Computer underground Digest Wed Mar 20, 1996 Volume 8 : Issue 22 ISSN 1004-042X Editor: Jim Thomas (cudigest@sun.soci.niu.edu) News Editor: Gordon Meyer (gmeyer@sun.soci.niu.edu) Archivist: Brendan Kehoe Shadow Master: Stanton McCandlish Field Agent Extraordinaire: David Smith Shadow-Archivists: Dan Carosone / Paul Southworth Ralph Sims / Jyrki Kuoppala Ian Dickinson Cu Digest Homepage: http://www.soci.niu.edu/~cudigest CONTENTS, #8.22 (Wed, Mar 20, 1996) File 1--The CDA challenge is about to begin! File 2--Shimomura's "Takedown" v. Littman's "Fugitive Game" File 3--"Takedown": A Postmodernist Romance File 4--CFP96 - the Sixth Conference on Computers, Freedom, and Privacy File 5--Dorothy Denning attacks Leahy's crypto bill File 6--Cu Digest Header Info (unchanged since 16 Dec, 1995) CuD ADMINISTRATIVE, EDITORIAL, AND SUBSCRIPTION INFORMATION APPEARS IN THE CONCLUDING FILE AT THE END OF EACH ISSUE. --------------------------------------------------------------------- Date: Wed, 20 Mar 1996 13:32:48 -0800 (PST) From: Declan McCullagh <declan@EFF.ORG> Subject: File 1--The CDA challenge is about to begin! Read on for more information on the details of the court challenge. -Declan // declan@eff.org // I do not represent the EFF // declan@well.com // March 20, 1996 _____________________________________________________ News from the ACLU National Headquarters ACLU V. RENO: Background Briefing Three-Judge Panel to Hear ACLU Testimony in Landmark Challenge to Internet Censorship Law PHILADELPHIA, PA--Beginning tomorrow, a three-judge panel in federal district court in Philadelphia will hear testimony in the consolidated cases of ACLU et al v. Reno and American Library Association et al v. Reno, the landmark challenge to censorship provisions of the Telecommunications Law of 1996. Free speech in cyberspace is at stake as the first major legal challenge to censorship on the Internet gets underway. The case began when the ACLU filed a motion for a temporary restraining order against indecency provisions of the Telecommunications Bill immediately after it was signed into law by President Clinton on February 8. The suit challenges provisions of the law that criminalize making available to minors "indecent" or "patently offensive" speech. Acting on behalf of 20 individuals and organizations that provide information via the Internet -- including itself -- the ACLU said it was moving quickly because it feared that the telecommunications legislation would have an immediate impact on the Internet. Following this action, a second legal challenge was filed on February 26 by a coalition of more than 20 corporate and trade organizations known as the Citizens Internet Empowerment Coalition (CIEC). The CIEC suit, organized by the American Library Association, America Online and the Center for Democracy and Technology, was formally consolidated with ACLU v. Reno. The CIEC lawsuit, which addresses essentially the same issues as the ACLU challenge, further illustrates the broad spectrum of individuals and organizations that would be affected by the censorship provisions, and strengthens the case for a finding that the law is unconstitutional. The Court Case According to procedures laid out by the judges, direct testimony in ACLU v. Reno is to be submitted via affidavit. During the three days of testimony allowed, which will take place over March 21 and 22 and April 1, lawyers for the Department of Justice will cross-examine coalition witnesses, after which lawyers for the ACLU and ALA coalitions will have an opportunity to redirect, i.e., question their witnesses in response to the government's cross-examination. In preparation for the case, lawyers for the Department of Justice have been deposing all the ACLU and CIEC witnesses it may choose to cross-examine. So far, government lawyers have declined to cross- examine only two witnesses: Christine Soto and Hunter Allen, teenagers whose affidavits attest to the importance of uncensored access to the Internet by minors. The government is scheduled to present its witnesses for cross- examination on April 11 and 12, 1996. A fourth day of testimony has been scheduled for April 26, to allow the ACLU and ALA coalitions to present witnesses rebutting the government's testimony. Following these six days of trial, the judges will issue a ruling. Depending on the outcome, either side may seek an appeal to the U.S. Supreme Court. The Witnesses Thursday, March 21: --Scott O. Bradner, senior technical consultant, Information Technology Services, Harvard University (ALA) --Ann W. Duvall, president, SurfWatch Inc. (ALA) --Patricia Nell Warren, author and publisher, WildCat Press (ACLU) Friday, March 22 --Donna Hoffman, associate professor of management, Owen Graduate School of Management, Vanderbilt University (ACLU) --William Stayton, psychologist and Baptist minister (ACLU) --Robert B. Cronenberger, director, Carnegie Library of Pittsburgh Professor (ALA) --Kiyoshi Kuromiya, director, Critical Path AIDS Project (ACLU) Monday, April 1 --Howard Rheingold, author and cyberspace expert --Barry Steinhardt, associate director, ACLU --Stephen Donaldson, Stop Prisoner Rape (*Note: schedule is subject to change) Chronology February 7 -- At a news conference in Washington, D.C., the ACLU announces plans to seek a temporary restraining order against indecency provisions of the Telecommunications Bill immediately after it is signed into law by President Clinton on February 8. --The ACLU announces the launch of its new "Freedom Network" World Wide Web site, <http://www.aclu.org>, with a home page declaring, "Keep Cyberspace Free." Over 200,000 hits are recorded in the first 48 hours of the launch. February 8 --The ACLU files its legal challenge in federal district court in Philadelphia before Judge Ronald L. Buckwalter. -- In the first court action over the constitutionality of the Communications Decency Act , Judge Buckwalter directs the government to refrain from prosecuting for so-called indecent or patently offensive material online until the motion for a TRO is decided. -- The judge instructs the government to file a reply brief to the ACLU's request for a TRO within one week. --Government lawyers conceded that the abortion speech restrictions of the CDA are unconstitutional. February 15 -- Judge Buckwalter grants a temporary restraining order on the indecency provisions of the Communications Decency Act, and denies the TRO motions on prosecution for "patently offensive material" and on the "Comstock Law" abortion speech provisions of the CDA. --A three-judge panel is convened to hear the case: Chief Judge Dolores K. Sloviter, Judge Stuart Dalzell, and Judge Ronald L. Buckwalter. February 21 --More than 5,000 visitors to the ACLU website use the "instant action" feature to e-mail or fax Attorney General Janet Reno, urging her not to prosecute under the new law. February 23 -- ACLU announces that government lawyers have agreed not to initiate investigations or prosecute Internet "indecency" until three-judge court rules on the case. --Hearing dates set for the case; the ACLU will present its evidence on March 21 and 22, with April 1 reserved. The government's dates are April 11 and 12, 1996. The total trial is scheduled to last five days. February 26 --More than 20 corporate and trade organizations, known as the Citizens Internet Empowerment Coalition (CIEC), initiate a second legal challenge to the Communications Decency Act. February 27 --The CIEC suit, organized by the American Library Association, America Online and the Center for Democracy and Technology, is formally consolidated with ACLU v. Reno. March 21 --Trial opens at 9:30 a.m. in the ceremonial courtroom in federal district court in Philadelphia. ### Contact: Emily Whitfield, (212) 944-9800 ext.426 _________________________________________________________________ Media Relations Office 132 W 43rd Street, NYC 10036 (212) 944-9800 ext. 414 ------------------------------ Date: Wed, 20 Mar 1996 13:04:41 -0600 (CST) From: Crypt Newsletter <crypt@sun.soci.niu.edu> Subject: File 2--Shimomura's "Takedown" v. Littman's "Fugitive Game" Mitnick reviewed: Shimomura's "Takedown" v. Littman's "Fugitive Game" Through spring at least two books will probably catch your eye as US publishers vie for position in the Kevin Mitnick-money chase: Tsutomu Shimomura's "Takedown," an auto-hagiography of the author that only incidentally deals with the dark-side hacker, and writer John Littman's "The Fugitive Game" which holds up much better than "Takedown" in terms of human interest, computer shenanigans and controversy. "Takedown" (Hyperion) is an unpleasant, tedious read revolving around the reality that while Shimomura may have been able to track Kevin Mitnick, he can barely write an interesting story even with New York Times reporter John Markoff to prop him up. "Takedown's" turgid quality is magnified by Shimomura's intent to sing a paean to himself and his computer feats. He's so hell-bent on it, in fact, he comes off unselfconsciously repellent. In "Takedown," everyone but Shimomura and his cohort, John Markoff, are criminal worms, in the way, or country bumpkins and dolts. The reader will feel particularly sorry for the FBI's Levord Burns. As written up in "Takedown," Burns is a fossilized piece of wood, intermittently described as either always home in bed fast asleep when the game's afoot, baffled to the point of silence by the technical nature of the pursuit of Mitnick, or falling into a doze on the telephone while being badgered to perform some minor duty connected with the chase. The Computer Emergency Response Team is a vague, inefficient, slow-moving bureaucracy. The NSA is another big, dumb government institution to Shimomura, even though he's trying to squeeze funding from it at the beginning of the tale. Andrew Gross, Shimomura's Renfield, is always screwing things up, tampering with files, messing up evidence or being a stumblebum for our cyber-Poirot. Julia Menapace, the girlfriend, is a co-dependent who can't decide to throw over her ex-paramour - John Gilmore of Sun Microsystems - fast enough for our hacker tracker, even while Shimomura's being a cad with her in Gilmore's home. At least fifty percent of "Takedown" is devoted to Shimomura explaining his life of privilege in the same detail he uses to describe the names of his computers. Eventually, the battle is joined and our cyber-sleuth and his entourage light out on the trail of Mitnick, blamed for invading Shimomura's computer over Christmas. It would be exaggerating to say this is interesting. The details of the Mitnick-hysteria and Shimomura chase have been repeated so often in the media already none of the story is fresh except for parts near the end where Shimomura grudgingly admits that it might not have been Mitnick who was into his computers in the first place, but an unknown collaborator who finally panicked and begged him off the chase in a message on his answering service after Mitnick was in custody. Yes, but Mitnick and his collaborator called Shimomura names and made dirty jokes about our hero on an Internet talk channel, dammnit!! That made it personal! Nyahh, nyahh, nyahh! And Mitnick was reading other people's mail on the Well and into Netcom! Of course, Kevin Mitnick is no hero but Shimomura's a thin, thin choice for a celebrity cybersavior. Ultimately, "Takedown" is completely lacking in the kind of humanity, self-effacing wit and style of Cliff Stoll's "The Cuckoo's Egg," a prior classic on hacker takedown, mostly because its author can't help being a boor. However, there is a choice on bookshelves. Jonathan Littman's "The Fugitive Game" (Little, Brown) is better. For reasons probably having to do with the general knowledge that Littman was writing a book about hackers, Mitnick started calling the reporter regularly during the same period of time Shimomura was on his case. And unless Littman's making everything up, the result makes Shimomura and John Markoff look like turds. Littman's book bolsters the idea that it wasn't Mitnick who was into Shimomura's system and that what the San Diego scientist did wasn't particularly special -- a Seattle man, Todd Young, had tracked and spotted the hacker in that city long before Shimomura came along but allowed him to escape through a combination of ignorance, bad luck and disinterest in the gravity of Mitnick's alleged criminal doings. In "The Fugitive Game," Littman accuses Markoff and Shimomura of a cozy relationship stemming from an old article in WIRED magazine on cellular phone crime. Markoff's original article anonymized the identities of the cell phone hackers because they were playing around with illegality. Littman insists they were Shimomura and Mark Lottor, an acquaintance of the author and hacker Kevin Poulsen. The story goes that Shimomura reverse-engineered code designed to program an Oki cellular phone for the purpose of reprogramming it into a transmission snooper, or something like that. When Shimomura's computer was broken into, the material was copied off it. Littman draws the conclusion in "The Fugitive Game" that Shimomura, in addition to being fired up over the invasion of his system, was also embarrassed by the loss of this software, software he engineered, the author implies, under quasi-legal circumstances. Indirectly, "Takedown" supports this argument. Shimomura obsesses over the loss of a file which a reader of both books might guess contained the Oki software. Throughout "The Fugitive Game," for the first time in book, Mitnick is portrayed as a real human being, not a caricature. He has a sense of humor, regrets, weaknesses, and a pack of serious neuroses stemming from his jail-time and uncontrollable cyber-fame. But the author isn't easy on him: Mitnick also comes off as a hardened con-man who relishes snooping other people's privates, cruel treachery, and duping the unwitting into compromising themselves or their places of employment. At one point Mitnick indicates something very interesting about users of Pretty Good Privacy. Some users of it on the 'Net, particularly those running services hooked directly to it, keep their PGP software on the public host. Mitnick laughs at the lapse - he implies it's been a simple matter for him to put a backdoor into the PGP source which deliver the keys and passphrase of the user to another spot on the host he's invaded, compile it and replace the original host copies. From here, it's simple, he maintains, to read their encrypted mail -- this in a conversation on Mark Lottor in which the hacker says he's read Lottor's electronic correspondence. If there's a need for a bona fide, hiss-able villain in "The Fugitive Game," Littman produces one: Justin Petersen. Petersen aka Agent Steal, is a side-plot in the book: a pathological liar, car thief, and con-man who portrays himself as a combination cyberpunk/heavy metal rock 'n' roller. Fond of artificially busty stripper/hookers from the sleazy end of Sunset in Hollywood, Littman paints Petersen as the maximum disinformer and criminal -- a squealer for the FBI who embarrassed the agency by embezzling Social Security funds and then going on the lam when lawmen tried to reel him in. "The Fugitive Game" has him bargaining with the FBI for tidbits on Mitnick's whereabouts. Littman wraps up "The Fugitive Game" with broadsides at Shimomura and Markoff. With Markoff playing Mitnick as the enemy of all computerized civilization on the front page of the New York Times, the stage was set to ensure maximum hysteria and the subsequent introduction of the reporter's friend, Tsutomu Shimomura, into a carefully arranged media spotlight. Behind the scenes, Markoff's agent was negotiating a big money deal - approximately $2 million, says Littman - for the reporter and Shimomura, three days before Markoff put the physicist on the front page of the New York Times. Ironically, the increasing cynicism which is the natural crop sown and cultivated by this type of media rigging for the benefit of men of privilege is a tale of treachery and contempt, too, but one that goes well beyond hacker Kevin Mitnick. Crypt Newsletter 35 (http://www.soci.niu.edu/~crypt) ------------------------------ Date: Wed, 20 Mar 1996 18:23:32 (CST) From: Jim Thomas <jthomas@well.sf.ca.us> Subject: File 3--"Takedown": A Postmodernist Romance TAKEDOWN: The Pursuit and Capture of Kevin Mitnick, America's Most Wanted Computer Outlaw--by the Man who did it. Tsutomu Shimomura (with John Markoff). 1995. New York: Ballantine. 324 pp. $24.95 (cloth). Reviewed by: Jim Thomas. Despite the pretentious title, TAKEDOWN is a subtle and complex narrative of emotional angst, indecision, alienation, and romance. Against the backdrop of the seamy underside of computer culture, TAKEDOWN deconstructs gender relations in contemporary society by depicting a lovers' triangle of dependence and co-dependence played out in hot tubs, ski lodges, and at computer consoles. John Markoff cleverly uses the "as told to" literary style to create distance between author, story narrator, and the subject, a young California woman named Julia. This ingenious layering further heightens the isolation of Julia from the reader, creating a pathos rarely found in contemporary literature. Markoff skillfully combines irony with a playful stylistic pastiche in juxtaposing Julia's dramatic complexity with the mundane vision of the unsympathetic narrator. Small wonder, then, that TAKEDOWN made it to seventh place on the New York Times Business Best Sellers and may eventually be a movie. We learn that Julia (to be played by Claudine Longet) is beautiful, in her mid-30s: A tall, graceful woman who is strong and wiry, and who often wears her hair drawn back in a braid...With an intense gaze and blue-gray eyes, Julia was often introspective but also quick to laugh. She was a talented yoga teacher and had an ethereal quality...." (p. 7-8). She's also very bright (a computer programmer). But, as we learn from Skiamour, the tale's narrator (to be played by Spider Sabitch), who depicts her as an emotional flake even while lauding her feminine charms while trying to woo her affections from her boyfriend, she's co-dependant on her boyfriend's hangups and has a few of her own. But, her primary character flaw seems to be that she won't leave her boyfriend for the skier. The story opens with Julia flying back from Bangkok, looking for someone to pick her up at the airport. Julia's boyfriend John, a nationally-respected computer wizard (to be played by Andy Williams), is visiting relatives over Christmas. In his absence, she asks a friend of her boyfriend to pick her up, maybe because he drives fast (310 klicks in a snowstorm in under two hours?) or because he's macho (he even carried is ice pick through airport security and "nobody even blinked"). Or, maybe Julia likes self-absorbed skiers who race, serve in the Nordic ski patrol, teach skiing, and in their spare time do computer programming. Or, maybe she's a sucker for guys who speak in "kilometers" instead of miles. Julia quickly ends up in the jacuzzi with Skiamour at John's house, splashing amidst fronds of fern and four overhead spotlights that dimly illuminate each corner of the tub and steamy air. "This is just amazing," murmurs Julia (p. 13), relating tales of Sherpa guides, mountain trekking, and birthday blessings from a Tibetan Lama. Skiamour, in turn, told tales of unforthcoming research grants and stupid bureaucrats. Then, lost in thought and perhaps overcome by the steamy silence (and, of course, the absence of her boyfriend), he proposed. Well, almost: "I want to tell you something I've been thinking about," I said. "I've thought about a lot of things while you were away. I'd really like to try having a committed relationship with you, if you're willing to." (p. 20). Julia remained silent, but reached over and held him closely. "Why don't you come with me and live in the mountains?" he asked. "You can come ski and it will be good to be outside." Careless readers might see such dialogue as simply banal. But, in fact the dialogue--and it occurs throughout the book--further illustrates Markoff's ability to heighten the contrasts between the sympathetic Julia and the shallowness of Skiamour. The idyllic love-fest, however, is interrupted by one or more computer hackers breaking into the boyfriend's computer, then into Skiamour's computer, and even into his voicemail. One of the hackers was Kevin Mitnick (to be played by Matthew Broderick), which sets up the chase in which Julia follows him (Skiamour, not Mitnick) around the Bay area, and eventually across the country, as they pursue their quarry from system to system. Things heat up when the boyfriend returns. Skiamour calls John to ask about the computer probes, and learns that "he had become increasingly uncomfortable about my contact with Julia. It was a strained conversation." Now, if a friend of mine had been snookering up to my girlfriend in my hot tub professing love to her and steamily proposing a committed relation while I was away, I'm not sure that "uncomfortable" about his "contact" is quite how I'd describe it. Let's see--Skiamour has taken Julia down in the hot tub in John's house, in ski resorts, in....well, you get the idea. The book is, after all, called TAKEDOWN. Contra the narrator's judgment, the boy friend seems to be handling things remarkably well. Julia remains torn between her two men. This doesn't make Skiamour jealous. He's above such things, spending as much time with her as he can, while simultaneously wondering if she's not being self-destructive in her unwillingness to break off with her boyfriend, presumably to spend more time on the slopes with him. The boyfriend, however, seems to act jealous, despite "politically correct" protestations to the contrary. At least, this is Skiamour's interpretation. So, it must be true--he is, after all, a detached, objective paragon of judgment in affairs of the heart and loins. The yarn continues, with Julia and Skiamour hopping in bed, riding in cars, hiking, and meeting hither and yon. Markoff (to be played by Brock Meeks) paints a stark picture of an independent woman dependent upon her men, unable to chose between them, unwilling to give up one and commit to another. Julia is portrayed as the archetypical new-age "gypsy professional," semi-rootless, no established career or plans, and living on the economic precipice, needing the strong hand and wisdom of a good man to guide her. But, this isn't a Roshomon tale, and a reader might wonder how the tale's denouement would differ if told through her eyes. How does it all end? Ah...this is Markoff's mastery. His naturalistic narrative shifts to a final trope of realism: Relationships are never easily defined, resolutions are rarely clear, and emotional angst isn't dissolved in a few hundred pages. And, as in any good work, the reader is left wanting more of Julia. Oh yeah. TAKEDOWN also has some stuff in it about Tsutomu Shimomura, a Silicon Valley computer wizard obsessed with tracking down Kevin Mitnick, who hacked into his computer and maybe (or maybe not) harassed him via voice mail. The guy seems unlikable, perhaps because he comes across like a megalomaniac who likes to ski and slam everybody who he thinks is dumber than he, which seems to be almost everybody, including The Well personnel, the FBI, hackers, students who play practical jokes, bureaucrats, former employers, and most other lesser mortals. Even John Markoff receives a few hits. Markoff does an admirable job with the material available. But, frankly, Shimomura simply is neither likeable nor interesting, and other than his computer skills, there isn't enough "there" there to pull the reader in. From his self-descriptions, I was left with the impression that Shimomura is the Martha Grant of the computer world--he does everything so much better than us. His tracking of Mitnick is impressive, but lacks the flair and drama of Cliff Stoll's chase in THE CUCKOO'S EGG. Other than the aura of Julia, there is little humanity, compassion, or even a sense of a strong morality play. Even Markoff's considerable writing skills can't spin silk from a sow's ear. And, even one mixed metaphor--hell, any(!) metaphor--might have broken the monotonous self-righteousness of Shimomura's occasional mean-spirited self-absorption. Still, Markoff's writing salvages the work, and if one is able to focus on the subtexts and avoid Shimomura's cloying egoism, reading it is not an unpleasant way to spend an evening. Hopefully, there will be a sequel sans Shimomura, and we can catch up on Julia's life. Both it and she seem far more interesting. Oh--and if, as one insider warns, you bump into Shimomura, don't introduce him to your girlfriend. ------------------------------ Date: Tue, 19 Mar 96 11:40:54 EST From: Robert Prior <prior@MIT.EDU> Subject: File 4--CFP96 - the Sixth Conference on Computers, Freedom, and Privacy CFP96 - The Sixth Conference on Computers, Freedom & Privacy For immediate release Contact: Robert V. Prior March 19, 1996 (617) 253-1584 prior@mit.edu MIT to Host Internet and Civil Liberties Conference CAMBRIDGE, MA -- From electronic commerce--to access to information--to participation in electronic democracy, computer and telecommunications technologies can enrich our lives by enhancing our freedom to speak, to associate, to be left alone, and to exercise political power. At the same time, these technologies and the organizations that control them pose threats to these same freedoms. Personal privacy is increasingly at risk, as is the privacy of our electronic communications and transactions. Societal gaps between haves and have-nots are widening. These technological advances enable new forms of illegal activity, creating new challenges for the legal and law enforcement communities. Yet the technologies used to combat these new cybercrimes can themselves threaten the freedoms we take for granted. The Sixth Conference on Computers Freedom and Privacy (CFP), which will explore these issues, will be hosted by Massachusetts Institute of Technology from March 27-30 at the Cambridge Hyatt Regency. Hosted this year in conjunction with the MIT Laboratory for Computer Science and the World Wide Web Consortium, the conference has, since its inception in 1991, brought together international experts from the fields of computer science, law, business, public policy, law enforcement, and government to confront controversial issues that have dominated public discussions of computer communications policy over the past year. Highlights of the conference include: - FBI/DOJ law-enforcement training on computer crime. On the afternoon of March 27th, Peter Toren of the US Department of Justice Computer Crime Unit and Richard Ress, Head of the FBI's National Computer Crime Squad, will run a training session on crime and law in cyberspace. Admission to this tutorial will be free for law-enforcement personnel, so long as they pre-register. On Thursday, March 28th - The Constitutional challenge to the Communications Decency Act. Computer companies, internet service providers, publishing and library associations, and civil liberties groups have filed suit in Federal court to overturn the Communications Decency Act of 1996 on the grounds that it violates the First Amendment. A judgment is expected in April. Lawyers involved in the ongoing suit will discuss the suit's progress and analyze the Constitutional arguments raised by the challengers and by the Department of Justice. One basis for the challenge is the existence of less restrictive means to protect children from indecent material on-line, including filtering software developed at MIT. - Freedom and Privacy in the Information Age: A European Perspective will be the keynote address by George Metakides, Director of Research and Development in Information Technologies for the European Union. - Can the US government outlaw unauthorized encryption? In cooperation with the Criminal Justice Section of the American Bar Association, there will be a moot Court hearing on the Constitutionality of a proposed law that criminalizes the use of encryption methods that have not been authorized by the government. The arguments, which pit former federal prosecutors against noted civil liberties lawyers, will be conducted before a distinguished panel of federal appellate and district court judges. - Export-controlled encryption software on the Internet. Jeff Schiller, Manager of the MIT Network, and Ron Lee, General Counsel of the National Security Agency, will describe the legal and technical procedures for distributing software over the Internet in compliance with US export controls. - "Ancient Humans in the Information Age." Michael Dertouzos, Director of the MIT Laboratory for Computer Science, will address: Will the Information Market increase the gap between rich and poor? Will it affect democracy and our tribal aggregation into nations? And what influence might it have on human relationships? Our assessment of these issues will be informed by the value of information and electronic proximity, acting under an ancient and powerful constant --human nature. On Friday, March 29th - Freedom of expression in digital networked environments, will copyright law be an enabler or an impediment? Does digitizing information so fundamentally change the economics of creating and disseminating information products as to render copyright law obsolete? Pamela Samuelson of Cornell Law School will explore this topic with an international panel of copyright experts. - Limiting on-line speech on campus. Harvard Law School's Arthur Miller will moderate a panel of university administrators, lawyers, and journalists to explore the conflicts between universities and the free-speech rights of their students. - Electronic Money. Should on-line payments be anonymous or traceable? David Chaum of DigiCash, the American Bankers Association's Kawika Daguio, Stan Morris of FINCEN (the Financial Crimes Enforcement Network) and other experts will compare perspectives. - The struggle to control controversial content on the Internet is being waged in the U.S. Congress and in open and restrictive societies around the world. Will conflicts among governments over what and how to censor restrict the flow of ideas for all? Moderator Danny Weitzner of the Washington-based Center for Democracy and Technology and an international panel will offer their views. On Saturday, March 30th - Data privacy in the Global Information Infrastructure will be a discussion of the roles of governments and technology with privacy advocate Marc Rotenberg and a panel of international experts. - China and the Internet. The Chinese expression "may you live in interesting times" clearly applies to issues of computers and society as the Internet spreads explosively throughout China and the rest of Asia. Sociologist Gary Marx and a panel that includes officials of the China Education and Research Network (CERNET) discuss the likely social impacts of the Internet on China and of China's Internet policies on the rest of the Internet. - We Know Where You Will Live... To close the conference, noted science fiction authors Pat Cadigan, Tom Maddox, Bruce Sterling, and Vernor Vinge will present their unique perspectives on the future of freedom and privacy in an increasingly computerized world. CFP96 http://web.mit.edu/cfp96 For additional information or to request a press pass, please contact: Robert V. Prior, CFP96 Press Coordinator prior@mit.edu / (617) 253-1584 For general registration, call (617) 253-1700 --------------------------------------------------------------- CFP96 - THE SIXTH CONFERENCE ON COMPUTERS, FREEDOM, AND PRIVACY --------------------------------------------------------------- Robert V. Prior CFP96 Press Coordinator prior@mit.edu The MIT Press (617) 253-1584 55 Hayward Street Fax: (617) 258-6779 Cambridge, MA 02142 http://web.mit.edu/cfp96 ------------------------------ Date: Tue, 19 Mar 1996 21:44:59 -0800 (PST) From: Declan McCullagh <declan@WELL.COM> Subject: File 5--Dorothy Denning attacks Leahy's crypto bill I may have to adjust my position on Leahy's bill. Any legislation that Dorothy Denning attacks so virulently must be worth passing. -Declan ------------------------------------------------------------ Date--Tue, 19 Mar 96 14:53:35 EST From--denning@cs.cosc.georgetown.edu (Dorothy Denning) To--farber@central.cis.upenn.edu March 14, 1996 The Honorable Patrick Leahy United States Senate Russell Building, Room 433 1st and C Streets, NE Washington, DC 20510 Dear Senator Leahy: As author, scholar, lecturer, researcher, and consultant to the government and industry in cryptography and information security, I am concerned that S.1587, the "Encrypted Communications Privacy Act of 1996," is not in balance with society's needs. By removing practically all export controls on encryption, the bill will make it far easier for criminals, terrorists, and foreign adversaries to obtain and use encryption that is impenetrable by our government. The likely effect will be to erode the ability of our law enforcement and intelligence agencies to carry out their missions. This is not consistent with your own findings in the bill which recognize the need for a "national encryption policy that advances the development of the national and global information infrastructure, and preserves Americans' right to privacy and the Nation's public safety and national security." I am concerned that the proposed legislation responds only to a loud cry for assistance and is not the reasoned and practiced position of our multinational corporations. At the International Cryptography Institute, which I chaired in September 1994 and 1995, our discussions did not find that this unrestricted distribution of encryption technology was required to satisfy business objectives. Our corporations recognize the need to respect the legitimate interests of governments and the need for encryption methods that use "key escrow" or "trusted third parties" with data recovery capabilities to protect their own information assets. Businesses are moving in the direction of key escrow, and key escrow is becoming a standard feature of commercial products. I have recently summarized the features of thirty products and proposals for key escrow in a taxonomy which I developed with Dennis Branstad. Because of the need to address information security at an international level, the Organization for Economic Cooperation Development, through its Committee for Information, Computer, and Communications Policy, is bringing together the international business community and member governments to develop encryption policy guidelines that would respect the interests of businesses, individuals, and governments. In support of that objective, the INFOSEC Business Advisory Group (IBAG), an association of associations representing the information security interests of users, issued a statement of principles recognizing the needs of governments, industry, and individuals, and supporting approaches based on trusted third parties. A similar statement was issued by a quadripartite group consisting of EUROBIT (European Association of Manufacturers of Business Machines and Information Technology Industry), ITAC (Information Technology industry Association of Canada), ITI (Information Technology Industry Council, U.S.), and JEIDA (Japan Electronic Industry Development Association), which accounts for more than 90% of the worldwide revenue in information technology. X/Open is pursuing a public key infrastructure project aimed at creating specifications and possibly operating manuals that could be used in conformance testing and site accreditation of trusted parties. The European Commission has proposed a project to establish a European-wide network of trusted parties that would be accredited to offer services that support digital signatures, notarization, confidentiality, and data integrity. The trust centers, which would be under the control of member nations, would hold keys that would enable them to assist the owners of data with emergency decryption or supply keys to their national authorities on production of a legal warrant. Within the U.S., the Clinton Administration is developing federal standards for key escrow encryption (these are in addition to and more general than the original Clipper standard, FIPS 185), adopting escrowed encryption within the federal government, and liberalizing export controls on encryption products that include an acceptable system of key escrow. The Administration's policy has considerable flexibility, allowing for both hardware and software implementations, classified and unclassified algorithms, and government and private sector key holders. Some companies have submitted products for review under the liberalized export controls for key escrow encryption. Trusted Information Systems has already received approval for their Gauntlet firewall. Industry is also developing cryptographic application programming interfaces (CAPIs), which will facilitate the inclusion of cryptographic services in applications, networks, and operating systems. This approach, recently demonstrated by Microsoft, will allow U.S. software companies to develop exportable applications and systems that run with separate security modules. These modules can provide either domestic grade encryption or exportable encryption. The impact of export controls will thus be limited to those companies selling encryption modules, not the entire U.S. hardware and software industry. Even this impact can be made negligible by allowing companies to export security modules with strong encryption where the keys are held with escrow agents in the purchaser's country. Bilateral mutual assistance agreements could ensure that U.S. law enforcement agencies are able to obtain decryption assistance if the exported module is used in a crime against the U.S. CAPIs are providing the technological base for experiments under the International Cryptography Experiment (ICE), an informal international alliance of individuals and organizations working together to promote the international use of encryption within import and export regulations that respect law enforcement and national security interests. As these examples illustrate, businesses and governments are working hard to establish policies and technologies that respect the needs of users, industry, and governments in the furtherance of a secure global information infrastructure. Considerable progress has been made during the past year. The export provisions in S.1587 are likely to undermine those efforts by satisfying the immediate export demands of a few U.S. companies at the expense of other stakeholders and society at large. It will undermine the ability of governments worldwide to fight global organized crime and terrorism. Although some U.S. companies have lost sales because of export controls on encryption, the overall impact of these controls on the U.S. information technology industry as a whole is much less clear. In the most comprehensive study of export controls to date, the Department of Commerce and National Security Agency found that in all but three countries surveyed, sources indicated that U.S. market share (about 75% overall) was keeping pace with overall demand. Most of the impact was found to be on the sale of security-specific products, which account for only a small percentage of the total market, rather than general-purpose software products. Sales of security-specific products are generally few and mostly to customers within the country where the product originates. Visits to 50 computer and software stores in Canada, France, Germany, Japan, S. Korea, Thailand, and the U.K. found that all the general-purpose software products with encryption were from U.S. manufacturers. The study concluded that "the impact of U.S. export controls on the international market shares of general-purpose products is probably negligible" and that "the export licensing process itself is not a major obstacle to U.S. competitiveness." This is in stark contrast to the dire prediction of the Computer Systems Policy Project that U.S. industry stands to lose $30-60 billion in revenues by the year 2000 because of export controls. The Commerce/NSA study did acknowledge that the existence of foreign products claiming strong encryption could have a negative effect on U.S. competitiveness. However, by allowing encryption services to be sold separately from the applications software that uses them, CAPIs will make it extremely unlikely that general-purpose software will be substantially effected by export controls. Even security-specific products, which are a growing industry, can use CAPIs to separate out the encryption component from the main product (e.g., firewall). Moreover, if keys can be held in other countries under appropriate bilateral agreements as noted earlier, export controls need not substantially impact encryption products. Export controls are often blamed for the lack of security in our public infrastructure. The Commerce/NSA study found "little evidence that U.S. export controls have had a negative effect on the availability of products in the U.S. marketplace," although they "may have hindered incorporation of strong encryption algorithms in some domestic mass-market, general-purpose products." There are many factors which have played an even larger role in the general lack of security we find on the Internet: the high cost and low demand for security, the difficulty of designing systems that are secure, pressure to bring new products to market before their security implications are understood, the willingness of users to take risks in favor of acquiring new tools and services, and lack of a public key infrastructure to support encryption on a national and international basis. Many systems are so riddled with security holes that any would-be attacker can gain access to the system itself, and from there access to plaintext data and keys. Malicious code can be injected into a victim's system through electronic mail, documents, images, and web browsers; once there, it can transmit sensitive data back to its owner. Keyboard sniffers can capture a user's keystrokes before they are ever encrypted. Thus, while export controls have played a part in the slow integration of strong encryption into software and systems, they are not responsible for most of the security vulnerabilities we see today. Moreover, most of these vulnerabilities are remedied with non-cryptographic controls (e.g., process confinement, trusted systems engineering, biometrics, and location-based authentication) or with cryptographic techniques for authentication, data integrity, and non-repudiation, which are exempt from State Department export controls. I do not mean to suggest that encryption is not important. In fact, it is essential to protect against certain threats. However, it must be kept in perspective. The use of encryption for confidentiality protection is but one small, albeit important, piece of an information security program. The provisions is S.1587 regarding trusted key holders could have the benefit of increasing public trust in key holders. However, I have some concern that the current provisions may be overly restrictive. Thus far, we have practically no experience with the operation of third party key holders and the circumstances under which they will be called upon to provide keys or decryption assistance. It will be extremely important that the provisions allow enough flexibility to accommodate legitimate use of the data recovery services of key holders for criminal investigations, civil litigation, and intelligence operations. The liability risks to key holders should not be onerous. The definition of key holder and exact wording in the bill may also need some refinement in order to accommodate existing and proposed methods of trusted third party encryption. Encryption policy is a difficult and often emotional issue. It is important that Congress work closely with the Administration, industry, and other interested parties to develop the best legislative strategy for promoting information security on the national and global information infrastructure without diminishing the ability of our law enforcement and intelligence agencies to protect the public safety and national security. Export liberalization should proceed cautiously, tied to key escrow or other methods that accommodate the needs of the government as well as those of users and industry. The Administration's plans to liberalize export controls on software key escrow is a good next step. As trust and confidence in key escrow grows, the export of virtually unlimited strength encryption systems may be possible. Because export controls are our only lever for controlling the spread of encryption, they should be used to their full advantage. Decisions to liberalize these controls must be fully informed by classified national security information as well as by economic analysis and market studies. Law enforcement agencies are encountering encryption with ever greater frequency. Within a few years, the successful execution of practically all court-ordered intercepts and searches and seizures is likely to depend on their ability to decrypt communications and stored information. If the encryption cannot be broken, it could be impossible to successfully investigate or prosecute those cases. Crimes of terrorism and white collar crime, including fraud, embezzlement, and money laundering, would be facilitated and perhaps impossible to solve. Even crimes of economic espionage, which often involve insiders with access to company secrets, are facilitated with encryption. It will be important for Congress to closely monitor the impact of encryption on law enforcement and use that information to guide any encryption legislation. In summary, our national policy can and must promote the legitimate use of strong encryption for information protection without unnecessarily hindering the ability of our law enforcement and intelligence agencies to do their jobs. In so doing, the policy can accommodate reasonable liberalization of export controls and business objectives without undermining other national objectives. Such a policy is consistent with your own guiding principle for the bill: "Encryption is good for American business and good business for Americans." But it goes further in order to be equally guided by the principle that law and order and national security are essential for the American economy and the American people. It is not necessary to so radically lift export controls on encryption in order to accommodate both principles. I will be pleased to meet with you and the committee for comment and questioning, or to assist in any way I can with the development of a balanced approach to encryption legislation. Yours respectfully, Dr. Dorothy E. Denning Professor of Computer Sciences Georgetown University denning@cs.georgetown.edu http://www.cosc.georgetown.edu/~denning ------------------------------ Date: Sun, 16 Dec 1995 22:51:01 CDT From: CuD Moderators <cudigest@sun.soci.niu.edu> Subject: File 6--Cu Digest Header Info (unchanged since 16 Dec, 1995) Cu-Digest is a weekly electronic journal/newsletter. Subscriptions are available at no cost electronically. CuD is available as a Usenet newsgroup: comp.society.cu-digest Or, to subscribe, send post with this in the "Subject:: line: SUBSCRIBE CU-DIGEST Send the message to: cu-digest-request@weber.ucsd.edu DO NOT SEND SUBSCRIPTIONS TO THE MODERATORS. The editors may be contacted by voice (815-753-0303), fax (815-753-6302) or U.S. mail at: Jim Thomas, Department of Sociology, NIU, DeKalb, IL 60115, USA. To UNSUB, send a one-line message: UNSUB CU-DIGEST Send it to CU-DIGEST-REQUEST@WEBER.UCSD.EDU (NOTE: The address you unsub must correspond to your From: line) Issues of CuD can also be found in the Usenet comp.society.cu-digest news group; on CompuServe in DL0 and DL4 of the IBMBBS SIG, DL1 of LAWSIG, and DL1 of TELECOM; on GEnie in the PF*NPC RT libraries and in the VIRUS/SECURITY library; from America Online in the PC Telecom forum under "computing newsletters;" On Delphi in the General Discussion database of the Internet SIG; on RIPCO BBS (312) 528-5020 (and via Ripco on internet); and on Rune Stone BBS (IIRGWHQ) (860)-585-9638. CuD is also available via Fidonet File Request from 1:11/70; unlisted nodes and points welcome. EUROPE: In BELGIUM: Virtual Access BBS: +32-69-844-019 (ringdown) Brussels: STRATOMIC BBS +32-2-5383119 2:291/759@fidonet.org In ITALY: ZERO! BBS: +39-11-6507540 In LUXEMBOURG: ComNet BBS: +352-466893 UNITED STATES: etext.archive.umich.edu (192.131.22.8) in /pub/CuD/ ftp.eff.org (192.88.144.4) in /pub/Publications/CuD/ aql.gatech.edu (128.61.10.53) in /pub/eff/cud/ world.std.com in /src/wuarchive/doc/EFF/Publications/CuD/ wuarchive.wustl.edu in /doc/EFF/Publications/CuD/ EUROPE: nic.funet.fi in pub/doc/cud/ (Finland) ftp.warwick.ac.uk in pub/cud/ (United Kingdom) The most recent issues of CuD can be obtained from the Cu Digest WWW site at: URL: http://www.soci.niu.edu/~cudigest/ COMPUTER UNDERGROUND DIGEST is an open forum dedicated to sharing information among computerists and to the presentation and debate of diverse views. CuD material may be reprinted for non-profit as long as the source is cited. Authors hold a presumptive copyright, and they should be contacted for reprint permission. It is assumed that non-personal mail to the moderators may be reprinted unless otherwise specified. Readers are encouraged to submit reasoned articles relating to computer culture and communication. Articles are preferred to short responses. Please avoid quoting previous posts unless absolutely necessary. DISCLAIMER: The views represented herein do not necessarily represent the views of the moderators. Digest contributors assume all responsibility for ensuring that articles submitted do not violate copyright protections. ------------------------------ End of Computer Underground Digest #8.22 ************************************