Computer underground Digest    Wed  Mar 20, 1996   Volume 8 : Issue 22
                           ISSN  1004-042X

       Editor: Jim Thomas (cudigest@sun.soci.niu.edu)
       News Editor: Gordon Meyer (gmeyer@sun.soci.niu.edu)
       Archivist: Brendan Kehoe
       Shadow Master: Stanton McCandlish
       Field Agent Extraordinaire:   David Smith
       Shadow-Archivists: Dan Carosone / Paul Southworth
                          Ralph Sims / Jyrki Kuoppala
                          Ian Dickinson
       Cu Digest Homepage: http://www.soci.niu.edu/~cudigest

CONTENTS, #8.22 (Wed, Mar 20, 1996)

File 1--The CDA challenge is about to begin!
File 2--Shimomura's "Takedown" v. Littman's "Fugitive Game"
File 3--"Takedown": A Postmodernist Romance
File 4--CFP96 - the Sixth Conference on Computers, Freedom, and Privacy
File 5--Dorothy Denning attacks Leahy's crypto bill
File 6--Cu Digest Header Info (unchanged since 16 Dec, 1995)

CuD ADMINISTRATIVE, EDITORIAL, AND SUBSCRIPTION INFORMATION APPEARS IN
THE CONCLUDING FILE AT THE END OF EACH ISSUE.

---------------------------------------------------------------------

Date: Wed, 20 Mar 1996 13:32:48 -0800 (PST)
From: Declan McCullagh <declan@EFF.ORG>
Subject: File 1--The CDA challenge is about to begin!

Read on for more information on the details of the court challenge.

-Declan


// declan@eff.org // I do not represent the EFF // declan@well.com //



March 20, 1996

 _____________________________________________________
News from the ACLU National Headquarters


                 ACLU V. RENO:  Background Briefing

              Three-Judge Panel to Hear ACLU Testimony in
           Landmark Challenge to Internet Censorship Law

PHILADELPHIA, PA--Beginning tomorrow, a three-judge panel in
federal district court in Philadelphia will hear testimony in the
consolidated cases of ACLU et al v. Reno and American Library
Association et al v. Reno, the landmark challenge to censorship
provisions of the Telecommunications Law of 1996.

Free speech in cyberspace is at stake as the first major legal
challenge to censorship on the Internet gets underway.  The case began
when the ACLU filed a motion for a temporary restraining order against
indecency provisions of the Telecommunications Bill immediately after
it was signed into law by President Clinton on February 8.  The suit
challenges provisions of the law that criminalize making available to
minors "indecent" or "patently offensive" speech.

Acting on behalf of 20 individuals and organizations that provide
information via the Internet -- including itself -- the ACLU said it
was moving quickly because it feared that the telecommunications
legislation would have an immediate impact on the Internet.

Following this action, a second legal challenge was filed on
February 26 by a coalition of more than 20 corporate and trade
organizations known as the Citizens Internet Empowerment Coalition
(CIEC).  The CIEC suit, organized by the American Library Association,
America Online and the Center for Democracy and Technology, was
formally consolidated  with ACLU v. Reno.

The CIEC lawsuit, which addresses essentially the same issues as
the ACLU challenge, further illustrates the broad spectrum  of
individuals and organizations that would be affected by the censorship
provisions, and strengthens the case for a finding that the law is
unconstitutional.


The Court Case

According to procedures laid out by the judges, direct testimony
in ACLU v. Reno is to be submitted via affidavit.  During the three
days of testimony allowed, which will take place over March 21 and 22
and April 1, lawyers for the Department of Justice will cross-examine
coalition witnesses, after which lawyers for the ACLU and ALA
coalitions will have an opportunity to redirect, i.e., question their
witnesses in response to the government's cross-examination.

In preparation for the case, lawyers for the Department of Justice
have been deposing all the ACLU and CIEC witnesses it may choose to
cross-examine.  So far, government lawyers have declined to cross-
examine only two witnesses: Christine Soto and Hunter Allen, teenagers
whose affidavits attest to the importance of uncensored access to the
Internet by minors.

The government is scheduled to present its witnesses for cross-
examination on April 11 and 12, 1996.  A fourth day of testimony has
been scheduled for April 26, to allow the ACLU and ALA coalitions to
present witnesses rebutting the government's testimony.   Following
these six days of trial,  the judges will issue a ruling.  Depending
on the outcome, either side may seek an appeal to the U.S. Supreme
Court.


The Witnesses

Thursday, March 21:
--Scott  O. Bradner, senior technical consultant, Information Technology
Services, Harvard University (ALA)
--Ann W. Duvall, president, SurfWatch Inc.  (ALA)
--Patricia Nell Warren, author and publisher, WildCat Press (ACLU)

Friday, March 22
--Donna Hoffman, associate professor of management, Owen Graduate School
of Management, Vanderbilt University (ACLU)
--William Stayton, psychologist and Baptist minister (ACLU)
--Robert B. Cronenberger, director, Carnegie Library of Pittsburgh
Professor (ALA)
--Kiyoshi Kuromiya, director, Critical Path AIDS Project (ACLU)

Monday, April 1
--Howard Rheingold, author and cyberspace expert
--Barry Steinhardt, associate director, ACLU
--Stephen Donaldson, Stop Prisoner Rape

(*Note: schedule is subject to change)


Chronology

February 7
-- At a news conference in Washington, D.C., the ACLU announces plans
to seek a temporary restraining order against indecency provisions of
the Telecommunications Bill immediately after it is signed into law
by President Clinton on February 8.
--The ACLU announces the launch of its new "Freedom Network" World
Wide Web site, <http://www.aclu.org>, with a home page declaring,
"Keep Cyberspace Free."  Over 200,000 hits are recorded in the first
48 hours of the launch.

February 8
--The ACLU files its legal challenge in federal district court in
Philadelphia before Judge Ronald L. Buckwalter.
-- In the first court action over the constitutionality of the
Communications Decency Act , Judge   Buckwalter directs the government
to refrain from prosecuting for so-called indecent or patently
offensive material online until the motion for a TRO is decided.
-- The judge instructs the government to file a reply brief to the
ACLU's request for a TRO within one week.
--Government lawyers conceded that the abortion speech restrictions
of the CDA are unconstitutional.

February 15
-- Judge Buckwalter grants a temporary restraining order on the
indecency provisions of  the Communications Decency Act, and denies
the TRO motions on prosecution for "patently offensive material" and
on the "Comstock Law" abortion speech provisions of the CDA.
--A three-judge panel is convened to hear the case: Chief Judge
Dolores K. Sloviter, Judge Stuart Dalzell, and Judge Ronald L.
Buckwalter.

February 21
--More than 5,000 visitors to the ACLU website use the "instant action"
feature to e-mail or fax Attorney General Janet Reno, urging her not
to prosecute under the new law.

February 23
 -- ACLU announces that government lawyers have agreed not to initiate
investigations or prosecute Internet "indecency" until three-judge
court rules on the case.
--Hearing dates set for the case; the ACLU will present its evidence
on March 21 and 22, with April 1 reserved.  The government's dates
are April 11 and 12, 1996.  The total trial is scheduled to last five days.

February 26
--More than 20 corporate and trade organizations, known as the Citizens
Internet Empowerment Coalition (CIEC),  initiate a second legal
challenge to the Communications Decency Act.

February 27
--The CIEC suit, organized by the American Library Association, America
Online and the Center for Democracy and Technology, is formally
consolidated  with ACLU v. Reno.

March 21
--Trial opens at 9:30 a.m. in the ceremonial courtroom in federal
district court in Philadelphia.

                                 ###

Contact: Emily Whitfield, (212) 944-9800 ext.426

_________________________________________________________________
Media Relations Office 132 W 43rd Street, NYC 10036 (212) 944-9800 ext. 414

------------------------------

Date: Wed, 20 Mar 1996 13:04:41 -0600 (CST)
From: Crypt Newsletter <crypt@sun.soci.niu.edu>
Subject: File 2--Shimomura's "Takedown" v. Littman's "Fugitive Game"

Mitnick reviewed: Shimomura's "Takedown" v. Littman's "Fugitive Game"

Through spring at least two books will probably catch your eye
as US publishers vie for position in the Kevin Mitnick-money chase:
Tsutomu Shimomura's "Takedown," an auto-hagiography of the author that
only incidentally deals with the dark-side hacker, and writer John
Littman's "The Fugitive Game" which holds up much better than
"Takedown" in terms of human interest, computer shenanigans and
controversy.

"Takedown" (Hyperion) is an unpleasant, tedious read revolving
around the reality that while Shimomura may have been able to track
Kevin Mitnick, he can barely write an interesting story even with
New York Times reporter John Markoff to prop him up.

"Takedown's" turgid quality is magnified by Shimomura's intent
to sing a paean to himself and his computer feats.   He's so
hell-bent on it, in fact, he comes off unselfconsciously repellent.
In "Takedown," everyone but Shimomura and his cohort, John Markoff, are
criminal worms, in the way, or country bumpkins and dolts.

The reader will feel particularly sorry for the FBI's Levord Burns. As
written up in "Takedown," Burns is a fossilized piece of wood,
intermittently described as either always home in bed fast asleep when
the game's afoot, baffled to the point of silence by the technical
nature of the pursuit of Mitnick, or falling into a doze on the
telephone while being badgered to perform some minor duty connected
with the chase. The Computer Emergency Response Team is a vague,
inefficient, slow-moving bureaucracy. The NSA is another big, dumb
government institution to Shimomura, even though he's trying to squeeze
funding from it at the beginning of the tale. Andrew Gross, Shimomura's
Renfield, is always screwing things up, tampering with files, messing up
evidence or being a stumblebum for our cyber-Poirot. Julia Menapace, the
girlfriend, is a co-dependent who can't decide to throw over her
ex-paramour - John Gilmore of Sun Microsystems - fast enough for our
hacker tracker, even while Shimomura's being a cad with her in Gilmore's
home.

At least fifty percent of "Takedown" is devoted to Shimomura explaining
his life of privilege in the same detail he uses to describe the
names of his computers.  Eventually, the battle is joined and our
cyber-sleuth and his entourage light out on the trail of Mitnick,
blamed for invading Shimomura's computer over Christmas.  It would be
exaggerating to say this is interesting. The details of the
Mitnick-hysteria and Shimomura chase have been repeated so often in the
media already none of the story is fresh except for parts near the
end where Shimomura grudgingly admits that it might not have been
Mitnick who was into his computers in the first place, but an unknown
collaborator who finally panicked and begged him off the chase
in a message on his answering service after Mitnick was in custody.
Yes, but Mitnick and his collaborator called Shimomura names and made
dirty jokes about our hero on an Internet talk channel, dammnit!!
That made it personal! Nyahh, nyahh, nyahh! And Mitnick was reading
other people's mail on the Well and into Netcom!  Of course, Kevin
Mitnick is no hero but Shimomura's a thin, thin choice for
a celebrity cybersavior.  Ultimately, "Takedown" is completely lacking
in the kind of humanity, self-effacing wit and style of Cliff Stoll's
"The Cuckoo's Egg," a prior classic on hacker takedown, mostly because
its author can't help being a boor.

However, there is a choice on bookshelves. Jonathan Littman's
"The Fugitive Game" (Little, Brown) is better.  For reasons probably
having to do with the general knowledge that Littman was writing a
book about hackers, Mitnick started calling the reporter regularly
during the same period of time Shimomura was on his case.  And unless
Littman's making everything up, the result makes Shimomura and John
Markoff look like turds.

Littman's book bolsters the idea that it wasn't Mitnick who was
into Shimomura's system and that what the San Diego scientist did
wasn't particularly special -- a Seattle man, Todd Young, had
tracked and spotted the hacker in that city long before Shimomura
came along but allowed him to escape through a combination of
ignorance, bad luck and disinterest in the gravity of Mitnick's
alleged criminal doings.

In "The Fugitive Game," Littman accuses Markoff and Shimomura of
a cozy relationship stemming from an old article in WIRED
magazine on cellular phone crime.  Markoff's original article
anonymized the identities of the cell phone hackers because they
were playing around with illegality.  Littman insists they were
Shimomura and Mark Lottor, an acquaintance of the author and hacker
Kevin Poulsen.  The story goes that Shimomura reverse-engineered
code designed to program an Oki cellular phone for the purpose of
reprogramming it into a transmission snooper, or something like
that.  When Shimomura's computer was broken into, the material
was copied off it. Littman draws the conclusion in "The Fugitive
Game" that Shimomura, in addition to being fired up over the invasion
of his system, was also embarrassed by the loss of this software,
software he engineered, the author implies, under quasi-legal
circumstances. Indirectly, "Takedown" supports this argument.
Shimomura obsesses over the loss of a file which a reader of both
books might guess contained the Oki software.

Throughout "The Fugitive Game," for the first time in book, Mitnick
is portrayed as a real human being, not a caricature. He has a sense of
humor, regrets, weaknesses, and a pack of serious neuroses stemming from
his jail-time and uncontrollable cyber-fame. But the author isn't
easy on him: Mitnick also comes off as a hardened con-man who relishes
snooping other people's privates, cruel treachery, and duping the
unwitting into compromising themselves or their places of employment.

At one point Mitnick indicates something very interesting about
users of Pretty Good Privacy.  Some users of it on the 'Net,
particularly those running services hooked directly to it,
keep their PGP software on the public host.  Mitnick laughs at the
lapse - he implies it's been a simple matter for him to put a
backdoor into the PGP source which deliver the keys and passphrase
of the user to another spot on the host he's invaded, compile it and
replace the original host copies.  From here, it's simple, he maintains,
to read their encrypted mail -- this in a conversation on Mark Lottor
in which the hacker says he's read Lottor's electronic correspondence.

If there's a need for a bona fide, hiss-able villain in "The
Fugitive Game," Littman produces one: Justin Petersen.  Petersen
aka Agent Steal, is a side-plot in the book: a pathological
liar, car thief, and con-man who portrays himself as a
combination cyberpunk/heavy metal rock 'n' roller.  Fond of
artificially busty stripper/hookers from the sleazy end of Sunset in
Hollywood, Littman paints Petersen as the maximum disinformer
and criminal -- a squealer for the FBI who embarrassed the agency
by embezzling Social Security funds and then going on the lam when
lawmen tried to reel him in. "The Fugitive Game" has him
bargaining with the FBI for tidbits on Mitnick's whereabouts.

Littman wraps up "The Fugitive Game" with broadsides at Shimomura
and Markoff. With Markoff playing Mitnick as the enemy of all
computerized civilization on the front page of the New York Times,
the stage was set to ensure maximum hysteria and the subsequent
introduction of the reporter's friend, Tsutomu Shimomura, into
a carefully arranged media spotlight. Behind the scenes, Markoff's
agent was negotiating a big money deal - approximately $2 million,
says Littman - for the reporter and Shimomura, three days before
Markoff put the physicist on the front page of the New York Times.

Ironically, the increasing cynicism which is the natural crop sown
and cultivated by this type of media rigging for the benefit of men
of privilege is a tale of treachery and contempt, too, but one that
goes well beyond hacker Kevin Mitnick.

Crypt Newsletter 35 (http://www.soci.niu.edu/~crypt)

------------------------------

Date: Wed, 20 Mar 1996 18:23:32 (CST)
From: Jim Thomas <jthomas@well.sf.ca.us>
Subject: File 3--"Takedown": A Postmodernist Romance

TAKEDOWN: The Pursuit and Capture of Kevin Mitnick, America's Most
Wanted Computer Outlaw--by the Man who did it.  Tsutomu Shimomura
(with John Markoff). 1995. New York:  Ballantine. 324 pp. $24.95
(cloth).  Reviewed by: Jim Thomas.

Despite the pretentious title, TAKEDOWN is a  subtle and complex
narrative of emotional angst, indecision, alienation, and
romance.  Against the backdrop of the seamy underside of computer
culture, TAKEDOWN deconstructs gender relations in contemporary
society by depicting a lovers' triangle of dependence and
co-dependence played out in hot tubs, ski lodges, and at computer
consoles.  John Markoff cleverly uses the "as told to" literary
style to create distance between author, story narrator, and the
subject, a young California woman named Julia.  This ingenious
layering further heightens the isolation of Julia from the
reader, creating a pathos rarely found in contemporary
literature.  Markoff skillfully combines irony with a playful
stylistic pastiche in juxtaposing Julia's dramatic complexity
with the mundane vision of the unsympathetic narrator.

Small wonder, then, that TAKEDOWN made it to seventh place on the New
York Times Business Best Sellers and may eventually be a movie.

We learn that Julia (to be played by Claudine Longet) is beautiful,
in her mid-30s:

     A tall, graceful woman who is strong and wiry, and who often
     wears her hair drawn back in a braid...With an intense gaze and
     blue-gray eyes, Julia was often introspective but also quick to
     laugh. She was a talented yoga teacher and had an ethereal
     quality...." (p. 7-8).

She's also very bright (a computer programmer). But, as we learn from
Skiamour, the tale's narrator (to be played by Spider Sabitch), who
depicts her as an emotional flake even while lauding her feminine
charms while trying to woo her affections from her boyfriend, she's
co-dependant on her boyfriend's hangups and has a few of her own.
But, her primary character flaw seems to be that she won't leave her
boyfriend for the skier.

The story opens with Julia flying back from Bangkok, looking for
someone to pick her up at the airport.  Julia's boyfriend John, a
nationally-respected computer wizard (to be played by Andy Williams),
is visiting relatives over Christmas. In his absence, she asks a
friend of her boyfriend to pick her up, maybe because he drives fast
(310 klicks in a snowstorm in under two hours?) or because he's macho
(he even carried is ice pick through airport security and "nobody
even blinked").  Or, maybe Julia likes self-absorbed skiers who race,
serve in the Nordic ski patrol, teach skiing, and in their spare time
do computer programming.  Or, maybe she's a sucker for guys who speak
in "kilometers" instead of miles.

Julia quickly ends up in the jacuzzi with Skiamour at John's house,
splashing amidst fronds of fern and four overhead spotlights that
dimly illuminate each corner of the tub and steamy air.  "This is
just amazing," murmurs Julia (p. 13), relating tales of Sherpa
guides, mountain trekking, and birthday blessings from a Tibetan
Lama.  Skiamour, in turn, told tales of unforthcoming research grants
and stupid bureaucrats. Then, lost in thought and perhaps overcome by
the steamy silence (and, of course, the absence of her boyfriend), he
proposed. Well, almost:

     "I want to tell you something I've been thinking about," I said.
     "I've thought about a lot of things while you were away.  I'd
     really like to try having a committed relationship with you, if
     you're willing to." (p. 20).

Julia remained silent, but reached over and held him closely.  "Why
don't you come with me and live in the mountains?" he asked. "You can
come ski and it will be good to be outside."

Careless readers might see such dialogue as simply banal. But,
in fact the dialogue--and it occurs throughout the book--further
illustrates Markoff's ability to heighten the contrasts between
the sympathetic Julia and the shallowness of Skiamour.

The idyllic love-fest, however, is interrupted by one or more
computer hackers breaking into the boyfriend's computer, then into
Skiamour's computer, and even into his voicemail.  One of the hackers
was Kevin Mitnick (to be played by Matthew Broderick), which sets up
the chase in which Julia follows him (Skiamour, not Mitnick) around
the Bay area, and eventually across the country, as they pursue their
quarry from system to system.

Things heat up when the boyfriend returns. Skiamour calls John to ask
about the computer probes, and learns that "he had become
increasingly uncomfortable about my contact with Julia. It was a
strained conversation." Now, if a friend of mine had been snookering
up to my girlfriend in my hot tub professing love to her and steamily
proposing a committed relation while I was away, I'm not sure that
"uncomfortable" about his "contact" is quite how I'd describe it.
Let's see--Skiamour has taken Julia down in the hot tub in John's
house, in ski resorts, in....well, you get the idea.  The book is,
after all, called TAKEDOWN. Contra the narrator's judgment, the boy
friend seems to be handling things remarkably well.

Julia remains torn between her two men. This doesn't make Skiamour
jealous. He's above such things, spending as much time with her as he
can, while simultaneously wondering if she's not being
self-destructive in her unwillingness to break off with her
boyfriend, presumably to spend more time on the slopes with him. The
boyfriend, however, seems to act jealous, despite "politically
correct" protestations to the contrary. At least, this is Skiamour's
interpretation.  So, it must be true--he is, after all, a detached,
objective paragon of judgment in affairs of the heart and loins.

The yarn continues, with Julia and Skiamour hopping in bed, riding in
cars, hiking, and meeting hither and yon.  Markoff (to be played by
Brock Meeks) paints a stark picture of an independent woman dependent
upon her men, unable to chose between them, unwilling to give up one
and commit to another.  Julia is portrayed as the archetypical
new-age "gypsy professional," semi-rootless, no established career or
plans, and living on the economic precipice, needing the strong hand
and wisdom of a good man to guide her.

But, this isn't a Roshomon tale, and a reader might wonder how the
tale's denouement would differ if told through her eyes.

How does it all end? Ah...this is Markoff's mastery.  His
naturalistic narrative shifts to a final trope of realism:
Relationships are never easily defined, resolutions are rarely clear,
and emotional angst isn't dissolved in a few hundred pages.  And, as
in any good work, the reader is left wanting more of Julia.

Oh yeah. TAKEDOWN also has some stuff in it about Tsutomu Shimomura,
a Silicon Valley computer wizard obsessed with tracking down Kevin
Mitnick, who hacked into his computer and maybe (or maybe not)
harassed him via voice mail. The guy seems unlikable, perhaps because
he comes across like a megalomaniac who likes to ski and slam
everybody who he thinks is dumber than he, which seems to be almost
everybody, including The Well personnel, the FBI, hackers, students
who play practical jokes, bureaucrats, former employers, and most
other lesser mortals.  Even John Markoff receives a few hits. Markoff
does an admirable job with the material available.  But, frankly,
Shimomura simply is neither likeable nor interesting, and other than
his computer skills, there isn't enough "there" there to pull the
reader in.  From his self-descriptions, I was left with the
impression that Shimomura is the Martha Grant of the computer
world--he does everything so much better than us.

His tracking of Mitnick is impressive, but lacks the flair and drama
of Cliff Stoll's chase in THE CUCKOO'S EGG.  Other than the aura of
Julia, there is little humanity, compassion, or even a sense of a
strong morality play. Even Markoff's considerable writing skills
can't spin silk from a sow's ear.  And, even one mixed
metaphor--hell, any(!) metaphor--might have broken the monotonous
self-righteousness of Shimomura's occasional mean-spirited
self-absorption.

Still, Markoff's writing salvages the work, and if one is able to
focus on the subtexts and avoid Shimomura's cloying egoism, reading
it is not an unpleasant way to spend an evening.  Hopefully, there
will be a sequel sans Shimomura, and we can catch up on Julia's life.
Both it and she seem far more interesting.

Oh--and if, as one insider warns, you bump into Shimomura, don't
introduce him to your girlfriend.

------------------------------

Date: Tue, 19 Mar 96 11:40:54 EST
From: Robert Prior <prior@MIT.EDU>
Subject: File 4--CFP96 - the Sixth Conference on Computers, Freedom, and Privacy

CFP96  -  The Sixth Conference on Computers, Freedom & Privacy


For immediate release                                   Contact: Robert V. Prior
March 19, 1996                                                    (617) 253-1584
                                                                   prior@mit.edu

MIT to Host Internet and Civil Liberties Conference

CAMBRIDGE, MA -- From electronic commerce--to access to information--to
participation in electronic democracy, computer and telecommunications
technologies can enrich our lives by enhancing our freedom to speak, to
associate, to be left alone, and to exercise political power. At the same
time, these technologies and the organizations that control them pose
threats to these same freedoms. Personal privacy is increasingly at risk,
as is the privacy of our electronic communications and transactions.
Societal gaps between haves and have-nots are widening.

These technological advances enable new forms of illegal activity, creating
new challenges for the legal and law enforcement communities. Yet the
technologies used to combat these new cybercrimes can themselves threaten
the freedoms we take for granted.

The Sixth Conference on Computers Freedom and Privacy (CFP), which will
explore these issues, will be hosted by Massachusetts Institute of
Technology from March 27-30 at the Cambridge Hyatt Regency. Hosted this
year in conjunction with the MIT Laboratory for Computer Science and the
World Wide Web Consortium, the conference has, since its inception in 1991,
brought together international experts from the fields of computer science,
law, business, public policy, law enforcement, and government to confront
controversial issues that have dominated public discussions of computer
communications policy over the past year. Highlights of the conference
include:

- FBI/DOJ law-enforcement training on computer crime.  On the afternoon of
March 27th, Peter Toren of the US Department of Justice Computer Crime Unit
and Richard Ress, Head of the FBI's National Computer Crime Squad, will run
a training session on crime and law in cyberspace.  Admission to this
tutorial will be free for law-enforcement personnel, so long as they
pre-register.

On Thursday, March 28th

- The Constitutional challenge to the Communications Decency Act. Computer
companies, internet service providers, publishing and library associations,
and civil liberties groups have filed suit in Federal court to overturn the
Communications Decency Act of 1996 on the grounds that it violates the
First Amendment. A judgment is expected in April.  Lawyers involved in the
ongoing suit will discuss the suit's progress and analyze the
Constitutional arguments raised by the challengers and by the Department of
Justice. One basis for the challenge is the existence of less restrictive
means to protect children from indecent material on-line, including
filtering software developed at MIT.

- Freedom and Privacy in the Information Age: A European Perspective will
be the keynote address by George Metakides, Director of Research and
Development in Information Technologies for the European Union.

- Can the US government outlaw unauthorized encryption?  In cooperation
with the Criminal Justice Section of the American Bar Association, there
will be a moot Court hearing on the Constitutionality of a proposed law
that criminalizes the use of encryption methods that have not been
authorized by the government.  The arguments, which pit former federal
prosecutors against noted civil liberties lawyers, will be conducted before
a distinguished panel of federal appellate and district court judges.

- Export-controlled encryption software on the Internet.  Jeff Schiller,
Manager of the MIT Network, and Ron Lee, General Counsel of the National
Security Agency, will describe the legal and technical procedures for
distributing software over the Internet in compliance with US export
controls.

- "Ancient Humans in the Information Age." Michael Dertouzos, Director of
the MIT Laboratory for Computer Science, will address: Will the Information
Market increase the gap between rich and poor? Will it affect democracy and
our tribal aggregation into nations? And what influence might it have on
human relationships? Our assessment of these issues will be informed by the
value of information and electronic proximity, acting under an ancient and
powerful constant --human nature.

On Friday, March 29th

- Freedom of expression in digital networked environments, will copyright
law be an enabler or an impediment? Does digitizing information so
fundamentally change the economics of creating and disseminating
information products as to render copyright law obsolete? Pamela Samuelson
of Cornell Law School will explore this topic with an international panel
of copyright experts.

- Limiting on-line speech on campus.  Harvard Law School's Arthur Miller
will moderate a panel of university administrators, lawyers, and
journalists to explore the conflicts between universities and the
free-speech rights of their students.

- Electronic Money.  Should on-line payments be anonymous or traceable?
David Chaum of DigiCash, the American Bankers Association's Kawika Daguio,
Stan Morris of FINCEN (the Financial Crimes Enforcement Network) and other
experts will compare perspectives.

- The struggle to control controversial content on the Internet is being
waged in the U.S. Congress and in open and restrictive societies around the
world.  Will conflicts among governments over what and how to censor
restrict the flow of ideas for all?  Moderator Danny Weitzner of the
Washington-based Center for Democracy and Technology and an international
panel will offer their views.

On Saturday, March 30th

- Data privacy in the Global Information Infrastructure will be a
discussion of the roles of governments and technology with privacy advocate
Marc Rotenberg and a panel of international experts.

- China and the Internet.  The Chinese expression "may you live in
interesting times" clearly applies to issues of computers and society as
the Internet spreads explosively throughout China and the rest of Asia.
Sociologist Gary Marx and a panel that includes officials of the China
Education and Research Network (CERNET) discuss the likely social impacts
of the Internet on China and of China's Internet policies on the rest of
the Internet.

- We Know Where You Will Live... To close the conference, noted science
fiction authors Pat Cadigan, Tom Maddox, Bruce Sterling, and Vernor Vinge
will present their unique perspectives on the future of freedom and privacy
in an increasingly computerized world.


CFP96                                                   http://web.mit.edu/cfp96

For additional information or to request a press pass, please contact:
Robert V. Prior, CFP96 Press Coordinator          prior@mit.edu / (617) 253-1584

For general registration, call (617) 253-1700

   ---------------------------------------------------------------
CFP96 - THE SIXTH CONFERENCE ON COMPUTERS, FREEDOM, AND PRIVACY
   ---------------------------------------------------------------
Robert V. Prior
CFP96 Press Coordinator                                          prior@mit.edu
The MIT Press                                                   (617) 253-1584
55 Hayward Street                                          Fax: (617) 258-6779
Cambridge, MA  02142                                  http://web.mit.edu/cfp96

------------------------------

Date: Tue, 19 Mar 1996 21:44:59 -0800 (PST)
From: Declan McCullagh <declan@WELL.COM>
Subject: File 5--Dorothy Denning attacks Leahy's crypto bill

I may have to adjust my position on Leahy's bill. Any legislation that
Dorothy Denning attacks so virulently must be worth passing.

-Declan

   ------------------------------------------------------------

Date--Tue, 19 Mar 96 14:53:35 EST
From--denning@cs.cosc.georgetown.edu (Dorothy Denning)
To--farber@central.cis.upenn.edu
                                                   March 14, 1996

The Honorable Patrick Leahy
United States Senate
Russell Building, Room 433
1st and C Streets, NE
Washington, DC 20510

Dear Senator Leahy:

As author, scholar, lecturer, researcher, and consultant to the
government and industry in cryptography and information security, I am
concerned that S.1587, the "Encrypted Communications Privacy Act of
1996," is not in balance with society's needs.  By removing practically
all export controls on encryption, the bill will make it far easier for
criminals, terrorists, and foreign adversaries to obtain and use
encryption that is impenetrable by our government.  The likely effect
will be to erode the ability of our law enforcement and intelligence
agencies to carry out their missions.  This is not consistent with your
own findings in the bill which recognize the need for a "national
encryption policy that advances the development of the national and
global information infrastructure, and preserves Americans' right to
privacy and the Nation's public safety and national security."

I am concerned that the proposed legislation responds only to a loud
cry for assistance and is not the reasoned and practiced position of
our multinational corporations.  At the International Cryptography
Institute, which I chaired in September 1994 and 1995, our discussions
did not find that this unrestricted distribution of encryption
technology was required to satisfy business objectives.  Our
corporations recognize the need to respect the legitimate interests of
governments and the need for encryption methods that use "key escrow"
or "trusted third parties" with data recovery capabilities to protect
their own information assets.  Businesses are moving in the direction
of key escrow, and key escrow is becoming a standard feature of
commercial products.  I have recently summarized the features of thirty
products and proposals for key escrow in a taxonomy which I developed
with Dennis Branstad.

Because of the need to address information security at an international
level, the Organization for Economic Cooperation Development, through
its Committee for Information, Computer, and Communications Policy, is
bringing together the international business community and member
governments to develop encryption policy guidelines that would respect
the interests of businesses, individuals, and governments.  In support
of that objective, the INFOSEC Business Advisory Group (IBAG), an
association of associations representing the information security
interests of users, issued a statement of principles recognizing the
needs of governments, industry, and individuals, and supporting
approaches based on trusted third parties.  A similar statement was
issued by a quadripartite group consisting of EUROBIT (European
Association of Manufacturers of Business Machines and Information
Technology Industry), ITAC (Information Technology industry Association
of Canada), ITI (Information Technology Industry Council, U.S.), and
JEIDA (Japan Electronic Industry Development Association), which
accounts for more than 90% of the worldwide revenue in information
technology.  X/Open is pursuing a public key infrastructure project
aimed at creating specifications and possibly operating manuals that
could be used in conformance testing and site accreditation of trusted
parties.

The European Commission has proposed a project to establish a
European-wide network of trusted parties that would be accredited to
offer services that support digital signatures, notarization,
confidentiality, and data integrity.  The trust centers, which would be
under the control of member nations, would hold keys that would enable
them to assist the owners of data with emergency decryption or supply
keys to their national authorities on production of a legal warrant.

Within the U.S., the Clinton Administration is developing federal
standards for key escrow encryption (these are in addition to and more
general than the original Clipper standard, FIPS 185), adopting
escrowed encryption within the federal government, and liberalizing
export controls on encryption products that include an acceptable
system of key escrow.  The Administration's policy has considerable
flexibility, allowing for both hardware and software implementations,
classified and unclassified algorithms, and government and private
sector key holders.  Some companies have submitted products for review
under the liberalized export controls for key escrow encryption.
Trusted Information Systems has already received approval for their
Gauntlet firewall.

Industry is also developing cryptographic application programming
interfaces (CAPIs), which will facilitate the inclusion of
cryptographic services in applications, networks, and operating
systems.  This approach, recently demonstrated by Microsoft, will allow
U.S. software companies to develop exportable applications and systems
that run with separate security modules.  These modules can provide
either domestic grade encryption or exportable encryption.  The impact
of export controls will thus be limited to those companies selling
encryption modules, not the entire U.S. hardware and software
industry.  Even this impact can be made negligible by allowing
companies to export security modules with strong encryption where the
keys are held with escrow agents in the purchaser's country.  Bilateral
mutual assistance agreements could ensure that U.S.  law enforcement
agencies are able to obtain decryption assistance if the exported
module is used in a crime against the U.S.  CAPIs are providing the
technological base for experiments under the International Cryptography
Experiment (ICE), an informal international alliance of individuals and
organizations working together to promote the international use of
encryption within import and export regulations that respect law
enforcement and national security interests.

As these examples illustrate, businesses and governments are working
hard to establish policies and technologies that respect the needs of
users, industry, and governments in the furtherance of a secure global
information infrastructure.  Considerable progress has been made during
the past year.  The export provisions in S.1587 are likely to undermine
those efforts by satisfying the immediate export demands of a few U.S.
companies at the expense of other stakeholders and society at large.
It will undermine the ability of governments worldwide to fight global
organized crime and terrorism.

Although some U.S. companies have lost sales because of export controls
on encryption, the overall impact of these controls on the U.S.
information technology industry as a whole is much less clear.  In the
most comprehensive study of export controls to date, the Department of
Commerce and National Security Agency found that in all but three
countries surveyed, sources indicated that U.S. market share (about 75%
overall) was keeping pace with overall demand.  Most of the impact was
found to be on the sale of security-specific products, which account
for only a small percentage of the total market, rather than
general-purpose software products.  Sales of security-specific products
are generally few and mostly to customers within the country where the
product originates.  Visits to 50 computer and software stores in
Canada, France, Germany, Japan, S. Korea, Thailand, and the U.K. found
that all the general-purpose software products with encryption were
from U.S. manufacturers.  The study concluded that "the impact of U.S.
export controls on the international market shares of general-purpose
products is probably negligible" and that "the export licensing process
itself is not a major obstacle to U.S. competitiveness."  This is in
stark contrast to the dire prediction of the Computer Systems Policy
Project that U.S.  industry stands to lose $30-60 billion in revenues
by the year 2000 because of export controls.

The Commerce/NSA study did acknowledge that the existence of foreign
products claiming strong encryption could have a negative effect on
U.S. competitiveness.  However, by allowing encryption services to be
sold separately from the applications software that uses them, CAPIs
will make it extremely unlikely that general-purpose software will be
substantially effected by export controls.  Even security-specific
products, which are a growing industry, can use CAPIs to separate out
the encryption component from the main product (e.g., firewall).
Moreover, if keys can be held in other countries under appropriate
bilateral agreements as noted earlier, export controls need not
substantially impact encryption products.

Export controls are often blamed for the lack of security in our public
infrastructure.  The Commerce/NSA study found "little evidence that
U.S. export controls have had a negative effect on the availability of
products in the U.S. marketplace," although they "may have hindered
incorporation of strong encryption algorithms in some domestic
mass-market, general-purpose products."  There are many factors which
have played an even larger role in the general lack of security we find
on the Internet: the high cost and low demand for security, the
difficulty of designing systems that are secure, pressure to bring new
products to market before their security implications are understood,
the willingness of users to take risks in favor of acquiring new tools
and services, and lack of a public key infrastructure to support
encryption on a national and international basis.  Many systems are so
riddled with security holes that any would-be attacker can gain access
to the system itself, and from there access to plaintext data and
keys.  Malicious code can be injected into a victim's system through
electronic mail, documents, images, and web browsers; once there, it
can transmit sensitive data back to its owner.  Keyboard sniffers can
capture a user's keystrokes before they are ever encrypted.  Thus,
while export controls have played a part in the slow integration of
strong encryption into software and systems, they are not responsible
for most of the security vulnerabilities we see today.  Moreover, most
of these vulnerabilities are remedied with non-cryptographic controls
(e.g., process confinement, trusted systems engineering, biometrics,
and location-based authentication) or with cryptographic techniques for
authentication, data integrity, and non-repudiation, which are exempt
from State Department export controls.  I do not mean to suggest that
encryption is not important.  In fact, it is essential to protect
against certain threats.  However, it must be kept in perspective.  The
use of encryption for confidentiality protection is but one small,
albeit important, piece of an information security program.

The provisions is S.1587 regarding trusted key holders could have the
benefit of increasing public trust in key holders.  However, I have
some concern that the current provisions may be overly restrictive.
Thus far, we have practically no experience with the operation of third
party key holders and the circumstances under which they will be called
upon to provide keys or decryption assistance.  It will be extremely
important that the provisions allow enough flexibility to accommodate
legitimate use of the data recovery services of key holders for
criminal investigations, civil litigation, and intelligence
operations.  The liability risks to key holders should not be onerous.
The definition of key holder and exact wording in the bill may also
need some refinement in order to accommodate existing and proposed
methods of trusted third party encryption.

Encryption policy is a difficult and often emotional issue.  It is
important that Congress work closely with the Administration, industry,
and other interested parties to develop the best legislative strategy
for promoting information security on the national and global
information infrastructure without diminishing the ability of our law
enforcement and intelligence agencies to protect the public safety and
national security.  Export liberalization should proceed cautiously,
tied to key escrow or other methods that accommodate the needs of the
government as well as those of users and industry.  The
Administration's plans to liberalize export controls on software key
escrow is a good next step.  As trust and confidence in key escrow
grows, the export of virtually unlimited strength encryption systems
may be possible.  Because export controls are our only lever for
controlling the spread of encryption, they should be used to their full
advantage.  Decisions to liberalize these controls must be fully
informed by classified national security information as well as by
economic analysis and market studies.

Law enforcement agencies are encountering encryption with ever greater
frequency.  Within a few years, the successful execution of practically
all court-ordered intercepts and searches and seizures is likely to
depend on their ability to decrypt communications and stored
information.  If the encryption cannot be broken, it could be
impossible to successfully investigate or prosecute those cases.
Crimes of terrorism and white collar crime, including fraud,
embezzlement, and money laundering, would be facilitated and perhaps
impossible to solve.  Even crimes of economic espionage, which often
involve insiders with access to company secrets, are facilitated with
encryption.  It will be important for Congress to closely monitor the
impact of encryption on law enforcement and use that information to
guide any encryption legislation.

In summary, our national policy can and must promote the legitimate use
of strong encryption for information protection without unnecessarily
hindering the ability of our law enforcement and intelligence agencies
to do their jobs.  In so doing, the policy can accommodate reasonable
liberalization of export controls and business objectives without
undermining other national objectives.  Such a policy is consistent
with your own guiding principle for the bill: "Encryption is good for
American business and good business for Americans."  But it goes
further in order to be equally guided by the principle that law and
order and national security are essential for the American economy and
the American people.  It is not necessary to so radically lift export
controls on encryption in order to accommodate both principles.

I will be pleased to meet with you and the committee for comment and
questioning, or to assist in any way I can with the development of a
balanced approach to encryption legislation.

Yours respectfully,

Dr. Dorothy E. Denning
Professor of Computer Sciences
Georgetown University
denning@cs.georgetown.edu
http://www.cosc.georgetown.edu/~denning

------------------------------

Date: Sun, 16 Dec 1995 22:51:01 CDT
From: CuD Moderators <cudigest@sun.soci.niu.edu>
Subject: File 6--Cu Digest Header Info (unchanged since 16 Dec, 1995)

Cu-Digest is a weekly electronic journal/newsletter. Subscriptions are
available at no cost electronically.

CuD is available as a Usenet newsgroup: comp.society.cu-digest

Or, to subscribe, send post with this in the "Subject:: line:

     SUBSCRIBE CU-DIGEST
Send the message to:   cu-digest-request@weber.ucsd.edu

DO NOT SEND SUBSCRIPTIONS TO THE MODERATORS.

The editors may be contacted by voice (815-753-0303), fax (815-753-6302)
or U.S. mail at:  Jim Thomas, Department of Sociology, NIU, DeKalb, IL
60115, USA.

To UNSUB, send a one-line message:   UNSUB CU-DIGEST
Send it to  CU-DIGEST-REQUEST@WEBER.UCSD.EDU
(NOTE: The address you unsub must correspond to your From: line)

Issues of CuD can also be found in the Usenet comp.society.cu-digest
news group; on CompuServe in DL0 and DL4 of the IBMBBS SIG, DL1 of
LAWSIG, and DL1 of TELECOM; on GEnie in the PF*NPC RT
libraries and in the VIRUS/SECURITY library; from America Online in
the PC Telecom forum under "computing newsletters;"
On Delphi in the General Discussion database of the Internet SIG;
on RIPCO BBS (312) 528-5020 (and via Ripco on  internet);
and on Rune Stone BBS (IIRGWHQ) (860)-585-9638.
CuD is also available via Fidonet File Request from
1:11/70; unlisted nodes and points welcome.

EUROPE:  In BELGIUM: Virtual Access BBS:  +32-69-844-019 (ringdown)
         Brussels: STRATOMIC BBS +32-2-5383119 2:291/759@fidonet.org
         In ITALY: ZERO! BBS: +39-11-6507540
         In LUXEMBOURG: ComNet BBS:  +352-466893

  UNITED STATES:  etext.archive.umich.edu (192.131.22.8)  in /pub/CuD/
                  ftp.eff.org (192.88.144.4) in /pub/Publications/CuD/
                  aql.gatech.edu (128.61.10.53) in /pub/eff/cud/
                  world.std.com in /src/wuarchive/doc/EFF/Publications/CuD/
                  wuarchive.wustl.edu in /doc/EFF/Publications/CuD/
  EUROPE:         nic.funet.fi in pub/doc/cud/ (Finland)
                  ftp.warwick.ac.uk in pub/cud/ (United Kingdom)


The most recent issues of CuD can be obtained from the
Cu Digest WWW site at:
  URL: http://www.soci.niu.edu/~cudigest/

COMPUTER UNDERGROUND DIGEST is an open forum dedicated to sharing
information among computerists and to the presentation and debate of
diverse views.  CuD material may  be reprinted for non-profit as long
as the source is cited. Authors hold a presumptive copyright, and
they should be contacted for reprint permission.  It is assumed that
non-personal mail to the moderators may be reprinted unless otherwise
specified.  Readers are encouraged to submit reasoned articles
relating to computer culture and communication.  Articles are
preferred to short responses.  Please avoid quoting previous posts
unless absolutely necessary.

DISCLAIMER: The views represented herein do not necessarily represent
            the views of the moderators. Digest contributors assume all
            responsibility for ensuring that articles submitted do not
            violate copyright protections.

------------------------------

End of Computer Underground Digest #8.22
************************************