Dec 132017
| Computer Underground Digest #6.23. | |||
|---|---|---|---|
| File Name | File Size | Zip Size | Zip Type |
| CUD623.TXT | 44855 | 18082 | deflated |
Download File CUD623.ZIP Here
Contents of the CUD623.TXT file
Computer underground Digest Thu Mar 10, 1994 Volume 6 : Issue 23
ISSN 1004-042X
Editors: Jim Thomas and Gordon Meyer ([email protected])
Archivist: Brendan Kehoe (He's Baaaack)
Acting Archivist: Stanton McCandlish
Shadow-Archivists: Dan Carosone / Paul Southworth
Ralph Sims / Jyrki Kuoppala
Ian Dickinson
Copita Editor: Sheri O'Nothera
CONTENTS, #6.23 (Mar 10, 1994)
File 1--Time Magazine on Clipper
File 2--Some Thoughts on Clipper (by Jim Bidzos)
File 3--Dennings' Newsday piece is Convincing (Re CuD #6.20)
File 4--Re: Newsday Clipper Story (CuD 6.19)
File 5--Newsday's Encryption and Law Enforcement (Re: CuD 6.19)
File 6--DOS is not dead yet. . . .
File 7--Response to Frisk (Re CuD 6.19)
File 8--Re: "Hackers" Whack Harding (CuD 6.19)
File 9--"Porn Press Release" from EFF is a Hoax
Cu-Digest is a weekly electronic journal/newsletter. Subscriptions are
available at no cost electronically.
CuD is available as a Usenet newsgroup: comp.society.cu-digest
Or, to subscribe, send a one-line message: SUB CUDIGEST your name
Send it to [email protected] or [email protected]
The editors may be contacted by voice (815-753-0303), fax (815-753-6302)
or U.S. mail at: Jim Thomas, Department of Sociology, NIU, DeKalb, IL
60115, USA.
Issues of CuD can also be found in the Usenet comp.society.cu-digest
news group; on CompuServe in DL0 and DL4 of the IBMBBS SIG, DL1 of
LAWSIG, and DL1 of TELECOM; on GEnie in the PF*NPC RT
libraries and in the VIRUS/SECURITY library; from America Online in
the PC Telecom forum under "computing newsletters;"
On Delphi in the General Discussion database of the Internet SIG;
on RIPCO BBS (312) 528-5020 (and via Ripco on internet);
and on Rune Stone BBS (IIRGWHQ) (203) 832-8441.
CuD is also available via Fidonet File Request from
1:11/70; unlisted nodes and points welcome.
EUROPE: from the ComNet in LUXEMBOURG BBS (++352) 466893;
In ITALY: Bits against the Empire BBS: +39-461-980493
FTP: UNITED STATES: etext.archive.umich.edu (141.211.164.18) in /pub/CuD/
aql.gatech.edu (128.61.10.53) in /pub/eff/cud/
EUROPE: nic.funet.fi in pub/doc/cud/ (Finland)
nic.funet.fi
ftp.warwick.ac.uk in pub/cud/ (United Kingdom)
COMPUTER UNDERGROUND DIGEST is an open forum dedicated to sharing
information among computerists and to the presentation and debate of
diverse views. CuD material may be reprinted for non-profit as long
as the source is cited. Authors hold a presumptive copyright, and
they should be contacted for reprint permission. It is assumed that
non-personal mail to the moderators may be reprinted unless otherwise
specified. Readers are encouraged to submit reasoned articles
relating to computer culture and communication. Articles are
preferred to short responses. Please avoid quoting previous posts
unless absolutely necessary.
DISCLAIMER: The views represented herein do not necessarily represent
the views of the moderators. Digest contributors assume all
responsibility for ensuring that articles submitted do not
violate copyright protections.
----------------------------------------------------------------------
Date: Sun, 6 Mar 1994 14:13:18 -0500
From: Dave Banisar
Subject: File 1--Time Magazine on Clipper
Time Magazine, March 14, 1994
TECHNOLOGY
WHO SHOULD KEEP THE KEYS?
The U.S. government wants the power to tap into every phone, fax and
computer transmission
BY PHILIP ELMER-DEWITT
... (general background)
... (general info on techo advances)
Thus the stage was set for one of the most bizarre technology-policy
battles ever waged: the Clipper Chip war. Lined up on one side are the three-
letter cloak-and-dagger agencies -- the NSA, the CIA and the FBI -- and key
policymakers in the Clinton Administration (who are taking a surprisingly
hard line on the encryption issue). Opposing them is an equally unlikely
coalition of computer firms, civil libertarians, conservative columnists and
a strange breed of cryptoanarchists who call themselves the cypherpunks.
At the center is the Clipper Chip, a semiconductor device that the NSA
developed and wants installed in every telephone, computer modem and fax
machine. The chip combines a powerful encryption algorithm with a ''back
door'' -- the cryptographic equivalent of the master key that opens
schoolchildren's padlocks when they forget their combinations. A ''secure''
phone equipped with the chip could, with proper authorization, be cracked by
the government. Law-enforcement agencies say they need this capability to
keep tabs on drug runners, terrorists and spies. Critics denounce the Clipper
-- and a bill before Congress that would require phone companies to make it
easy to tap the new digital phones -- as Big Brotherly tools that will strip
citizens of whatever privacy they still have in the computer age.
In a Time/CNN poll of 1,000 Americans conducted last week by Yankelovich
Partners, two-thirds said it was more important to protect the privacy of
phone calls than to preserve the ability of police to conduct wiretaps. When
informed about the Clipper Chip, 80% said they opposed it.
The battle lines were first drawn last April, when the Administration
unveiled the Clipper plan and invited public comment. For nine months
opponents railed against the scheme's many flaws: criminals wouldn't use
phones equipped with the government's chip; foreign customers wouldn't buy
communications gear for which the U.S. held the keys; the system for giving
investigators access to the back-door master codes was open to abuse; there
was no guarantee that some clever hacker wouldn't steal the keys. But in the
end the Administration ignored the advice. In early February, after computer-
industry leaders had made it clear that they wanted to adopt their own
encryption standard, the Administration announced that it was putting the NSA
plan into effect. Government agencies will phase in use of Clipper technology
for all unclassified communications. Commercial use of the chip will be
voluntary -- for now.
It was tantamount to a declaration of war, not just to a small group of
crypto-activists but to all citizens who value their privacy, as well as to
telecommunications firms that sell their products abroad. Foreign customers
won't want equipment that U.S. spies can tap into, particularly since
powerful, uncompromised encryption is available overseas. ''Industry is
unanimous on this,'' says Jim Burger, a lobbyist for Apple Computer, one of
two dozen companies and trade groups opposing the Clipper. A petition
circulated on the Internet electronic network by Computer Professionals for
Social Responsibility gathered 45,000 signatures, and some activists are
planning to boycott companies that use the chips and thus, in effect, hand
over their encryption keys to the government. ''You can have my encryption
algorithm,'' said John Perry Barlow, co-founder of the Electronic Frontier
Foundation, ''when you pry my cold dead fingers from my private key.''
... (history of Public Key encryption).
... (history of PGP)
Rather than outlaw PGP and other such programs, a policy that would
probably be unconstitutional, the Administration is taking a marketing
approach. By using its purchasing power to lower the cost of Clipper
technology, and by vigilantly enforcing restrictions against overseas sales
of competing encryption systems, the government is trying to make it
difficult for any alternative schemes to become widespread. If Clipper
manages to establish itself as a market standard -- if, for example, it is
built into almost every telephone, modem and fax machine sold -- people who
buy a nonstandard system might find themselves with an untappable phone but
no one to call.
That's still a big if. Zimmermann is already working on a version of PGP
for voice communications that could compete directly with Clipper, and if it
finds a market, similar products are sure to follow. ''The crypto genie is
out of the bottle,'' says Steven Levy, who is writing a book about
encryption. If that's true, even the nsa may not have the power to put it
back.
Reported by David S. Jackson/San Francisco and Suneel Ratan/Washington
------------------------------
Date: Tue Mar 8 12:07:47 1994
From [email protected]
Subject: File 2--Some Thoughts on Clipper (by Jim Bidzos)
SOME THOUGHTS ON CLIPPER, NSA, AND ONE KEY ESCROW ALTERNATIVE
In a recent editorial, Dr. Dorothy Denning of Georgtown University
argued in support of the U.S. government's proposed Clipper Chip, a
security device that would allow law enforcement to decipher the
communications of users of such devices.
Dr. Denning attempts to argue that Clipper is necessary for law
enforcement agencies to be able to do their job. I'm not going to
argue that one; there are plenty of people who can argue that
compromising privacy for all citizens in order to aid law enforcement
is a bad idea more effectively than I, particularly in the Clipper
case, where the arguments from law enforcement are dubious at best.
(The current justification is inadequate; there may be better reasons,
from a law enforcement perspective, but we haven't heard them yet.)
Without doubt, law enforcement and intelligence are huge stakeholders
in the debate over encryption. But every individual and corporation in
the U.S. must be included as well. Are NSA's actions really in the
best interests of all the stakeholders? Are there alternatives to the
current key escrow program?
If one steps back and looks at what has happened over the last few
years, one might well question the government's approach with Clipper,
if not its motivation, for dealing with this problem. (I believe it
may even be possible to conclude that Clipper is the visible portion
of a large-scale covert operation on U.S. soil by NSA, the National
Security Agency.) Over a number of years, through their subversion of
the Commerce Department (who should be championing the causes of U.S.
industry, not the intelligence agencies), NSA has managed to put many
U.S. government resources normally beyond their control, both legally
and practically, to work on their program of making U.S. and
international communications accessible.
The first step was the MOU (Memorandum of Understanding) between the
Commerce Department's National Institute of Standards and Technology
(NIST) and the Defense Department's NSA. This document appears to
contravene the provisions of the Computer Security Act of 1987, the
intent of which was to give NIST control over crypto standards-making
for the unclassified government and commercial sectors. The MOU
essentially gave NSA a veto over any proposals for crypto standards by
NIST.
By using the standards making authority of NIST, NSA is attempting to
force the entire U.S. government to purchase Clipper equipment since
only NIST-standard equipment may be purchased by government agencies.
This purchasing power can then be used to force U.S. manufacturers to
build Clipper products or risk losing government business. (GSA is
currently questioning NSA's authority to control government-wide
procurement, and should continue to do so.) This of course not only
subsidizes Clipper products, but could make Clipper a de facto
standard if the costs associated with alternatives are too high.
These costs to industry, of ignoring Clipper, come in the form of lost
government market share, costly support for multiple versions of
incompatible products, and non-exportability of non-Clipper products.
It also appears that NSA is desperately seeking a digital signature
standard that would force users to take that signature capability
wrapped up with a Clipper chip. If this is the case, as it appears to
be, then NSA has is trying to use what is probably the most powerful
business tool of the information age as a means to deny us its
benefits unless we subsidize and accept Clipper in the process. This
would, if true, be an unprecedented abuse of government power to
influence U.S. industry and control individual privacy. (Clipper is
part of a chip called Capstone, which is where their proposed digital
signature standard would be used.)
The overall cost of these policies is unknown. We only know that NSA
has spent a considerable amount of money on the program directly.
Other costs are not so obvious. They are:
- A burdened U.S. industry, which will have to build multiple products
or more expensive products that support multiple techniques;
- A low-intensity "trade war" with the rest of the world over
encryption;
- Lost sales to U.S. companies, since international buyers will surely
go to non-U.S. suppliers for non- Clipper encryption, as may buyers in
the U.S.;
- Potential abuses by government and loss of privacy for all citizens.
Does NSA truly believe they can displace other methods with Clipper?
With over three million licensed, documented RSA products, the
technology they feel threatened by, in use in the U.S. today? Not
likely; therefore, they have already decided that these costs are
acceptable even if they only delay the inevitable, and that U.S.
industry and U.S. taxpayers should bear these costs, whatever they
are. This policy was apparently developed by unelected people who
operate without oversight or accountability. Does the White House
really support this policy?
It has been reported that NSA is attempting to gain support from
foreign governments for escrow technology, especially if "local
control" is provided. Even if NSA can convince their sister
organizations around the world to support key escrow (by offering
Clipper technology with a do-your-own-escrow option), will these other
organizations succeed in selling it to their government, industry and
citizens? Most countries around the world have much stronger privacy
laws and a longer history of individual privacy than the U.S.
WHY AGAIN WHEN IT DIDN'T WORK THE FIRST TIME?
Many seem to have forgotten or are not aware that the Clipper program
is not new, and it's also not the first time NSA has attempted to
force communications security on U.S. industry that it could
compromise. In the mid-80's, NSA introduced a program called the
Commercial COMSEC Endorsement Program, or CCEP. CCEP was essentially
Clipper in a black box, since the technology was not sufficiently
advanced to build lower-cost chips. Vendors would join CCEP (with the
proper security clearances) and be authorized to incorporate
classified algorithms into communications systems. NSA had proposed
that they themselves would actually provide the keys to end-users of
such systems. The new twist is access by key escrow.
To see how little things have changed, consider this quote: "...RSA
Data Security, Inc. asserts that since CCEP-2 is not published and
therefore cannot be inspected by third parties, the NSA could put a
'trap door' in the algorithm that would enable the agency to inspect
information transmitted by the private sector. When contacted, NSA
representative Cynthia Beck said that it was the agency's policy not
to comment on such matters." That was in 1987. ("The Federal Snags in
Encryption Technology," Computer and Communications Decisions, July
1987, pp. 58-60.)
To understand NSA's thinking, and the danger of their policies,
consider the reply of a senior NSA official when he was asked by a
reporter for the Wall Street Journal if NSA, through the CCEP program,
could read anyone's communications: "Technically, if someone bought
our device and we made the keys and made a copy, sure we could listen
in. But we have better things to do with our time." (The Wall Street
Journal, March 28, 1988, page 1, column 1, "A Supersecret Agency Finds
Selling Secrecy to Others Isn't Easy," by Bob Davis.) Another NSA
official, in the same Journal story, said "The American Public has no
problem with relying on us to provide the technology that prevents the
unauthorized launch of nuclear weapons. If you trust us to protect
against that, you can trust us to protect private records." Remember
that the Cold War was still on at that time.
Law enforcement and intelligence gathering are certainly impeded by
the use of cryptography. There are certainly legitimate concerns that
these interests have. But is the current approach really the way to
gain support from industry and the public? People with a strong
military and intelligence bias are making all the decisions. There
seem to be better ways to strike a balance.
AN ALTERNATIVE PROPOSAL
One approach would be to have NIST develop a standard with three
levels. The first level could specify the use of public-key for key
management and signatures without any key escrow. There could be a
"Level II" compliance that adds government key escrow to message
preparation. "Level III" could be key escrow controlled by the user,
typically a corporation. Would this work? The first level, meeting
the standard by itself, would back up the government's claim that key
escrow is voluntary; if I want privacy and authentication without key
escrow, then I can have it, as the government has claimed I can.
Actions speak louder than words.
Why would any vendors support Level II? There would be several
reasons. They would find a market in the government, since the
government should purchase only Level II products. (I would certainly
like our public servants to use key escrow, just as I want work
product paid for by my corporation to be accessible. Of course, anyone
can buy Level I products for home and personal use.) So the
government can still influence the private sector by buying only
products that include Level II compliance. Also, Level II products
would be decontrolled for export. This way the market can decide;
vendors will do what their customers tell them to. This satisifies
the obvious desire on the part of the government to influence what
happens with their purchasing power.
Level III would allow any user to insert escrow keys they control into
the process. (Level II would not be a prerequisite to Level III.) My
company may want key escrow; I, as an individual, may want to escrow
my keys with my attorney or family members; a standard supporting
these funtions would be useful. I don't necessarily want or need the
government involved.
NIST already knows how to write a FIPS that describes software and
hardware implementations, and to certify that implementations are
correct.
This approach cetainly isn't perfect, but if the administration really
believes what it says and means it, then I submit that this is an
improvement over a single key escrow FIPS foisted on everyone by NSA,
and would stand a much better chance of striking a workable balance
between the needs of the government and the right of individuals to
privacy. Therefore, it RISKS much less than the current plan.
The real problem with the way NSA works is that we don't find out what
they're really doing and planning for decades, even when they're
wrong. What if they are?
In the 60's and 70's, the CIA was out of control, and the Congress,
after extensive hearings that detailed some of the abuses of power by
the CIA, finally moved to force more accountability and oversight. In
the 80's and 90's, NSA's activities should be equally scrutinized by a
concerned Congress.
------------------------------
Date: Thu, 3 Mar 1994 11:59:00 GMT
From: [email protected](Chris Hind)
Subject: File 3--Dennings' Newsday piece is Convincing (Re CuD #6.20)
I dunno, but I think the Encryption and Law Enforcement letter by
Dorothy Denning has convinced me that the Clipper Chip is safe.
Multiple people hold the keys to tapping the line and it has the
strongest encryption method created so far. I believed CUD earlier
that it was bad for the US, but now I see its advantages as long as
they don't outlaw other forms of encryption its okay with me. I mean,
its not like Big Brother can't tap into our line right now with us
knowing it! This technology isn't really new, its just a bit more
sophisticated and thats what scares us. Please tell me if I'm wrong!
As well as encryption, the clipper chip should also be modified to
give superior compression so more information can be sent over the
lines and during disaster they wouldn't be down. And as for the
Digital Telephony Bill, simple PGP encryption will scramble data
beyond recognition since it uses powerful public-key encryption. Sure,
this security might catch some, but some criminals they'll never be
able to catch anyways since they'll have the money to pay for even
more powerful encryption. I usually don't change my opinions easily so
it makes me wonder how many other people on the net have changed their
opinions also.
------------------------------
Date: Mon, 28 Feb 1994 13:25:25 -0500 (EST)
From: The Advocate
Subject: File 4--Re: Newsday Clipper Story (CuD 6.19)
> Newsday, Tuesday, February 22, 1994, Viewpoints
> The Clipper Chip Will Block Crime
> By Dorothy E. Denning
Before We go any further, let your old friend the Advocate join the
greek chorus, of people singing their personal respect and admiration
for Dr Denning. Her work in the Neidorf case was without par and her
commitment to issues in Cyberspace are intellectually rigorous and
passionate. It thus doubly pains me when such an old and respected
friend seems to have gone astray.
> Hidden among the discussions of the information highway is a fierce
> debate, with huge implications for everyone. It centers on a tiny
> computer chip called the Clipper, which uses sophisticated coding to
> scramble electronic communications transmitted through the phone
> system.
Just like other systems already in use for military and government
or commercial transactions.
>
> The Clinton administration has adopted the chip, which would allow
> law enforcement agencies with court warrants to read the Clipper codes
> and eavesdrop on terrorists and criminals. But opponents say that, if
or agencies with corrupt motives to spy on virtually every transaction
telephonic or datic that moves on the information highway.
future expansion of network systems will allow easy access to virtually
all data, without regard, and with intrusion, without detection.
> this happens, the privacy of law-abiding individuals will be a risk.
individuals and corporations.
> They want people to be able to use their own scramblers, which the
> government would not be able to decode.
WOuld not be able to decode? no, would not be able to decode without
spending some money. Dr Denning forgets that we spend an estimated
$27 Billion dollars per year on the NSA, an agency devoted entirely
to signals interception, decryption and analysis. THis same agency
has been involved in the Clipper developement and has refused to make
any of it's files available and has instead crowded the field with
classified segments.
> If the opponents get their way, however, all communications on the
> information highway would be immune from lawful interception. In a
Hardly. It merely means that interception would require either
more detailed de-crpyption efforts or attack at sources of
transmission or reception.
These same complaints are repackaged complaints about miranda rights,
the exclusionary rule and every other legal reform of this century.
> world threatened by international organized crime, terrorism, and rogue
> governments, this would be folly. In testimony before Congress, Donald
International organised crime? you mean like the Mafia, whom the
CIA helped set up? and who work routinely as government agents?
Terrorism? in this country of 250 million people less the 15 people
per year die on average from terrorist activities. considering
50,000 americans die every year on the roads, someone needs to get
their priorities re-aligned.
Rogue governments? like the libyans, or Iraq and iran? how will clipper
harm a foreign government? not to mention these countries are all
paper tigers. the last time we dealt with traq, i seem to recall
we waxed their army without breaking a sweat. i am not worried.
> Delaney, senior investigator with the New York State Police, warned
> that if we adopted an encoding standard that did not permit lawful
> intercepts, we would have havoc in the United States.
But don forgets that his standard allows un-lawful intercepts.
lets look at this word havoc. that means a state of chaos or confusion.
If i go to anacostia on a friday night, i would say havoc exists. if i
go into a DC school by day, i could say havoc exists. when LA burned
last year havoc ran rampant, and certainly this had little to do
with the lack of a proper data encryption standard. The operation
of the polis has little to do with the effectiveness of our secret
police.
>
> Moreover, the Clipper coding offers safeguards against casual
> government intrusion. It requires that one of the two components of
Not neccesarily. Although Dr denning and a team of independent
scientists reviewed the clipper standard, they are not specialists
in code breaking. I do not know how immune clipper is to corruption
once partial knowledge is attained. knowledge of header blocks,
and access to partial keys and key fragments may make closure of
the cryptic circle a simpler proposition then her analysis indicated.
> a key embedded in the chip be kept with the Treasury Department and the
The dept that brought us the Secret service and the ATF? i don't think
so.
> other component with the Commerce Department's National Institute of
> Standards and Technology. Any law enforcement official wanting to
who work hand in glove with the NSA?
she forgets a single compromised official may be able to subvert
the entire system as mr Ames so easily demonstrated last week.
> wiretap would need to obtain not only a warrant but the separate
> components from the two agencies. This, plus the superstrong code and
> key system would make it virtually impossible for anyone, even corrupt
> government officials, to spy illegally.
I think this is optimism in action.
> But would terrorists use Clipper? The Justice Department has
would Clipper stop terrorism? Seriously can anyone guarantee
that this technology will end terrorism? will clipper end
drug trafficking?
> their calls with their own code systems. But then who would have
> thought that the World Trade Center bombers would have been stupid
> enough to return a truck that they had rented?
Considering the people who bomber the world trade center were keystone
terrorists, i would hardly hold them up as examples.
I would look at people like Carlos the Jackal, THe Red Army,
Black September, Islamic Jihad, etc...
These are highly sophisticated, well trained killers, and far more
effective and dangerous.
> Court-authorized interception of communications has been essential
> for preventing and solving many serious and often violent crimes,
for all the crime and violence in our society, i doubt law enforcement
is doing a good job. what we see is another band-aid on serious social
problems.
> including terrorism, organized crime, drugs, kidnaping, and political
> corruption. The FBI alone has had many spectacular successes that
> depended on wiretaps. In a Chicago case code-named RUKBOM, they
> prevented the El Rukn street gang, which was acting on behalf of the
> Libyan government, from shooting down a commercial airliner using a
> stolen military weapons system.
Dr Dennings faith is touching here. The El Rukns were done in
in part because the government compromised their lawyer. And also
had several agents inside the organization. Please a better example
must be out there.
> To protect against abuse of electronic surveillance, federal
> statutes impose stringent requirements on the approval and execution
> of wiretaps. Wiretaps are used judiciously (only 846 installed
> wiretaps in 1992) and are targeted at major criminals.
and how many wiretaps are installed il-legally? considering during the
gulf war the FBI was wire-tapping the homes of arab-americans
i wonder how well they use the legal process.
also if we are talking 846 wiretaps, and say, 200 hours of tape
from each, we are talking about 200,000 hours of conversation.
i am certain that the NSA has the facility to de-crypt this number
of calls. And if they don't why don't they? they must listen to
foreign conversations, and i am sure the russians are not so
accomodating as to use clear voice signaling.
> Now, the thought of the FBI wiretapping my communications appeals to
> me about as much as its searching my home and seizing my papers.
> But the Constitution does not give us absolute privacy from
> court-ordered searches and seizures, and for good reason. Lawlessness
> would prevail.
But the constitution does not forbid me from keeping safes, or
cryptic records or speaking in navajo, either. Dr Denning must have
far less faith in the body politic then I do. besides if you want
to see lawlessness, look at the beltway on friday afternoon.
> Encoding technologies, which offer privacy, are on a collision
> course with a major crime-fighting tool: wiretapping. Now the
wiretapping is a minor crime fighting tool. for all the law enforcement
personnell we have, and all the cases brought each year, less then 1%
involve wiretapping to start with. these same complaints have been
made about facsimile transmission, computer data, cell phones
and cars. technology changes and law enforcement adapts. this is the
first time, i have ever seen law enforcement try to cripple a technology
befoe it becomes prevalent.
ASk yourself a question Dr Denning. Cars are used in crime, criminals
often escape from the police. why shouldn't all cars be restricted
to 35MPH, by design so the police can always capture and pursue?
fast cars, like the ferrari have not brought chaos to our society.
why should cryptography?
> Clipper chip shows that strong encoding can be made available in a way
> that protects private communications but does not harm society if it
> gets into the wrong hands. Clipper is a good idea, and it needs
how will clipper prevent the wrong hands from getting strong encoding?
will only outlaws have strong crypto?
> support from people who recognize the need for both privacy and
> effective law enforcement on the information highway.
sure we need law enforcement on the info highway, but i don't
need a trooper in the back seat to listen to me talk to
my girlfirend as we drive. i just need a trooper to watch for
speeders and drunk drivers.
Dr Denning was part of the clipper review team, and as such
may be psychologically and emotionally committed to the project.
I hope her earlier effort shave not clouded her ability to conduct a
dispassionate social and policy analysis.
Also Louis Freeh was interviewed by John Markoff in an article in
todays NYT about the return of the Digital Telephony Standard.
Freeh said "If we are to have a peaceful and orderly society,
people will have to sacrifice a little privacy". I couldn't
believe this. Didn't jefferson say something on the lines of
those who sacrifice liberty for a little peace deserve neither?
or was that heinlein?
The other interesting factoid to counter all the discussion on
Terrorism, Nuclear death threats and Drug Dealing, is that
Aldrich Ames was arrested last week in the biggest spy scandal
this century since the Rosenbergs. Ames who was the CIA chief of
CounterIntelligence/Soviet-Eastern Division was as well trained in
tradecraft as one can be.
He never used any telephonic encryption, despite total access to
all these devices.
Sorry if the spys aren't using them, then why do we need a
way to break them?
Your friend
The Advocate.
PS Advocate prediction #13. That to push the clipper chip,
supporters will claim that Child pornographers are distributing
Snuff films in unbreakable crypto-form so that they can't be
detected.
------------------------------
Date: 3 Mar 1994 12:12:08 -0500
From: [email protected](Haig Hovaness)
Subject: File 5--Newsday's Encryption and Law Enforcement (Re: CuD 6.19)
With all due respect to Professor Denning, I offer the following
observations in response to the material in her recent posting.
1. Professor Denning's views are representative of a small minority in
the US academic community. However, through her energetic campaign to
promote pro-Clipper arguments, a casual observer of the debate would
conclude that her position is representative of a substantial segment of
academic opinion. This was especially evident in the ACM Communications
"dialogue" on Clipper, in which Professor Denning's comments occupied
almost half of the editorial space.
2. Professor Denning's efforts to advance her views are not limited to
journalistic advocacy and Usenet postings. Her presence on the ACM
committee studying Clipper has contributed to the success of the
pro-Clipper faction in deadlocking the committee, and thus preventing
the largest computing professional society from taking an anti-Clipper
position, a position that would reflect the sentiments of the majority
of the membership.
3. Professor Denning consistently makes generous assumptions about the
proper and lawful actions of government officials - assumptions that
anyone familiar with recent American history knows to be naive. For
example, the political manipulation of information gathered by J. Edgar
Hoover, former Director of the F.B.I. is common knowledge.
4. Professor Denning relies heavily on anecdotal evidence of crimes
"prevented" through communications intercepts without presenting accurate
data on the (very small) number of crimes in which the intercept was
essential to the success of law enforcement. Others have posted the
figures, and they suggest that the practical value of such intercepts is
greatly overstated.
5. Professor Denning maintains that secure encryption is a difficult
technology to master and is not readily available to the general public.
In view of the existence of PGP, and the likely availability of its
voice-scrambling successor, this is a ludicrous claim.
6. Professor Denning offers no explanation for how a US national
standard restricting encryption can be viable in the context of
worldwide voice and data communications. How can the US government
possibly assert control of information packets crossing US "cyberspace?"
7. Professor Denning omits to mention that polls reveal that the
majority of the US public are opposed to telephone wiretaps. All
available evidence suggests that Clipper would never survive a public
referendum.
8. Professor Denning neglects to mention that the entire commercial
sector of the US computing industry is united in opposition to Clipper.
Moreover, much of the business community is also hostile to the concept
of Government interception of business communications.
9. Professor Denning's arguments are ultimately authoritarian. She
believes that the judgement of government officials must carry greater
weight than the will of the people. This is a profoundly
anti-democratic position.
Haig Hovaness
Pelham Manor, NY
[email protected]
------------------------------
Date: 8 Mar 94 16:23:23 GMT
From: [email protected](David Batterson)
Subject: File 6--DOS is not dead yet. . . .
Is DOS dead? Definitely not, says SPC
While millions of PC users own and use Windows regularly, many of
us grouse about its idiosyncrasies. Meanwhile, innumerable users
continue to use DOS applications, especially word processing programs.
The DOS flavors of WordPerfect (versions 5.0 and later) have
their legions of fans, along with Microsoft Word, WordStar and
Professional Write. Although I use Ami Pro for Windows, I also
occasionally use Professional Write (Ver. 2.2) which has been around
for several years.
Although WordPerfect users often turn up their noses at
Professional Write, I have always preferred ProWrite to
Word(not-so)Perfect. In fact, I never could understand why Software
Publishing Corp. (SPC) didn't update the program. They did come out
with a Windows version (Professional Write PLUS), but it didn't sell
very well.
Professional Write 3.0 is finally here, and should be in software
stores soon. "This new version was primarily driven by the large
number of customers who requested it," said Chris Randles, SPC's vice
president of marketing. It seems a bit overpriced (at $249 list) for a
program that has had only a modest facelift/update, though.
Randles said that "DOS word processing is one of the most widely
used applications in rapidly-growing niche markets such as small
business and the home office." In that market, PC users don't want to
mess around with memory problems, Windows GPFs (General Protection
Faults), or word processing programs that have become monster
applications akin to desktop publishing software.
Professional Write 3.0 is pretty much the same program, so the
learning curve is nil. There are some improvements that reflect the
changing PC arena. Now you can use a mouse; I missed having that
feature in Ver. 2.2. And SPC realizes that LANs are routine now, so
made it network-ready. The program supports Novell, IBM, Banyan,
Artisoft's LANtastic and Microsoft LAN Manager.
Marlise Parker of Ad Hoc Associates, a Denver-based computer
training and consulting firm, noted that "people are going back to the
belief that the finest things in life are the most simple, and for
many of us, that also applies to the software we use. Professional
Write is one of those rare software gems that keeps getting better,
without losing its simplicity," Parker added.
Want to import .PCX graphics into a document? Sorry, you can't
do it. You CAN include graphs produced with the DOS versions of
Harvard Graphics (2.0 or higher). Want to make fancy newsletters and
DTP documents? Forget it! SPC wisely decided to forego the "bells and
whistles," says Parker, because most users don't want or need them.
Software Publishers Association (SPA) reported recently that DOS
word processing software sales increased a bit in 1993 over 1992.
This occurred while sales of other DOS applications declined, as the
Windows Juggernaut continued.
So as far as word processing is concerned, rumors about the death
of DOS are greatly exaggerated. Remember, the most popular offline
mail readers are Blue Wave, Silver Xpress and OLX--all DOS programs.
Professional Write 3.0 should do well, I think. I would have liked to
have seen it at a $150 list price, however.
------------------------------
Date: Sat, 5 Mar 1994 13:57:23 -0500
From: "USENET News System"
Subject: File 7--Response to Frisk (Re CuD 6.19)
[email protected](Fridrik Skulason) wrote:
> A poster in CuD #6.19 wrote:
> >I even created a virus or two in my years of computing, but never with
> >the purpose of trying to harm another user's system! I create them only
> >for testing purposes, and when I find one that fails a scanned test, I
> >forward it to the company that created the anti-virus software.
>
> Do you really think you are doing anybody a favour by doing that ?
> Anti-virus companies already receive on the average 7 new viruses per
> day right now...we really don't need any more.
Fridrik:
It seems to me that one of the purposes of creating anti-virus software
is to combat viruses. *ahem* What better way to do so than to receive virus
programs from a "tester" and then write code to prevent similar
programs from proliferating from a less honest individual?
I don't see any validity in the argument against writing viruses
to be sent into anti-virus software companies. If these people
don't write test viruses, someone else will come up with similar
ones and use them unscrupulously.
If anti-virus companies are receiving "too many" new viruses every
day, then perhaps they need to deal with the backlog. A representative
such as yourself (I take it from your statementd that you work
with such a company) certainly shouldn't be ranting and raving at
people who are using their valuable time trying to help.
------------------------------
Date: Mon, 28 Feb 1994 09:34:40 GMT-0600
From: "Jeff Miller"
Subject: File 8--Re: "Hackers" Whack Harding (CuD 6.19)
Re: Media "Hackers" Whack Harding's E-Mail, CuD #6.19:
> LILLEHAMMER, Norway--In what was described as a "stupid,
> foolish mistake," perhaps as many as 100 American
> journalists peeked into figure skater Tonya Harding's
> private electronic mailbox at the Olympics.
++++++++++++++++
This story was mentioned on alt.2600 (an Internet news group dedicated
to the magazine "2600"). It annoys me now as much as when I first
read it. Here is the follow up I posted:
Well, I personally know many hackers who have entered systems with
someone elses password, looked around, and logged out. Did nothing
more. They all lost *all* their computer equipment, and many
non-computer related items, not to mention the thousands of dollars
in lawyer and court costs, just to get the felony and misd charges
slapped on them lowered to a misd.
These reporters have just admitted to committing the exact same
crime. Will they have all their equipment confiscated? Will they be
raided by the secret service with guns pointed at their mothers at
5am? I think not.
What a bunch of shit.
Even if Norway's computer crime laws do not apply here, and the
Olympic committee does not wish to take action against these
reporters, it really makes me sick that THESE hackers are given the
image of some responsible adults just having fun at 2AM while eating
pizza, while the other hackers you read about are juvenile delinquents
bent on moving satellites out of orbit and abusing the E911 system.
Just a hypothetical thought: What would have happened if a US hacker
was the one who broke into Harding's account instead of one of these
journalists?
------------------------------
Date: 10 Mar 1994 10:46:04 -0500
From: [email protected] (Mike Godwin)
Subject: File 9--"Porn Press Release" from EFF is a Hoax
At EFF, we have been receiving a number of queries about an alleged EFF
"press release" or "statement" announcing the following:
"Senator Jess Helms (R-NC) requested that the FBI become more involved in
the fight to stop adult images from being distributed on electronic
bulletin boards and the Internet."
Typically, the "press release" has included the following:
: "The EFF has issued a warning to sysops that the following files
: which depict any of the following acts are illegal in all 50
: states, and can subject the sysop to prosecution regardless of
: whether the sysop knows about the files or not.
:
: "--Depiction of actual sex acts in progress"
:
: "--Depiction of an erect penis"
*There is no such press release.*
*The press release is a hoax.*
Several people seem to have been fooled by the false press release,
including the new publication SYSOP NEWS, which reprinted it uncritically
in its first issue.
I urge you to spread this announcement to every BBS of which you a member.
Thank you for helping us stop the unethical people who spread this
misinformation.
--Mike
Mike Godwin, (202) 347-5400 |"And walk among long dappled grass,
[email protected] | And pluck till time and times are done
Electronic Frontier | The silver apples of the moon,
Foundation | The golden apples of the sun."
------------------------------
End of Computer Underground Digest #6.23
************************************
ISSN 1004-042X
Editors: Jim Thomas and Gordon Meyer ([email protected])
Archivist: Brendan Kehoe (He's Baaaack)
Acting Archivist: Stanton McCandlish
Shadow-Archivists: Dan Carosone / Paul Southworth
Ralph Sims / Jyrki Kuoppala
Ian Dickinson
Copita Editor: Sheri O'Nothera
CONTENTS, #6.23 (Mar 10, 1994)
File 1--Time Magazine on Clipper
File 2--Some Thoughts on Clipper (by Jim Bidzos)
File 3--Dennings' Newsday piece is Convincing (Re CuD #6.20)
File 4--Re: Newsday Clipper Story (CuD 6.19)
File 5--Newsday's Encryption and Law Enforcement (Re: CuD 6.19)
File 6--DOS is not dead yet. . . .
File 7--Response to Frisk (Re CuD 6.19)
File 8--Re: "Hackers" Whack Harding (CuD 6.19)
File 9--"Porn Press Release" from EFF is a Hoax
Cu-Digest is a weekly electronic journal/newsletter. Subscriptions are
available at no cost electronically.
CuD is available as a Usenet newsgroup: comp.society.cu-digest
Or, to subscribe, send a one-line message: SUB CUDIGEST your name
Send it to [email protected] or [email protected]
The editors may be contacted by voice (815-753-0303), fax (815-753-6302)
or U.S. mail at: Jim Thomas, Department of Sociology, NIU, DeKalb, IL
60115, USA.
Issues of CuD can also be found in the Usenet comp.society.cu-digest
news group; on CompuServe in DL0 and DL4 of the IBMBBS SIG, DL1 of
LAWSIG, and DL1 of TELECOM; on GEnie in the PF*NPC RT
libraries and in the VIRUS/SECURITY library; from America Online in
the PC Telecom forum under "computing newsletters;"
On Delphi in the General Discussion database of the Internet SIG;
on RIPCO BBS (312) 528-5020 (and via Ripco on internet);
and on Rune Stone BBS (IIRGWHQ) (203) 832-8441.
CuD is also available via Fidonet File Request from
1:11/70; unlisted nodes and points welcome.
EUROPE: from the ComNet in LUXEMBOURG BBS (++352) 466893;
In ITALY: Bits against the Empire BBS: +39-461-980493
FTP: UNITED STATES: etext.archive.umich.edu (141.211.164.18) in /pub/CuD/
aql.gatech.edu (128.61.10.53) in /pub/eff/cud/
EUROPE: nic.funet.fi in pub/doc/cud/ (Finland)
nic.funet.fi
ftp.warwick.ac.uk in pub/cud/ (United Kingdom)
COMPUTER UNDERGROUND DIGEST is an open forum dedicated to sharing
information among computerists and to the presentation and debate of
diverse views. CuD material may be reprinted for non-profit as long
as the source is cited. Authors hold a presumptive copyright, and
they should be contacted for reprint permission. It is assumed that
non-personal mail to the moderators may be reprinted unless otherwise
specified. Readers are encouraged to submit reasoned articles
relating to computer culture and communication. Articles are
preferred to short responses. Please avoid quoting previous posts
unless absolutely necessary.
DISCLAIMER: The views represented herein do not necessarily represent
the views of the moderators. Digest contributors assume all
responsibility for ensuring that articles submitted do not
violate copyright protections.
----------------------------------------------------------------------
Date: Sun, 6 Mar 1994 14:13:18 -0500
From: Dave Banisar
Subject: File 1--Time Magazine on Clipper
Time Magazine, March 14, 1994
TECHNOLOGY
WHO SHOULD KEEP THE KEYS?
The U.S. government wants the power to tap into every phone, fax and
computer transmission
BY PHILIP ELMER-DEWITT
... (general background)
... (general info on techo advances)
Thus the stage was set for one of the most bizarre technology-policy
battles ever waged: the Clipper Chip war. Lined up on one side are the three-
letter cloak-and-dagger agencies -- the NSA, the CIA and the FBI -- and key
policymakers in the Clinton Administration (who are taking a surprisingly
hard line on the encryption issue). Opposing them is an equally unlikely
coalition of computer firms, civil libertarians, conservative columnists and
a strange breed of cryptoanarchists who call themselves the cypherpunks.
At the center is the Clipper Chip, a semiconductor device that the NSA
developed and wants installed in every telephone, computer modem and fax
machine. The chip combines a powerful encryption algorithm with a ''back
door'' -- the cryptographic equivalent of the master key that opens
schoolchildren's padlocks when they forget their combinations. A ''secure''
phone equipped with the chip could, with proper authorization, be cracked by
the government. Law-enforcement agencies say they need this capability to
keep tabs on drug runners, terrorists and spies. Critics denounce the Clipper
-- and a bill before Congress that would require phone companies to make it
easy to tap the new digital phones -- as Big Brotherly tools that will strip
citizens of whatever privacy they still have in the computer age.
In a Time/CNN poll of 1,000 Americans conducted last week by Yankelovich
Partners, two-thirds said it was more important to protect the privacy of
phone calls than to preserve the ability of police to conduct wiretaps. When
informed about the Clipper Chip, 80% said they opposed it.
The battle lines were first drawn last April, when the Administration
unveiled the Clipper plan and invited public comment. For nine months
opponents railed against the scheme's many flaws: criminals wouldn't use
phones equipped with the government's chip; foreign customers wouldn't buy
communications gear for which the U.S. held the keys; the system for giving
investigators access to the back-door master codes was open to abuse; there
was no guarantee that some clever hacker wouldn't steal the keys. But in the
end the Administration ignored the advice. In early February, after computer-
industry leaders had made it clear that they wanted to adopt their own
encryption standard, the Administration announced that it was putting the NSA
plan into effect. Government agencies will phase in use of Clipper technology
for all unclassified communications. Commercial use of the chip will be
voluntary -- for now.
It was tantamount to a declaration of war, not just to a small group of
crypto-activists but to all citizens who value their privacy, as well as to
telecommunications firms that sell their products abroad. Foreign customers
won't want equipment that U.S. spies can tap into, particularly since
powerful, uncompromised encryption is available overseas. ''Industry is
unanimous on this,'' says Jim Burger, a lobbyist for Apple Computer, one of
two dozen companies and trade groups opposing the Clipper. A petition
circulated on the Internet electronic network by Computer Professionals for
Social Responsibility gathered 45,000 signatures, and some activists are
planning to boycott companies that use the chips and thus, in effect, hand
over their encryption keys to the government. ''You can have my encryption
algorithm,'' said John Perry Barlow, co-founder of the Electronic Frontier
Foundation, ''when you pry my cold dead fingers from my private key.''
... (history of Public Key encryption).
... (history of PGP)
Rather than outlaw PGP and other such programs, a policy that would
probably be unconstitutional, the Administration is taking a marketing
approach. By using its purchasing power to lower the cost of Clipper
technology, and by vigilantly enforcing restrictions against overseas sales
of competing encryption systems, the government is trying to make it
difficult for any alternative schemes to become widespread. If Clipper
manages to establish itself as a market standard -- if, for example, it is
built into almost every telephone, modem and fax machine sold -- people who
buy a nonstandard system might find themselves with an untappable phone but
no one to call.
That's still a big if. Zimmermann is already working on a version of PGP
for voice communications that could compete directly with Clipper, and if it
finds a market, similar products are sure to follow. ''The crypto genie is
out of the bottle,'' says Steven Levy, who is writing a book about
encryption. If that's true, even the nsa may not have the power to put it
back.
Reported by David S. Jackson/San Francisco and Suneel Ratan/Washington
------------------------------
Date: Tue Mar 8 12:07:47 1994
From [email protected]
Subject: File 2--Some Thoughts on Clipper (by Jim Bidzos)
SOME THOUGHTS ON CLIPPER, NSA, AND ONE KEY ESCROW ALTERNATIVE
In a recent editorial, Dr. Dorothy Denning of Georgtown University
argued in support of the U.S. government's proposed Clipper Chip, a
security device that would allow law enforcement to decipher the
communications of users of such devices.
Dr. Denning attempts to argue that Clipper is necessary for law
enforcement agencies to be able to do their job. I'm not going to
argue that one; there are plenty of people who can argue that
compromising privacy for all citizens in order to aid law enforcement
is a bad idea more effectively than I, particularly in the Clipper
case, where the arguments from law enforcement are dubious at best.
(The current justification is inadequate; there may be better reasons,
from a law enforcement perspective, but we haven't heard them yet.)
Without doubt, law enforcement and intelligence are huge stakeholders
in the debate over encryption. But every individual and corporation in
the U.S. must be included as well. Are NSA's actions really in the
best interests of all the stakeholders? Are there alternatives to the
current key escrow program?
If one steps back and looks at what has happened over the last few
years, one might well question the government's approach with Clipper,
if not its motivation, for dealing with this problem. (I believe it
may even be possible to conclude that Clipper is the visible portion
of a large-scale covert operation on U.S. soil by NSA, the National
Security Agency.) Over a number of years, through their subversion of
the Commerce Department (who should be championing the causes of U.S.
industry, not the intelligence agencies), NSA has managed to put many
U.S. government resources normally beyond their control, both legally
and practically, to work on their program of making U.S. and
international communications accessible.
The first step was the MOU (Memorandum of Understanding) between the
Commerce Department's National Institute of Standards and Technology
(NIST) and the Defense Department's NSA. This document appears to
contravene the provisions of the Computer Security Act of 1987, the
intent of which was to give NIST control over crypto standards-making
for the unclassified government and commercial sectors. The MOU
essentially gave NSA a veto over any proposals for crypto standards by
NIST.
By using the standards making authority of NIST, NSA is attempting to
force the entire U.S. government to purchase Clipper equipment since
only NIST-standard equipment may be purchased by government agencies.
This purchasing power can then be used to force U.S. manufacturers to
build Clipper products or risk losing government business. (GSA is
currently questioning NSA's authority to control government-wide
procurement, and should continue to do so.) This of course not only
subsidizes Clipper products, but could make Clipper a de facto
standard if the costs associated with alternatives are too high.
These costs to industry, of ignoring Clipper, come in the form of lost
government market share, costly support for multiple versions of
incompatible products, and non-exportability of non-Clipper products.
It also appears that NSA is desperately seeking a digital signature
standard that would force users to take that signature capability
wrapped up with a Clipper chip. If this is the case, as it appears to
be, then NSA has is trying to use what is probably the most powerful
business tool of the information age as a means to deny us its
benefits unless we subsidize and accept Clipper in the process. This
would, if true, be an unprecedented abuse of government power to
influence U.S. industry and control individual privacy. (Clipper is
part of a chip called Capstone, which is where their proposed digital
signature standard would be used.)
The overall cost of these policies is unknown. We only know that NSA
has spent a considerable amount of money on the program directly.
Other costs are not so obvious. They are:
- A burdened U.S. industry, which will have to build multiple products
or more expensive products that support multiple techniques;
- A low-intensity "trade war" with the rest of the world over
encryption;
- Lost sales to U.S. companies, since international buyers will surely
go to non-U.S. suppliers for non- Clipper encryption, as may buyers in
the U.S.;
- Potential abuses by government and loss of privacy for all citizens.
Does NSA truly believe they can displace other methods with Clipper?
With over three million licensed, documented RSA products, the
technology they feel threatened by, in use in the U.S. today? Not
likely; therefore, they have already decided that these costs are
acceptable even if they only delay the inevitable, and that U.S.
industry and U.S. taxpayers should bear these costs, whatever they
are. This policy was apparently developed by unelected people who
operate without oversight or accountability. Does the White House
really support this policy?
It has been reported that NSA is attempting to gain support from
foreign governments for escrow technology, especially if "local
control" is provided. Even if NSA can convince their sister
organizations around the world to support key escrow (by offering
Clipper technology with a do-your-own-escrow option), will these other
organizations succeed in selling it to their government, industry and
citizens? Most countries around the world have much stronger privacy
laws and a longer history of individual privacy than the U.S.
WHY AGAIN WHEN IT DIDN'T WORK THE FIRST TIME?
Many seem to have forgotten or are not aware that the Clipper program
is not new, and it's also not the first time NSA has attempted to
force communications security on U.S. industry that it could
compromise. In the mid-80's, NSA introduced a program called the
Commercial COMSEC Endorsement Program, or CCEP. CCEP was essentially
Clipper in a black box, since the technology was not sufficiently
advanced to build lower-cost chips. Vendors would join CCEP (with the
proper security clearances) and be authorized to incorporate
classified algorithms into communications systems. NSA had proposed
that they themselves would actually provide the keys to end-users of
such systems. The new twist is access by key escrow.
To see how little things have changed, consider this quote: "...RSA
Data Security, Inc. asserts that since CCEP-2 is not published and
therefore cannot be inspected by third parties, the NSA could put a
'trap door' in the algorithm that would enable the agency to inspect
information transmitted by the private sector. When contacted, NSA
representative Cynthia Beck said that it was the agency's policy not
to comment on such matters." That was in 1987. ("The Federal Snags in
Encryption Technology," Computer and Communications Decisions, July
1987, pp. 58-60.)
To understand NSA's thinking, and the danger of their policies,
consider the reply of a senior NSA official when he was asked by a
reporter for the Wall Street Journal if NSA, through the CCEP program,
could read anyone's communications: "Technically, if someone bought
our device and we made the keys and made a copy, sure we could listen
in. But we have better things to do with our time." (The Wall Street
Journal, March 28, 1988, page 1, column 1, "A Supersecret Agency Finds
Selling Secrecy to Others Isn't Easy," by Bob Davis.) Another NSA
official, in the same Journal story, said "The American Public has no
problem with relying on us to provide the technology that prevents the
unauthorized launch of nuclear weapons. If you trust us to protect
against that, you can trust us to protect private records." Remember
that the Cold War was still on at that time.
Law enforcement and intelligence gathering are certainly impeded by
the use of cryptography. There are certainly legitimate concerns that
these interests have. But is the current approach really the way to
gain support from industry and the public? People with a strong
military and intelligence bias are making all the decisions. There
seem to be better ways to strike a balance.
AN ALTERNATIVE PROPOSAL
One approach would be to have NIST develop a standard with three
levels. The first level could specify the use of public-key for key
management and signatures without any key escrow. There could be a
"Level II" compliance that adds government key escrow to message
preparation. "Level III" could be key escrow controlled by the user,
typically a corporation. Would this work? The first level, meeting
the standard by itself, would back up the government's claim that key
escrow is voluntary; if I want privacy and authentication without key
escrow, then I can have it, as the government has claimed I can.
Actions speak louder than words.
Why would any vendors support Level II? There would be several
reasons. They would find a market in the government, since the
government should purchase only Level II products. (I would certainly
like our public servants to use key escrow, just as I want work
product paid for by my corporation to be accessible. Of course, anyone
can buy Level I products for home and personal use.) So the
government can still influence the private sector by buying only
products that include Level II compliance. Also, Level II products
would be decontrolled for export. This way the market can decide;
vendors will do what their customers tell them to. This satisifies
the obvious desire on the part of the government to influence what
happens with their purchasing power.
Level III would allow any user to insert escrow keys they control into
the process. (Level II would not be a prerequisite to Level III.) My
company may want key escrow; I, as an individual, may want to escrow
my keys with my attorney or family members; a standard supporting
these funtions would be useful. I don't necessarily want or need the
government involved.
NIST already knows how to write a FIPS that describes software and
hardware implementations, and to certify that implementations are
correct.
This approach cetainly isn't perfect, but if the administration really
believes what it says and means it, then I submit that this is an
improvement over a single key escrow FIPS foisted on everyone by NSA,
and would stand a much better chance of striking a workable balance
between the needs of the government and the right of individuals to
privacy. Therefore, it RISKS much less than the current plan.
The real problem with the way NSA works is that we don't find out what
they're really doing and planning for decades, even when they're
wrong. What if they are?
In the 60's and 70's, the CIA was out of control, and the Congress,
after extensive hearings that detailed some of the abuses of power by
the CIA, finally moved to force more accountability and oversight. In
the 80's and 90's, NSA's activities should be equally scrutinized by a
concerned Congress.
------------------------------
Date: Thu, 3 Mar 1994 11:59:00 GMT
From: [email protected](Chris Hind)
Subject: File 3--Dennings' Newsday piece is Convincing (Re CuD #6.20)
I dunno, but I think the Encryption and Law Enforcement letter by
Dorothy Denning has convinced me that the Clipper Chip is safe.
Multiple people hold the keys to tapping the line and it has the
strongest encryption method created so far. I believed CUD earlier
that it was bad for the US, but now I see its advantages as long as
they don't outlaw other forms of encryption its okay with me. I mean,
its not like Big Brother can't tap into our line right now with us
knowing it! This technology isn't really new, its just a bit more
sophisticated and thats what scares us. Please tell me if I'm wrong!
As well as encryption, the clipper chip should also be modified to
give superior compression so more information can be sent over the
lines and during disaster they wouldn't be down. And as for the
Digital Telephony Bill, simple PGP encryption will scramble data
beyond recognition since it uses powerful public-key encryption. Sure,
this security might catch some, but some criminals they'll never be
able to catch anyways since they'll have the money to pay for even
more powerful encryption. I usually don't change my opinions easily so
it makes me wonder how many other people on the net have changed their
opinions also.
------------------------------
Date: Mon, 28 Feb 1994 13:25:25 -0500 (EST)
From: The Advocate
Subject: File 4--Re: Newsday Clipper Story (CuD 6.19)
> Newsday, Tuesday, February 22, 1994, Viewpoints
> The Clipper Chip Will Block Crime
> By Dorothy E. Denning
Before We go any further, let your old friend the Advocate join the
greek chorus, of people singing their personal respect and admiration
for Dr Denning. Her work in the Neidorf case was without par and her
commitment to issues in Cyberspace are intellectually rigorous and
passionate. It thus doubly pains me when such an old and respected
friend seems to have gone astray.
> Hidden among the discussions of the information highway is a fierce
> debate, with huge implications for everyone. It centers on a tiny
> computer chip called the Clipper, which uses sophisticated coding to
> scramble electronic communications transmitted through the phone
> system.
Just like other systems already in use for military and government
or commercial transactions.
>
> The Clinton administration has adopted the chip, which would allow
> law enforcement agencies with court warrants to read the Clipper codes
> and eavesdrop on terrorists and criminals. But opponents say that, if
or agencies with corrupt motives to spy on virtually every transaction
telephonic or datic that moves on the information highway.
future expansion of network systems will allow easy access to virtually
all data, without regard, and with intrusion, without detection.
> this happens, the privacy of law-abiding individuals will be a risk.
individuals and corporations.
> They want people to be able to use their own scramblers, which the
> government would not be able to decode.
WOuld not be able to decode? no, would not be able to decode without
spending some money. Dr Denning forgets that we spend an estimated
$27 Billion dollars per year on the NSA, an agency devoted entirely
to signals interception, decryption and analysis. THis same agency
has been involved in the Clipper developement and has refused to make
any of it's files available and has instead crowded the field with
classified segments.
> If the opponents get their way, however, all communications on the
> information highway would be immune from lawful interception. In a
Hardly. It merely means that interception would require either
more detailed de-crpyption efforts or attack at sources of
transmission or reception.
These same complaints are repackaged complaints about miranda rights,
the exclusionary rule and every other legal reform of this century.
> world threatened by international organized crime, terrorism, and rogue
> governments, this would be folly. In testimony before Congress, Donald
International organised crime? you mean like the Mafia, whom the
CIA helped set up? and who work routinely as government agents?
Terrorism? in this country of 250 million people less the 15 people
per year die on average from terrorist activities. considering
50,000 americans die every year on the roads, someone needs to get
their priorities re-aligned.
Rogue governments? like the libyans, or Iraq and iran? how will clipper
harm a foreign government? not to mention these countries are all
paper tigers. the last time we dealt with traq, i seem to recall
we waxed their army without breaking a sweat. i am not worried.
> Delaney, senior investigator with the New York State Police, warned
> that if we adopted an encoding standard that did not permit lawful
> intercepts, we would have havoc in the United States.
But don forgets that his standard allows un-lawful intercepts.
lets look at this word havoc. that means a state of chaos or confusion.
If i go to anacostia on a friday night, i would say havoc exists. if i
go into a DC school by day, i could say havoc exists. when LA burned
last year havoc ran rampant, and certainly this had little to do
with the lack of a proper data encryption standard. The operation
of the polis has little to do with the effectiveness of our secret
police.
>
> Moreover, the Clipper coding offers safeguards against casual
> government intrusion. It requires that one of the two components of
Not neccesarily. Although Dr denning and a team of independent
scientists reviewed the clipper standard, they are not specialists
in code breaking. I do not know how immune clipper is to corruption
once partial knowledge is attained. knowledge of header blocks,
and access to partial keys and key fragments may make closure of
the cryptic circle a simpler proposition then her analysis indicated.
> a key embedded in the chip be kept with the Treasury Department and the
The dept that brought us the Secret service and the ATF? i don't think
so.
> other component with the Commerce Department's National Institute of
> Standards and Technology. Any law enforcement official wanting to
who work hand in glove with the NSA?
she forgets a single compromised official may be able to subvert
the entire system as mr Ames so easily demonstrated last week.
> wiretap would need to obtain not only a warrant but the separate
> components from the two agencies. This, plus the superstrong code and
> key system would make it virtually impossible for anyone, even corrupt
> government officials, to spy illegally.
I think this is optimism in action.
> But would terrorists use Clipper? The Justice Department has
would Clipper stop terrorism? Seriously can anyone guarantee
that this technology will end terrorism? will clipper end
drug trafficking?
> their calls with their own code systems. But then who would have
> thought that the World Trade Center bombers would have been stupid
> enough to return a truck that they had rented?
Considering the people who bomber the world trade center were keystone
terrorists, i would hardly hold them up as examples.
I would look at people like Carlos the Jackal, THe Red Army,
Black September, Islamic Jihad, etc...
These are highly sophisticated, well trained killers, and far more
effective and dangerous.
> Court-authorized interception of communications has been essential
> for preventing and solving many serious and often violent crimes,
for all the crime and violence in our society, i doubt law enforcement
is doing a good job. what we see is another band-aid on serious social
problems.
> including terrorism, organized crime, drugs, kidnaping, and political
> corruption. The FBI alone has had many spectacular successes that
> depended on wiretaps. In a Chicago case code-named RUKBOM, they
> prevented the El Rukn street gang, which was acting on behalf of the
> Libyan government, from shooting down a commercial airliner using a
> stolen military weapons system.
Dr Dennings faith is touching here. The El Rukns were done in
in part because the government compromised their lawyer. And also
had several agents inside the organization. Please a better example
must be out there.
> To protect against abuse of electronic surveillance, federal
> statutes impose stringent requirements on the approval and execution
> of wiretaps. Wiretaps are used judiciously (only 846 installed
> wiretaps in 1992) and are targeted at major criminals.
and how many wiretaps are installed il-legally? considering during the
gulf war the FBI was wire-tapping the homes of arab-americans
i wonder how well they use the legal process.
also if we are talking 846 wiretaps, and say, 200 hours of tape
from each, we are talking about 200,000 hours of conversation.
i am certain that the NSA has the facility to de-crypt this number
of calls. And if they don't why don't they? they must listen to
foreign conversations, and i am sure the russians are not so
accomodating as to use clear voice signaling.
> Now, the thought of the FBI wiretapping my communications appeals to
> me about as much as its searching my home and seizing my papers.
> But the Constitution does not give us absolute privacy from
> court-ordered searches and seizures, and for good reason. Lawlessness
> would prevail.
But the constitution does not forbid me from keeping safes, or
cryptic records or speaking in navajo, either. Dr Denning must have
far less faith in the body politic then I do. besides if you want
to see lawlessness, look at the beltway on friday afternoon.
> Encoding technologies, which offer privacy, are on a collision
> course with a major crime-fighting tool: wiretapping. Now the
wiretapping is a minor crime fighting tool. for all the law enforcement
personnell we have, and all the cases brought each year, less then 1%
involve wiretapping to start with. these same complaints have been
made about facsimile transmission, computer data, cell phones
and cars. technology changes and law enforcement adapts. this is the
first time, i have ever seen law enforcement try to cripple a technology
befoe it becomes prevalent.
ASk yourself a question Dr Denning. Cars are used in crime, criminals
often escape from the police. why shouldn't all cars be restricted
to 35MPH, by design so the police can always capture and pursue?
fast cars, like the ferrari have not brought chaos to our society.
why should cryptography?
> Clipper chip shows that strong encoding can be made available in a way
> that protects private communications but does not harm society if it
> gets into the wrong hands. Clipper is a good idea, and it needs
how will clipper prevent the wrong hands from getting strong encoding?
will only outlaws have strong crypto?
> support from people who recognize the need for both privacy and
> effective law enforcement on the information highway.
sure we need law enforcement on the info highway, but i don't
need a trooper in the back seat to listen to me talk to
my girlfirend as we drive. i just need a trooper to watch for
speeders and drunk drivers.
Dr Denning was part of the clipper review team, and as such
may be psychologically and emotionally committed to the project.
I hope her earlier effort shave not clouded her ability to conduct a
dispassionate social and policy analysis.
Also Louis Freeh was interviewed by John Markoff in an article in
todays NYT about the return of the Digital Telephony Standard.
Freeh said "If we are to have a peaceful and orderly society,
people will have to sacrifice a little privacy". I couldn't
believe this. Didn't jefferson say something on the lines of
those who sacrifice liberty for a little peace deserve neither?
or was that heinlein?
The other interesting factoid to counter all the discussion on
Terrorism, Nuclear death threats and Drug Dealing, is that
Aldrich Ames was arrested last week in the biggest spy scandal
this century since the Rosenbergs. Ames who was the CIA chief of
CounterIntelligence/Soviet-Eastern Division was as well trained in
tradecraft as one can be.
He never used any telephonic encryption, despite total access to
all these devices.
Sorry if the spys aren't using them, then why do we need a
way to break them?
Your friend
The Advocate.
PS Advocate prediction #13. That to push the clipper chip,
supporters will claim that Child pornographers are distributing
Snuff films in unbreakable crypto-form so that they can't be
detected.
------------------------------
Date: 3 Mar 1994 12:12:08 -0500
From: [email protected](Haig Hovaness)
Subject: File 5--Newsday's Encryption and Law Enforcement (Re: CuD 6.19)
With all due respect to Professor Denning, I offer the following
observations in response to the material in her recent posting.
1. Professor Denning's views are representative of a small minority in
the US academic community. However, through her energetic campaign to
promote pro-Clipper arguments, a casual observer of the debate would
conclude that her position is representative of a substantial segment of
academic opinion. This was especially evident in the ACM Communications
"dialogue" on Clipper, in which Professor Denning's comments occupied
almost half of the editorial space.
2. Professor Denning's efforts to advance her views are not limited to
journalistic advocacy and Usenet postings. Her presence on the ACM
committee studying Clipper has contributed to the success of the
pro-Clipper faction in deadlocking the committee, and thus preventing
the largest computing professional society from taking an anti-Clipper
position, a position that would reflect the sentiments of the majority
of the membership.
3. Professor Denning consistently makes generous assumptions about the
proper and lawful actions of government officials - assumptions that
anyone familiar with recent American history knows to be naive. For
example, the political manipulation of information gathered by J. Edgar
Hoover, former Director of the F.B.I. is common knowledge.
4. Professor Denning relies heavily on anecdotal evidence of crimes
"prevented" through communications intercepts without presenting accurate
data on the (very small) number of crimes in which the intercept was
essential to the success of law enforcement. Others have posted the
figures, and they suggest that the practical value of such intercepts is
greatly overstated.
5. Professor Denning maintains that secure encryption is a difficult
technology to master and is not readily available to the general public.
In view of the existence of PGP, and the likely availability of its
voice-scrambling successor, this is a ludicrous claim.
6. Professor Denning offers no explanation for how a US national
standard restricting encryption can be viable in the context of
worldwide voice and data communications. How can the US government
possibly assert control of information packets crossing US "cyberspace?"
7. Professor Denning omits to mention that polls reveal that the
majority of the US public are opposed to telephone wiretaps. All
available evidence suggests that Clipper would never survive a public
referendum.
8. Professor Denning neglects to mention that the entire commercial
sector of the US computing industry is united in opposition to Clipper.
Moreover, much of the business community is also hostile to the concept
of Government interception of business communications.
9. Professor Denning's arguments are ultimately authoritarian. She
believes that the judgement of government officials must carry greater
weight than the will of the people. This is a profoundly
anti-democratic position.
Haig Hovaness
Pelham Manor, NY
[email protected]
------------------------------
Date: 8 Mar 94 16:23:23 GMT
From: [email protected](David Batterson)
Subject: File 6--DOS is not dead yet. . . .
Is DOS dead? Definitely not, says SPC
While millions of PC users own and use Windows regularly, many of
us grouse about its idiosyncrasies. Meanwhile, innumerable users
continue to use DOS applications, especially word processing programs.
The DOS flavors of WordPerfect (versions 5.0 and later) have
their legions of fans, along with Microsoft Word, WordStar and
Professional Write. Although I use Ami Pro for Windows, I also
occasionally use Professional Write (Ver. 2.2) which has been around
for several years.
Although WordPerfect users often turn up their noses at
Professional Write, I have always preferred ProWrite to
Word(not-so)Perfect. In fact, I never could understand why Software
Publishing Corp. (SPC) didn't update the program. They did come out
with a Windows version (Professional Write PLUS), but it didn't sell
very well.
Professional Write 3.0 is finally here, and should be in software
stores soon. "This new version was primarily driven by the large
number of customers who requested it," said Chris Randles, SPC's vice
president of marketing. It seems a bit overpriced (at $249 list) for a
program that has had only a modest facelift/update, though.
Randles said that "DOS word processing is one of the most widely
used applications in rapidly-growing niche markets such as small
business and the home office." In that market, PC users don't want to
mess around with memory problems, Windows GPFs (General Protection
Faults), or word processing programs that have become monster
applications akin to desktop publishing software.
Professional Write 3.0 is pretty much the same program, so the
learning curve is nil. There are some improvements that reflect the
changing PC arena. Now you can use a mouse; I missed having that
feature in Ver. 2.2. And SPC realizes that LANs are routine now, so
made it network-ready. The program supports Novell, IBM, Banyan,
Artisoft's LANtastic and Microsoft LAN Manager.
Marlise Parker of Ad Hoc Associates, a Denver-based computer
training and consulting firm, noted that "people are going back to the
belief that the finest things in life are the most simple, and for
many of us, that also applies to the software we use. Professional
Write is one of those rare software gems that keeps getting better,
without losing its simplicity," Parker added.
Want to import .PCX graphics into a document? Sorry, you can't
do it. You CAN include graphs produced with the DOS versions of
Harvard Graphics (2.0 or higher). Want to make fancy newsletters and
DTP documents? Forget it! SPC wisely decided to forego the "bells and
whistles," says Parker, because most users don't want or need them.
Software Publishers Association (SPA) reported recently that DOS
word processing software sales increased a bit in 1993 over 1992.
This occurred while sales of other DOS applications declined, as the
Windows Juggernaut continued.
So as far as word processing is concerned, rumors about the death
of DOS are greatly exaggerated. Remember, the most popular offline
mail readers are Blue Wave, Silver Xpress and OLX--all DOS programs.
Professional Write 3.0 should do well, I think. I would have liked to
have seen it at a $150 list price, however.
------------------------------
Date: Sat, 5 Mar 1994 13:57:23 -0500
From: "USENET News System"
Subject: File 7--Response to Frisk (Re CuD 6.19)
[email protected](Fridrik Skulason) wrote:
> A poster in CuD #6.19 wrote:
> >I even created a virus or two in my years of computing, but never with
> >the purpose of trying to harm another user's system! I create them only
> >for testing purposes, and when I find one that fails a scanned test, I
> >forward it to the company that created the anti-virus software.
>
> Do you really think you are doing anybody a favour by doing that ?
> Anti-virus companies already receive on the average 7 new viruses per
> day right now...we really don't need any more.
Fridrik:
It seems to me that one of the purposes of creating anti-virus software
is to combat viruses. *ahem* What better way to do so than to receive virus
programs from a "tester" and then write code to prevent similar
programs from proliferating from a less honest individual?
I don't see any validity in the argument against writing viruses
to be sent into anti-virus software companies. If these people
don't write test viruses, someone else will come up with similar
ones and use them unscrupulously.
If anti-virus companies are receiving "too many" new viruses every
day, then perhaps they need to deal with the backlog. A representative
such as yourself (I take it from your statementd that you work
with such a company) certainly shouldn't be ranting and raving at
people who are using their valuable time trying to help.
------------------------------
Date: Mon, 28 Feb 1994 09:34:40 GMT-0600
From: "Jeff Miller"
Subject: File 8--Re: "Hackers" Whack Harding (CuD 6.19)
Re: Media "Hackers" Whack Harding's E-Mail, CuD #6.19:
> LILLEHAMMER, Norway--In what was described as a "stupid,
> foolish mistake," perhaps as many as 100 American
> journalists peeked into figure skater Tonya Harding's
> private electronic mailbox at the Olympics.
++++++++++++++++
This story was mentioned on alt.2600 (an Internet news group dedicated
to the magazine "2600"). It annoys me now as much as when I first
read it. Here is the follow up I posted:
Well, I personally know many hackers who have entered systems with
someone elses password, looked around, and logged out. Did nothing
more. They all lost *all* their computer equipment, and many
non-computer related items, not to mention the thousands of dollars
in lawyer and court costs, just to get the felony and misd charges
slapped on them lowered to a misd.
These reporters have just admitted to committing the exact same
crime. Will they have all their equipment confiscated? Will they be
raided by the secret service with guns pointed at their mothers at
5am? I think not.
What a bunch of shit.
Even if Norway's computer crime laws do not apply here, and the
Olympic committee does not wish to take action against these
reporters, it really makes me sick that THESE hackers are given the
image of some responsible adults just having fun at 2AM while eating
pizza, while the other hackers you read about are juvenile delinquents
bent on moving satellites out of orbit and abusing the E911 system.
Just a hypothetical thought: What would have happened if a US hacker
was the one who broke into Harding's account instead of one of these
journalists?
------------------------------
Date: 10 Mar 1994 10:46:04 -0500
From: [email protected] (Mike Godwin)
Subject: File 9--"Porn Press Release" from EFF is a Hoax
At EFF, we have been receiving a number of queries about an alleged EFF
"press release" or "statement" announcing the following:
"Senator Jess Helms (R-NC) requested that the FBI become more involved in
the fight to stop adult images from being distributed on electronic
bulletin boards and the Internet."
Typically, the "press release" has included the following:
: "The EFF has issued a warning to sysops that the following files
: which depict any of the following acts are illegal in all 50
: states, and can subject the sysop to prosecution regardless of
: whether the sysop knows about the files or not.
:
: "--Depiction of actual sex acts in progress"
:
: "--Depiction of an erect penis"
*There is no such press release.*
*The press release is a hoax.*
Several people seem to have been fooled by the false press release,
including the new publication SYSOP NEWS, which reprinted it uncritically
in its first issue.
I urge you to spread this announcement to every BBS of which you a member.
Thank you for helping us stop the unethical people who spread this
misinformation.
--Mike
Mike Godwin, (202) 347-5400 |"And walk among long dappled grass,
[email protected] | And pluck till time and times are done
Electronic Frontier | The silver apples of the moon,
Foundation | The golden apples of the sun."
------------------------------
End of Computer Underground Digest #6.23
************************************
December 13, 2017
Add comments