Dear Readers,

Since our Valentine's Day issue, serious security flaws have been reported in Kerberos 4, Java, JavaScript, and Microsoft's Internet Information Server. Los Alamos National Laboratory suffered an(other) embarrassing intrusion when a hacker penetrated a firewall there. But Los Alamos was not alone; the Justice Department identified an Argentinian youth as the intruder in a variety of U.S. systems in the last half of 1995 (his equipment had been confiscated at the end of December). The significance of this case seems to be that it is the first time a wiretap warrant has been obtained on a telephone line connected to a computer. The warrant was needed because the system being monitored did not provide a warning banner that its communications might be monitored.

On the legislative front, while a legal challenge to the Communications Decency Act (CDA) is underway in a Philadelphia courtroom, a router vendor is planning to market a product that would give Internet service providers a tool for filtering all traffic sent to a given connection. The White House has evidently received lots of e-mail, both legitimate and spam, in the wake of the CDA. Some anti-spamming software installed on the White House mail system has evidently been put to good use. Time Magazine technology writer Philip Elmer-Dewitt could use a copy of it, as he fell victim to a similar assault.

New legislation to address the content of Internet communications, cryptography use and export rules, and copyright is in various stages of consideration in the U.S. Most recently, Senator Burns of Montana announced at the Computers, Freedom and Privacy conference that he will introduce legislation to allow unrestricted export of mass market or public domain encryption programs such as PGP and to prohibit the imposition of mandatory key-escrow encryption policies on the domestic market.

From Europe, reports are that Belgium may assume France's role as the country most strictly controlling the use of encryption. As France seems ready to trade its policy permitting the use only of authorized encryption schemes for one that might only require that keys be deposited with a to-be-specified trusted third party, Belgium turns out to have passed a law over a year ago that includes constraints similar to the former French ones.

On the electronic commerce front, American Express has joined Visa and Mastercard in endorsing the SET specifications, which are now available for downloading at . Digicash teamed with European Internet service provider EUnet and Finland's largest bank, Merita, to launch their ecash system. Half a dozen organizations, primarily media-related services, are reported willing to accept ecash as payment. Oracle announced it will collaborate with Verisign, incorporating Verisign Digital IDs in its WebServer release 2.0 in order to provide cryptographically-based authentication of parties to electronic transactions. Cybercash announced several new agreements as well.

Any questions?

Carl Landwehr
Editor, Cipher