Re: Intel Symantec v. ZKS?

1999-05-01 Thread William H. Geiger III

In [EMAIL PROTECTED], on 04/29/99 
   at 03:40 PM, Anonymous [EMAIL PROTECTED] said:

William H. Geiger III writes:

 One has to wonder if this is the actions of a company that is trustworthy
 enough to supply RNG's to the community. IMHO it is not and I sincerely
 hope support for the PIII is *not* included in /dev/random and/or IPSEC. I
 will not be adding any support code in my software.

He quotes John Markoff's story in the New York Times:

 Earlier this month, an Intel executive called executives at the Symantec
 Corporation, maker of the popular Norton Antivirus software, and told them
 that the demonstration program was "hostile code."

 Symantec agreed that the program fit its definition of a type of malicious
 program known as a Trojan horse, so it included the software in its
 continually updated list of dangerous programs, which include viruses,
 that cause warnings to pop up on its customers' computers.

In fact, this is perfectly reasonable on the part of Symantec, and if I
had a PIII I would absolutely want my virus detection software to catch
code which enables the serial number.  Any such action on the part of
downloaded code is malicious and not in my interests, and anything the
software can do to prevent it is good.

This sets a precedent that code which reads the serial number contrary to
the user's wishes is hostile.  This should help dissuade over-eager
software registration programs from using the serial number in their
registration process.  No antivirus software can detect all programs
which try to read the serial number, but by making clear that such
actions are antisocial it will help restrict its use.

Granted, it would be better if the serial number didn't exist at all (but
of course we know that network interface cards have always had serial
numbers, don't we?).  And it would be better if Intel's method of turning
off the serial number worked right.  But given that it does exist in a
family of processors which will probably be widely used (ineffectual
boycotts to the contrary), users do benefit by having unauthorized serial
number programs be detected and identified as dangerous.

No, all this does is set the precedent of a major corporation flexing its
muscle in an attempt to silence those who would expose their lies. This is
a typical case of corporate CYA and I am appalled by it. Do you honestly
think that Symantec is going to list any Microsoft products as a virus
when they covertly turn on this feature?

As far as ineffectual boycotts, I am not asking for the software not to
run on a P-III, I am asking that specific support for the P-III RNG not be
added. I don't think requiring Intel to shape up if they want to be
players in the crypto community is a Badthing(TM).


 [Personally, given how bad the random number sources are in most
 software, I'd say you are not doing your users a service. --Perry]

Of course Perry is absolutely right.  The Intel RNG can provide a badly
needed source of randomness.  The real problems are first, as was pointed
out here yesterday, Intel has not documented how to read the RNG (and is
apparently only supplying that information to partners like RSA and
Microsoft).  And second, how should we count the entropy added by the
RNG. Here is where the trust issue comes into play.  If it is really a
good RNG we can count every bit as a bit of entropy.  If we don't trust
it, we can use the RNG data but not count entropy from it at all.  Or we
could split the difference and "semi" trust Intel, counting only some
fraction of the nominal entropy provided by the RNG source.

So we should just blindly use a RNG of unknown properties from an
untrustworthy company? What will happen next when the P-IV has a built-in
crypto module (it is the next logical step)? Yes, many programs have bad
random sources; many programs have bad crypto, period. I don't use them and
I don't support them, plain and simple. I have to reiterate my original
statement from the /dev/random thread that I started:

"I have specific concerns, the #1 of which is that no analysis of this
program has been done!! If this was a crypto algorithm and one was to use
it without any analysis of it but only because "it came with the OS" one
would be severely chastised by the community. Unfortunately I am seeing
too many programmers blindly using /dev/(u)random on this very basis. I am
not saying it is a bad program, I am not saying it is a good program, I am
saying it is an unknown, and with something as important as one's random
number pool IMNSHO an unknown is not acceptable."

Here we have an RNG of unknown properties and yet there are already those
who wish to blindly rush out and use it. You really should know better.

-- 
---
William H. Geiger III  http://www.openpgp.net
Geiger Consulting    Cooking With Warp 4.0

Author of E-Secure - PGP Front End for MR/2 Ice
PGP & MR/2 the only way for secure e-mail.
OS/2 PGP 5.0 at: 
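
Added example (not part of the original thread or any poster's code): the three entropy-crediting policies debated in the message above (count every bit, count nothing, count a fraction), sketched as a toy hash pool. `EntropyPool`, `pool_after_hw_sample` and the sample bytes are hypothetical and constructed for illustration; this is not how /dev/random is implemented.

```python
import hashlib

HW_SAMPLE = bytes(range(32))  # constructed stand-in for 32 bytes of hardware RNG output


class EntropyPool:
    """Toy hash pool (hypothetical, not /dev/random's real design)."""

    def __init__(self, capacity_bits=256):
        self.state = bytes(32)
        self.capacity_bits = capacity_bits
        self.credited_bits = 0.0

    def mix(self, data, nominal_bits, trust):
        """Always mix the data in; credit only trust * nominal_bits."""
        if not 0.0 <= trust <= 1.0:
            raise ValueError("trust must be between 0 and 1")
        # Mixing is unconditional: hashing in data an attacker may know
        # does not remove unpredictability the state already holds.
        self.state = hashlib.sha256(
            self.state + len(data).to_bytes(4, "big") + data).digest()
        # The trust decision only affects the accounting.
        self.credited_bits = min(
            self.capacity_bits, self.credited_bits + nominal_bits * trust)

    def extract(self, nbytes):
        """Blocking-style read: refuse output beyond the credited entropy."""
        if not 0 < nbytes <= 32:
            raise ValueError("nbytes must be 1..32")
        if nbytes * 8 > self.credited_bits:
            raise BlockingIOError("not enough credited entropy")
        out = hashlib.sha256(b"out" + self.state).digest()[:nbytes]
        self.state = hashlib.sha256(b"next" + self.state).digest()
        self.credited_bits -= nbytes * 8
        return out


def pool_after_hw_sample(trust):
    """Feed the constructed sample into a fresh pool under a trust policy."""
    pool = EntropyPool()
    pool.mix(HW_SAMPLE, nominal_bits=len(HW_SAMPLE) * 8, trust=trust)
    return pool


if __name__ == "__main__":
    for trust in (1.0, 0.25, 0.0):  # full, "semi", and zero trust
        pool = pool_after_hw_sample(trust)
        print(trust, pool.credited_bits, pool.state.hex()[:16])
```

With zero trust the pool state still changes, but a blocking read gets nothing until some other source earns credit.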

Re: Intel Symantec v. ZKS?

1999-04-30 Thread alano

   Symantec agreed that the program fit its definition of a type of malicious
   program known as a Trojan horse, so it included the software in its
   continually updated list of dangerous programs, which include viruses,
   that cause warnings to pop up on its customers' computers.
  
  In fact, this is perfectly reasonable on the part of Symantec, and if I
  had a PIII I would absolutely want my virus detection software to catch
  code which enables the serial number.  Any such action on the part of
  downloaded code is malicious and not in my interests, and anything the
  software can do to prevent it is good.
 
 True, but a question well worth asking is "why doesn't antivirus
 software assume that ActiveX controls are malicious until proven
 otherwise"?

Because every copy of Win98 would be flagged as being totally ridden with hostile 
trojans and viruses.  (I know.  "And your point being?")





Re: Intel Symantec v. ZKS?

1999-04-29 Thread William H. Geiger III


One has to wonder if this is the actions of a company that is trustworthy
enough to supply RNG's to the community. IMHO it is not and I sincerely
hope support for the PIII is *not* included in /dev/random and/or IPSEC. I
will not be adding any support code in my software.

[Personally, given how bad the random number sources are in most
software, I'd say you are not doing your users a service. --Perry]

-
The following message is forwarded to you by "William H. Geiger III"
[EMAIL PROTECTED] (listed as the From user of this message).  The
original sender (see the header, below) was "James S. Tyre"
[EMAIL PROTECTED] and has been set as the "Reply-To" field of this
message.
-
To: [EMAIL PROTECTED]
From: "James S. Tyre" [EMAIL PROTECTED]
Subject: Intel & Symantec v. ZKS?

Fascinating.  Intel doesn't like ZKS' latest expose of PIII flaws, so it
has Symantec classify ZKS as a virus.  Nice to have money and power, I
guess.  What with McAfee Antivirus blocking www.digicrime.com and a few
others, do we have a newly emerging class of censorware?

-J

http://www.nytimes.com/library/tech/99/04/biztech/articles/29chip.html

April 29, 1999
Intel Goes to Battle as Its Embedded Serial Number Is Unmasked
By JOHN MARKOFF

SAN FRANCISCO -- When privacy advocates first sounded alarms in January
about a serial number that the Intel Corporation had embedded in its new
Pentium III processor, the company quickly responded by distributing
software that enabled owners of Pentium III computers to hide the number.
But it now appears that the problem is not solved and is not about to fade
away.

Recently a researcher at a small Canadian software company found a way to
make the serial number that has been hidden visible again to prying eyes --
and without the owner's realizing it. Acting in what it says is the public
interest, the company, Zero-Knowledge Systems of Montreal, placed a
program on its Web site demonstrating the vulnerability.

This time, Intel is responding more aggressively.

Earlier this month, an Intel executive called executives at the Symantec
Corporation, maker of the popular Norton Antivirus software, and told them
that the demonstration program was "hostile code."

Symantec agreed that the program fit its definition of a type of malicious
program known as a Trojan horse, so it included the software in its
continually updated list of dangerous programs, which include viruses,
that cause warnings to pop up on its customers' computers.

Now users of the Norton antivirus software who visit the Zero-Knowledge
site get a warning that they are about to download a virus.

In this case, one man's virus is another's diagnostic tool.

[]

-- End of forwarded message
-

-- 
---
William H. Geiger III  http://www.openpgp.net
Geiger Consulting    Cooking With Warp 4.0

Author of E-Secure - PGP Front End for MR/2 Ice
PGP & MR/2 the only way for secure e-mail.
OS/2 PGP 5.0 at: http://www.openpgp.net/pgp.html
Talk About PGP on IRC EFNet Channel: #pgp Nick: whgiii

Hi Jeff!! :)
---





Re: Intel Symantec v. ZKS?

1999-04-29 Thread Bill Sommerfeld

  Symantec agreed that the program fit its definition of a type of malicious
  program known as a Trojan horse, so it included the software in its
  continually updated list of dangerous programs, which include viruses,
  that cause warnings to pop up on its customers' computers.
 
 In fact, this is perfectly reasonable on the part of Symantec, and if I
 had a PIII I would absolutely want my virus detection software to catch
 code which enables the serial number.  Any such action on the part of
 downloaded code is malicious and not in my interests, and anything the
 software can do to prevent it is good.

True, but a question well worth asking is "why doesn't antivirus
software assume that ActiveX controls are malicious until proven
otherwise"?

- Bill