LISTWATCH (12/08/98)

by Mary Ellen Zurko

This issue's highlights are from cypherpunks, dcsb, privacy, tbtf.

Last week the report came back that the countries who had signed the Wassenaar Agreement had agreed to limitations on cryptography. The reports on details and just what it will mean continue to come in, and I expect what's available will be superseded by the time you see this. Public statements on the meeting are at . U.S. special envoy for cryptography David Aaron was reported saying that the countries had agreed to impose controls on mass market software. The gist seems to be that mass-market software, symmetric key length is limited to 56-bits, generally available software (with other restrictive tests on end-user re-configurability) symmetric key is length limited to 64-bits, asymmetric key lengths limited to: RSA & Digital logarithm: 512 bits, Elliptic curve : 112 bits. And its up to signatory states to interpret and legislate. John Gilmore has put out a call to replicate the archives of PGP, Kerberos, IPSEC and others as widely as possible, while the barriers are not in place. Jim Choate has warned that anyone doing so could face punishment from their local government (depending, of course, on what the rules are, how they're enforced, and how the web site is controlled). John Young has put up a preliminary list of international cryptography sources for mirroring . Steve Bellovin commented on cryptography that encryption algorithms are easy to type in, but easy to use or interoperable cryptography is harder. I agree with the sentiment that widely deploying strong cryptography takes a great deal of engineering (and business) effort. Someone from Denmark claimed that in a call to the Danish Ministry of Commerce he mentioned his web site that posts strong cryptography and was told that he could be fined or jailed for maintaining such a site. Another poster pointed out that national laws and regulations cannot have changed so fast and several have stated that an agreement in secrecy like this still faces problems making it into enforced law. However, another poster pointed out that in some countries they are able to enforce the agreement without extra regulations. Some people claim the effect will be to diminish domestic crypto use, as it will shrink the market for such software. Reports from the UK, Finland and Australia support the reported results.

Bob Hettinga points to Sun's handling of crypto in Java as an excellent strategy. They only ship strong cryptography within the US. Users outside of the US are expected to find or produce their own version. They define the Java Cryptographic Extensions API, which they adhere to, and they ship building blocks such as big numbers, a key management framework, and digital signatures everywhere.

[Wassenaar information is still unfolding: Sites giving the text of the Arrangement and related documents and links are indicated below under "New Interesting Links on the Web". There was also a global strike called to protest Wassenaar planned for Monday Dec. 14. Information about the strike and related commentary is at . Thanks to Mez for sending in these URLs after her LISTWATCH summary was turned in Dec 8. (We experienced an unavoidable delay assembling this issue.) Also, a recent posting in RISKS notes that some member countries have exemptions for Open Source crypto software. --Eds.]

Any account's NorthWest airlines frequent flier miles can be used by anyone else with the phone number of account holder, and catching and punishing misuse the is the responsibility of the account holder. At least according to a poster to the Privacy list. I find this amazing, and if I had an account there, I'd certainly check this claim out.

Markus Kuhn, a Ph.D. student under Ross Anderson, is doing work on joint administration of distributed archives like Eternity. The goal is to allow for control of content (for, example, spam management) while not exposing the managers to punishment by the legal system of national powers. He states "The distributed administration in my system will be controlled via a sort of cryptographically enforced digital constitution (written in a tiny special purpose functional programming language) that determines administrative rights in a freely configurable way for a distributed server architecture (allowing elections, votes, vetoes, impeachment, updates to the constitution, etc.). This way, no single person will be responsible for the maintenance of such international software repositories, but a (usually international) group of democratically controlled volunteers does this." Posters to cypherpunks suggest the use of e$ instead, either by the content providers or by the recipients (readers). While money gives influence to those who have, it also provides a representation of scale of passion. There was also some concern that the content provider would really be the one in danger of litigation.

The ZapMe! Corp. provides equipment and Web access to schools in return for the ability to monitor student browsing habits by age, sex and zip code, allowing its advertisers to microtarget students . It sells advertising that run constantly in the lower left hand corner of its browser. It gives kids access to about 10,000 screened Web sites, with Internet at-large available with parental permission. The kids also get email accounts and a place to store their bookmarks.

Digicash has filed for bankruptcy protection . It may have to sell its assets. Bob Hettinga ( is trying to get a syndicate together to buy the blind signature patent.

A frame security hole allows spoofers to replace the information in a frame with their own. There are no obvious clues that the spoof has happened, but you can tell that some of the information in the frames is not from the spoofed site with a View Page Info in Netscape (not like I ever even though of issuing this menu item until now).

From the Vancouver Sun: "The [Canadian] federal government believes tonnes of highly-sensitive material, including tax records, unemployment insurance claims and parole records were sold intact by a Lower Mainland company that was supposed to shred and recycle the material, The Vancouver Sun has learned. Federal agencies found more than 110 tonnes of unshredded files in a Burnaby warehouse last July that were being offered for sale by West Document Shredding (1995) Inc. But they have been unable to determine what happened to nearly another 200 tonnes they know the company was given by National Archives, the federal agency responsible for disposing of classified and non-classified documents no longer required by the government. [...] West apparently sold the material unshredded because it could get a higher price per tonne than if it had to tear it into unreadable strips as required under the terms of its contract." The RCMP's National Security Intelligence Service does not believe there was any security breach (none of the unshredded documents were classified), though there was a privacy breach.

So many cypherpunks were using the list as an email address when registering, someone kindly set up a separate list for that very use.

Someone noticed that Network Associates is still a member of the Key Recovery Alliance, and there was a flurry of concern about what that might mean for PGP. As is so often the case, TBTF has the story: ---------------------------------------------------------------------- ..Network Associates and the Key Recovery Alliance: nothing new

This widely circulated story is without substance

Wired News originated a story [1] claiming that NAI had quietly rejoined the KRA, after publicly disavowing it [2] following its acquisition of PGP last December [3]. Here are the facts: NAI ac- quired Trusted Information Systems in May 1998. TIS had been a leader in the Alliance, and its technology was considered to be among the best solutions in this space. NAI resigned the leader- ship posts that TIS had held in the Alliance and continued to mon- itor its work, but stopped attending its meetings. The NAI name still appears on the KRA Web site [4], as it has since May. There is no news here. Perhaps Wired was tipped by a disgruntled KRA member after Network Associates sent a representative to a recent meeting to suggest that they disband, because Open Source develop- ment provides greater security and assurance than any approach based on key recovery. The following statement was sent to me by Jon Callas, CTO of Total Network Security (formerly PGP Inc.) at Network Associates.

    Hash: SHA1

    Here is the official statement:

    "NAI officially withdrew from the Key Recovery Alliance in late
    1997.  In May of 1998, NAI acquired Trusted Information Systems,
    which had been an active member of the KRA.  NAI subsequently
    reliquished the leadership role TIS had taken in the
    organization.  NAI Labs' TIS Advanced Research Division
    continues to monitor the KRA's activities from a technical
    perspective, but Network Associates in no way advocates
    mandatory key recovery."


    Version: PGP 6.0

    -----END PGP SIGNATURE-----


Someone came across the following warning while visiting the Goddard Space Flight Center's website at :

U.S. GOVERNMENT COMPUTER If not authorized to access this system, disconnect now. YOU SHOULD HAVE NO EXPECTATION OF PRIVACY By continuing, you consent to your keystrokes and data content being monitored.

3Com issued a Security Advisory for some of its switches, suggesting customers change a series of preset passwords, such as, in the CoreBuilder 7000, username: tech password: tech. Takes me back to the days in VMS of username: System password: Manager. In addition, the admin password was also available through a proprietary MIB variable.

Some openings in the area of privacy software: Lorrie Faith Cranor ( has an opening for a Java programming contractor to implement a P3P user agent as a client-side proxy. Anonymizer Inc. is also looking for programmers to work on various projects under development.

John Cutler ( is starting a Palo Alto cryptography study group.

Someone posted Bill Gates' SSN from the Microsoft filing information at the SEC.

Back in October, the FCC proposed that law enforcement agencies armed with court-authorized surveillance orders should be able to determine the location of a mobile telephone caller.

Netscape 4.06's "What's Related" feature will, by default, track the user's clickpath after its invoked, to provide more data for the feature . Microsoft's WebTV does similar backchanneling. It polls users and uploads television and Web site viewing habits nightly.

Scotland Yard and a local council are trying out a closed circuit TV system in London's East End that will raise an alarm when it spots a face from a database (in this case, of known criminals). It matches on the position of facial features.