Copy Link
Add to Bookmark
Report
SURFPUNK Technical Journal 104
Date: Fri, 11 Feb 94 00:46:23 PST
Reply-To: <surfpunk@versant.com>
Return-Path: <cocot@versant.com>
Message-ID: <surfpunk-0104@SURFPUNK.Technical.Journal>
Mime-Version: 1.0
Content-Type: text/plain
From: surfpunk@versant.com (frphevgl pyrnenapr erdhverq)
To: surfpunk@versant.com (SURFPUNK Technical Journal)
Subject: [surfpunk-0104] CLIPPER: some reactions
Prof. Denning has issued a defense of the Clipper proposal
(which she advocated in a CACM article long before the
initiative was announced). Her specifics are easy enough
to refute and I'm sure others will do so. However, she
closes with an idea so radical that it shocked me.
Her idea that we citizens need a security clearance in
order to enter the debate over whether or not we should
give up a right we've had for all time (to make, use,
disseminate, ..., our own strong cryptography, interfering
with the government's ability to spy on us) is so radically
off base that the technical debate pales by comparison.
- Carl Ellison
I believe everything in this issue came over the Cypherpunks list,
except for the trailer, which was on bugtraq@crimelab.com ..... strick
________________________________________________________________________
________________________________________________________________________
From: gnu@toad.com (John Gilmore)
To: cypherpunks@toad.com
Date: Mon, 07 Feb 94 13:14:48 -0800
------- Forwarded Message
To: gnu@toad.com
From: whitfield.diffie@Eng.Sun.COM
Date: Mon, 7 Feb 1994 at 13h01
Subject: Preliminary remarks
A preliminary reading of the public announcements made on Friday,
4 February 1994, about the results of the Interagency Review of Crypto
Policy, suggests that there is less than meets the eye, but there are
some interesting points.
Whitfield Diffie
> The two escrow agents are the National Institute of Standards and
> Technology (NIST), a part of the Department of Commerce, and the
> Automated Systems Division of the Department of the Treasury. The
> two escrow agents were chosen because of their abilities to
> safeguard sensitive information, while at the same time being able
> to respond in a timely fashion when wiretaps encounter encrypted
> communications. In addition, NIST is responsible for establishing
> standards for protection of sensitive, unclassified information in
> Federal computer systems.
Why NIST should excel among federal agencies or even Department of
Commerce agencies in the ability ``to safeguard sensitive information,
while at the same time being able to respond in a timely fashion when
wiretaps encounter encrypted communications'' is hardly obvious. I
would have thought the patent office, which has responsibility for for
the confidentiality of patent applications and has never, in my
memory, been accused of leaking would have been more plausible. The
final sentence sounds more like a conflict of interest than a
recommendation. Perhaps there is more in this selection than meets
the eye.
> * License Reform: Under new licensing arrangements, encryption
> manufacturers will be able to ship their products from the United
> States directly to customers within approved regions without
> obtaining individual licenses for each end user.
> * Rapid review of export license applications: . . .
> goal of two working days.
> * Personal use exemption: We will no longer require that U.S.
> citizens obtain an export license prior to taking encryption
> products out of the U.S. temporarily for their own personal use.
Pending the fine print, I suspect these will please lots of
people.
> * Allow exports of key-escrow encryption: After initial review,
> key-escrow encryption products may now be exported to most end
> users. Additionally, key-escrow products will qualify for special
> licensing arrangements.
This is, to me, the most interesting point. Allowing exports,
undercuts my assumption that the export significance of the trap-door
was merely to make the system unpalatable to foreigners and thereby
support a no-export policy. It brings into high relief the question
of how escrowed keys will be handled in respect to foreign
intelligence. The possibilities would seem to be:
o NSA is allowing the export of key escrow devices
despite the fact that it will not have access to
escrowed keys for reading their traffic and will
not be able to read the traffic.
o There are procedures we haven't been told about for
allowing NSA to get keys for reading the communications
of exported devices.
This will undoubtedly inspire concern that that route will be used
to obtain keys for illegal taps on Americans.
A plausible procedure would be to allow export without individual
export licenses, but to require reporting of all exported devices and
to transfer the keys to those devices to NSA. This would raise the
question of whether NSA should have access to the keys for devices
exported under the personal use exemption.
o Despite all the assurances, there is another trap door
in the algorithm that will be used in reading foreign
traffic. A publicly explainable mechanism is needed
if the intercepts are to be used in court, but not if
they are to be `Handled Via COMINT Channels Only.'
> - Approval by the Commerce Secretary of the Escrowed Encryption
> Standard (EES) as a voluntary Federal Information Processing
> Standard, which will enable government agencies to purchase the
> Key Escrow chip for use with telephones and modems. The
> department's National Institute of Standards and Technology
> (NIST) will publish the standard.
This is a surprise to me. I thought that after a `no vote' of 300
to 2 the first time around, they would a least go through the ritual
of another round of comments.
> The Administration has created a new interagency working group on
> data security to deal with issues like encryption and digital
> telephony. . . .
> In addition, the working group will coordinate Administration
> policies regarding digital telephony. As more and more telephone
> companies install high-speed, digital communications links, it
> becomes more and more difficult for law enforcement agencies to
> conduct wiretaps. The working group will work with industry to
> ensure that new digital telecommunications systems are designed in
> a way that ensures that do not prevent court authorized wiretaps.
This suggests that they have stopped trying to stiff the telephone
companies for the cost of building in the spying and may come around
with some `incentives.' No doubt this will get them a much warmer
reception.
> These procedures do not create, and are not intended to create,
> any substantive rights for individuals intercepted through
> electronic surveillance, and noncompliance with these procedures
> shall not provide the basis for any motion to suppress or other
> objection to the introduction of electronic surveillance evidence
> lawfully acquired.
This hardly seems likely to allay the suspicions of anyone who was
skeptical about the abuse potential of key escrow.
------- End of Forwarded Message
________________________________________________________________________
From: Mike Godwin <mnemonic>
Message-Id: <199402072159.QAA06512@eff.org>
Subject: EFF Wants You (to add your voice to the crypto fight)
To: mech@eff.org, mnemonic (Mike Godwin)
Date: Mon, 7 Feb 1994 16:59:32 -0500 (EST)
* DISTRIBUTE WIDELY *
Monday, February 7th, 1994
From: Jerry Berman, Executive Director of EFF
jberman@eff.org
Dear Friends on the Electronic Frontier,
I'm writing a personal letter to you because the time has now come for
action. On Friday, February 4, 1994, the Administration announced that it
plans to proceed on every front to make the Clipper Chip encryption scheme
a national standard, and to discourage the development and sale of
alternative powerful encryption technologies. If the government succeeds
in this effort, the resulting blow to individual freedom and privacy could
be immeasurable.
As you know, over the last three years, we at EFF have worked to ensure
freedom and privacy on the Net. Now I'm writing to let you know about
something *you* can do to support freedom and privacy. *Please take a
moment to send e-mail to U.S. Rep. Maria Cantwell (cantwell@eff.org) to
show your support of H.R. 3627, her bill to liberalize export controls on
encryption software.* I believe this bill is critical to empowering
ordinary citizens to use strong encryption, as well as to ensuring that
the U.S. software industry remains competitive in world markets.
Here are some facts about the bill:
Rep. Cantwell introduced H.R. 3627 in the House of Representatives on
November 22, 1993. H.R. 3627 would amend the Export Control Act to move
authority over the export of nonmilitary software with encryption
capabilities from the Secretary of State (where the intelligence community
traditionally has stalled such exports) to the Secretary of Commerce. The
bill would also invalidate the current license requirements for
nonmilitary software containing encryption capablities, unless there is
substantial evidence that the software will be diverted, modified or
re-exported to a military or terroristic end-use.
If this bill is passed, it will greatly increase the availability of
secure software for ordinary citizens. Currently, software developers do
not include strong encryption capabilities in their products, because the
State Department refuses to license for export any encryption technology
that the NSA can't decipher. Developing two products, one with less secure
exportable encryption, would lead to costly duplication of effort, so even
software developed for sale in this country doesn't offer maximum
security. There is also a legitimate concern that software companies will
simply set up branches outside of this country to avoid the export
restrictions, costing American jobs.
The lack of widespread commercial encryption products means that it will
be very easy for the federal government to set its own standard--the
Clipper Chip standard. As you may know, the government's Clipper Chip
initiative is designed to set an encryption standard where the government
holds the keys to our private conversations. Together with the Digital
Telephony bill, which is aimed at making our telephone and computer
networks "wiretap-friendly," the Clipper Chip marks a dramatic new effort
on the part of the government to prevent us from being able to engage in
truly private conversations.
We've been fighting Clipper Chip and Digital Telephony in the policy arena
and will continue to do so. But there's another way to fight those
initiatives, and that's to make sure that powerful alternative encryption
technologies are in the hands of any citizen who wants to use them. The
government hopes that, by pushing the Clipper Chip in every way short of
explicitly banning alternative technologies, it can limit your choices for
secure communications.
Here's what you can do:
I urge you to write to Rep. Cantwell today at cantwell@eff.org. In the
Subject header of your message, type "I support HR 3627." In the body of
your message, express your reasons for supporting the bill. EFF will
deliver printouts of all letters to Rep. Cantwell. With a strong showing
of support from the Net community, Rep. Cantwell can tell her colleagues
on Capitol Hill that encryption is not only an industry concern, but also
a grassroots issue. *Again: remember to put "I support HR 3627" in your
Subject header.*
This is the first step in a larger campaign to counter the efforts of
those who would restrict our ability to speak freely and with privacy.
Please stay tuned--we'll continue to inform you of things you can do to
promote the removal of restrictions on encryption.
In the meantime, you can make your voice heard--it's as easy as e-mail.
Write to cantwell@eff.org today.
Sincerely,
Jerry Berman
Executive Director, EFF
jberman@eff.org
P.S. If you want additional information about the Cantwell bill, send
e-mail to cantwell-info@eff.org. To join EFF, write membership@eff.org.
The text of the Cantwell bill can be found with the any of the following
URLs (Universal Resource Locaters):
ftp://ftp.eff.org/pub/Policy/Legislation/cantwell.bill
http://www.eff.org/ftp/EFF/Policy/Legislation/cantwell.bill
gopher://gopher.eff.org/00/EFF/legislation/cantwell.bill
________________________________________________________________________
From: Mike Godwin <mnemonic>
Message-Id: <199402072010.PAA04906@eff.org>
Subject: Newspaper coverage of Administration encryption announcements
To: eff-staff, eff-board
Date: Mon, 7 Feb 1994 15:10:49 -0500 (EST)
The Washington Post, the New York Times, and the Wall Street Journal have
all published stories over the last three days concerning the
Administration's announcement on Friday, Feb. 5, 1994, that it will
continue to deploy the controversial "Clipper Chip" encryption technology
and will not significantly change its export controls.
>From the Post on Saturday:
"That means the administration will continue long-standing restrictions on
exports of powerful encryption devices that the NSA cannot crack, and
continue to encourage use of NSA-developed encryption gear, called the
"Clipper chip," by all U.S. firms. The Clipper Chip makes it relatively
easy for the government to eavesdrop on encrypted communications....
"Further, government officials said, the administration is expected in a
few weeks to endorse an FBI proposal that U.S. telecommunications firms be
required to guarantee law enforcement agencies' ability to tape phone and
computer lines regardless of where the technology goes.
"At the core of these high-tech disputes lies a fundamental conflict
between Americans' cherished privacy rights and the government's
investigative needs."
>From the Times on Saturday:
"But the Administration's action immediately drew a chorus of criticism
from both business and privacy-rights groups. Computer and software
companies, including Apple Computer, I.B.M. and Microsoft, have adamantly
opposed the Clipper Chip because they believe customers will not trust an
encryption program that was built by the government and whose inner
workings remain a secret.
"Perhaps more importantly, they fear that it will harm their ability to
export products; they predict that foreign customers will resist buying
computers and telecommunications equipment built with decoding technology
devised by the National Security Agency.
"Privacy-rights groups argue that the technology could lead to
unauthorized eavesdropping, because the keys for unscrambling the code
will remain in official hands.
"'This is bad for privacy, bad for security and bad for exports,' said
Jerry Berman, executive director of the Electronic Frontier Foundation, a
Washington nonprofit group that lobbies on privacy issues related to
electronic networks. 'The Administration is preparing to implement systems
that the public will not trust, that foreign countries will not buy, and
that terrorists will overcome.'"
>From the Wall Street Journal on Monday:
"The issue has become a controversial one between law enforcement
officials and the computer industry and civil libertarians. In unfolding
details of the administration's decision, Mike Nelson, an official at the
Office of Science and Technology Policy, said the issue was so difficult
it represented 'the Bosnia of telecommunications policy.'
"Jerry Berman, executive director of the Electronic Frontier Foundation, a
Washington-based computer users' civil-rights group, said the
administration's handling of the Clipper Chip policy could make it 'as
successful' as the Bosnia policy, which has come under widespread
criticism."
William Safire has also written about this in today's NYTimes.
[It was worth looking up --strick ]
________________________________________________________________________
________________________________________________________________________
The SURFPUNK Technical Journal is a dangerous multinational hacker zine
originating near BARRNET in the fashionable western arm of the northern
California matrix. Quantum Californians appear in one of two states,
spin surf or spin punk. Undetected, we are both, or might be neither.
________________________________________________________________________
Send postings to <surfpunk@versant.com>,
subscription requests to <surfpunk-request@versant.com>.
WWW Archive at ``http://www.acns.nwu.edu/surfpunk/''. [stale; moving soon]
________________________________________________________________________
________________________________________________________________________
From: erikb@tic.com (Chris Goggans)
Subject: Insecurity? What else is new?
Date: Thu, 10 Feb 94 00:02:42 -0600
To: firewalls@GreatCircle.COM
As many have read lately, the Internet is once
again the center of attention for people up in
arms about "SECURITY PROBLEMS!!"
This is a load of hooey. What is happening now,
is no different than what has been going on for
years. The only difference now is that more
reporters are (or at least consider themselves)
net aware.
Here's the story...
The biggest perpetrators of the recent break ins
(recent meaning the last year or so) have been a
group of miscreants who are oftimes referred to
as "The Posse."
They, and their friends, are located in
Pennsylvania, New York/New Jersey, Ohio, Arizona,
and Florida.
One of the PA residents, and the FL person,
involved in the breakins has parted ways with the
two main people involved due to in-fighting among
their little group. The New York/New Jersey
parties are not as actively involved in the
hacking, but perfom needed social engineering and
phone related tricks for the group in exchange
for other favors. The main antagonists are both
in their late teens...a PA data entry clerk, and
an OH hotel desk clerk.
Their main method of attack involves getting root
on a site then monitoring incoming and outgoing
traffic using ethernet sniffers (on suns since
they are too pathetic to port their swiped
esniff.c program to run on ultrix or other
variants) and capturing all tcp activity. They
then use this information to get in other hosts
and start over.
They have programs that allow them to get ypmaps
from remote (ypsnarf.c); to nfs mount damn near
anything; to get root using sendmail, rdist, the
mult bug, and others.
They have patches to allow them the ability to
place backdoors in login and in.telnetd, and to
run other shells to let them jump over
firewalls. They have utilities to remove
themselves from wtmp, utmp, pacct, ps, and
netstat. Unless you have a tcp-wrapper going,
you probably wont notice them.
I would estimate that about 25% of the American
Internet is compromised. This is predominantly
university traffic but since these are the people
behind breakins at The Well, CNS, Panix, NSFNet,
BarrNet, Sun, and others, its pretty safe to
assume that they have a lot of fun addresses to
play with.
Although they have amassed a HUGE amount of hosts
through their sniffing, it is unclear as to what
they want with the hosts. The predominant motive
appears to be the ability to get on IRC
anonymously and send ICMP floods to servers and
annoy people. They also play games impersonating
people on netnews and mail, they fake hacking
attempts in order to try to frame people, they
play phone games and prank people over and over
or otherwise disconnect or disrupt service, they
get credit information or billing records to
spread around, etc.
(As I said before, its pretty pathetic)
The real crime here is that the authorities know
precisely who is involved, and it persists. One
individual was even involved with the MOD busts a
few years back and is no longer a minor. Perhaps
this time his father won't be able to intervene.
They really dont seem to care what happens to
them, and they know full well that the
authorities have been questioning people about
them, yet they persist. Obviously the illusion
of power on the net is far more desirable than
their petty real lives.
my .02
- ->ME
