(Note: turn off graphics before following [1]. The text alone downloads 332K and the graphics add little to the report.)

[1] http://www.iptvreports.mcmail.com/interception_capabilities_2000.htm
[2] http://www.nandotimes.com/technology/story/body/0,1634,89923-142316-981920-0,00.html

Sweden: general license for 128-bit crypto

Sten Linnarsson <sten at cajal dot mbb dot ki dot se> of the Karolinska Institute published this note to the EUcrypto mailing list.

Germany deregulates crypto exports

A German technology magazine published a brief piece [4] (in German) stating that the German government intends to remove most of the red tape from the export of commercial crypto products. Here is a rough translation of the article, courtesy of TBTF Irregulars [5] Justin Mason <jm at netnoteinc dot com> and Mark Kraml <kraml at ibm dot net>:

Did Microsoft build a back door into Windows for the NSA? I'm doubting it

By now you've heard all about the extra signing key found in Microsoft's CryptoAPI in all Win95, 98, NT, and 2000 systems. Here's the posting by Andrew Fernandes that started all the fuss [6]. The BBC has an annotated screen shot [7] of a debugger session showing the variable named, portentously, _NSAkey. Microsoft's official response [8] to the flap makes a whole lot more sense than assuming that the National Security Agency had somehow weakened Microsoft's crypto and tagged the fix "_NSAkey." To put a few authoritative nails in this coffin, read the thoughts of Russ Cooper [9], proprietor of NTBugTraq, and of the noted cryptographer Bruce Schneier [10].

The investigations of Fernandes (building on work last year by Nicko van Someren and Adi Shamir) have publicized a way to disable crypto export control in Windows. Anyone outside the US can replace _NSAkey with their own key, and use that key to sign a crypto module of any strength, and then use that strong crypto under the auspices of Windows. But note that this impotence of Microsoft's CryptoAPI to control what crypto gets run is not new news. Bruce Schneier pointed out this Windows weakness in his CRYPTO-GRAM newsletter last April [11], before anybody discovered the name of the replaceable second key.

Over the weekend Brian Gladman <gladman at seven77 dot demon dot co dot uk> posted a note [12] to the UK Crypto list demonstrating that the Microsoft CryptoAPI had been a serious political issue in Britain 3-1/2 years ago. He worked with British authorities to make sure that Microsoft UK was able to sign cryptographic modules separately from the US authority.

The _NSAkey fiasco raises four separate issues, and little of the commentary I've read makes much effort to disentangle them. The issues are:

1. Did Microsoft collude with the NSA? (Answer: who knows? Probably not.)

2. Will Microsoft's actions allow the NSA to penetrate the computers of Windows users? (Answer: almost certainly not.)

3. Did the US government, represented by the NSA, work with Microsoft to assure that only weak crypto is exportable in the Windows framework? (Answer: absolutely.)

4. Does Microsoft's CryptoAPI implementation allow anyone to circumvent the restrictions imposed by US crypto export rules? (Answer: yes, demonstrably.)

What will be the fallout of this tangle? Even more people will be made aware that Microsoft security is porous. Even more people will learn of the utter inability of US controls to stop the export of technology which truly escaped a decade ago. And even fewer people will believe what Microsoft says, even though in the matter of the _NSAkey the company is probably telling the truth. A few years back Nicholas Petreley, the IDG pundit, summed up the common perception this way:

They picked your locks? Then put up a brick wall

After the hacker group Global Hell defaced the US Army's Web site [13] (note: link may deactivate after 1999-09-15), the Army investigated ways to secure their Web presence. One action the service took was to shut down their public-facing Windows NT server and replace it with a Macintosh [14] running the WebStar server. As one poster noted in the Slashdot discussion [15], one factor that renders MacOS secure is its "quaint" (his word) native reliance on the AppleTalk protocol over TCP/IP. An out-of-the-box Macintosh on the Net presents no open ports through which attackers may enter, just port 80 to the Web server. Two years ago the Crack-a-Mac Challenge [16] survived thousands of break-in attempts over 6 weeks before succumbing to a hole (immediately fixed) in a 3rd-party add-on to the WebStar server.

The White House server was also cracked by Global Hell, which may motivate this Federal Times story's claim [17] (note: this looks like a temporary URL) that the executive is studying how best to diversify the government's infrastructure away from reliance on Microsoft in favor of open source systems.

Look for a marked dip in Windows sales to the US government and, over time, to other organizations with high security needs. The introduction of Windows 2000, with its reportedly immense learning curve, might make a natural break-point.

[13] http://www.washingtonpost.com/wp-srv/feed/articles/a656-1999sep1.htm
[14] http://www.dtic.mil/armylink/news/Sep1999/a19990901hacker.html
[15] http://slashdot.org/comments.pl?sid=99%2F09%2F10%2F1034202&...
[16] http://tbtf.com/archive/1997-08-18.html#s01
[17] http://www.federaltimes.com/topstory.html

Digital technology is the universal solvent of intellectual property rights

Is it piracy to put up a page of links to music files? Tommy Olsson is waiting to hear a Swedish court's ruling on that question [18]. Olsson didn't create any music files, copy them, or send them to anyone. The case is the first to go to trial of some 1000 Web sites challenged over the last two years by the Swedish branch of the International Federation of the Phonographic Industry, which represents record companies. If convicted Olsson could be fined a few hundred dollars, which is about how much he made from ads on his Web site. But a conviction could leave him liable for damages. Thanks to TBTF Irregular [5] Chuck Bury <cbury at softhome dot net> for the tipoff. And thanks, indirectly, to Tom Parmenter <tompar at world dot std dot com> for the subtitle -- it's been his tag line on the now-revived Desperado mailing list since the early 1980s. (Send the message subscribe to desperado-request@world.std.com.)

[18] http://www.mercurycenter.com/svtech/news/breaking/merc/docs/043449.htm

Log-file pollution

Someone at Microsoft was polluting my Web log file. Every minute of every day, at 18 seconds after the minute, someone at Microsoft was depositing the following 339-character string into my Web log (nearly 1/2 MB per day). I've broken it into 60-character chunks for convenience.

  tide78.microsoft.com - - [01/Sep/1999:23:59:18 -0500] "GET h
  ttp://channels.real.com/getlatest.glh?PV=6.0.6.45&OS=WIN&L=e
  n-US, en, *&LID=1033&ch=70+132+0+0+programs=intro,52,33,50&c
  h=52+425+0+0+0&ch=72+30+0+0+0&ch=16+358+0+0+0&ch=44+281+0+0+
  0&ch=33+327+0+0+0&ch=47+386+0+0+0&ch=73+18+0+0+0&ch=94+167+0
  +0+0&ch=98+24+0+0+0 HTTP/1.0" 403 220 -

My guess is that someone with a channel-enabled browser (IE5?) happened to be looking at tbtf.com when setting up a channel request, and somehow ended up proxying the once-a-minute request through my site.

I posted my dilemma as a Tasty Bit of the Day with the title Please make it stop and implored any reader within Microsoft to forward it to the IS department. Three readers wrote in with helpful comments; one had forwarded my problem to the appropriate Microsoft group. The barrage ceased 20 hours later. (The power of the press belongs to him as owns one.)

Cost transfer

After I posted the above, a reader sent in the following note that Linus Gelber <linus at panix dot com> had posted to a local list. It is excerpted here by permission.

News from the micro- and nano-scale frontiers

The German publication Telepolis caught the Net's attention with a story [20], possibly picked up from the New Scientist [21], about Berkeley researchers and their smart dust [22]. The 5-mm devices they have constructed can sense local conditions and communicate using beams of light. Though the devices are far too large to be called "dust" -- what they are is Micro Electro-Mechanical Systems, or MEMS -- Slashdot was alive with speculation about invisible FBI bugs wafting in the open window. One poster quipped:

[20] http://www.heise.de/tp/english/inhalt/co/5269/1.html
[21] http://www.newscientist.com/ns/19990828/newsstory2.html
[22] http://robotics.eecs.berkeley.edu/~pister/SmartDust/
[23] http://www.amazon.com/exec/obidos/ASIN/0553573314/tbtf/
[24] http://news.bbc.co.uk/hi/english/sci/tech/newsid_441000/441670.stm
[25] http://abcnews.go.com/sections/science/DailyNews/nanomotors990908.html

Probing a giant black hole, quite indirectly

The center of our galaxy contains, scientists assume, a black hole several million times as massive as our own sun. Such an object makes conditions highly interesting for light-years around. Now a pair of physicists have calculated [26] how the (putative) black hole would affect the (putative) halo of "dark" matter in its vicinity. They suggest the black hole would sculpt any dark matter into a dense spike where particle interactions would be more frequent. If hypothetical particles called neutralinos (you read that right) make up the bulk of the dark matter, as a leading hypothesis supposes, they would self-annihilate like crazy. The neutralino is its own antiparticle, you see. I am not making this up. The annihilations would produce, in addition to the expected gamma rays [27], a soup of energetic particles including neutrinos, which would be most useful for probing the galactic core. These neutrinos could be detected in tiny numbers by vast "telescopes" composed of thousands of gallons of purified water or perhaps dry-cleaning fluid.

Do you see why I love this stuff?

[26] http://www.aip.org/enews/physnews/1999/physnews.446.htm
[27] http://www.compart.fi/~flc/right.html

Natural phenomenon meets ancient scientific instrument

Three weeks before last month's solar eclipse, Mark Gingrich <grinch at rahul dot net> posted a request to several astronomy newsgroups. Gingrich knew that many central European churches and cathedrals are set up as giant pinhole cameras -- they feature a tiny hole in the dome or cupola and an inscribed meridian line somewhere inside. When the sun's projected image crosses the "noon mark," it's noon local time. The most famous such arrangement was designed 350 years ago by the astronomer Gian Domenico Cassini for the Church of San Petronio in Bologna, Italy. Gingrich asked for photos of the partially eclipsed sun as it crossed the meridian lines in these historical scientific instruments. Gingrich's request bore fruit and Franco Martinelli has put up this page [28] with the results. Many thanks to TBTF Irregular [5] Mary Ellen Zurko for the pointer.

[28] http://www.nauticoartiglio.lu.it/almanacco/Aa_ecli_13.htm

A wake-up call to PR flaks everywhere

Rebecca Eisenberg, net.skink [29] and one of the top 25 women on the Web [30], wrote up her advice [31] to public relations specialists in the Internet industry. It is squarely on target.

[29] http://eXaminer.com/skink/
[30] http://www.wired.com/news/print_version/culture/story/17451.html?wnpg=all
[31] http://www.bossanova.com/rebeca/clips/prletter.html
[31a] http://www.vanderzande.com/rtfm/pers-e.html

TBTF home and archive at http://tbtf.com/ . To (un)subscribe send
the message "(un)subscribe" to tbtf-request@tbtf.com. TBTF is Copy-
right 1994-1999 by Keith Dawson, <dawson dot tbtf at gmail dot com>. Commercial
use prohibited. For non-commercial purposes please forward, post,
and link as you see fit.
_______________________________________________
Keith Dawson    dawson dot tbtf at gmail dot com
Layer of ash separates morning and evening milk.