish!

-- Jerry

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Re: Is finding security holes a good idea?

[Eric Rescorla]

Thor Lancelot Simon <[EMAIL PROTECTED]> writes:

> On Mon, Jun 14, 2004 at 08:07:11AM -0700, Eric Rescorla wrote:
>> in the paper. 
>> 
>> Roughly speaking:
>> If I as a White Hat find a bug and then don't tell anyone, there's no
>> reason to believe it will result in any intrusions.  The bug has to
>
> I don't believe that the premise above is valid.  To believe it, I think
> I'd have to hold that there were no correlation between bugs I found and
> bugs that others were likely to find; and a lot of experience tells me
> very much the opposite.

The extent to which bugs are independently rediscovered is certainly
an open question which hasn't received enough study. However, the
fact that relatively obvious and serious bugs seem to persist for
long periods of time (years) in code bases without being found
in the open literature, suggests that there's a fair amount of
independence. 

-Ekr


-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

He Pushed the Hot Button of Touch-Screen Voting

[R. A. Hettinga]

The New York Times

June 15, 2004

He Pushed the Hot Button of Touch-Screen Voting
By KATHARINE Q. SEELYE

Kevin Shelley is a big and voluble Irish politician, the son of a former
San Francisco mayor, and not the sort you would figure for the heretofore
semi-obscure job of California secretary of state. But Mr. Shelley, who was
elected to the post in November 2002 after a career as a state legislator,
has adapted the job to suit his style, taking the arcane matter of voting
machines and turning it into a hobbyhorse that some predict he could ride
to the governor's office.

Mr. Shelley, a Democrat, has gained national notice for his skepticism
toward touch-screen voting and his insistence that voters be able to look
at a paper record inside the voting booth to verify their ballots. He says
such paper trails are crucial if government wants voters to have confidence
that their ballots are being counted correctly.

As a result, he has ordered that after July 1, 2005, no county in
California can buy a touch-screen system without a paper record that is
verifiable by the voter, and as of July 2006, all touch-screen systems here
must be equipped with paper trails, regardless of when they were bought.
Until the machines have that capability, he wants people who do not trust
them to have the option of voting by a traditional paper ballot.

Then, on April 30, he banned the use of certain touch screens in 4 counties
and decertified them in 10 other counties until additional security
measures could be put in place.

 "Someone said to me, 'The problem with Kevin Shelley is, he's an
activist,' " Mr. Shelley recalled in an interview earlier this month in his
office here overlooking the black-and-gold dome of City Hall in San
Francisco. "I plead guilty. But, oh my God, never has it been more
important to be an activist."

His directive has national implications because 40 percent of all
touch-screen voting machines in use are in California. If vendors start
making equipment to the specifications of the huge California market, that
market is likely to dictate what is available to the rest of the country.

But Mr. Shelley's advocacy of paper trails has set off a fierce and
emotional reaction among local election officials in California and
elsewhere and has brought the purchase of such systems to a near
standstill. Nearly one third of voters nationwide this November will vote
on touch screens.

 Local officials say that despite demonstrations from computer experts that
hackers can break into the machines, there is no evidence that anyone has
done so. Moreover, voters may expect an actual, individual receipt after
they vote; what happens instead is that a paper record, visible to the
voter, is created in the machine. Officials have also expressed concern
about paper jams.

Mr. Shelley's insistence on paper trails has prompted officials in four
California counties to sue him. The clash is being repeated in other states
and courtrooms and has even roiled the venerable League of Women Voters,
where advocates of paper trails tried to overthrow the league's
establishment, which has been against them. They settled yesterday on a
compromise resolution to support "secure, accurate, recountable and
accessible" systems, all code words for paper trails.

Conny B. McCormack, the respected registrar of Los Angeles County, the
biggest voting jurisdiction in the country, has emerged as one of Mr.
Shelley's chief critics. Ms. McCormack said that Mr. Shelley had confounded
local officials by handing down directives that require a technology that
does not yet exist. Rather than inspire voter confidence, she said, Mr.
Shelley has undermined it.

 (Manufacturers have said that if the technology were required, they could
supply it, but not in time for the November elections.)

"He put out a report on April 20 saying that touch screens were 100 percent
accurate," Ms. McCormack said. "And then two days later he decertified
them." She said such actions had "destabilized the entire election process
in California and potentially nationwide."

In random testing during the March 2 California primary, Mr. Shelley's
office found that the machines "recorded the votes as cast with 100 percent
accuracy."

In an effort to prod the industry, Mr. Shelley yesterday issued standards
for the manufacturers in developing paper trails, the first in the country.
They include requirements that voters who are disabled be able to vote and
verify their vote without assistance, that voters be able to verify their
votes before casting them and that the paper records be printed in both
English and the voter's preferred language.

 "I'm insisting, quite unapologetically, on the need to have these
appropriate security measures in place to protect the voters, which is my
principal charge," Mr. Shelley said.

 Mr. Shelley, 48, grew up in politics, the son of Jack Shelley, a former
mayor of San F

Post-9/11 laws expand to more than terrorism

[R. A. Hettinga]

Times Record News

 

To print this page, select File then Print from your browser

URL:
http://www.timesrecordnews.com/trn/nw_washington/article/0,1891,TRN_5707_2962597,00.html
Post-9/11 laws expand to more than terrorism

By LANCE GAY
June 14, 2004


 Federal and state prosecutors are applying stiff antiterrorism laws
adopted after the 9/11 attacks to broad, run-of-the-mill probes of
political corruption, financial crimes and immigration frauds.

 If the government gets its way, even routine transactions of buying or
selling American homes could soon come under the scrutiny of
money-laundering provisions of the USA Patriot Act. The Treasury
Department, which already has caught up financial transactions in casinos,
storefront check-cashing stores and auto dealers for scrutiny, wants to
expand Patriot Act coverage to home purchases as well.

 Since 9/11, critics say the greatest effect of new state and federal
antiterrorism laws has been on crimes already covered by other laws.

 Washington-area snipers John Muhammad and Lee Boyd Malvo were both
convicted under a post-9/11 Virginia antiterrorism statute making it a
death-penalty offense to be involved in more than one murder in a
three-year period. Muhammad was sentenced to death, and Malvo was given
life imprisonment without parole.

 The FBI has used Patriot Act provisions in a political corruption probe
involving a Las Vegas girlie bar, and the Justice Department reported to
the House Judiciary Committee last year that it used the new law in probes
of credit-card fraud, theft from a bank account and a kidnapping.

 In the first action of its kind, the Treasury Department also used the
Patriot Act this year to put Syria's largest commercial bank and two
commercial banks in Myanmar on blacklists - actions that forbid any U.S.
financial institution from doing business with them.

 Legal experts say they're not surprised that antiterrorism laws are being
used for more than just terrorism.

 Peter Swire, a law professor at Ohio State University, recalled that
Congress adopted antiracketeering laws in 1970 with the intent to thwart
mobsters, but the punitive laws have since been broadened and put to use in
civil cases against corporations, and most recently against the organized
campaigns of pro-life protesters against abortion clinics.

 Swire worked in the Clinton administration and chaired a White House
working group looking at issues involved with electronic surveillance. He
said many Patriot Act provisions, which sped through Congress within days
after 9/11, were proposals that either Congress or the White House had
previously rejected. Many provisions are slated to expire next year unless
Congress makes the changes permanent.

 Swire said one little-noted impact of that law on the judicial system is
that prosecutors can add more charges against defendants, even when
terrorism isn't involved.

 "Prosecutors like to have more arrows in their quiver - it gives them more
leverage in plea bargaining," he said. Plea bargaining is the process where
prosecutors offer to drop some charges in return for a defendant's guilty
plea in order to avoid costly, time-consuming trials.

 Swire contends the Patriot Act has been so controversial that the Justice
Department has been very cautious in using all of its provisions.

 "They are careful because they know people are checking to see if it is
abused," he said. "Once it becomes permanent, I think it will be used more
widely."

 The American Civil Liberties Union and other civil rights groups are
campaigning for Congress to terminate some of the more controversial
provisions of the Patriot Act, contending the law unnecessarily expands
government powers.

 The ACLU says the government already has sufficient investigative tools,
and the Patriot Act has been used for non-terrorist-related crimes such as
seizing stolen funds from bank accounts in Belize.

 Michael Mello, a law professor at Vermont Law School, disagrees and said
the Patriot Act made some needed changes in government procedures,
including provisions that tore down barriers that prohibited the FBI and
CIA from sharing information.

 "There's been a sea change by tearing down that wall," said Mello. "To
forbid the FBI from getting spooks' (CIA) information that someone in the
United States was carrying out a significant criminal enterprise is insane."

 In spite of the criticism from the ACLU and others, Mello said he doesn't
believe the Patriot Act has been misused or has resulted in any expansion
of government powers. "In the absence of evidence, the critics lose," he
said.

 Mello agrees that there are some provisions in the Patriot Act that should
be allowed to expire. He opposes a controversial provision allowing the
Justice Department to use so-called "national security letters" to obtain
library records, medical records and banking records of peop

Re: Breaking Iranian Codes (Re: CRYPTO-GRAM, June 15, 2003)

[Peter Gutmann]

"R. A. Hettinga" <[EMAIL PROTECTED]> forwarded:

>So now the NSA's secret is out.  The Iranians have undoubtedly changed
>their encryption machines, and the NSA has lost its source of Iranian
>secrets.  But little else is known.  Who told Chalabi?  Only a few
>people would know this important U.S. secret, and the snitch is
>certainly guilty of treason.

Someone (half-)remembered reading the Crypto AG story in the Baltimore Sun
several years ago, bragged to Chalabi that the US had compromised Iranian
crypto, and the story snowballed from there.  The story could have started out
with a loquacious (Sun-reading) cab driver for all we know.  Some reports have
suggested the source was drunk, so maybe it was a drunk in a bar.  Maybe
Chalabi read the story himself and invented the snitch to make it seem more
important than it was, or to drive the US security community nuts with an orgy
of internal witch-hunting.  Given the lack of further information, it could
have been just about anything.

Peter.

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Breaking Iranian Codes (Re: CRYPTO-GRAM, June 15, 2003)

[R. A. Hettinga]

At 4:03 AM -0500 6/15/04, Bruce Schneier wrote:
> Breaking Iranian Codes
>
>
>
>Ahmed Chalabi is accused of informing the Iranians that the U.S. had
>broken its intelligence codes.  What exactly did the U.S. break?  How
>could the Iranians verify Chalabi's claim, and what might they do about it?
>
>This is an attempt to answer some of those questions.
>
>Every country has secrets.  In the U.S., the National Security Agency
>has the job of protecting our secrets while trying to learn the secrets
>of other countries.  (Actually, the CIA has the job of learning other
>countries' secrets in general, while the NSA has the job of
>eavesdropping on other countries' electronic communications.)
>
>To protect their secrets, Iranian intelligence -- like the leaders of
>all countries -- communicate in code.  These aren't pencil-and-paper
>codes, but software-based encryption machines.  The Iranians probably
>didn't build their own, but bought them from a company like the
>Swiss-owned Crypto AG.  Some encryption machines protect telephone
>calls, others protect fax and Telex messages, and still others protect
>computer communications.
>
>As ordinary citizens without serious security clearances, we don't know
>which machines' codes the NSA compromised, nor do we know how.  It's
>possible that the U.S. broke the mathematical encryption algorithms
>that the Iranians used, as the British and Poles did with the German
>codes during World War II.  It's also possible that the NSA installed a
>"back door" into the Iranian machines.  This is basically a
>deliberately placed flaw in the encryption that allows someone who
>knows about it to read the messages.
>
>There are other possibilities: the NSA might have had someone inside
>Iranian intelligence who gave them the encryption settings required to
>read the messages.  John Walker sold the Soviets this kind of
>information about U.S. naval codes for years during the 1980s.  Or the
>Iranians could have had sloppy procedures that allowed the NSA to break
>the encryption.
>
>Of course, the NSA has to intercept the coded messages in order to
>decrypt them, but they have a worldwide array of listening posts that
>can do just that.  Most communications are in the air-radio, microwave,
>etc. -- and can be easily intercepted.  Communications via buried cable
>are much harder to intercept, and require someone inside Iran to tap
>into.  But the point of using an encryption machine is to allow sending
>messages over insecure and imperceptible channels, so it is very
>probable that the NSA had a steady stream of Iranian intelligence
>messages to read.
>
>Whatever the methodology, this would be an enormous intelligence coup
>for the NSA.  It was also a secret in itself.  If the Iranians ever
>learned that the NSA was reading their messages, they would stop using
>the broken encryption machines, and the NSA's source of Iranian secrets
>would dry up.  The secret that the NSA could read the Iranian secrets
>was more important than any specific Iranian secrets that the NSA could
>read.
>
>The result was that the U.S. would often learn secrets they couldn't
>act upon, as action would give away their secret.  During World War II,
>the Allies would go to great lengths to make sure the Germans never
>realized that their codes were broken.  The Allies would learn about
>U-boat positions, but wouldn't bomb the U-boats until they spotted the
>U-boat by some other means...otherwise the Nazis might get suspicious.
>
>There's a story about Winston Churchill and the bombing of Coventry:
>supposedly he knew the city would be bombed but could not warn its
>citizens.  The story is apocryphal, but is a good indication of the
>extreme measures countries take to protect the secret that they can
>read an enemy's secrets.
>
>And there are many stories of slip-ups.  In 1986, after the bombing of
>a Berlin disco, then-President Reagan said that he had irrefutable
>evidence that Qadaffi was behind the attack.  Libyan intelligence
>realized that their diplomatic codes were broken, and changed
>them.  The result was an enormous setback for U.S. intelligence, all
>for just a slip of the tongue.
>
>Iranian intelligence supposedly tried to test Chalabi's claim by
>sending a message about an Iranian weapons cache.  If the U.S. acted on
>this information, then the Iranians would know that its codes were
>broken.  The U.S. didn't, which showed they're very smart about
>this.  Maybe they knew the Iranians suspected, or maybe they were
>waiting to manufacture a plausible fictitious reason for knowing about
>the weapons cache.
>
>So now the NSA's secret is out.  The Iranians have undoubtedly changed
>their encryption machines, and the NSA has lost its source of Iranian
>secrets.  But little else is known.  Who told Chalabi?  Only a few
>people would know this important U.S. secret, and the snitch is
>certainly guilty of treason.  Maybe Chalabi never knew, and never told
>the Iranians.  Maybe the Iranians figured it

recommendations/evaluations of free / low-cost crypto libraries

[Amir Herzberg]

I will appreciate experience-reports/evaluations/comparisons with free 
or low cost (and in particular  zero `per seat` cost) crypto libraries, 
especially in C / C++ (or links to web-sites containing them). If I'll 
get substantial useful information (off-list) I'll try to compile it and 
send to the list. Important aspects include reliability, functionality, 
performance, documentation, cost (for development system - no `per seat` 
cost!), and licensing terms (in particular can it be used for commercial 
products, and any restrictions).

Thanks a lot...
--
Best regards,
Amir Herzberg
Associate Professor, Computer Science Dept., Bar Ilan University
http://amirherzberg.com (information and lectures in cryptography & 
security)

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Re: Is finding security holes a good idea?

[Thor Lancelot Simon]

On Mon, Jun 14, 2004 at 08:07:11AM -0700, Eric Rescorla wrote:
> in the paper. 
> 
> Roughly speaking:
> If I as a White Hat find a bug and then don't tell anyone, there's no
> reason to believe it will result in any intrusions.  The bug has to

I don't believe that the premise above is valid.  To believe it, I think
I'd have to hold that there were no correlation between bugs I found and
bugs that others were likely to find; and a lot of experience tells me
very much the opposite.

Thor

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]