Don't know about you, but I've always wanted to know the things they don't
want me to know. Not for political or monetary gain, but just because I'm
not supposed to. For instance, wouldn't you just love to know how fine is
the detail that U.S. spy satellites can resolve on the ground? (Cold War
joke: a sign on the roof of the Pentagon says, in 6-inch-high letters: "If
you can read this / you're where we were / 8 years ago.") Wouldn't you love
to know if the NSA and/or the CIA is really listening in on U.S. citizens'
phone and Internet traffic? (One of my favorite .sig's, originator unknown,
reads: "The NSA is now funding research not only in cryptography, but in all
areas of advanced mathematics. If you'd like a circular describing these new
research opportunities, just pick up your phone, call your mother, and ask
for one.") Wouldn't you love to know whether the NSA can break messages
encrypted with a 512-bit PGP key?
On 1996-01-28 Harvard Law School hosted a symposium titled "Information,
National Policies, and International Infrastructure." Paul Strassmann
(National Defense University) and William Marlow (Science Applications
International Corporation) gave a talk [1] entitled "Anonymous Remailers as
Risk-Free International Infoterrorists." A week later an attendee, an
Austrian economist, wrote a note [2], [3] apparently to the "help" email
address of HotWired; at some point the note was posted anonymously to a
number of newsgroups on anonymity and politics. I have not been able to find
an email address for the author.
The note makes some alarming claims about what the presenters said in answer
to questions at this symposium. I wrote to Strassmann and Marlow about the
accuracy of these observations. Strassmann replied today that what the
attendee reported was a personal interpretation of what had been said and was
out of context. They plan to issue a statement correcting what was reported.
I'll post a pointer to it here, assuming the authors grant permission.
Note: URLs [2] and [3] below were obtained from an Alta Vista search [4].
You may have trouble following these links. In particular [2] resides on
Alta Vista's Usenet spool and its lifetime there will be at most two weeks.
[3] will work only from a Netscape browser; and at the moment the Domain
Name Service is disclaiming knowledge of anon.penet.fi. Reissuing the Alta
Vista search [4] might turn up more hits later as other Usenet newsgroups'
traffic is indexed by the superspider.
Note added 1997-01-18: Metacrawler [4a] found two URLs at which the
referenced note is archived: see [4b] and [4c].
[1] http://www.strassmann.com/pubs/anon-remail.html
[2] http://ww2.altavista.digital.com/cgi-bin/news?msg@1142@alt%2eprivacy%2eanon%2dserver
[3] news:132317Z03031996@anon.penet.fi
[4] http://altavista.digital.com/cgi-bin/query?pg=aq&what=news&fmt=d&q=Strassman+and+Marlow+and+Chaarles&r=&d0=&d1=&text=yes
[4a] http://metacrawler.cs.washington.edu:8080/
[4b] http://www.metatrout.com/~jwehling/NSARemailer.html
[4c] http://www.consilpdx.com/~jwehling/NSARemailer.html
Bills introduced to ease cryptography export regulations
On 1996-03-05 Senator Patrick Leahy (D-VT) introduced the Encrypted
Communications Privacy Act of 1996 in the Senate and held a press conference
with Senate and House cosponsors. The Senate [5] and House [6] versions
differ somewhat; only the Senate version makes any reference to the
key-escrow schemes that the administration has been pushing, and consumers
and corporations rejecting, for several years. The bills would waive export
restrictions on such "generally available" software as PGP and popular Web
browsers. They would impose criminal penalties for the use of encryption in
the commission of a crime. While most civil liberties and privacy
organizations applaud the bills as a good start, all have some issues with
them. See the analyses of EPIC [7], CDT [8], and VTW [9]. EPIC [7] in
particular catches subtle implications in the Senate bill that would prolong
the NSA's unwelcome involvement in commercial encryption. Two noted
cryptographers, Matt Blaze [10] and Bruce Schneier [11], have written open
letters to Sen. Leahy that generally praise the bill but express
reservations about the provisions criminalizing some uses of encryption.
[5] http://www.epic.org/crypto/legislation/s1587.html
[6] http://www.vtw.org/archive/960305_235808
[7] http://www.epic.org/crypto/legislation/s1587_analysis.html
[8] http://www.cdt.org/publications/pp_2.9.html
[9] http://www.vtw.org/archive/960305_120857
[10] http://www.vtw.org/archive/960305_124928
[11] http://www.vtw.org/archive/960306_000807
Hanging up the I-Phone
On 1996-03-04 a group of long-distance carriers petitioned the Federal
Communications Commission to stop companies from selling software and
hardware products that enable use of the Internet for long-distance voice
calls. A handful of companies sell software, mostly in the $50 range, for
this purpose; the free software is even more plentiful [12], [13]. At first
glance these tools don't look like much of a threat to established
long-distance carriers. The quality of Internet phone connections is
generally poor and they are subject to the unreliability that characterizes
the overloaded Net today. Also, the various software packages aren't
compatible; you can only talk to someone who has the same software you do.
One estimate puts the current number of users at 20,000, according to a
story in the _Boston Globe_ today. The FCC has moved with uncharacteristic
speed in scheduling public comment on the question; petitions for
rule-making commonly sit for weeks or months without action, but within 2
days the agency had set an April 8 date for comments.
[12] http://rpcp.mit.edu/~asears/main.html
[13] http://www.northcoast.com/savetz/voice-faq.html
The funniest 650K you'll download this month
Dan Bricklin, one of the original authors of Visicalc, these days has a
product called "demo-it!" for mocking up conceptual demos of software that
hasn't been prototyped yet. He was asked by David Coursey, organizer of the
annual Demo conference and editor/publisher of PC Letter, to come up with
something amusing for Demo 96 in late January. Bricklin's "ChiaPaint" demo
near about brought down the house, reports say, and earned him the honorary
title of "Demo God." If you run Windows 3.1 or Windows 95 you simply must
download this demo [14]. It contains a Readme file with a script that will
enable you to render your own friends and family helpless with laughter.
The Readme is also available separately at [15].
Here is a description of Bricklin's star turn from Nando, the official
newspaper of Demo 96:
> The most entertaining event of the day was Dan Bricklin's demo of
> ChiaPaint. At first it appeared to be a Java-based variation on Kid Pix,
> where you could mark up clip art with goofy tools like "fur" or "lots 'o
> hair," but as Bricklin encountered a series of ever more ridiculous error
> messages, most of which demanded that he enter his credit card number to
> extend his license for various Java objects, it became clear that it was
> a satire of the Sun-Oracle vision of network-centric computing -- a vision
> that, judging from the audience's howls of laughter, most of them don't
> share. The final punchline was that the joke was also a real demo -- of
> Bricklin's demo-it utility.
[14] http://www.pcletter.com/PC%20Letter%20Online/bricklin.html
[15] http://www.pcletter.com/dbreadme.html
An online who's-who of cryptography researchers
Kevin McCurley, one of the perpetrators of DigiCrime (see [16]), maintains
a page [17] of links to the home pages of crypto researchers. The last time
I visited 72 were listed. [Note added 1996-12-20: URL updated for moved
page; the count is now 90 and includes 3 research groups. -- KD]
[16] http://www.tbtf.com/archive/1995-12-31.html
[17] http://www.swcp.com/~mccurley/cryptographers/cryptographers.html
Full U.S. phone book, residential and business, now online
First there was Four11 [18]; then there was WhoWhere [19]; then a
half-dozen others. In the same way that Alta Vista [20] trumped the
full-text, full-Web search engines, SwitchBoard [21] has trumped the
people-finding Web pages.
This site gives you free access to the 100 million personal and business
listings in the Database America CD-ROM; and you can write to it too. The
site certainly raises disturbing questions of privacy. My phone number and
address are visible to the greater Internet, until and unless I visit the
site, register with them, and change my listing.
I'm sure they tried to eliminate unlisted (our British cousins would say
"ex-directory") numbers from the database, but with upwards of 30% of U.S.
customers requesting unlisted status, how many do you suppose slipped
through? There's worse. As far as I can see there is nothing to stop me
from searching for "Patrick Buchanan," picking on the candidate's listing
to say "that's me," giving an anonymous email address, receiving a password
there, and then adding insulting and libelous material to Mr. Buchanan's
SwitchBoard listing.
From Ryan Conley <nfn00634 at naples dot net>, 1996-03-26:
"Switchboard at first seems first-rate, but there is one staggering
shortcoming. It has a limit (about 10 letters) to how long a name can be
to be included in the database. For instance, the computer believes that
there is no one in the whole country with the first name of
'Christopher.' It's too long. Try it and see. I have sent them mail
about this."
[18] http://www.four11.com/
[19] http://www.whowhere.com/
[20] http://www.altavista.digital.com/
[21] http://www.switchboard.com/
Security (1): Apple server unbreached in 45-day open challenge
Between 1995-10-15 and 1995-11-31, six Macintosh Internet companies offered
a $10,000 prize to anyone who could read one protected line from a
particular public Web page; the target was secured only by off-the-shelf
Macintosh software (StarNine's WebSTAR server and NetCloak, a CGI
application from Maxum Development). The goal was to raise awareness of the
Macintosh server as a highly secure Web platform. The results [22] of the
challenge were published in TidBITS. Bottom line: no-one collected.
[22] http://www.dartmouth.edu/pages/TidBITS/issues/TidBITS-317.html#s5
Security (2): Followup on JavaScript flaws
Responding to the publicity about security holes in Navigator 2.0 resulting
from the JavaScript language implementation, Netscape has promised to fix at
least two of the three outstanding problems in a release 2.01 due out this
week. On 1996-02-29 Brendan Eich posted a response [24] to the security
concerns. (You will need the Netscape browser to retrieve this URL.)
[23] http://www.tbtf.com/archive/1996-02-27.html
[24] snews://secnews.netscape.com/31367495.7AAE@atm.mcom.com
Security (3): Another hole in Java, fixed
On 1996-02-18, Drew Dean posted a note [25] to the Risks forum detailing
the findings of a group of Princeton researchers. They had discovered a
flaw that would allow a Java applet, after separate subversion of the
Domain Name System, to make an arbitrary network connection. Sun responded
quickly and prepared a patch [26] for the affected platforms, Win 95, Win
NT, and several flavors of Unix. Sun's response is at [27].
[25] http://www.cs.princeton.edu/~ddean/java
[26] http://www.netscape.com/comprod/mirror/java-patch-download.html
[27] http://www.netscape.com/newsref/std/java_security.html
Security (4): The real story of Microsoft's Registration Wizard
I found the pointer to this engrossing account [28] (OK, it's engrossing if
you are now or have ever been a programmer) on Rich Graves's Hack Microsoft
page [29]. Written by Andrew Schulman, it gives the lowdown skinny on the
Win95 Registration Wizard, first fingered in TBTF for 1995-05-23 [30].
[28] ftp://ftp.ora.com/pub/examples/windows/win95.update/regwiz.html
[29] http://www.c2.org/hackmsoft/
[30] http://www.tbtf.com/archive/1995-05-23.html
Security (5): Three-headed-dog night
>>From Edupage (1996-03-03):
> FLAW FOUND IN KERBEROS SECURITY SYSTEM
> Researchers at Purdue University have discovered a flaw in the popular
> Kerberos computer-security system that affects the way Version 4 of the
> software creates the secret keys for encryption. The problem does not
> affect Version 5, unless it is run in a way that emulates Version 4. The
> software is supposed to select its keys randomly from among billions of
> numbers, but the problem occurs in the random-number generator, which is
> selecting from a much smaller pool of perhaps a million or so, making it
> much easier for an intruder to crack the key. "Basically, we can forge
> any key in a matter of seconds," says Purdue professor Eugene Spafford.
> The CERT Coordination Center at Carnegie Mellon University has issued an
> advisory on the problem -- CA-96.03 -- and recommends using "patches" to
> fix the flaw. <http://www.sei.cmu.edu/technology/cert.cc.html>
> (Chronicle of Higher Education 1 Mar 96 A29)
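The failure mode Edupage describes, a generator that can only ever emit a small fraction of its nominal key space, can be caught from the outside by sampling keys and counting repeats (a birthday-bound estimate). The following is an added example, not code from Edupage, CERT or Kerberos: `weak_keygen` is a constructed stand-in whose 8-byte key is a function of a seed with only 2^16 possible values, `strong_keygen` draws all 64 bits, and `estimate_keyspace` works on any key source, not just these two.

```python
import hashlib
import math
import random
from collections import Counter
from typing import Callable, Optional

KEY_BYTES = 8  # DES-sized keys, the key size Kerberos version 4 used


def weak_keygen(rng: random.Random, seed_bits: int = 16) -> bytes:
    """Constructed stand-in for a flawed generator: the whole key is a
    deterministic function of a seed that can take only 2**seed_bits values
    (cf. the "million or so" pool described above), so at most that many
    distinct keys can ever be produced."""
    seed = rng.getrandbits(seed_bits)
    return hashlib.sha256(seed.to_bytes(4, "big")).digest()[:KEY_BYTES]


def strong_keygen(rng: random.Random) -> bytes:
    """Reference generator that draws all 64 key bits from the source."""
    return rng.getrandbits(8 * KEY_BYTES).to_bytes(KEY_BYTES, "big")


def estimate_keyspace(keygen: Callable[[], bytes], samples: int) -> Optional[float]:
    """Birthday-bound estimate of how many distinct keys a generator can emit.
    With N samples drawn uniformly from M values the expected number of
    colliding pairs is about N**2 / (2*M), so M ~= N**2 / (2*pairs).
    Returns None when no collision was seen (space is at least ~N**2 / 2)."""
    counts = Counter(keygen() for _ in range(samples))
    pairs = sum(c * (c - 1) // 2 for c in counts.values())
    if pairs == 0:
        return None
    return samples * samples / (2 * pairs)


def audit(seed: int = 1996, samples: int = 4000) -> dict:
    """Run both generators from a fixed source so the result is reproducible."""
    rng = random.Random(seed)
    return {
        "weak": estimate_keyspace(lambda: weak_keygen(rng), samples),
        "strong": estimate_keyspace(lambda: strong_keygen(rng), samples),
    }


if __name__ == "__main__":
    result = audit()
    print(f"weak generator: about 2^{math.log2(result['weak']):.1f} distinct keys "
          f"(nominal 2^{8 * KEY_BYTES})")
    if result["strong"] is None:
        print("strong generator: no repeats in the sample, consistent with a full key space")
```

A real audit would feed `estimate_keyspace` keys captured from the generator under test; a few thousand samples are enough to expose a pool of a million or so, while a sound 56- or 64-bit generator will show no repeats at all.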
>>Notes:
Thanks to those of you who wrote with suggestions and comments about the
style of URL references in TBTF. A good number took the time to say
complimentary things about the newsletter -- thanks for those too. There was
a wide wingspan of opinion and in the end I agreed with those of you who
expressed a view that can be characterized as "It's your newsletter, do
whatever you ruddy well want. Just keep on doing it." So be it.
>>Sources:
>>TidBITS -- mail listserv@ricevm1.rice.edu without subject and with
> message: subscribe TidBITS Your Name .
>>Edupage -- mail listproc@educom.edu without subject and with
> message: subscribe edupage <your name> .
TBTF alerts you weekly to bellwethers in computer and communications
technology, with special attention to commerce on the Internet. See the
archive at <http://www.tbtf.com/>. To subscribe send the message
"subscribe" to tbtf-request@world.std.com. Commercial use prohibited. For
non-commercial purposes please forward and post as you see fit.
______________________________________________________
Keith Dawson dawson at world dot std dot com dawson@atria.com
Layer of ash separates morning and evening milk.
Copyright © 1994-2008 by Keith Dawson.
Commercial use prohibited. May be excerpted, mailed,
posted, or linked for non-commercial purposes.