precedence: bulk Subject: RISKS DIGEST 19.41 RISKS-LIST: Risks-Forum Digest Friday 17 October 1997 Volume 19 : Issue 41 FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks) ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator ***** See last item for further information, disclaimers, caveats, etc. ***** Contents: New York air traffic slowed by Construction effluvia (PGN) Union Pacific rolling (?) stock (Daniel P. B. Smith) Indian satellite failure (Scott Lucero) Paris police computer spares Corsican motorists (Gianfranco Boggio-Togna) Another way to exploit local classes in Java (Andre L. Dos Santos) Risks of installing Internet Explorer 4.0 (Bryan O'Sullivan) Cold weather impairs fiber performance (Stig) Stink-Bombed Computers (Stuart L. Anderson) US West and 911: Silence Is OK (Scot E. Wilcoxon) The risks of license servers (Dan Wallach) Risk of not updating web pages (John Oliver) Re: Possible breakthrough in NP-completeness (Mark Stalzer, Michael A. Schatz via Gary McGraw) Microsoft euphemisms (Matt Welsh) Re: AOL may introduce ads on private e-mail (Matt Welsh) Re: FBI wants to ban the Bible: steganography (Brian Clapper) Re: FBI wants to ban the Bible: Linear A/B (Stephen Crane, Mike Williams) The Electronic Privacy Papers: A new book by Schneier/Banisar (Bruce Schneier) Abridged info on RISKS (comp.risks) ---------------------------------------------------------------------- Date: Thu, 16 Oct 97 10:40:17 PDT From: "Peter G. Neumann" Subject: New York air traffic slowed by Construction effluvia Air contamination (dust? chemicals?) from an overnight renovation project at the Westbury New York area air-traffic control center caused controllers to have to leave their stations for almost 10 hours on 15 Oct 1997. Only a few controllers were able to keep some air traffic going, with a spacing of 30 miles instead of five. Newark was hit the hardest of NY's airports, with 150 flights canceled and arrival delays up to five hours. [*San Francisco Chronicle* News Services, 16 Oct 1997, and other sources] ------------------------------ Date: Tue, 14 Oct 1997 14:16:16 -0400 (EDT) From: "Daniel P. B. Smith" Subject: Union Pacific rolling (?) stock Following Union Pacific's assimilation of Southern Pacific, to form the nation's largest railroad, UP has been unable to accurately track its freight cars, resulting in gridlocks and lost trains -- most visibly in the southern corridor from LA to Texas, the Gulf Coast region, and the central corridor from Oakland to Chicago. There are major bottlenecks in LA, North Platte, Chicago, and Houston. Integrating the computer systems was reportedly ``more difficult than anticipated.'' There are many horror stories, including a load of liquid gas that had "virtually evaporated into thin air by the time it arrived;" it took 51 days to ship a load of plastic resin from Dallas to Forth Worth; a shipment from Memphis to California by way of Little Rock, _then Memphis, then Little Rock, then Memphis, then Little Rock,_ then El Paso... A Mr. Lundgren of Englin Cotton Oil Mill reported watching one of his own freight cars on UP tracks barreling past his office. ``A few days later, he saw it pass again in the opposite direction.'' [Culled by PGN from Daniel's submitted item by Anna Wilde Mathes and Daniel Machalaba, *Wall Street Journal*, Monday, 13 Oct 1997, p. B1, and another detailed item by Carl Nolte and Kenneth Howe, *San Francisco Chronicle*, 11 Oct 1997, D1] ------------------------------ Date: Mon, 06 Oct 97 12:18:02 EST From: "lucero" Subject: Indian satellite failure According to the 6 Oct 1997 *Daily Brief*, officials in India say the country's most advanced communications satellite was abandoned yesterday due to a power failure aboard the craft. The loss of the satellite reportedly affected communications to remote parts of the nation and the operation of satellite-dependent functioning of India's stock exchange. This appears to be an example of the familiar RISK of having a single point of failure, or, more colloquially, putting all your eggs in one basket. Scott Lucero ------------------------------ Date: Sun, 5 Oct 97 22:27:40 ITA From: G.Boggio@agora.stm.it Subject: Paris police computer spares Corsican motorists "For more than six years, Corsican motorists fined in Paris have not paid their PV's [_Proces Verbal_]: the central police computer rejected the code identifying the _departement_ because, with a digit and a letter ('2A' or '2B'), it is different from the codes used on the mainland. The anomaly, which resulted in the absence of prosecutions for nonpayment of fines for all cars registered in Corsica, goes back to 1990. It has now been removed and 'since May 1997 all PV's are correctly processed by the program', said the _prefet de police_, Philippe Massoni. ... M. Massoni explained that the error was introduced at the time of the changeover from manual processing to a computer system. It was decided to implement 'some checks' to verify agreement between the data in the PV (car model and type), the information recorded in a database of all cars circulating in France and the address of the driver as recorded in the database. 'The error was related to the last check'. There was confusion between the city code (starting with '2A' or '2B') and the city postal code (starting with '20'). For all other French _departements_, the first two characters of the city code and of the postal code are the same, and numeric. Now, the program installed in 1990 checked that the first two characters of the city code were numeric. If the check failed, the record was rejected and the PV was not processed." Source: "Pas de PV a Paris pendant six ans pour les Corses" NICE-MATIN, October 5th, 1997 According to a report on French radio ('France Info', October 3rd), the reason for the rejection was actually the mismatch between city and postal codes (which, as bugs go, sounds more likely). Gianfranco Boggio-Togna, Ventimiglia (Italy) ------------------------------ Date: Wed, 8 Oct 1997 16:30:37 -0700 (PDT) From: "Andre L. Dos Santos" Subject: Another way to exploit local classes in Java The attack described here is of interest because it uses the CLASSPATH feature, which has been known to allow security breaches. However, it uses it in a different way. The result is that the security enhancements that have been introduced by Netscape to fix the previously known vulnerability using this feature are ineffective in stopping this attack. The danger of setting the CLASSPATH environment variable to a path where malicious classes are located is well known. Because of this Netscape began restricting what a class loaded from the local disk can do starting with Navigator 2.x. In Navigator 3.x Netscape took it one step further with its setScopePermission model, and Communicator 4.x has signed applets, where a capability based model is enforced. Microsoft has not enhanced the model suggested by Javasoft. The security model implemented by Netscape and Microsoft considers any local class as a "system" class. Therefore, when a class is needed the browser searches the local disk before requesting a class from the net. Thus, if the user has classes in his/her local disk that have the same name as classes that are used by a site, these classes will be used instead of the ones from the network. Because of this it is possible to implement an attack on a user interacting with a target site, where classes on the local disk implement the functionality desired by the attacker. Our attack is able to proceed because the classes that are used in our attack do not need to request or require special privileges. The attack uses only the privileges granted to classes loaded using the classloader. In order to understand the risks of this flaw we have implemented a demo of the attack on the Reliable Software Group site. This demo has as a target the site of a bank that uses Java for login. The results of this demo is that although the bank site uses SSL, a user is able to verify that he/she is interacting with the desired site, when being attacked. So there is no indication of an attack, and the user can verify the bank's certificate. However, in the demo, instead of the browser sending the login information to the bank server, it sends it to our server, in plain text. As is the case with most of the previously reported CLASSPATH attacks, for our attack it is necessary for the user to load classes on the CLASSPATH. One can not stress enough that there is a lot of trust involved with downloading files onto your computer and pre-loading classes onto your classpath. Therefore, if the user is following the procedure of installing only files that he/she can be 100% sure will not do any harm, then this CLASSPATH attack will not work. We believe, however, that it is likely that one could trick a user into loading .zip files. One such file could have the classes necessary for the attack in addition to a set of useful and harmless classes. We have notified Netscape and Microsoft about our attack. Microsoft answered that this is the way that Java is supposed to work. Netscape said that this problem can be partially solved using the function matchPrincipal from their enhanced model. They also added that they are working on improvements for this model and will consider a total solution to the problem. Andre Santos, Reliable Software Group, UCSB [See a paper by Flavio De Paoli, Andre Santos, and Dick Kemmerer, ``Vulnerability of `Secure' Web Browsers, presented last week at the National Computer Information Systems Security Conference in Baltimore, pp. 476-487, which was presented by Dick. PGN] ------------------------------ Date: Fri, 10 Oct 1997 21:41:18 -0700 (PDT) From: "Bryan O'Sullivan" Subject: Risks of installing Internet Explorer 4.0 [See a subsequent message from Bryan in RISKS-19.42 before you read this. Note added in archive copy. PGN] I just downloaded and installed Microsoft Internet Exploder 4.0 onto my PC running Windows 95 at home. Among the optional features that come with this release are a few tidbits that were included with Plus!, the mostly-useless set of bells and whistles that was packaged separately from Windows 95. Two of these features are opaque window manipulation (when you move or resize a window, the entire window moves in real time, rather than a rubberband representation being tweaked) and anti-aliasing of large fonts. The anti-aliasing feature is quite useful; it makes fonts in large point sizes noticeably less pixelated. However, in this feature lies a small, and somewhat malicious, piece of code. This snippet of code apparently checks to see whether it is being asked to render a font by the Netscape Navigator browser (or, indeed, any component of the Communicator 4.x suite). If it is, it gives back a plain old jagged-edged font; otherwise, in every instance I have been able to check, it gives back an anti-aliased font. This appears to be a clear instance of discriminatory coding on the part of Microsoft, and is intended, one presumes, to make Navigator look somewhat cruddy in comparison with MSIE (not to mention all of the other software on a system). It begs a troubling question: what other features were included in MSIE 4.0 that were intended to, in some sense, impede the software of Microsoft's competitors? ------------------------------ Date: 8 Oct 1997 19:09:39 -0000 From: stig@hackvan.com Subject: Cold weather impairs fiber performance According to Interactive Week, Bellcore has recently been reminding the world that things tend to shrink when they get cold. Including fiber optic cables, which tend to pull themselves more tightly around corners when they contract. This can interrupt signals in the fiber because the fiber isn't engineered to do hairpin turns. Add the move to DWDM (Dense Wave Division Multiplexing), which uses multiple wavelengths of light on the same fiber to carry more data, and fiber that worked before can suddenly start to go dead when the temperature drops. The longer wavelengths of light (up to 1650nm instead of the older 1310nm), the more intolerant those wavelengths are to tight bending of the fiber. This problem was first noted in 1993 when Nynex was having problems, but people still seem not to be aware of the problem. Of course, Bellcore wants to sell you test equipment to see if your fiber might have these sorts of problems. I just think it's a particularly entertaining mode of failure... Stig ------------------------------ Date: Fri, 10 Oct 1997 21:30:42 -0700 (PDT) From: "Stuart L. Anderson" Subject: Stink-Bombed Computers According to the *South China Morning Post* Internet Edition of 10 Oct 1997, the Hong Kong Government Flying Service will replace its two fixed-wing search and rescue aircraft after the move from Kai Tak to the new airport. Maintenance and spare parts on the two Super Kingair planes cost millions of HK dollars (1US$ = 7.74 HK$). The aircraft computer systems were repeatedly corroded by hydrogen sulphide gas (rotten egg smell) from sewage and industrial waste in a nearby waterway. Stu Anderson (stuander@halcyon.com) ------------------------------ Date: Mon, 13 Oct 1997 10:16:12 -0500 (CDT) From: sewilco@fieldday.mn.org Subject: US West and 911: Silence Is OK US West has pointed out that 911 phone lines are working too well. The 911 emergency reporting system in the largest cities in Minnesota was converted to a digital phone system. There is less noise on the phone lines, and apparently there was concern that people will hear complete silence before the ringing starts, without the common hiss of static, and will think there's a problem with the phone or their dialing. http://www.uswest.com/com/aboutusw/newsreleases/comm/100897.html Minneapolis/ St. Paul Metropolitan 9-1-1 Board Urges: When You Call 9-1-1, Stay on the Line Upgraded 9-1-1 Network Provides Quiet, Digital Connections and Improved Reliability MINNEAPOLIS/ST. PAUL, Minn., Oct. 8 -- It's an emergency. You need help fast. You pick up the telephone and call 9-1-1 ... just like you have been instructed many times. But there is no immediate sound on the line. No immediate ringing and the line is absolutely noiseless. You begin to think the call has not gone through. Don't hang up, say the Metropolitan 9-1-1 Board, U S WEST and public safety officials. New digital technology and an upgraded 9-1-1 network are providing a noise-free 9-1-1 network. So, even though you don't hear the typical call processing sounds, the call is being routed through the network to a 9-1-1 answering point. So, if you call 9-1-1, stay on the line. Do not hang up. Although the seconds can seem like an eternity when help is needed, hanging up and redialing could cost valuable time. U S WEST and the Metropolitan 9-1-1 Board have implemented a new digital switching system and a redundant network for the 9-1-1 system serving the seven-county metro area. The digital system provides state-of-the-art call processing. The redundant network provides a backup call routing path that tremendously enhances the reliability of the 9-1-1 system. "This new digital technology and redundant network provide a highly reliable 9-1-1 system that is one of the best in the country," said Nancy Pollock, executive director for the Metropolitan 9-1-1 Board. "Our upgraded 9-1-1 system also provides significantly improved call transfer capabilities and clear, quiet connections." Wally Abrahamson, chair of the Metropolitan 9-1-1 Board and former Stillwater police chief said, "Some 911 Centers report an increase in the number of callers who are hanging up before the 911 call taker has the opportunity to answer the call. You should stay on the line, even if you hear silence instead of an immediate ring. Hanging up to redial could waste valuable time." The Metropolitan 9-1-1 Board serves 26 public safety answering points (PSAPs) in the seven-county metropolitan area. ------------------------------ Date: Wed, 15 Oct 1997 16:50:40 -0400 From: Dan Wallach Subject: The risks of license servers I recently got this message attempting to find out what's on TV at www.tvguide.com. login: FATAL ERROR: Server message: Message number: 18458, Severity 14, State 1, Line 0 Server 'Microsoft SQL Server' Message String: Login failed- The maximum simultaneous user count of 25 licenses for this server has been exceeded. Additional licenses should be obtained and registered via the Licensing application in the NT Control Panel. The risks are sending your customers to other servers using software that actually works, although you may get some strange calls from customers wondering why they need to buy new licenses... Dan ------------------------------ Date: Tue, 14 Oct 1997 09:02:00 GMT From: jdoliver@ozemail.com.au (John Oliver) Subject: Risk of not updating web pages I have been trying to get information about courses at one of the major Australian universities. The web site lists X as the contact person for the Faculty of Arts. All mail to X bounces with a message that the mail spool is full. After weeks of trying, I finally found someone who would read my complaint about it and check. It turns out that X is on maternity leave and no one changed the web page. I wonder how many enquires are backed up in the mail queue and how many have bounced? John (jdoliver@ozemail.com.au) ------------------------------ Date: Wed, 1 Oct 1997 13:09:09 -0700 From: stalzer@macaw.hrl.hac.com (Mark Stalzer) Subject: Re: Possible breakthrough in NP-completeness (Hayward, RISKS-19.40) I have quickly (15 min) reviewed the description of Jonathan Hayward's npc algorithm in npc.tar.Z.uu. Using sets to represent collections of satisfying states is clever. Unfortunately, it has been done before and it does not get around a combinatorial explosion because the set representation (a tree) can blow up. (Its size can in no way be bounded by the size of the formula parse tree.) I have attached a list of references below. The reference bdd:survey is probably the best general reference, and bdd:ordering deals with combinatorial explosion of the data structures and the sensitivity to variable ordering. My dissertation also contains a chapter on these techniques. Mark @ARTICLE{bdd:bryant, AUTHOR = "R.E. Bryant", TITLE = "Graph-based algorithms for boolean function manipulation", JOURNAL = "IEEE Transactions on Computers", YEAR = 1986, VOLUME = "C-35", NUMBER = 8} @ARTICLE{bdd:survey, AUTHOR = "R.E. Bryant", TITLE = "Ordered binary-decision diagrams", JOURNAL = "ACM Computing Surveys", YEAR = 1992, VOLUME = 24, NUMBER = 3} @INPROCEEDINGS{bdd:ite, AUTHOR = "K.S. Brace and R.L Rudell and R.E. Bryant", TITLE = "Efficient implementation of a {BDD} package", BOOKTITLE = "27th ACM/IEEE Design Automation Conference", YEAR = 1990} @TECHREPORT{bdd:ucsc, AUTHOR = "K. Karplus", TITLE = "Representing Boolean Functions with {If-Then-Else DAGs}", INSTITUTION = "University of California, Santa Cruz", YEAR = 1988, NUMBER = "UCSC-CRL-88-28"} @ARTICLE{bdd:ordering, AUTHOR = "H-T Liaw and C-S Lin", TITLE = "On the {OBDD}-Representation of General Boolean Functions", JOURNAL = "IEEE Transactions on Computers", YEAR = 1992, VOLUME = "C-41", NUMBER = 6} ------------------------------ Date: Wed, 1 Oct 1997 17:14:31 -0400 (EDT) From: Gary McGraw Subject: P =? NP One of our star research associates took a look at the Web pages the "NP solution" blurb pointed to. Here's what he has to say. gem Without a rigorous look at the algorithm, it appears to do some sort of short-circuiting evaluation. If you look at a short-circuited truth table with N expressions it can have between N+1 and F(N+1) rows in it, where F(N) is our good friend Fibonacci. (F(0) = 1, F(1) = 1, F(N+2) = F(N) + F(N+1) for N>=0) which has a NON polynomial closed form. Expressions that look like: ((((....(A || B) && C) || D) && E)....) have the maximum number of rows in the truth table. After converting these to the form of just AND's and NOT's I ran it through the given program. Interestingly, the two functions: intersection and complement were each called very close to F(N+4) when I used an expression with N variables. This held true for 4 30, the program core dumped. While, I don't know for a fact that this relation continues to hold for large N, the relation is very close for the N tried, which leads me to believe that this is NOT a polynomial solution to the problem. Michael A. Schatz, RST Corporation, 21515 Ridgetop Circle, Sterling, VA 20166 mschatz@rstcorp.com (703) 404-9293 ------------------------------ Date: 1 Oct 1997 23:12:48 GMT From: mdw@midnight.CS.Berkeley.EDU (Matt Welsh) Subject: Microsoft euphemisms (Re: Mellor, RISKS 19.40) My favorite Microsoft euphemism at last week's Professional Developer Conference in San Diego: "Down-level browser": Any browser which isn't Internet Explorer 4.0, including Netscape. This is apparently part of Microsoft's strategy to pull the rug out from underneath Java and JavaScript by introducing Dynamic HTML, VBScript, and ActiveX as the "new cutting edge" of web scripting. Apparently Microsoft's idea is that since their browser supports this technology and nobody else's does, all other browsers are now immediately tagged "down-level browsers". I guess since my own homebrew Foobar Explorer Web browser has the lastest-and-greatest version of my own FrobnitzScript language and nobody else has it, *both* Netscape and IE are "down-level browsers" as far as I'm concerned! M. Welsh, UC Berkeley, mdw@cs.berkeley.edu ------------------------------ Date: 1 Oct 1997 23:16:26 GMT From: mdw@midnight.CS.Berkeley.EDU (Matt Welsh) Subject: Re: AOL may introduce ads on private e-mail (Rothwell, 19.40) >The German unit of AOL is planning to boost advertising revenues by >including ads on private electronic mail, and AOL itself is considering it. ... thus rendering _all_ electronic mail passed through AOL "commercial e-mail", making it illegal (without appropriate header tags) under various proposed anti-spam bills! I love it! M. Welsh, UC Berkeley, mdw@cs.berkeley.edu ------------------------------ Date: Thu, 2 Oct 1997 10:49:11 -0400 (EDT) From: Brian Clapper Subject: Re: FBI wants to ban the Bible: steganography (Theunissen, RISKS-19.40) I believe Mr. Theunissen is describing `steganography'--hiding secret messages inside other messages. According to the "International Cryptography" web page , there are a number of existing tools to accomplish steganographic ends. I quote directly from Steganography - Stealth is a simple filter for PGP which strips of all identifying header information to leave only the encrypted data in a format suitable for steganographic use. It is available in http://dcs.ex.ac.uk/~aba/stealth/. - Stego converts a binary file into nonsense text. http://www.fourmilab.ch/stego/. - Stegodos is a set of DOS programs that encodes binaries into captured images. It is available in ftp.funet.fi:/pub/crypt/steganography. - MandelSteg and GIFExtract hide data in Mandelbrot GIFs. There is a home page, and it is available in idea.sec.dsi.unimi.it:/pub/security/crypt/code. - Hide and Seek is a stego program for dos. It is available in ftp://ftp.funet.fi/pub/crypt/steganography/hdsk41.zip. - jpeg-jsteg hides data inside a JPEG file. It is available in ftp.funet.fi:/pub/crypt/steganography as a diff to the standard jpeg-v4 distribution. - Steganography Tools 4 encrypts the data with IDEA, MPJ2 (up to 512bits key), DES, 3DES and NSEA in CBC, ECB, CFB, OFB and PCBC modes and hides it inside graphics (BMP files), digital audio (WAV files) or unused sectors of HD floppies. ftp://idea.sec.dsi.unimi.it/pub/security/crypt/code/s-tools4.zip Brian Clapper, clapper@platinum.com ------------------------------ Date: Fri, 3 Oct 1997 14:30:39 +0100 (BST) From: Stephen Crane Subject: Re: FBI wants to ban the Bible: Linear A/B (Fenimore, RISKS-19.40) Linear A is undeciphered (due to a lack of text, I would imagine). Linear B was deciphered by Michael Ventris in 1952. I don't think Linear-C exists; while there were 3 Minoan languages, the first of these was hieroglyphic, not linear. Of (potentially) greater relevance is this URL turned up by AltaVista, http://raphael.math.uic.edu/~jeremy/crypt/LinearB.html Unfortunately at the time of writing, raphael.math.uic.edu seems to be asleep. Ho hum. Steve [Ventris also noted by Pete Mellor . PGN] ------------------------------ Date: Sun, 05 Oct 1997 16:27:20 -0400 From: Mike Subject: Re: FBI wants to ban the Bible: Linear A/B (Fenimore, RISKS-19.40) "Forgotten Scripts," Cyrus Gordon (revised and enlarged 1982, Dorset Press Edition 1987) is a wonderful tutorial by a primary scholar on the application of cryptanalysis and decipherment to Egyptian, Old Persian, Sumerian, Akkadian, Cuneiform and Hittite, Ugaritic, (non-Greek, Semitic) Minoan in Linear A script, (Greek) Mycenean written in Linear B script, and Eblaite. There are some uncertainties in all of these, awaiting more text to turn up, but all have been deciphered. ------------------------------ Date: Wed, 1 Oct 1997 20:18:04 -0500 From: Bruce Schneier Subject: The Electronic Privacy Papers: A new book by Schneier/Banisar Bruce Schneier and David Banisar The Electronic Privacy Papers: Documents on the Battle for Privacy in the Age of Surveillance John Wiley & Sons, 1997 ISBN: 0-471-12297-1; 747 pages Retail: $60 hardcover Info is at http://www.counterpane.com. Trying to keep up with the advancements in cryptography and digital telephony, the government has advocated controversial new tools that will allow them to monitor electronic communications. On the other side of the spectrum, privacy advocates are vehemently opposed to any government monitoring whatsoever. The Electronic Privacy Papers is a collection of previously unreleased documents dealing with privacy in the Information Age. Combining public government pronouncement, public reactions, and previously classified documents released under FOIA, this book paints a clear picture of government policies towards encryption and privacy and how they will impact individuals and companies involved with the Internet. Issues covered include: * The economic and political rationale for demanding digital wiretapping and surveillance. * The legal foundations, and limitations to, government surveillance. * Government strategies for soliciting cooperation from telephone companies and equipment manufacturers. * Which policies industries and individuals can expect the government to pursue in the future. The Electronic Privacy Papers retails for $60 in hardcover. I am offering it at the usual 15% discount. Bruce Schneier, Counterpane Systems, 101 E Minnehaha Parkway, Minneapolis, MN 55419 Table of Contents PART 1: PRIVACY AND THE INFORMATION SNOOPERHIGHWAY Introduction: Roadblocks on the Information Superhighway PART 2: WIRETAPPING Overview of Wiretapping PART 3: LOBBYING FOR SURVEILLANCE: THE DIGITAL TELEPHONY PROPOSAL Government Pronouncements: The Digital Telephony Proposal Behind the Iron Curtain: Operation Root Canal Digital Telephony: The Public Response PART 4: CRYPTOGRAPHY Cryptography - The Cure for the Common Bug PART 5: THE BATTLE FOR CONTROL OF CRYPTOGRAPHY The Field of Battle: An Overview Early Skirmishes The Clipper Chip Proposal Unclassified: The Story Behind Clipper Clipping the Clipper: Public Response to Desktop Surveillance PART 6: PUTTING THE GENIE BACK IN THE BOTTLE: EXPORT CONTROLS ON CRYPTOGRAPHY Atom Bombs, Fighter Planes, Machines Guns and Cryptography: Export Control Untying the Gordian Knot: Efforts to Relax Export Controls PART 7: BIG BROTHER AS THE KEEPER OF THE KEYS: WILL THE GOVERNMENT TAKE OVER CRYPTO? Banning Cryptography Software Key Escrow EPILOGUE: THE FUTURE OF CRYPTOGRAPHY Bibliography of Books on Wiretapping, Cryptography and Privacy Index. ------------------------------ Date: 1 Apr 1997 (LAST-MODIFIED) From: RISKS-request@csl.sri.com Subject: Abridged info on RISKS (comp.risks) The RISKS Forum is a MODERATED digest. Its Usenet equivalent is comp.risks. => SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) if possible and convenient for you. Or use Bitnet LISTSERV. Alternatively, (via majordomo) DIRECT REQUESTS to with one-line, SUBSCRIBE (or UNSUBSCRIBE) [with net address if different from FROM:] or INFO [for unabridged version of RISKS information] => The INFO file (submissions, default disclaimers, archive sites, .mil/.uk subscribers, copyright policy, PRIVACY digests, etc.) is also obtainable from http://www.CSL.sri.com/risksinfo.html ftp://www.CSL.sri.com/pub/risks.info The full info file will appear now and then in future issues. *** All contributors are assumed to have read the full info file for guidelines. *** => SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line. => ARCHIVES are available: ftp://ftp.sri.com/risks or ftp ftp.sri.comlogin anonymous[YourNetAddress]cd risks [volume-summary issues are in risks-*.00] [back volumes have their own subdirectories, e.g., "cd 18" for volume 18] or http://catless.ncl.ac.uk/Risks/VL.IS.html [i.e., VoLume, ISsue]. The ftp.sri.com site risks directory also contains the most recent PostScript copy of PGN's comprehensive historical summary of one liners: get illustrative.PS ------------------------------ End of RISKS-FORUM Digest 19.41 ************************