
From Today's RISKS column





I'm sending this because of the first item, but thought the rest were
relevant also, although I would assume that most c'p'ers would read
comp.risks anyway...


If you haven't seen it, be sure to check out the piece by EFFector
Online 07.08 and Digital Media, "Ever Feel Like You're Being Watched?
You Will..." -- see below for details...

...

from: RISKS-LIST: RISKS-FORUM Digest  Tuesday 10 May 1994  Volume 16 : Issue 04

----------------------------------------------------------------------

Date: 06 May 94 00:06:10 -0500
From: [email protected] (Dave Leibold)
Subject: Secret elevator codes baffle Metro Toronto government

An article in _The_Toronto_Star_ on 5 May 1994 described secret codes which
are necessary to maintain elevators at Metro Hall, the building which houses
Metro Toronto municipal council and services. The elevators, made and
maintained by Schindler Elevator Corp., require secret password codes in order
to maintain them. This means that only Schindler staff can maintain the Metro
Hall lifts, and as such forced Metro Council to award a 10 year contract of
$3.5 million to Schindler. Meanwhile, Metro is also suing the building's
developer, Marathon Realty, to try to get the codes. Without the passwords,
elevator maintenance contracts cannot be given to a competing firm.

Metro Councillor Howard Moscoe wanted the Council to issue a $10 000
reward to the first person to successfully crack Schindler's Code.
This motion probably didn't get approval.

David Leibold       Fidonet 1:250/730  [email protected]

------------------------------

Date: 09 May 94 06:31:56 EDT
From: "Mich Kabay [NCSA]" <[email protected]>
Subject: Dartmouth prof spoofed

Here is some old news that was new to me:

According to the _Dartmouth Life_ newsletter (Feb 1994--I'm just clearing up
my in basket today), an article appeared in _The New York Times_ on 94.01.05
entitled "Confronting changing ethics of the computer age."

The unsigned article begins, "Hanover, N.H. -- Somebody in Prof. David
Becker's course on Latin American politics did not want to take the midterm
exam, so he or she used Dartmouth's innovative electronic mail network to
impersonate a department secretary and cancel the test.
     "At 11 o'clock on the night before the test in the Government 49 class, a
message flashed on students' computer screens.  Because of a family emergency,
the message said, Professor Becker would be unable to administer the midterm."

The article explains that half the class understandably failed to show up for
the test.  No one has been identified yet as the culprit.

The rest of the article talks about the extensive electronic mail system on
campus.  One of the key concerns of the unregulated network is the rapid
spread of rumours: "Late in August computer flashed an account of a woman
being raped while jogging near campus.  The message was intended as a warning,
but there had been no rape."

The Hanover police department were swamped with calls.  The Chief of Police now
has his own electronic mail account to try to squelch rumours.

M. E. Kabay, Ph.D. (Dartmouth '76) / Dir Educn / Natl Computer Security Assn.

------------------------------

Date: Mon, 9 May 1994 18:04:54 +0100
From: [email protected] (Paul C Leyland)
Subject: Re: Bellcore cracks 129-digit RSA encryption code (RISKS-16.03)

>   predicted would take "40 quadrillion years" to break.  ...

>   This mathematically arduous task was accomplished in eight months by
>   600 volunteers in 24 countries who used their organizations' spare
>   computing capacity.  ...

There are two risks, one amusing.  Ron Rivest now regrets ever making that 40
quadrillion years estimate.  It was silly when he made it; his papers in the
scientific literature from that era give estimates which are within an order
of magnitude of how much computation we actually used.  From those estimates,
and the observation that way back then it wasn't feasible to hook together
hundreds of computers, we can deduce that a late 70's supercomputer using the
best algorithms available then would have taken a few decades, maybe a
century.  Certainly much less than the 40 quadrillion years.  The risk is:
making predictions about the runtime of computer programs can sometimes make
you look silly 8-)

The other risk is more serious.  RSA is widely used to protect commercially
significant information.  512-bit keys are widely used for this.  Most, if not
all, smart-card implementations are restricted to 512-bit keys.  RSA-129 has
425 bits.  I estimate (taking a risk 8-) that 512-bit keys are only about 20
times harder to break than 425-bit keys.  Readers are left to draw their own
conclusions.  However, it is not by chance that I have a 1024-bit PGP key.

Oh yes, as Arjen Lenstra had pointed out: if you had used RSA-129 as
the modulus in a digital signature for a 15-year mortgage, you would
have been cutting it pretty fine.  It is the use of RSA for long-lived
signatures which needs to be examined with a very critical eye.

Paul Leyland (one of four RSA-129 project coordinators)

------------------------------

Date: Fri, 6 May 1994 02:45:26 +0200
From: [email protected]
Subject: Re: Bellcore cracks 129-digit RSA encryption code

Perhaps because there is no risk beyond the known ones?  Bob Silverman of
MITRE (well known in number factoring circles) has publicly predicted already
some time ago that it would require about 5000 MIPS years to factor the
number.  Reasonably close to the actual figure.

That the team was led by Bell Communications Research is untrue.  It is a team
led by four people from Bellcore (Arjen Lenstra), MIT (Derek Atkins), Iowa
State University (Michael Graff) and Oxford University (Paul Leyland).

dik t. winter, cwi, kruislaan 413, 1098 sj  amsterdam, nederland, +31205924098
home: bovenover 215, 1025 jn  amsterdam, nederland; e-mail: [email protected]

------------------------------

Date: Thu, 5 May 94 20:02 PDT
From: [email protected] (Paul Buder)
Subject: Re: Bellcore cracks 129-digit RSA encryption code (RISKS-16.03)

I've heard this 40 quadrillion years figure a couple of times now and I
find it odd.  Is that what the Scientific American said?  I have the
original document from MIT's Laboratory for Computer Science.  It's
titled "A Method for Obtaining Digital Signatures and Public-Key
Cryptosystems" by Ronald Rivest, Adi Shamir, and Len Adleman, April
1977.  I can't do superscripting with vi so 10 10th means 10 to the
10th power.  It has the following table in it:

Digits        Number of Operations          Time
===================================================
50            1.4 X 10 10th                 3.9 hours
75            9.0 X 10 12th                 104 days
100           2.3 X 10 15th                 73 years
200           1.2 X 10 23rd                 3.8 X 10 9th years
300           1.5 X 10 29th                 4.8 X 10 15th years
500           1.3 X 10 39th                 4.2 X 10 25th years

200 digits was supposed to take 3.8 trillion years and 100 a mere 73.
So where does the 40 quadrillion figure come from?

[email protected]  Not affiliated with teleport.

------------------------------

Date: 9 May 1994 15:26:52 GMT
From: [email protected](Walter C. Daugherity)
Subject: White House May Issue National ID Cards

From Prodigy 5/9/94:

White House May Issue National ID Cards

The Clinton administration is working on a national ID card that every
American would need in order to interact with any federal agency, reports
Digital Media: A Seybold Report, a computer industry newsletter based in
Media, Pa.

The so-called U.S. Card would be issued to citizens by the Postal Service.  It
would be issued as a "smart card," with its own internal CPU, or as a plug-in
"PCMCIA" card with megabytes of built-in memory.

Administration approval of the plan "could come at any time," states the
newsletter.

Walter C. Daugherity  [email protected]  uunet!cs.tamu.edu!daugher
Texas A & M University, College Station, TX 77843-3112  DAUGHER@TAMVENUS

   [Several folks sent me Mitch's piece from EFFector Online 07.08, and
   Digital Media, "Ever Feel Like You're Being Watched?  You Will..."  
   However, I cannot run it in RISKS because of its copyright notice.  
   Contact Mitch Ratcliffe <[email protected]> (NOT RISKS) if you want 
   a copy of the whole article.  PGN]

------------------------------


-- 
[email protected] (David Taffs)