[Prev][Next][Index][Thread]
INLS310 Anonymity & Privacy Update for 3 Feb 97
INLS310 Anonymity & Privacy Update for 3 Feb 97
CONTENTS:
* Anonymity/Privacy in the News
* Hands-on Help
* Tools
* Policy
|:|:|:|:|:|:|:|:|:|:|:|:|:|:|:|:|:|:|::|:|:|:|:|:|:|:|:|:|:|:|:|:|:|:|:|:|:|
***
***ISSUE: A/P in the News
***
Date: Tue, 28 Jan 1997 15:59:15 -0800 (PST)
From: Ian Goldberg <iang@cs.berkeley.edu
To: cryptography@c2.net
Subject: Last nail for US crypto export policy?
EXPORTABLE CRYPTOGRAPHY TOTALLY INSECURE: CHALLENGE CIPHER BROKEN IMMEDIATELY
January 28, 1997 - Ian Goldberg, a UC Berkeley graduate student, announced
today that he had successfully cracked RSA Data Security Inc.'s 40-bit
challenge cipher in just under 3.5 hours.
RSA challenged scientists to break their encryption technology, offering a
$1000 award for breaking the weakest version of the code. Their offering
was designed to stimulate research and practical experience with the security
of today's codes.
The number of bits in a cipher is an indication of the maximum level of
security the cipher can provide. Each additional bit doubles the potential
security level of the cipher. A recent panel of experts recommended
using 90-bit ciphers, and 128-bit ciphers are commonly used throughout
the world, but US government regulations restrict exportable US products
to a mere 40 bits.
Goldberg's announcement, which came just three and a half hours after
RSA started their contest, provides very strong evidence that 40-bit
ciphers are totally unsuitable for practical security. "This is the
final proof of what we've known for years: 40-bit encryption technology
is obsolete," Goldberg said.
The US export restrictions have limited the deployment of technology
that could greatly strengthen security on the Internet, often affecting
both foreign and domestic users. "We know how to build strong
encryption; the government just won't let us deploy it. We need strong
encryption to uphold privacy, maintain security, and support commerce on
the Internet -- these export restrictions on cryptography must be
lifted," Goldberg explained. Fittingly, when Goldberg finally
unscrambled the challenge message, it read: "This is why you should use
a longer key."
Goldberg used UC Berkeley's Network of Workstations (known as the NOW) to
harness the computational resources of about 250 idle machines. This allowed
him to test 100 billion possible "keys" per hour -- analogous to safecracking
by trying every possible combination at high speed. This amount of computing
power is available with little overhead cost to students and employees at
many large educational institutions and corporations.
Goldberg is a founding member of the ISAAC computer security research group
at UC Berkeley. In the Fall of 1995, the ISAAC group made headlines by
revealing a major security flaw in Netscape's web browser.
+++
***
***ISSUE: Hands-on Help
***
EXCLUDING YOUR WEB PAGES FROM SEARCH ENGINES
Many search engines, indexers, and archives are beginning to support the
Robot Exclusion Standards and META tags, which allow administators and
site authors to exclude their servers and pages from these services.
The META tag exclusion syntax is:
<META NAME="robots" CONTENT="[none | noindex | nofollow]">
The "noindex" directive tells the robot not to index the page, and
"nofollow" tells it not to follow any of the links on the page. "None" is
equivalent to stating both directives. So to exclude both, the code to
put in your file(s) (within <HEAD>) is:
<META NAME="robots" CONTENT="none">
See http://info.webcrawler.com/mak/projects/robots/robots.html for more
information.
***
***ISSUE: Tools
***
You can find the latest version of PGP at:
http://web.mit.edu/network/pgp
***
***ISSUE: Policy
***
Date: Tue, 21 Jan 1997 14:15:40 -0800
From: John Gilmore <gnu@toad.com>
Subject: Risks of letting NSA near your laws (security fixes embargoed)
Lucky Green is right in RISKS-18.75. Security fixes and virus-protection
software are now export-controlled. Under the old ITAR, virus-protection
software was part of the list of *exempted* crypto software in
XIII(b)(1)(ix). Even if it used crypto, it wasn't embargoed if the
software's purpose was protection against malicious code.
In the new EAR, such software is specifically included as
export-controlled under category 5D002 -- even if it doesn't include
crypto!
It's now illegal to build worldwide products that are designed or modified
to protect against malicious computer damage.
This sounds like a manufacturer can't even fix bugs in their products if
the fix eliminates a security breach, since the fixed product is "modified
to protect against malicious computer damage". This is not a joke.
Everybody, it's time to call your lawyers...
It looks to me like the Information Warfare hawks have shot themselves in
the foot. They were probably trying to prevent American products from
defending foreign countries against infrastructure attacks by the US
military. Instead, as usual, they just leave our own infrastructure wide
open to attacks.
I encourage companies to comment to the Commerce Department about these
new regulations. They are listening for comments by Feb 13th; see the web
reference below for details. Don't expect your comments to change
anything; the NSA (which is pulling the strings here) seems to *want* the
US to be wide-open to both wiretapping and active attacks on
computer-based infrastructure.
John
[David Holland's contribution to RISKS-18.76 gave an http address
that pointed to a draft version. John points out that the
www.epic.org URL is correct, and so is http://jya.com/bxa123096.txt.]
RISKS-LIST: Risks-Forum Digest Weds 22 January 1997 Volume 18 : Issue 78
+++
|:|:|:|:|:|:|:|:|:|:|:|:|:|:|:|:|:|:|::|:|:|:|:|:|:|:|:|:|:|:|:|:|:|:|:|:|:|
Send comments or suggestions to: macmw@ils.unc.edu