1994-02-06 - Government Policy makes Internet breakins easier

Header Data

From: wcs@anchor.ho.att.com (bill.stewart@pleasantonca.ncr.com +1-510-484-6204)
To: mnemonic@eff.org
Message Hash: 0d3567f748904009424dc380069fa1f8f965e2d16008ef6c3b5fd888d3a0d14d
Message ID: <9402061248.AA09213@anchor.ho.att.com>
Reply To: N/A
UTC Datetime: 1994-02-06 12:50:29 UTC
Raw Date: Sun, 6 Feb 94 04:50:29 PST

Raw message

From: wcs@anchor.ho.att.com (bill.stewart@pleasantonca.ncr.com +1-510-484-6204)
Date: Sun, 6 Feb 94 04:50:29 PST
To: mnemonic@eff.org
Subject: Government Policy makes Internet breakins easier
Message-ID: <9402061248.AA09213@anchor.ho.att.com>
MIME-Version: 1.0
Content-Type: text/plain


Newsgroups: comp.org.eff.talk,comp.security.misc,talk.politics.crypto,alt.security,alt.activism
Subject: Government Encryption Policies Simplify Internet Break-ins
Distribution: 

[Sure would be nice if the EFF or CPSR would put out a press release
along these lines.  Anybody?]

The news from the Information Superhighway hasn't been good this week.
Major breakins have been occurring from someone who's been stealing
users' passwords as they log in across the net, using them to break
into their machines, and using their machines to watch the net for
more passwords.  It's not really that hard to stop - encryption
technology has been available for several years that sends passwords
across the net in encrypted form the eavesdroppers can't use - but
most people haven't deployed encryption.  Why not?

Well, part of it's just laziness, but in large part the use of
encryption has been restricted by the government's Cold War era
policies against developing, using, or distributing encryption software.
Encryption is the mathematical privacy coding that lets people
send their passwords and conversations privately.
If you want to sell encryption software overseas, you have to get a
munitions export license, just as you would for exporting assault
rifles or nuclear weapon parts, and they'll only give you a license
for crippled software that the NSA can break easily, unless you're a
bank or selling to a "friendly" government's military.
If you want to sell encryption software in the US, you can't export it,
which means you have to sell separate US and export versions.

And if you want to give it away free, like lots of university and
public domain software, you can't just post it to the net or make it
available for ftp (the Internet version of the public library),
without risking years in jail or at least having your computers
confiscated while the government tries to decide whether to indict you -
and you'd better be able to afford some *very* good lawyers.
Can this sort of free speech really be illegal?  Nobody's really sure,
the government won't give you permission and few people want to risk
the jail time to find out if they'll give you forgiveness.

Meanwhile, most computer systems have simple password systems that
can't protect against wiretappers.  It's especially a problem on
international long-distance circuits, where the connections are more
exposed, because export rules say your business can't ship it the
package you use on your US computers to your foreign branches.

The Clinton Administration has announced that they're going to relax
the export rules a bit, if you use their new Escrow Encryption Chip
(which has built-in wiretapping capabilities) or simple encryption
systems with short, easy-to-guess keys.  The paperwork will be simpler,
and you won't need an arms dealer license to carry your cellular phone
or laptop computer on a business trip, but the NSA still retains
control over what technology you can use.  Proposed legislation in
Congress would transfer control of crypto exports to the Commerce
Department, which handles most other export licensing.  

Without the Communist Party to kick around, U.S. Administration press
releases bring up spectres of drug dealers, terrorists, and pornographers,
but some of the major applications for the wiretapping capabilities of
the new Escrow Chip appear to be financial transactions and tax evasion,
since banks will need to replace their current encryption systems with
something newer, as faster generations of computer technology will
make the present systems insecure over the next 5-10 years.
Because the Escrow Chip is a hardware-only approach,
it's adequate for automatic teller machines, but you'd need to buy a
government encryption module if you want to do your banking over the
Information Superhighway - more secure encryption can be done cheaply,
in software, but the NSA's 55 mph speed limit won't let you - for now.

On the other hand, the Cold War's over and you can get good encryption software
from Finland, Moscow, Bulgaria, Switzerland, or Australia, often free,
and it's becoming widely used by political activists in post-Communist
countries.  


---------
The preceding has been the personal opinion of Bill Stewart,
and does not necessarily represent the views of the EFF, CPSR,
Cypherpunks, or my employer, but I'll be happy to have my rhetoric stolen :-)
---------
Bill Stewart billstewart@attmail.com





Thread