TBTF for 1997-06-16: Joshua fit the battle of Jericho
Keith Dawson (dawson dot tbtf at gmail dot com)
Sun, 15 Jun 1997 23:07:11 -0500
A recent accelerating cascade of events in the battle for
encryption export all point toward defeat for the Clinton
Administration's policies. What began as straws in the wind have given way,
to extend the metaphor, to trashcan lids, automobiles, and house
And the walls come a-tumblin' down
- 5/19: Sun Goes Around. Sun Microsystems, in a move that
seems calculated to apply maximum torque to the noses of B.
Clinton and A. Gore, announced that it will sell, worldwide,
strong crypto products developed in conjunction with a Russian
company in which Sun has invested. The company, Elvis+, will
supply cryptographic components for Sun's virtual-tunnel
technology. This puts Sun in a position to offer 128-bit and
triple-DES (168-bit) crypto anywhere in the world, without key escrow
or key recovery. Sun did not apply for an export license,
because it will not export the Russian software from US sites.
Sun had no hand in its development, beyond publishing the specs
to which it was written.
- 5/21: Sybase Gets a Walk. The current export rules,
effective last January, stipulate that companies may apply for
permission to export 56-bit crypto only if at the same time
they file a plan for implementing key recovery within two years.
Sybase announced that it had won approval to export database and
server products with 56-bit DES encryption, even though the
company has no model for key recovery.
- 5/28: VeriFone Gets OK for SET. VeriFone announced that
its Secure Electronic Transaction-based product suite has
received export approval from the Commerce Department. This is
the first time a SET-based, end-to-end, full-strength-crypto Net
commerce solution has been cleared for export.
- 5/28: PGP Obtains a Blanket Waiver. Well, sort of. The
export rules always contained exceptions for software
distributed to the overseas subsidiaries of US corporations. The news
is that PGP does not have to apply one at a time for permission
to ship its strong crypto products to anyone who works for one
of the 107 companies on this list.
- 6/2: A Longtime Administration Backer Rethinks.
Denning, long the only cryptographer the Administration could
count on for support, is starting to waver in her position.
"Maybe export controls should be lifted," she said. "But I'm
not saying that all controls should be lifted. I've gotten
into a state where I don't know and I'm not sure that I ever
- 6/11: SJ Mercury News Editorializes. In an editorial entitled
"Feds have lost the battle against encryption," the San Jose
newspaper says "Government warriors should pack up their rusty cannons,
admit that they've lost this battle, and learn to live in the
- 6/11: Overheard in the Halls. Declan McCullagh wrote to the
Cryptography list: "I ran into Mike Nelson, the Clinton
administration's former crypto-spokesperson. Now he's at the FCC...
'I'm so glad to be away from crypto,' he told me."
For past coverage of the debate over cryptography export policy, see
TBTF Threads.
By now you've probably heard the one about the Danish bounty hunter
and the Netscape bug. You haven't? Well, then. Christian Orellana
<bug at cabocomm dot dk> is one of two people in CaboComm, a Danish
Internet solutions provider in Aarhus, west of Copenhagen. He
discovered a way for a Web-site administrator to copy files from the
disk of any user of any version of Netscape Navigator or Netscape
Communicator, on any platform. Firewalls offer no protection. The
user apparently needs to access a password-protected page on the
bad guy's site (this is my inference from the various press reports),
and the miscreant needs to know or guess a file's exact path and
name in order to steal it.
A Dane finds a nasty Netscape bug but gets no bounty
Orellana contacted Netscape on 6/9 but claims he was unsatisfied at
the level of seriousness accorded his report. Netscape claims that
Orellana refused to share technical details of the bug unless he was
paid "a large unspecified amount" of money
remembers it differently
 -- Orellana says he did not
consider Netscape's offer of a $1,000 "bug bounty" an appropriate way
to deal with a serious product issue.) Netscape refused to pay up,
and later compared Orellana's demands to those of a terrorist.
Orellana contacted the press, CNNfn and PC Magazine, and proved to
their satisfaction that the bug exists as claimed. CNNfn reported
the bug on 6/12, on the final day of Netscape's developers'
conference, and Netscape stock dropped about 5 percent. (It has
By 6/13 Netscape had located and fixed the bug with no help from
CaboComm; no bounty will be paid. The company will deliver fixes
first for Communicator, then for Navigator, beginning this week.
Here is a thoughtful piece on the drawbacks and risks of
Netscape's bug bounty program.
The Federal Trade Commission held hearings last week on consumer
privacy. Keith Lynch <kfl at clark dot net> attended the session on email
spam on the morning of 6/12 and posted an account to several
Net-abuse newsgroups. Lynch concludes that the FTC is in no mood
to regulate spam at this time. Congress, on the other hand, is
pondering three separate anti-spam measures.
- 5/21, Sen. Frank Murkowski, R-Alaska
Unsolicited Commercial Electronic Mail Choice Act of 1997
- 5/22, Chris Smith, R-NJ
Netizens Protection Act of 1997
- 6/11, Sen. Robert Torricelli, D-NJ
Electronic Mailbox Protection Act of 1997
(You can get the latest status on any of these bills from the Thomas
site; search by "Bill/Amendment No." I don't provide URLs here
because the search results are cached only temporarily.)
The Murkowski bill as filed has been widely criticized because it
puts the burden of filtering spam onto ISPs; one observer called it
an "unfunded mandate." Worse, it makes a content-based distinction
on the commercial nature of spam. First Amendment advocates consider
this a no-no. The Smith bill takes the tack of extending the
junk-fax ban to cover advertisements delivered by email.
Torricelli's bill is the most Net-friendly of the three: it aims
directly at the worst practices of the spammers. S.875 restricts
the harvesting of email addresses, and it requires senders of
unsolicited email (including noncommercial messages) to use valid
reply addresses, to honor "remove" requests, and to comply with
Netiquette regarding spam. Torricelli's bill also opens up spammers
to class-action lawsuits. Sad but true: in the US the quick route
to social change often involves appealing to lawyers' remunerative
Six states also have anti-spam legislation pending. Here is a
valuable site for tracking both state and federal legislation.
Finally, for those who can't wait for legislative relief, peruse this
collection of anti-spam sites and resources:
- Outlaw Junk E-mail Now! 
- No Junk E-mail 
- Blacklist of Internet Advertisers 
- Stop Junk E-Mail 
- Private Citizen anti-junk e-mail site 
No, we're not talking climate-type weather here on earth as reported
via the Internet. We're talking bitwise weather. Storms in the aether.
The ebb and flow, the squalls and bottlenecks on the largest Net
backbone carriers. The folks at ClearInk, a California "E-vertising"
agency, offer the indispensable Internet Weather Report, a
quick-loading tabular summary, updated every 15 minutes, of packet loss and
"ping" round-trip times from their location to 15 nationwide carriers.
At this moment AGIS is losing 8% of the packets ClearInk sends them.
Why? Perhaps it's due to the hackings, flames, and vandalism
directed against this ISP, the only remaining safe haven for "spam king"
Sanford Wallace's Cyber Promotions. (For more on CyberPromo, visit
 and follow one of the two spam topics.)
The Internet weather report
The latest addition to Religion on the Net relates only obliquely
to religion: it's a page celebrating the NunBun, a cinnamon bun that
emerged from the ovens of the Bongo Java coffee shop, in Nashville,
Tennessee, molded into an unmistakable likeness of the good woman of
Calcutta -- one of only five people ever voted by Congress to the
distinction of honorary citizen of the United States of America, in the
company of William Penn and Raoul Wallenberg. Christopher Hitchens
reflects pithily on the story in The Nation;
his article is entitled "Mother Theresa on a Roll."
Joshua fit the battle of Jericho (sometimes spelled "fought" and
occasionally "fit de") is a spiritual of American origin. You can get
a sense, if only a dim one, of the tune from this soulless rendition.
The song tells the Biblical story of Joshua reducing to rubble
the walls of a contemporaneous city (from Joshua 4.1
Those of you who have visited TBTF on the Web in the last few days
have noticed that I've begun producing this newsletter in daily
installments. The Tasty Bit of the Day will be posted on
each day by 9:00 am in my time zone
(GMT -0400 / -0500). The
retro-push (email) edition should be in your mailboxes each Monday
morning. This new regime will allow me to begin producing TBTF on a
predictable schedule despite my own somewhat unpredictable one.
My consulting business now has a name -- The Technology Front -- and
a home page -- <http://www.technologyfront.com/>.
Do visit if you're curious about what I do for a living or if you think you
might be able to use my services.
Please welcome The Technology Front's first partner company,
Ingenius Technologies, Inc., and check out their
service. javElink was reviewed in TBTF for 1997-03-21.
For a complete list of TBTF's (mostly email) sources, see
E.Commerce Today -- this commercial publication provided background
information for some of the pieces in this issue of TBTF. For
complete subscription details see
Cryptography -- mail firstname.lastname@example.org without subject and with message:
subscribe cryptography [ email@example.com ] .
TBTF home and archive at <http://www.tbtf.com/>. To subscribe
send the message "subscribe" to firstname.lastname@example.org. TBTF is
Copyright 1994-1997 by Keith Dawson, <dawson dot tbtf at gmail dot com>.
Commercial use prohibited. For non-commercial purposes please forward,
post, and link as you see fit.
Keith Dawson dawson dot tbtf at gmail dot com
Layer of ash separates morning and evening milk.