LISTWATCH (7/10/98)

by Mary Ellen Zurko

This issue's highlights are from cypherpunks, risks, tbtf, and crypto-gram.

Several stories were posted about Echelon, "a global network of highly sensitive listening posts operated in part by America's most clandestine intelligence organization, the National Security Agency" according to Wired. This system is purported to have been searching through telephone, email, fax, and telex traffic looking for certain keywords. Each agency involved is said to have a set of keywords of concern, and full conversation or document is sent on when a keyword of interest is hit. There are accusations that the system was used to monitor European and Japanese businesses, to the potential advantage of US businesses as well. European Parliament discussion on the topic is at

CASIO is offering a prize (worth about $7K US) for breaking their message encoded with MDSR, which is based on on Multi-Dimensional Space Rotation and Time-Dependent Multi-Dimensional Space Rotation (

There was a lot of discussion on cypherpunks about defining and using a "cypherpunks license" in the spirit of GNU GPL, that requires developers who use code under this license to follow good cypherpunk practices like not using key recovery. It didn't seem like using a license was in the end the best place to try to encourage this sort of behavior.

A DoD memo went out expressing concern that too much information about infrastructure and capabilities was being made available on Web pages, and it might be used by terrorists. Military organizations were tasked with reviewing their web sites' information and "strike a balance between openness and sound security." The army struck its balance by pulling all its web sites off the internet, with no indication of when they might be back.

Bruce Schneier has created a self-stufy block-cipher cryptanalysis guide that sounds like fun to me. He publishes papers to describe the algorithms, challenges the student to try to reproduce published attacks, then points the student at the attacks to see how they did (

A British company is offering superior physical security for its Web server by putting it in a room they purchased that was formerly part of a military base. There it is protected from electronic eavesdropping, physical intrusion, and electromagnetic damage, as well as a nuclear strike.

A flaw in Netscape's Javascript that could allow access to the user's cache was reported in the New York Times. As a sign of the times, there were quotes pointing out both what a big security violation it could be, and what a big privacy violation it could be.

The Naval Surface Warfare Center reported on attacks that were launched in a synchronized fashion from a variety of sites in order to escape detection by auditing tools. The concept should be no surprise to anyone here, but it did surprise me that a report like that was posted on's technology section.

The official Starr report was delivered to the White House as a WordPerfect document. When the White House converted it to HTML, the conversion process inserted some previous "deleted" footnotes and removed some other passages. Turns out "deleted" footnotes are scrubbed, just marked to be ignored. The conversion process ignored the "ignore" mark. One of the "deleted" footnotes that made it out had a mildly entertaining quote from Lewinsky about Clinton.

The FTC decided to test claims of privacy self-regulation by surfing about 1,400 web sites. They found more than 90% collected personal information but only 14% disclosed how they would use it. Some sites don't publish a policy on purpose, so that they can't be accused of not holding to it. Last month, the FTC settled with Geocities, who the commission found was selling information in disregard of their posted policy.

There was discussion on cypherpunks about ArcotSign ( Although they're not releasing technical details, several people, include Bruce Schneier, tried to explain the product without giving away protected information about it. Passwords cannot be verified by an offline attack, even if the password file is stolen from the client. This seems to involve some sort of obfuscation involving mathematical magic that simulates lots and lots of potential passwords, only one of which is correct. They use public key technology, but both the "public" and private keys must remain undisclosed. It's targeted at providing authentication with a party with whom you already have a relationship (a bank, your employer).

The Mercantile Bank has stopped supporting Digicash (which it acquired along with the Mark Twain Bank). Rumor has it that another large institution will be announcing some sort of Digicash support later this year.

In mid-September, the US updated its crypto export rules again. You can export 56 bit DES without any key recovery plans (this of course was after the EFF crack; see below). Exports of unlimited strength crypto have been "streamlined" to certain sectors, including subsidiaries of US firms (except in terrorist nations), insurance companies, health and medical organizations, and for the purposes of on-line merchant transaction.

Two items from early September from TBTF:
----------------------------------------------- A digital signature makes e-commerce history

Using smart cards in place of pens

On his visit to Ireland last week, President Clinton and Irish Prime Minister Bertie Ahern made technology history as the first heads of state to sign an intergovernmental document digitally (it was a com- munique on e-commerce). The signing took place at 4 PM GMT on 9/4/98 at the Gateway 2000 plant in Dublin, Ireland. The smartcards and software for the event were provided by Baltimore Technologies [8], whose account you can read here [9]. Thanks to Mike Hanafin for timely word of this milestone.


[We're told that Clinton and Ahern swapped smart cards afterwards. I wonder if they had their PINs written on them . Mez]

..Crypto policy costs the US a citizen

A financial cryptography practitioner becomes an African-Caribe

Vince Cate gave up his US citizenship last Sunday [10] (registration and cookies required for this site). Cate, who lives in Anguilla, said he wants to be "free from the silly US laws on crypto." His company [11] develops software for financial cryptography. Cate is one of the organizers of the Financial Cryptography conferences on his Caribbean island; he's also the man who brought us the "Become an international arms trafficker in one click" page [12]. Before renouncing his US citizenship Cate paid about $5,000 for Mozambiquan citizenship. The Times article quotes a lawyer who specializes in export licenses as opining that Cates's gesture was not strictly necessary, because the law has always given more latitude to crypto- graphy used strictly for financial transactions [13].


There was a great deal of discussion on cypherpunks on the new UK custom's policy of scanning laptop hard drives looking for porn. There was some concern about this scanning being a vector for viruses, but it seems that their procedures are suitably prophylactic. There is also concern for protecting business secrets (and of course other privacy issues).

Counterpane is offering $10,000 in prize money to the best attacks on Twofish during the first round of AES evaluation (

Just after the last Cipher went to press, John Gilmore, with backing from the EFF, cracked DES with "Deep Crack", a specialized parallel processor optimized for DES key search. I expect you've all heard about it already, but if you haven't, more information is at

At the same time, there was a lot of discussion on cypherpunks about "Private Doorbell", Cisco's answer to US crypto controls. Basically Cisco is saying their routers already meet law enforcement needs, as there is an operator that can be served with papers who can record traffic before (or after) it is encrypted ( . There hasn't been much about it since; it may meet "death by procrastination", which seems to be the last resort reaction to interesting new approaches.

Shameless personal plug department: In Schneier's CRYPTO-GRAM of August 15, 1998 stated: "IBM is giving away the source code to PKIX. Good for them. " This is the project I'm working on (Iris is part of Lotus is part of IBM). The first snapshot is finally available at