From: dlv@bwalk.dm.com (Dr.Dimitri Vulis KOTM)
Date: Wed, 9 Oct 1996 11:28:02 +0800
To: cypherpunks@toad.com
Subject: [NEWS] Crypto-relevant wire clippings
Message-ID: <Z5NHVD1w165w@bwalk.dm.com>
MIME-Version: 1.0
Content-Type: text/plain


Agence France Presse: Tuesday, October 1, 1996

Swiss Socialists Call for Abolition of Banking Secrecy

BERN-- Socialist members of the Swiss parliament tabled a motion calling for
abolition of banking secrecy to combat tax evasion, on Tuesday.

The motion urged the government to act quickly to remove article 47 of federal
banking law which lays down penalties of six months in prison and/or a fine of
50,000 Swiss francs (40,000 dollars) for any breach of banking secrecy.

The penalties may be enforced against anyone who works, or has worked, in the
banking sector.

The law was approved in 1934 to protect people, notably Jews, being persecuted
by Hitler's Nazi party in Germany who risked the death penalty for trying to
protect their assets in foreign banks and other institutions.

"At the time this law was adopted against the activities of the Gestapo (German
Nazi police) I would have voted in favour," said member of parliament Jean
Ziegler who tabled the motion in the name of the socialist group. "But today it
has resulted in total protection and serves only to facilitate the flight of
capital from the Third World and tax evasion."

The intention was to enable Switzerland to "adopt the European norm" concerning
banking secrecy, he said.

Removal of the penalties would not in any way affect normal "commercial
confidentiality", he said.

Late on Monday members of parliament voted unanimously in the national council
to set up an independent enquiry to investigate Switzerland's financial
dealings, notably in gold, with Nazi forces before and during World War II and
what has become of assets placed by the persecuted in bank accounts, and
through insurance policies and lawyers.

Banking secrecy is to be lifted for the members of this commission to enable
them to investigate accounts in private banks and in the central bank.



International Herald Tribune: Tuesday, October 1, 1996

Waging Cyberwar: Is the World Ready?

Steve Lohr

It was the OPEC meeting in May 2000 that started the crisis. The oil-price
hawks, led by Iran, demanded a sharp cutback in production to drive prices up
to ''at least $60 a barrel."

The stormy gathering of the Organization of Petroleum Exporting Countries ended
on May 4, with a shouting match between the Iranian and Saudi Arabian oil
ministers. Over the next two weeks, Iran and its allies mobilized troops and
fired on Saudi warships. But they also unleashed an arsenal of high-technology
weapons to try to destabilize the Saudi government and prevent the United
States from intervening.

A huge refinery near Dhahran was destroyed by an explosion and fire because of
a mysterious malfunction in its computerized controls. A software ''logic
bomb'' caused a ''new Metro-Superliner'' to slam into a misrouted freight train
near Laurel, Maryland, killing 60 people and critically injuring another 120.

The Bank of England found ''sniffer'' programs running amok in its electronic
funds transfer system. And a ''computer worm'' started corrupting files in the
Pentagon's top-secret force deployment data base.

The opening scenes from a Hollywood script or a new Tom Clancy novel? No, these
are excerpts from a role-playing game conducted last year at the government's
National Defense University in Washington. The goal was to generate some
serious thinking about ''information warfare.''

Today, there are a lot of people thinking seriously about information warfare,
not only at the Pentagon and the CIA but also in the executive offices of
banks, securities firms and other companies. Once dismissed as the stuff of
science fiction, high-tech information warfare is fast becoming a reality.

Defense and intelligence officials believe that enemy nations, terrorists and
criminal groups either already have the capability to mount information warfare
strikes or soon will. Criminals are quickly progressing beyond the vandalism
and petty theft associated with teenage hackers and into robbery and extortion
schemes ranging up to millions of dollars, corporate executives and private
investigators say.

In the future, they fear, information warfare assaults could be made against
commercial networks like the banking system or utilities in several states.

Yet there is a heated debate among experts in this emerging field about whether
the kinds of catastrophic incidents cited in the National Defense University
war game are imminent threats or worst-case nightmares.

''A couple of years ago, no one took information warfare seriously,'' said

Howard Frank, director of the information technology office at the Defense
Advanced Research Project Agency, or DARPA. ''But the more you learn about it,
the more concerned you become.''

Others reply that the worst threats mentioned are mostly speculation.
''Information warfare is a risk to our nation's economy and defense,'' said
Martin Libicki, a senior fellow at the National Defense University. ''But I
believe we will find ways to cope with these attacks, adjust and shake them
off, just as we do to natural disasters like hurricanes.''

Experts on both sides of the debate do agree that the growing reliance on
computer networks and telecommunications is making the nation increasingly
vulnerable to ''cyber attacks'' on military war rooms, power plants, telephone
networks, air traffic control centers and banks. John Deutch, the director of
Central Intelligence, told Congress in June that such assaults ''could not only
disrupt our daily lives, but also seriously jeopardize our national and
economic security.'' ''The electron, in my view,'' Mr. Deutch warned, ''is the
ultimate precision-guided weapon.''

Last July, President Bill Clinton created a Commission on Critical
Infrastructure Protection to craft a coordinated policy to deal with the
threat.


Within the government, information warfare tactics and intelligence are highly
classified issues. But the CIA has recently created an Information Warfare
Center. And the National Security Agency intends to set up an information
warfare unit staffed by as many as 1,000 people, with both offensive and
defensive expertise, as well as a 24-hour response team, according to a staff
report by the Senate Permanent Subcommittee on Investigations, which was
initiated by Senator Sam Nunn, Democrat of Georgia. This budding warfare
industry is an eclectic field indeed, ranging from computer scientists whose
work is funded by the government to hackers-for-hire who specialize in theft,
extortion and sabotage. In his Senate testimony, Mr. Deutch said the CIA had
determined that cyber attacks are now ''likely to be within the capabilities of
a number of terrorist groups,'' including the Hezbollah in the Middle East.

The weapons of information warfare are mostly computer software, like
destructive logic bombs and eavesdropping sniffers, or advanced electronic
hardware, like a high-energy radio frequency device, known as a HERF gun.

In theory, at least, these weapons could cripple the computer systems that
control everything from the electronic funds transfer systems of banks to
electric utilities to battlefield tanks.

For the military, information warfare raises the prospect of a new deal for
America's adversaries. Cyberwar units could sidestep or cripple conventional
weaponry, undermining the advantage the United States holds.

''Even a third-tier country has access to first-class programmers, to
state-of-the-art computer hardware and expertise in this area,'' said Barry
Horton, principal deputy assistant secretary of defense, who oversees the
Pentagon's information warfare operations. ''There is a certain leveling of the
playing field.''

In the business world, the reported hacker activity to date is mostly stealing
credit card numbers, vandalizing software or harassing Internet service
companies.

Citibank got an alarming brush with the problem two years ago, when a Russian
computer hacker tapped into the bank's funds transfer system, taking more than
$10 million.

Citibank will not discuss the case, but investigators say the bank recovered
all but $400,000 Major breakdowns caused by computer intruders have not yet
occurred. But there is evidence that more sophisticated hackers are now at
work. Science Applications International Corp., a defense contractor and
technology security firm, surveyed more than 40 major corporations who
confidentially reported that they lost an estimated $800 million due to
computer break-ins last year, both in lost intellectual property and money.

Private investigators and bankers say they are aware of four banks, three in
Europe and one in New York, that have made recent payments of roughly $100,000
each to hacker extortionists. The bankers and investigators would not name the
banks, but the weapon used to blackmail the banks was a logic bomb - a software
program that, when detonated, could cripple a bank's internal computer system.


Time: October 7, 1996

Cyber Vending Machine: Cash on the Internet

By MICHAEL KRANTZ

It is a truth universally acknowledged that an infant media-distribution
network in possession of a large audience must be in want of a way to cash in
on it. Case in point: the World Wide Web, the interconnected computer universe
that teems with affluent consumers whose only means of spending money online is
to surrender their credit card to insecure networks--hardly a recipe for
success.

This week CyberCash, based in Reston, Virginia, launches a product that could
change all that, and turn the Web into one giant vending machine. The company's
CyberCoin system will allow online "microtransactions" of as little as a
quarter. "We think," says an exuberant Larry Gilbert, CyberCash's vice
president and general manager, "it's going to be the core of electronic
commerce on the Internet."

Here's how the system works: starting this week, you'll visit the CyberCash Web
site, download an empty electronic wallet onto your hard drive and register it
with the company (if your own bank signs up with CyberCash, it will offer you
its own self-named wallet). The software acts like an ATM, allowing you to
transfer $ 20 to $ 100 from your bank into your wallet before heading off onto
the Web. When you reach a site that accepts CyberCash, you can spend your money
by using either your credit card or CyberCoins.

For online entrepreneurs, these 'coins,' digital markers of your money, could
be the magic bullet that makes commerce viable on the Web. Suppose that, say, a
certain TIME writer wants to promote his short stories online. Putting them on
a Web site is a breeze. But suppose he wants to charge readers 50[cents] a
story? Nobody's going to fork over a credit-card number for that.

CyberCoins could let thousands of such harebrained Web schemes bloom. Take
Worbble, a multiplayer word game created by Headgames Inc. of Edmonton,
Alberta, that is set to hit the Web next week. From five to 2,000 players at
once will look for words hidden in a 3-by-3 grid; the first player to find each
word will win $ 10 to $ 60. The entrance fee: one buck. The currency:
CyberCoin. "The product fits our marketing strategy like a glove," says
Headgames president Ray Speichert.

That's music to CyberCash, whose revenue will come from usage fees, just like
those of credit-card issuers. "On a 25[cents] transaction," says Gilbert,
"we'll charge the bank 6[cents], and they'll charge the merchant 8[cents]." As
transaction sizes go up, they'll get a much smaller percentage; still, over
millions of users, CyberCoin profits could add up to big bucks.

Inevitably, the company will have company. CyberCash launches CyberCoins with a
respectable roster of partners: some 30 Web hosting companies will offer
CyberCash to their client sites, and by year's end CyberCash expects about 100
Web sites to take them up on it. Initially six banks will offer electronic
wallets to their customers, including the Charlotte, North Carolina-based First
Union, the nation's sixth largest. "There's an obvious niche for 'coin'
payments on the Internet," says Parker Foley, First Union's director of
electronic commerce. "CyberCash is the first company to have their model
together."

But most banks are sitting out this round, notably Citibank, which is
developing its own E-money software. And numerous start-ups are readying
entries in the online commerce sweepstakes. And that can only mean transaction
fees will drop quickly, just as they have in nearly every software-driven
business extant.

Is cybercash safe from hackers and outright criminals? Last fall the Bank of
International Settlements appointed a task force to examine security issues for
E-money products like CyberCoin. The group, headed by Israel Sendrovic, an
executive vice president at the Federal Reserve Bank of New York, reviewed a
raft of upcoming 'smart card' and/or software-based products. Its report,
released early this month, conveys guarded optimism. "These systems are much
more secure than credit cards," says Sendrovic. "There's no single


American Banker: Friday, October 4, 1996

Banks Like Export Plan for High-Power Encryption

By DREW CLARK

Bank technology experts have reacted favorably to the Clinton administration's
proposal to liberalize the development and sale of strong data security tools.

This week, the government said it would lift export restrictions on certain
kinds of cryptography, provided U.S. companies agree to cooperate with a
procedure that would give law enforcement officials access to the "keys" of
such codes, upon presentation of a warrant.

Banks were heartened by the announcement because many view the widely used Data
Encryption Standard -- a low-level form of data scrambling -- as inadequate
protection against the rising computer power of so-called hackers.

Though banks can use a complex 56-bit data encryption key for financial
transactions, sensitive communications with overseas branches are limited to a
less powerful 40-bit standard. Banks hope that a loosening of restrictions in
general will benefit them, too.

"This policy announcement is better than anyone expected," said Kawika M.
Daguio, federal representative at the American Bankers Association in
Washington. "It is gravy for us, but it's the meat and potatoes for the
hardware and software industries."

"Banks probably won't be adversely affected," said Stewart A. Baker, a partner
at Steptoe & Johnson, a Washington law firm, "and they will be left pretty much
where they were before." The announcement by Vice President Al Gore said that
controls over powerful encryption technology would be lifted as the government
and private sector develop a "key recovery" system. (International Business
Machines Corp. already has stepped forward to head a consortium dedicated to
creating such a system.)

Current law forbids the export of computer hardware or software that uses
cryptographic codes with digital "keys" -- randomly generated combinations of
0's and 1's -- longer than 40 bits. The longer the key length, the more
impenetrable the code.

For three years, the government has said it would permit the general use of
more complex cryptography only if the companies using it placed their keys in
the hands of the government or a third party.

"Key escrow," as it is known in the technical community, is needed in order to
prosecute people who have stored evidence of illegal activity on the hard drive
of a computer, officials argued. But the private sector -- banks included --
have balked at handing over such access to any third party.

The disagreement gave rise to a compromise system known as "key recovery" in
which companies would hold their own keys but could be required to divulge
certain information about specific transactions when presented with a court
order or warrant.

"What is novel is that it doesn't escrow any keys," said Homayoon Tajalli,
executive vice president of Trusted Information Systems, Glenwood, Md., one of
IBM's consortium partners.

"If the government comes and gets this data with a court order," explained Mr.
Tajalli, "then they take a digital lockbox from the third party or parties that
hold it, and they read the message."

Kathy Kincaid, director of information technology for IBM, said the difference
between key escrow and key recovery is analogous to the following approach to
securing a house when its owner goes on vacation: Instead of giving a key to
two neighbors, the owner gives each neighbor half the combination to a lockbox
that holds the key.

"You must have both halves and put them together in exactly the right
sequence," said Ms. Kincaid. "This provides protection against a single point
of attack."

Companies participating in development of key recovery systems include: Apple
Computer Inc., Digital Equipment Corp., Groupe Bull, Hewlett-Packard Co., NCR
Corp., RSA Data Security, Sun Microsystems Inc., Trusted Information Systems,
and United Parcel Service.

And a government official said banks may even play a role.

"Banks have really taken a leadership role in the responsible management of
cryptography," said a senior Clinton administration official who asked not to
be named. "Banks are already doing what we want other organizations to do:
safeguarding their keys and providing them, when necessary, to law
enforcement."

Heidi Kukis, a spokeswoman for Vice President Gore, said: "This key recovery
system is the proper balance between commercial interests and national
security."

But not all agree. Some argue that the key recovery system still gives the
government too much control over information flow.

"Providing 56-bit encryption with key recovery doesn't help us," said Netscape
spokeswoman Chris Holton. "The government is saying that you can export it but
you have to provide us with the keys. We feel that is extortion on the part of
the government."

"We are making the best of a bad situation," said Scott Schnell, vice president
of marketing for RSA Data Security.

"The bottom line is that the standard proposed by the government is an
insubstantial step in the right direction," he said. "We want to make sure it
is usable and prepare for the day that products will be available that do not
have this key recovery situation."

The government's announcement came three months after a National Research
Council report on the role of cryptography in an information- oriented society.

The report encouraged liberalization of government standards and questioned the
feasibility of the key escrow system then favored by government.

"We raised the issue about the security of key escrow systems," said law
professor Kenneth W. Dam, chairman of the body that prepared the report, "and
we said the government should work on it."

"I take it this is an attempt to move in the way of key escrow, with the help
of industry," said Mr. Dam.


Reuters: Sunday, October 6, 1996

Dutch Banks to Be First with Smartcards

By Lucas van Grinsven

AMSTERDAM-- Dutch banks are poised to become the first in the world to
introduce computer smartcards on a nationwide scale this year, eventually
giving 15 million people the possibility of living their lives without cash.

Dozens of smartcard trials are being carried out across the globe and industry
pundits forecast billions will be in circulation at the beginning of the next
millennium, but it's the Dutch who lead the field.

Undeterred by union warnings of thousands of job losses in the sector, Dutch
banks will start issuing smartcards to their clients this month and by October
1997 all 15 million people in the Netherlands will have access to them.

The Dutch smartcards are not just reloadable cash cards but can also be used
for on-line bank transfers, retail loyalty schemes such as airmiles,
teleshopping and ticket reservation.

A Dutch consumer can store small amounts of cash on a card which can be used
even for purchases such as icecream or bus fares. The money will be transferred
from the card to the retailer's account without costly on-line links via the
bank.

More expensive articles will ideally be paid on-line, validated by the client's
secret four digit individual code.

Smartcards can be loaded at "cash dispensers," but by the end of 1996 topping
up will also be possible at home via smartphones or cheap "home-loaders"
connected to an ordinary telephone.

"The Netherlands is forerunner. We're the first country to introduce smartcards
on a national scale," said a spokesman for the Dutch "Chipknip" consortium.

There will be two types of Dutch smartcards, issued by two groups of banks,
Rabobank and ABN AMRO on one side with their "Chipknip," and Postbank and PTT
Telecom on the other with the "Chipper."

"Our card has slightly more computer memory which will make payment
transactions more secure," said the Chipknip spokesman.

The Chipper consortium on the other hand claims its card has a multifunctional
character. "It's a services card. You can also use it to book cinema tickets
and then go the theatre where your card is checked at the entrance for
identification. You don't need a physical paper ticket anymore," a Chipper
spokesman said.

Chipknip says such applications will also be possible with their card in the
near future. In a bid to avoid a battle of standards, Chipknip said it planned
to offer all Postbank customers their type of smartcard.

"This country is too small for two different standards," an ABN AMRO spokesman
said. The computer chips on the current generation of smartcards can hold as
much of four densely-typed A4 pages of information, but the industry keeps
expanding capacity in the fight for this potential multi-billion dollar market.

The more information that can be stored on one card, the fewer smartcards
consumers will have to be carried.

Trials in the U.S, such as one carried out in Atlanta at this year's Olympic
Games by Visa, focus on payment transactions.

The Spanish and French governments will launch smartcards on a huge scale next
year to make health care and social security safer and more efficient. People
will carry their medical or social records on a card.

Public transport is another area for smartcards as they reduce ticket sales
time and fare-dodging.

Contactless fare collection is currently pioneered in the South Korean capital,
Seoul, using systems developed by Mikron Indentification, an Austrian company
which was bought by Philips Electronics in 1995 and which also runs pilots in
Sydney.

Smartcards are also used to personalise GSM telephones, computers and
pay-television. Although the first smartcard was developed as early as in 1977
by Motorola and Bull for a bank in France, the home of the smartcard, they are
only now catching on, but without one standard leading the industry.

The choice of an encryption method to ensure safety is still being debated as
is the method for contactless reading.

The battle over smartcard technology and licence fees is being fought between a
few companies, giants such as Motorola, Bull, Philips, Visa and Mastercard but
also LSI, Thomson and specialised France's Gemplus and Britain's Mondex.

But Dutch banks and retailers, who will have to carry most of the
infrastructure costs, will not wait for a single standard despite higher costs
of adapting to different systems at a later stage. The immediate cost
advantages are far too clear.

---

Dr.Dimitri Vulis KOTM
Brighton Beach Boardwalk BBS, Forest Hills, N.Y.: +1-718-261-2013, 14.4Kbps