Copy Link
Add to Bookmark
Report
NuKE Issue 08-017
-----BEGIN PGP SIGNED MESSAGE-----
NuKE_NuKE_NuKe_NuKE_NuKE_NuKE_NuKE_NuKE_NuKE_NuKE_N
uK Nu
KE "NuKE World News" uK
E_ "Cipher Related News Stories" KE
_N by E_
Nu Firecracker _N
uK Nu
KE_NuKE_NuKE_NuKE_NuKE_NuKE_NuKE_NuKE_NuKE_NuKE_NuK
NuKE Info-Journal #8
April 1994
________________________________________________________________________________
February 2, 1994, Wednesday, PM cycle
A year-old computer network has become the communications backbone of
Germany's neo-Nazi scene, with users sharing ideas on how to rid Germany of
foreigners, coordinate illegal rallies and swap bomb-making recipes.
The "Thule Network," guarded by passwords and loyalty tests, consists of at
least a dozen bulletin boards in three western states, according to law
enforcement officials and computer experts. It is used by extreme rightists to
avoid detection by police unfamiliar with new computer technology.
The network computers call one another nightly and exchange files. Important
information - such as contact numbers for transportation on the eve of a big
rally - can be disseminated in a few hours and without a paper trail.
The network's name derives from the small, elite 1920s movement considered
the Nazi vanguard. Thule movement leaders included Hitler henchman Rudolf Hess,
whose Aug. 14 birthday is marked annually by today's neo-Nazis.
With the network's aid, some 500 neo-Nazis formed a convoy that drove into
the city of Fulda and rallied there unhindered on last year's anniversary.
Demonstration bans and police dragnets had thwarted their plans to meet at
Hess's grave in Bavaria.
But the Thule Network is much more than a place to look for rides to rallies.
It is a place where Russian ultranationalist Vladimir Zhirinovsky is
commended as a "Robin Hood" who wants to protect the downtrodden and keep both
Germany and Russia ethnically pure.
Suppose some young neo-Nazis want to put out a newspaper, for example, but
lack the know-how. Just plug into "Resistance," one of the network's bulletin
boards.
"A network-connected attorney can check the text, a graphics office can put
together the newspaper," the Resistance host says in a digital preamble. The
network is also a refuge - where a crowd closely watched by police can disappear
into cyberspace. Technologically ahead of most police, network gatekeepers are
having considerable success keeping out the law.
Not a single one has been prosecuted.
"German police don't know much about computers and bulletin boards. It's very
new for them," said Uwe Kauss, editor of the Munich-based computer magazine
Chip, which has penetrated the network through informants.
Chip estimates 1,500 of Germany's more than 40,000 right-wing extremists are
active on the network. They also say its operators are seeking links with U.S.
comrades such as Nebraska neo-Nazi Gary Lauck, who ships hate literature to
Germany.
Along with mobile phones and answering machines, the Thule Network is helping
a diverse neo-Nazi scene establish a united front - a phenomenon acknowledged by
Germany's government.
"Previously, the scene had many loosely connected splinter groups. Now they
are getting in touch more easily," said Matthias Schenk, spokesman for the
Baden-Wuerttemburg agency that monitors enemies of the state.
All you need to visit Thule boards is a computer and a modem. But to hook up
to the network, you must leave your name, phone number and address. You then
receive a phone call and must pass a loyalty test to get full access.
Federal officials and law officers in Baden-Wuerttemburg, Bavaria and North
Rhine-Westphalia states, where the Thule boards are located, won't say whether
police agents have infiltrated the network.
But they speak with frustration of their inability so far to shut down even a
single neo-Nazi bulletin board.
"This is a very difficult realm for gathering solid evidence," said Schenk,
especially because members post messages and announcements under pseudonyms.
It's the same with the "infophones," answering machines where rightists leave
messages about political foes. A Mainz man has twice been arrested for running
one, but no charges have been filed and he has boasted he'll just start up
another.
The extreme right has tapped the power of computer networking, creating a
sophisticated breed of neo-Nazis, such as the publishers of Junge Freiheit, a
35,000-circulation weekly neo-Nazi newspaper in Potsdam.
In network forums, for example, racist tracts are allowed, but network
operators immediately jump on anyone who boasts of beating up foreigners.
The heads of the bulletin boards, "Germania," "Elias" and "The Empire," say
on introductory screens loaded with German flags and iron crosses that theirs is
a network of "nonconformists" who oppose the "spirit of the times."
They post slogans such as "Give Peace a Chance" on their sign-off screens and
include disclaimers denying any intention to violate the law.
But clever technophiles run these systems.
A police informant encountered a bomb-making manual on the Resistance system,
located in Erlangen, but it was gone when the informant looked again two days
later, said Ewald Behrschmidt, justice spokesman in nearby Nuremberg.
If police could determine who put it there - and prove that - they could have
made an arrest, said Behrschmidt.
The Resistance operator, reportedly a Nuremberg computer science student, has
introduced into a private message area an encryption program called Pretty
Good Privacy that ensures electronic mail confidentiality.
The program is so airtight that U.S. authorities are investigating its
Colorado author for possible export law violations because he sent it out
publicly onto the Internet worldwide computer network.
Such encryption programs are considered weapons under U.S. law.
So, does that make them explosives in the hands of neo-Nazis?
________________________________________________________________________________
October, 1993
I've never had a sip of alcohol, nor any recreational drugs (not one puff to
un-inhale), but, being 38 years old, I feel I was part of the hippie culture. I
was young and rural in the sixties, but my formative years were spent listening
to music created by people who chased the muse down many chemical alleys.
Top 40 radio blared that the government wasn't to be trusted. Dylan sang
"Phone's tapped anyway," and his inflection said that was a bad thing. But even
as I was sucking up the culture, my skeptical side said that all the "Tin
soldiers and Nixon's coming . . ." stuff might be a little dramatic.
Romanticizing living outside the law, coupled with the physiological effect of
drugs, might be making these artists a little paranoid, a little nutty.
The joke was kinda on me. Paranoid or not, John Lennon was on Nixon and FBI
hate lists, the Vietnam War probably was a very bad idea, and the Watergate
break-in and subsequent cover-up really did happen. No government is to be
trusted. I could have gotten a stronger lesson from the founding fathers, but
they didn't have any records out. "You say you want a revolution?". . . "The
government that governs least governs best."
Clinton is younger than any Rolling Stone (unless they replace Bill Wyman
with a new bass player from his ex-wife's generation). It would seem that Bill
Jefferson Clinton would share the mistrust of Big Brother that we tapped our
collective foot to. But remember, he's not Bob Dylan and Neil Young__he's Kenny
G and Fleetwood Mac. Watch him.
Willy picked up Bush's evil encryption Clipper Chip fascist football and ran
with it ("Meet the new boss__same as the old boss"). The Clipper Chip is
supposed to give us more privacy, which we need. An ex-friend of mine taped
Madonna talking to her business manager on her cordless phone, and some punk
("punk" in the prison sense) broke into my Internet account and read my mail.
The Clipper Chip, which was designed by government engineers, would be used
to scramble and decode information so that only the addressee could read it. The
government would sell this chip below market value (some people believe they'd
be getting something for nothing; some people believe Elvis put syringes in
Pepsi), and we'd all have cheap privacy. Oh, by the way ("The large print
giveth, the small print taketh away"), the government would keep all the keys so
they could eavesdrop on might-be-bad-guys (with a subpoena, of course).
What?!
The antiClipper Chip people sent me megs and megs of reasons why the Clipper
Chip sucks (the information on how it works is kept secret, so private
scientists wouldn't be able to check for mistakes; trade with other countries
would be difficult; how safe could the codes be kept?; and so on). Big cheese
computer people yapped against it, and it got shot down the first time around on
the legislation front.
On the tech front, there is a great cypherpunk ("punk" in the rock and roll
sense) alternative called Pretty Good Privacy, which is nongovernment and
free. One of my math-hip friends explained public-key encryption to me, and it's
pretty thinking; I'll try to explain it in a future column. There was even talk
of making private encryption illegal (an evil idea, pure and simple).
The more research I did, the simpler it got. You have inalienable rights
including life, liberty, and the pursuit of happiness. That's it. We have a
right to communicate with anyone we choose without anyone listening in. The
government works for us. Power to the people.
Look for the new Penn & Teller tour.
________________________________________________________________________________
September 27, 1993
A federal grand jury in San Jose, Calif., has subpoenaed information from a
pair of software companies that distribute a public/private key encryption
program called Pretty Good Privacy.
The program, distributed as freeware by Austin Code Works of Austin, Texas,
is being readied in a licensed version for distribution in the United States and
Canada by ViaCrypt, a division of Lemcom Systems Inc. of Phoenix.
The subpoenas require the companies to submit records related to the
international distribution of PGP. The program __ which is more powerful than
most encryption programs cleared for export beyond Canada __ has found its way
into countries such as Finland.
The investigation is part of a complicated web of issues that encompass
First Amendment rights and the use of encryption software to protect
information.
"We are looking at a very early part of a very long process which involves
... changes in information and information flow," said Eben Moglen, a professor
of law and legal history at Columbia University in New York.
________________________________________________________________________________
November 25, 1993
THE NEWS came, appropriately enough, over the electronic networks: Phil
Zimmermann needs help. The details followed: the US Customs Department is
investigating him to determine whether he was responsible for exporting
full-strength encryption from the US. Under US law, strong encryption is
classified as a munitions.
Zimmermann is the author of the first version of PGP, which stands for
" Pretty Good Privacy" . The program runs on a variety of microcomputers and is
widely available as freeware on online services all over the world, including
Cix and CompuServe. In fact, the program is probably "exported" many times every
day. Anyone can use it to make sure that their electronic communications are
secure.
Zimmermann seems to have become interested in cryptography as early as
junior school. Computers came into it later: after taking a computer science
degree in Florida he became a computer consultant specialising in cryptography.
It wasn't until 1991 that PGP 1.0, a DOS program, was released: one of the
technical difficulties was learning how to get computers to do calculations
involving 300-digit numbers. Since then others have built on Zimmermann's work;
there are versions of the program for DEC VAX VMS, Unix and even Microsoft
Windows. There have also been improved DOS versions: we are now up to 2.3.
PGP is based on the RSA encryption algorithm, named for its developers,
Rivest, Shamir and Adelman. RSA relies on a system called public-key
cryptography. The program starts by generating two keys, a public and a private
one. Your private key is just that: private. You keep it safe and share it with
no one. Your public key, however, you get digitally signed by people who know
you and can attest that it's yours. After that you can distribute it as widely
as you like by any method you like. There are already "key servers" - one of
them at Demon Internet Limited in London - where public keys are available for
downloading by anyone who wants them. But you will, of course, keep a "key ring"
of your correspondents' public keys, which you will use to decrypt their
messages.
Public-key cryptography has several elegant features. First, the encryption
really is "industrial strength". Second, the keys authenticate messages as well
as protect them from prying eyes: if a message can be decrypted using your
public key, that's a guarantee that the message came from you - and you can't
later disavow it.
Enter the cypherpunks, to whom Zimmermann is a hero. Instead of relying on
data protection legislation and the goodwill of systems administrators, they
argue, use the computer to give us back the privacy that computerised systems
have taken away. Think of encryption as an envelope: you wouldn't want to send
all your private mail on postcards, would you? The private nature of the act of
writing electronic mail and messages makes it easy to forget how public they
really are.
Protecting the privacy of correspondence is only the beginning. Other
proposed uses for encryption include digital cash, which would allow you to pay
for goods and services electronically and anonymously, and selective smart
cards, which would only tell authorities the information they need and no more.
For example, you could have a card that told the DSS you were entitled to
benefit, but gave staff none of your personal details.
The fact that it's illegal to export strong encryption from the US does not
make it illegal to use PGP in the UK. However, it has been technically illegal
to use PGP inside the US, because the RSA algorithm is patented by RSA Data
Security, a company set up to exploit RSA, which was developed at MIT with
public funding.
Ironically this patent is not valid in the UK and other countries, because
of prior publication in Scientific American. This situation may be changing: a
commercial version of PGP is being released in the US, and the GATT talks may
uphold such US patents. (Of course many cypherpunks argue that it should not be
possible to patent an algorithm, any more than you should be allowed to patent
the human genome or a compound's molecular structure.)
The present US Customs investigation doesn't deal with the patent issues,
only the export question. But it's come at the same time as Clinton's Clipper
Chip proposals and the Digital Telephony bill, both of which seek to limit the
strength of encryption available within the US. This has a certain irony:
encryption is too dangerous to be given to the American public, but anyone can
have a gun.
The result has been to give Zimmermann some of the gloss of a folk hero: he
is regarded as being the man who gave strong encryption to the masses.
Zimmermann contends that he did not export PGP. But win or lose, he will
face the usual astronomical American legal bills, so a defense fund has been set
up by his attorney (email: dubois@csn.org). And win or lose, the technology is
out there now. No amount of scouring of the world's hard discs will ever bring
it back under control.
________________________________________________________________________________
November 23, 1993
WHILE THE CONTROVERSY BREWING over the Clipper encryption chip focuses on
individual privacy, the privacy issue extends far beyond the borders of your
desktop to the global arena.
Software that includes strong encryption is subject to strict export controls
in order to minimize the spread of technology that could undermine the
government's ability to gather intelligence. In fact, cryptography is included
on the State Department's list of weapons that could compromise the country's
security.
Despite attempts to keep the technology stateside, 84 products that employ
the Digital Encryption Standard (DES) are available overseas, says the Software
Publishers Association. But the regulation has succeeded in keeping U.S.
companies out of the global marketplace. And recently, the makers of a software
encryption program called Pretty Good Privacy (PGP) have been investigated for
possible export violations. (Both DES and PGP are available on the Internet.)
The American Civil Liberties Union has questioned the rule's
constitutionality. "We think it's a violation of the First Amendment for the
government to say you can't export those products because computer software is a
form of speech that's given special protection," says Kate Martin, director of
the ACLU's Center for National Security Studies.
________________________________________________________________________________
November 9, 1993, Tuesday
ALTHOUGH THE "data superhighway" planned by the current administration is not
yet a reality, thousands of confidential documents and electronic mail messages
are racing around the country, many of them between attorneys and their clients.
Unfortunately, the security of these documents and messages is a matter of
controversy and media attention.
Increasingly, attorneys and clients are staying in touch with each other via
e-mail. In some cases documents or messages are transmitted over "dedicated
lines" or telephone lines linked directly between client and attorney. These
dedicated lines provide a high measure of security. However, most documents and
messages are transmitted via third party e-mail service providers, who lease
"mail boxes" to which subscribers can dial in to send and receive electronic
mail. These mailboxes can direct mail to other service providers, so that
potentially, a message or document may pass through several systems before it
reaches the intended recipient.
Even if one does not consider malicious interference, the number of systems
handling a document, and the increasing complexity of addressing an e-mail
message greatly increases the likelihood of incorrectly addressed mail.
Ten years ago, when facsimile machines were relatively new, misdirected faxes
was not a great concern. Today fax machines are so commonplace that law firms
and businesses routinely place a confidentiality notice on the cover page. From
this standpoint, there is far greater risk of an undetected misdirected e-mail
than a fax. A misdialed fax must arrive at another fax machine or no
transmission can occur. An incorrectly addressed e-mail message may be
"bounced" and returned to the sender, or equally likely, may be sent to the
wrong party, and the sender may never be aware of the mistake.
When "hackers and crackers" and other technological miscreants are added to
the equation, the likelihood of an e-mail disaster in the legal profession looms
ominously.
Computer experts have been concerned with e-mail and telecommunications
security for many years. In addition to worrying about accidents and hackers,
there is fear of unwarranted monitoring of e-mail communications by government
agencies. And of course, government agencies (particularly the military) have
been concerned about security since the beginning of telecommunications.
The solution is cryptography, the science of codes and ciphers, which for
many years was a somewhat arcane field of mathematics.
Using "traditional" techniques, a confidential message or document would be
encrypted pursuant to a complex series of mathematical algorithms. A single
password would be used to both encrypt and decrypt the document or message.
This approach continues to be quite commonplace as a security measure in
business and industry. Unfortunately, such an approach has certain difficulties
and vulnerabilities.
A single password encryption scheme requires that both the sender and the
receiver have the same password. However, the mechanism for transmitting the
password is problematic. If any attorney is uncomfortable with the security
associated with transmitting the document via e-mail, then e-mail would not be
adequate means to convey the password.
Further, communicating the password via telephone or regular mail becomes
cumbersome, especially if long or complex passwords are used. Finally, in a
large organization, there may be many people who will be generating or receiving
confidential materials. A single password system requires that each such person
have access to that password and keep it confidential.
A solution to this problem was arrived at in the mid 1970s, when "public key
cryptography" was developed. In brief, there are actually two "keys" or
passwords in a public key cryptography scheme. One key, a public key, "locks"
or encrypts documents. The other key, a private key, "unlocks" or decrypts the
document. The keys are matched and generally quite large (they are long strings
of apparently random characters, rather than the traditional one or two word
password).
In using a public key cryptography system, a user generates a public key and
a private key. The public key would then be made available to the
world-at-large.
Anyone could then use the public key to encrypt documents, messages, etc.
However, only the intended recipient could decrypt the message, using the
private key.
Such a system solves many problems. Virtually anyone can securely send
encrypted documents. If the documents are intercepted or routed to the wrong
person, there is little anyone could do without the private key (short of using
a supercomputer for long periods of time).
Perhaps even more exciting is the concept of a "digital signature" which
public key cryptography creates. A unique aspect to certain public key
cryptography systems is the ability to generate unique identifier codes or
"signatures" which can be attached to documents, e-mail messages, etc. The
digital signature can only be generated using the private key, and can only be
confirmed as valid using the public key.
The result is that if someone distributes a document which purports to be
"signed," the recipient can confirm the identity of the sender by testing the
signature with the sender's public key. If the recipient is confident that the
public key is genuine, she can validate the signature because only the
corresponding private key can generate a digital signature which can be
validated by the public key.
This technology opens entire new avenues for lawyers and business people,
because, in essence, it permits truly "paperless" transactions. For many years,
banking and securities institutions have authorized without a manual signature.
However, in general, elaborate precautions were put in place, including
dedicated lines, hardware access restrictions, etc. to prevent fraud. Lawyers
and business people are generally unwilling to eliminate manual signatures
because such procedures are too onerous. However, with the advent of public key
cryptography, electronic "signatures" may become commonplace:
For example, the Securities and Exchange Commission is accepting
electronically "signed" filings under its Electronic Data Gathering, Analysis
and Retrieval (EDGAR) system. Manual signatures are not required for a valid
filing, but must be maintained on file.
New word processing and e-mail software packages are now incorporating public
key cryptography technology. It is therefore not unimaginable that in the near
future, documents will be executed and delivered electronically, without the
need for "hard copy."
Patent Controversy
However, at the same time this technology is opening up new legal vistas, it
is being scrutinized. At the heart of the controversy is a software package
called " Pretty Good Privacy" or PGP as it is generally known.
This package was written several years ago by Philip Zimmermann and
distributed free to interested parties. Since that initial release PGP has been
updated by others and is still available, free of charge, from many computer
sources around the world.
The controversy initially concerned the issue of patent infringement. PGP
was based on a series of algorithms developed at MIT by several researchers.
Those algorithms were originally publicly published. Thereafter they were
licensed to a private concern to be sold or licensed commercially. The private
company which holds the license to the algorithms claimed that PGP infringed on
its patents.
Recently, the company has agreed to sublicense the public key cryptography
technology to a second company to develop a commercial version of PGP. Shortly
after the infringement issue appeared to be resolved (or close to resolution)
another, less mundane issue surfaced.
A federal grand jury subpoenaed both software companies, apparently concerned
that the technology would be (or had been) illegally exported in violation of
State Department regulations. The department regulates the export of weapons
and other technology which might be a threat to national security. Cryptography
software and technology is classified as such a potential threat, and therefore
its export is subject to governmental regulation as a "munition." Unfortunately
for the government, PGP is available world wide.
To add further controversy, the government proposed its own cryptography
standard, incorporated in a tamper proof computer chip referred to as the
"Clipper Chip." The proposal was made in response to concerns that cryptography
technology generally available to the public (such as PGP) would cripple law
enforcement agencies' ability to monitor phone conversations or data
transmissions under a valid court order.
The Clipper Chip is designed to require two encryption keys which would be
"escrowed" with two separate government agencies. Upon a court order, both
government agencies would provide their keys to law enforcement agencies, which
would then allow them to "crack" any transmissions made using that particular
Clipper Chip.
The "Big Brother" aspect of the regulation of cryptography systems upset many
in the computer and legal community concerned with privacy rights. Further, to
date, the government is unwilling to publicly release the details of the Clipper
Chip algorithms.
Cryptography experts and aficionados (cypherpunks) argue that without
rigorous public scrutiny, there is no way of assuring that the Clipper Chip
technology is truly secure, or worse, does not incorporate a secret "back door"
under which someone could by-pass the security without the escrowed keys. The
final evaluation and recommendation on the proposal by the government are
pending.
Regardless of the outcome of both the PGP and Clipper Chip cases, however, it
is apparent that cryptography is becoming an important tool in business and law.
It is one of the few cases where an inability to understand what a lawyer says
may be a good thing.
________________________________________________________________________________
November 8, 1993
On Sept. 17, bureaucrats claiming to act in your best interest again
interfered with your ability to protect network transmissions using the best,
most cost-effective encryption algorithms available. It's time for network
managers to take action to stop government meddling in the business of privacy.
U.S. manufacturers are not permitted to export their most powerful encryption
tools without a license. The difficulty of obtaining such export licenses forces
U.S. manufacturers either to forego sales outside the U.S. and Canada or to
produce a weaker version of their software for international distribution.
The costs of maintaining the different versions are paid for in higher prices
for U.S. users. Similarly, giving away foreign markets also decreases the
profits of U.S. firms and keeps prices higher than they could be if vigorous
competition were the rule.
In addition, U.S. taxpayers have been paying bureaucrats' salaries to apply
the International Traffic in Arms Regulations (ITAR) to encryption software.
According to ITAR, the Office of Defense Trade Controls of the U.S. Department
of State can define anything it wants as equivalent to munitions. There is
nothing to stop the bureaucrats from adding the decoder rings found in popcorn
boxes to the U.S. Munitions List and designating them as a restricted export.
Just because some paper-pusher claims that encryption is a munition shouldn't
make it so. In the words of Lennart Benschop of Eindhoven University of
Technology in the Netherlands, Making cryptographic software equivalent to
munitions is just as foolish as making addictive crossword puzzles equivalent to
drugs.''
The notion that the U.S. government should let alone can prevent foreign
nationals from having access to encryption technology was never reasonable in
the first place, but it's ludicrous today.
Trying to restrict the export of encryption programs in this age of the
global Internet is about as useful as trying to keep cigarette smoke from
drifting into the no-smoking zone in your favorite restaurant. Trying to control
the flow of information via diskette or paper when data can travel unimpeded
through the Internet is just plain dumb. How can a government official stop
international users from using anonymous File Transfer Protocol to get a copy of
any encryption algorithm found on a file server anywhere in the world?
ITAR's application to software is unenforceable and has been for years. One
can already find encryption technology of the highest quality everywhere on the
planet, ITAR notwithstanding.
On Sept. 17, the latest incident in which the federal government has
attempted to enforce these ill-conceived regulations occurred. Grady Ward,
president of Austin Code Works (ACW), a software firm in Austin, Texas, was
ordered by a U.S. Customs special agent to turn over all paper and electronic
documents pertaining to the distribution of ACW's encryption products.
Ward has compiled a 9M-byte anthology of already published encryption source
code, which he called Moby Crypto.'' This collection includes no executable code
only the algorithmic descriptions in C language that can be found (and exported)
from scores of books and journals from the U.S. and elsewhere already freely
distributed throughout the world.
Ward argued that the only difference between his cryptographic whale'' and
other descriptions of encryption algorithms is that Moby Crypto'' is purely
electronic, whereas textbooks and journal articles which are freely circulated
internationally without interference from ITAR are printed on paper pulp.'' Even
the Supreme Court, he continued, will provide its judgments in electronic form,
and electronic White House records must be treated with the same respect as
official paper documents.
Another software company, Phoenix-based ViaCrypt, was served with a similar
subpoena because it recently contracted to sell a commercial version of Pretty
Good Privacy (PGP), an encryption utility that has been circulated worldwide
via the Internet. Although the first version of PGP was written in the U.S. by
software author Phil Zimmermann, Version 2.0 of PGP came from the Netherlands,
not the U.S.
The Electronic Freedom Foundation, which is dedicated to supporting the cause
of liberty in cyberspace, has publicly announced its intention to support ACW
and ViaCrypt, stating, Neither of these companies are engaged in the
international distribution of any illegal materials... If Moby Crypto contains
no executable code, it should be exportable under ITAR, just as textbooks
containing such materials are exportable.'' A legal defense fund has been
started to help defray the enormous costs that these two victims of bureaucratic
meddling are likely to incur.
ITAR is not a dead letter either. The latest modifications to ITAR are
reported in the July 22 issue of the Federal Register.
Network managers need encryption technology to secure transmissions against
eavesdropping and stored data against unauthorized access. You should brook no
interference with the natural evolution of this technology.
The House Foreign Affairs Committee, Subcommittee on Economic Policy, Trade
and the Environment held a hearing on mass market cryptography and export
controls on Oct. 12 at which speakers from industry expressed outrage over
inclusion of cryptography in ITAR. Chairman Sam Gejdenson (D-Conn.) opened the
hearing with a statement that summed up the situation pretty clearly: Just as in
the case of telecommunications, the National Security Agency is attempting to
put the genie back in the bottle. It won't happen; and a vibrant and productive
sector of American industry may be sacrificed in the process.''
In (nearly) the words of former Canadian Prime Minister Pierre Trudeau, The
government has no place in the file servers of the nation.'' Tell your
congressional representatives to take cryptography out of ITAR.
2Kabay is director of education with the
Network World, November 8, 1993
National Computer Security Association in Carlisle, Pa.
He can be reached on the Internet at 75300.3232@compuserve.com or by phone at
(514) 931-6187.
________________________________________________________________________________
October 4, 1993
Philip Zimmermann wanted to strike a blow for freedom. To help computer users
keep data safe from snoopers, the Boulder (Colo.) software consultant and
self-described "privacy activist" wrote a program making it easy to encode
messages with an all-but-unbreakable cipher. And he offered it free through the
network known as the Internet.
Now, Zimmermann's gift to cyberspace has exposed an enormous gap in the
Administration's vision of a high-tech future. The White House is promoting a
data superhighway as a key to a competitive future. But the National Security
Agency is trying to restrict the use of high-quality encryption, which experts
believe business will need to take full advantage of the "information
infrastructure."
The focus of the fight is a program Zimmermann calls " pretty good privacy"
(PGP). On Sept. 9, two software companies in Texas and Arizona that have been
involved in publishing PGP received federal grand-jury subpoenas requesting
documents and information about the program. CRACKDOWN. Although the government
won't discuss the investigation, the computer world has a pretty good idea
what's going on. Because sophisticated encryption allows friends and foes alike
to protect communications, the software is subject to the same export controls
as munitions. But PGP has popped up all over the world. The probe, says
Zimmermann's lawyer, Philip Dubois, is aimed at "finding out how it occurred and
whether an offense was committed."
Oddly, the crackdown on software comes just as the Administration is
loosening export controls on computer hardware. But the schizophrenia may be
more apparent than real. "I don't think they've got the export policy together
enough to be split," says a key congressional staffer. The underlying problem,
explains Paul Freedenberg, a Washington attorney and export-control specialist,
is that "Clinton is very cautious about dabbling in national security. This is
an area that has essentially been turned over to the spooks."
Meanwhile, there is growing concern in Congress about possible damage to
exports. Quality encryption software "is available from foreign
manufacturers...and is easily transmitted using only a long-distance telephone
line and a modem," complained Representative Sam Gejdenson (D-Conn.) and a
high-powered bipartisan group of colleagues in a Sept. 20 letter to the
President. "Yet the U.S. continues to control this computer software as a
Munitions List item." Says Douglas Miller of the Software Publishers Assn.: "The
U.S. government is succeeding only in crippling an American industry's exporting
ability."
While the goal of the NSA and other security agencies __ keeping U.S.
messages secure while allowing Uncle Sam to read those of both domestic and
foreign bad guys __ is laudable, technology may be rendering it impossible. "Law
enforcers no longer have the inside track," says Eben Moglen of Columbia
University law school.
Experts agree that NSA officials are smart enough to see the writing on the
wall, encrypted or not. But, says James Bitzos, president of RSA Data Security
Inc. in Redwood City, Calif., the agency wants to maintain as much control as
possible for as long as possible. Today, intelligence agencies still have a shot
at finding "needles in the haystack," he says. "If they lift export controls,
they might as well go home."
Still, the NSA can't stave off the inevitable for long. Gejdenson hopes to
produce legislation by early next year to revamp government policy on high-tech
exports. The result will probably include looser restrictions on encryption
software __ and a victory for Phil Zimmermann in his battle to keep snoops out
of his cyberspace.
________________________________________________________________________________
October 4, 1993
Philip Zimmermann wanted to strike a blow for freedom. To help computer users
keep data safe from snoopers, the Boulder (Colo.) software consultant and
self-described "privacy activist" wrote a program making it easy to encode
messages with an all-but-unbreakable cipher. And he offered it free through the
network known as the Internet.
Now, Zimmermann's gift to cyberspace has exposed an enormous gap in the
Administration's vision of a high-tech future. The White House is promoting a
data superhighway as a key to a competitive future. But the National Security
Agency is trying to restrict the use of high-quality encryption, which experts
believe business will need to take full advantage of the "information
infrastructure."
The focus of the fight is a program Zimmermann calls " pretty good privacy"
(PGP). On Sept. 9, two software companies in Texas and Arizona that have been
involved in publishing PGP received federal grand-jury subpoenas requesting
documents and information about the program. CRACKDOWN. Although the government
won't discuss the investigation, the computer world has a pretty good idea
what's going on. Because sophisticated encryption allows friends and foes alike
to protect communications, the software is subject to the same export controls
as munitions. But PGP has popped up all over the world. The probe, says
Zimmermann's lawyer, Philip Dubois, is aimed at "finding out how it occurred and
whether an offense was committed."
Oddly, the crackdown on software comes just as the Administration is
loosening export controls on computer hardware. But the schizophrenia may be
more apparent than real. "I don't think they've got the export policy together
enough to be split," says a key congressional staffer. The underlying problem,
explains Paul Freedenberg, a Washington attorney and export-control specialist,
is that "Clinton is very cautious about dabbling in national security. This is
an area that has essentially been turned over to the spooks."
Meanwhile, there is growing concern in Congress about possible damage to
exports. Quality encryption software "is available from foreign
manufacturers...and is easily transmitted using only a long-distance telephone
line and a modem," complained Representative Sam Gejdenson (D-Conn.) and a
high-powered bipartisan group of colleagues in a Sept. 20 letter to the
President. "Yet the U.S. continues to control this computer software as a
Munitions List item." Says Douglas Miller of the Software Publishers Assn.: "The
U.S. government is succeeding only in crippling an American industry's exporting
ability."
While the goal of the NSA and other security agencies __ keeping U.S.
messages secure while allowing Uncle Sam to read those of both domestic and
foreign bad guys __ is laudable, technology may be rendering it impossible. "Law
enforcers no longer have the inside track," says Eben Moglen of Columbia
University law school.
Experts agree that NSA officials are smart enough to see the writing on the
wall, encrypted or not. But, says James Bitzos, president of RSA Data Security
Inc. in Redwood City, Calif., the agency wants to maintain as much control as
possible for as long as possible. Today, intelligence agencies still have a shot
at finding "needles in the haystack," he says. "If they lift export controls,
they might as well go home."
Still, the NSA can't stave off the inevitable for long. Gejdenson hopes to
produce legislation by early next year to revamp government policy on high-tech
exports. The result will probably include looser restrictions on encryption
software __ and a victory for Phil Zimmermann in his battle to keep snoops out
of his cyberspace.
________________________________________________________________________________
October 3, 1993, Sunday, Home Edition
When Charles and Diana discovered millions of people were reveling in their
most intimate telephone calls, the world's most public couple had to face the
facts of private life in the electronic age.
In a world of cellular phones, computer networks, electronic mail and
interactive TV, the walls might as well have ears.
With the explosion of such devices, more people and companies __ from banks
to department stores __ seem to have more access to more information that
someone wants to keep private. In response, computer users are devising their
own electronic codes to protect such secrets as corporate records, personal mail
or automated teller transactions.
Historically, the biggest ears have belonged to the federal government, which
has used surveillance techniques designed to track down criminals and security
risks to keep electronic tabs on subjects ranging from civil rights leaders to
citizens making overseas calls.
But, today, federal officials are afraid that advanced technology, which for
almost 50 years has allowed them to conduct surveillance on a global scale, is
about to make such monitoring impossible.
Now, federal intelligence and law enforcement agencies are insisting on their
right to eavesdrop.
The government is proposing a standardized coding, or encryption, system that
would eliminate eavesdropping by anyone except the one holder of the code's key
__ the government itself.
To ensure that federal agents and police can continue to wiretap
communications, the National Institute of Standards and Technology (NIST) is
introducing a national electronic code. It will cover all telephone systems and
computer transmissions, with a built-in back door that police can unlock with a
court order and an electronic key.
White House and FBI officials insist they have no way to force any company to
adopt the new technology. They will not outlaw other forms of coding, they said.
But experts say a series of regulatory actions involving Congress, the State
Department, the U.S. attorney general, export licensing restrictions and the
purchasing power of the federal government will effectively force people to use
the code.
The government's plan has triggered an outcry among computer users, civil
rights groups and others. The American Civil Liberties Union and groups of
computer professionals say the plan raises major constitutional questions.
Federal laws are designed to limit the government's ability to wiretap, not
guarantee it, they say.
"Where does the U.S. government get the right to understand everything that
is transmitted?" asked Michel Kabay, director of education for the National
Computer Security Assn. in Carlisle, Pa.
Not so many years ago, powerful encryption techniques were the monopoly of
military and intelligence agencies. Over time, computer experts and corporate
cryptographers created codes to protect their private communications. Some of
these scramble electronic signals so thoroughly that even the supercomputers of
the National Security Agency cannot decipher them. One of the best codes, called
Pretty Good Privacy, is free and can be downloaded from computer network
libraries around the world __ yet it still contains safeguards that protect its
secrets from prying eyes.
Combined with advances in fiber optics and digital communications, these
codes enable people to send electronic mail, computer files and faxes the
government cannot read, and to make phone calls even the most sophisticated
wiretapper cannot understand.
As new technologies converge to form the roadbed of a national information
superhighway, the government faces the prospect of millions of people around the
world communicating in the absolute privacy of the most secure codes science can
devise.
At the same time, hundreds of phone companies channel calls through new
digital switches into long-distance fiber-optic cables where, translated into
light-speed laser pulses, they may elude interception more easily. Dozens of
other companies are organizing global wireless digital networks to send phone
calls, faxes and computer files over the airwaves to people no matter where they
are or how often they move.
Given all this, NIST officials say the new code, called Skipjack, is the
government's attempt to strike a balance between personal privacy and public
safety.
They say it will protect people from illicit eavesdropping, while allowing an
authorized government agent to unlock any scrambled call or encrypted computer
message. It could be incorporated into virtually every computer modem, cellular
phone and telecommunications system manufactured in the United States.
Designed by the National Security Agency, which conducts most of the
country's communications surveillance, the code is one facet of an ambitious
government blueprint for the new information age.
But critics say the code is just one of several steps by federal law
enforcement groups and intelligence agencies to vastly expand their ability to
monitor all telecommunications and to access computer databases.
Federal officials acknowledge that they are even considering the idea that
foreign governments should be given the keys to unlock long-distance calls,
faxes and computer transmissions from the United States. An international
agency, supervised by the United Nations or Interpol, might be asked to hold in
trust the keys to electronic codes, said Clint Brooks, a senior NSA technical
adviser.
The Skipjack furor pits the White House, the FBI and some of the government's
most secret agencies against privacy advocates, cipher experts, business
executives and ragtag computer-zoids who say codes the government cannot break
are the only way to protect the public from the expanding reach of electronic
surveillance.
On the computer networks that link millions of users and self-styled
Cypherpunks __ a group of encryption specialists __ the federal proposal has
stirred fears of an electronic Big Brother and the potential abuse of power.
"It really is Orwellian when a scheme for surveillance is described as a
proposal for privacy," said Marc Rotenberg, Washington director of Computer
Professionals for Social Responsibility.
Encryption is the art of concealing information in the open by hiding it in a
code. It is older than the alphabet, which is itself a code that almost everyone
knows how to read.
Today, electronic codes conceal trade secrets, protect sensitive business
calls and shelter personal computer mail. They also scramble pay-per-view cable
television programs and protect electronic credit card transactions.
Everyone who uses an automated teller machine is entrusting financial secrets
to an electronic code that scrambles transmissions between the automated teller
and the bank's main computer miles away. One inter-bank network moves $1
trillion and 1 million messages around the world every day, swaddled in the
protective cocoon of its code.
Nowhere has the demand for privacy grown so urgent as on the international
confederation of computer systems known as the Internet. There, in a proving
ground for the etiquette of electronic communication, millions of people in
dozens of countries are adopting codes to protect their official business, swap
gossip and exchange personal notes elbow-to-elbow in the same crowded electronic
bazaar.
"People have been defending their own privacy for centuries with whispers,
darkness, envelopes, closed doors, secret handshakes and couriers," said Eric
Hughes, moderator of the Cypherpunks, an Internet group that specializes in
encryption. "We are defending privacy with cryptography, with anonymous
mail-forwarding systems, with digital signatures and with electronic money."
And it's working. The technology is leaving law enforcement behind.
Federal officials who defend the Skipjack plan say they are worried about too
much privacy in the wrong hands.
"Are we going to let technology repeal this country's wiretap laws?" asked
James K. Kallstrom, FBI chief of investigative technology. Under U.S. law, any
wiretap not sanctioned by a court order is a felony.
Federal law enforcement agencies and intelligence groups were galvanized last
fall when AT&T introduced the first inexpensive mass-market device to scramble
phone calls. The scrambler contains a computer chip that generates an electronic
code unique to each conversation.
FBI officials paled at what they said was the prospect of racketeers, drug
dealers or terrorists being able to find sophisticated phone scramblers to code
and decode calls at the nearest phone store.
National security analysts and Defense Department officials say U.S.
intelligence agencies find the new generation of computer encryption techniques
especially unsettling. It promises to make obsolete a multibillion-dollar
investment in secret surveillance facilities and spy satellites.
"We would have the same concerns internationally that law enforcement would
have domestically about uncontrolled encryption," said Stewart A. Baker, NSA
general counsel.
NSA officials are reluctant to discuss their surveillance operations, but
they said they would not want terrorists or anyone else "targeting the United
States" to be able to communicate in the secrecy provided by unbreakable modern
codes.
The Clinton Administration is expected to advise telecommunications and
computer companies this fall to adopt the Skipjack code as a new national
encryption standard used by the government, the world's largest computer user,
and anyone who does business with it.
The government also will be spending billions in the next 10 years to promote
a public network of telecommunications systems and computer networks called the
National Information Infrastructure. Any firm that wants to join will have to
adopt the Skipjack code.
Skipjack is being offered to the public embedded in a tamper-proof, $26
computer circuit called the Clipper Chip. It is produced by Mykotronx Inc., a
computer company in Torrance.
To make it easier for agents to single out the proper conversation in a
stream of signals, every Clipper Chip has its own electronic identity and
broadcasts it in every message it scrambles.
Federal agents conducting a court-authorized wiretap can identify the code
electronically and then formally request the special keys that allow an outsider
to decipher what the chip has scrambled.
Federal officials say they expect companies to incorporate the chip into
consumer phone scramblers, cellular phones and "secure" computer modems. Within
a few years, FBI officials say, they expect the Skipjack code to be part of
almost every encryption device available to the average consumer.
Many companies say they are leery of adopting the sophisticated electronic
code, even though it could protect them from foreign intelligence agencies and
competitors seeking their trade secrets. But AT&T, which has a long history of
cooperating with the government on communications surveillance, has already
agreed to recall the company's consumer scramblers and refit them this fall with
the new chip.
Even without Skipjack and the Clipper Chip, advanced computers and electronic
databases already have expanded government's ability to track and monitor
citizens.
Searches of phone records, computer credit files and other databases are at
an all-time high, and court-authorized wiretaps __ which listened in on 1.7
million phone conversations last year __ monitor twice as many conversations as
a decade ago, federal records show.
The General Accounting Office says that federal agencies maintain more than
900 databanks containing billions of personal records about U.S. citizens.
This type of easy access to electronic information is addictive, critics
contend.
Since the FBI set up its computerized National Criminal Information Center in
1967, for example, information requests have grown from 2 million a year to
about 438 million last year, and the criminal justice database itself now
encompasses 24 million files.
The FBI records system, like computer files at the Internal Revenue Service,
is "routinely" used for unauthorized purposes by some federal, state and local
law enforcement agencies, the General Accounting Office said.
GAO auditors found that some police agencies have used the FBI system to
investigate political opponents. Others have sold FBI information to companies
and private investigators. In Arizona, a former law enforcement official used it
to track down his estranged girlfriend and kill her, the auditors reported.
What the government can't find in its own files, it can obtain from any one
of hundreds of marketing firms that specialize in compiling electronic dossiers
on citizens. The FBI is seeking authority from Congress to obtain those records
without consulting a judge or notifying the individual involved, which is
required now.
Information America, for example, offers data on the location and profiles of
more than 111 million Americans, 80 million households and 61 million telephone
numbers. Another firm specializes in gay men and lesbians.
A third, a service for doctors called Patient Select, singles out millions of
people with nervous stomachs.
Computer experts say encryption can draw a curtain across such electronic
windows into private life.
In fact, the FBI is planning to encrypt its criminal justice computer files.
"Recent years have seen technological developments that diminish the privacy
available to the individual," said Whitfield Diffie, a pioneering computer
scientist who helped invent modern cryptography. "Cameras watch us in the
stores, X-ray machines search us at the airport, magnetometers look to see that
we are not stealing from the merchants, and databases record our actions and
transactions.
"Cryptography," he said, "is perhaps alone in its promise to give us more
privacy rather than less."
NEXT: Inside the company that makes the secret chip.
Scrambling for Privacy
As more people and companies adopt codes to protect their telephone calls,
faxes and computer files, the federal government has proposed a national
encryption standard that will allow people to protect their privacy while
ensuring that law enforcement agents can still wiretap telecommunications. Here
is how it would work:
1. When someone using a Skipjack-equipped secure phone calls another secure
phone, chips inside the phone generate a unique electronic code to scramble the
conservation.
2. The chip also broadcasts a unique identifying serial number.
3. If a law enforcement agent wants to listen in, he first must obtain a
court order and the get the chip's serial number from the signal.
4. The agent obtains takes that number to the Treasury Department and the
National Institute of Standards and Technology, which keep the government's
digital keys to the chip.
5. The keys are combined to unscramble the conversation. When legal
authorization for the wiretap expires, the keys are destroyed.
*
The Skipjack Code
Designer: The National Security Agency.
Manufacturer: Mykotronx Inc. in Torrance.
Users: Anyone who wants to make sure their telephone calls, faxes, electronic
mail or computer transmissions are private.
When available: This fall from AT&T.
Cost: Available only on a tamper-proof $26 Clipper Chip.
Programming the Clipper Chip
Each Clipper Chip is permanently imprinted with a unique serial number, a
unique key and a family key.
1. Two 80-digit random strings of zeros and ones are selected.
2. They are factored together to form the chip's unique key the key is then
split in half.
3. Each half is paired with the serial number of the chip to form two keys.
5. One is kept by the Treasury Department and the other by the National
Institute of Standards and Technology.
Sources: U.S. National Security Agency, Mykotronx Inc.
Someone Is Listening
To eavesdrop on a telephone conversation, law enforcement agents must obtain
a court order, but they can use other devices, such as so-called pen registers,
that record incoming or outgoing telephone numbers without actually listening to
the calls.
WIRETAP COURT ORDERS
From 1985 through 1991, court-ordered wiretaps resulted in 7,324 convictions
and nearly $300 million in fines. A single court order can involve many
telephones. This data includes federal and state orders, but does not include
many national security wiretaps.
1985: 784
1986: 754
1987: 673
1988: 738
1989: 763
1990: 872
1991: 856
1992: 919
*
MONITORING PHONE ACTIVITY
Pen registers are devices that record only the outgoing numbers dialed on a
telephone under surveillance. Below are the number of pen registers in use, by
year.
1987: 1,682
1988: 1,978
1989: 2,384
1990: 2,353
1991: 2,445
1992: 3,145
Sources: Administrative Office of the U.S. Courts, U.S. Justice Department,
House Judiciary Committee
________________________________________________________________________________
Los Angeles Times, October 3, 1993
Computer Audit Update
October, 1993
In a decision with implications for free speech and data privacy, a US
Federal grand jury has issued subpoenas to two software companies that sell
versions of a popular data encryption program, according to a report in The New
York Times.
The investigation seems to be focusing on whether the programs, based on the
encryption software Pretty Good Privacy (PGP), have been exported in violation
of State Department regulations controlling the sale of weapons and other
technologies deemed to compromise national security.
ViaCrypt and Austin Code Works, the companies at the centre of the inquiry,
intend to sell licensed versions of PGP to software developers for incorporation
into their own programs. Under the terms of the subpoenas, the companies have
had to submit all correspondence and records relating to the international
distribution of their products, although both companies claim to have no
intention to sell their products abroad. "I think their more concerned with our
intentions than what we've done", said Leonard Mikus, president of Viacrypt.
"They're on a fishing expedition, but this could become a landmark case that
sets the limits that distinguish between electronic and conventional
publishing".
-----BEGIN PGP SIGNATURE-----
Version: 2.2
iQCVAgUBLfmoN00EOTLgG0HDAQH1QQP8Cb0AsAl/w5sUsqngLH/rL+8gJED3G4O4
UQcUT3YcmMWZmmWDwHO3HPppWsY8QuR+yU1FFMuiE4BQBz65HR7p0vYR9eB3ejJ7
tPQuQFjk2xHiiR9xggEbFlfUTwHh5F5W83cQPkqapjwA/RIPeN0l/C9wg+N2Ozbp
46D/BiLqPNE=
=z9dL
-----END PGP SIGNATURE-----