Echelon and the UKUSA signals intelligence franchise
See also TBTF for 2000-07-20, 1999-09-11, 07-08, 06-14, 1998-12-23, 03-09
(Note: turn off graphics before following . The text alone downloads 332K and the graphics add little to the report.)
Sweden: general license for 128-bit crypto
Sten Linnarsson <sten at cajal dot mbb dot ki dot se> of the Karolinska Institute published this note to the EUcrypto mailing list.
The EU is not considered "export," you can distribute any crypto you like within it. The general license extends to about 60 countries, including USA, most of South America, China, Japan, Israel, Egypt, India, the Baltic states, Russia, Indonesia, and Mexico. Absent are, among others: Serbia, Libya, Afghanistan, Colombia, most African countries, and some Central American countries.
"Mass-market" has the same definition as in Wassenaar (sold in mass-market channels, accessible to the public, crypto not modifiable, installable without support).
With Germany and France already moving, this probably means that most EU countries will move toward free strong crypto.
The general license can be found in Tullverkets Författningssamling TFS 1999:40, July 1st 1999.
Germany deregulates crypto exports
A German technology magazine published a brief piece  (in German) stating that the German government intends to remove most of the red tape from the export of commercial crypto products. Here is a rough translation of the article, courtesy of TBTF Irregulars  Justin Mason <jm at netnoteinc dot com> and Mark Kraml <kraml at ibm dot net>:
The new regulation applies to all but a few countries worldwide, if goods are not intended for "a sensitive use as in military work or for weapons of mass destruction." [Exporters] must decide in the future whether their products qualify for the exemption and maintain documentation to that effect. There is no longer a general requirement to register.
Did Microsoft build a back door into Windows for the NSA? I'm doubting it
By now you've heard all about the extra signing key found in Microsoft's CryptoAPI in all Win95, 98, NT, and 2000 systems. Here's the posting by Andrew Fernandes that started all the fuss . The BBC has an annotated screen shot  of a debugger session showing the variable named, portentously, _NSAkey. Microsoft's official response  to the flap makes a whole lot more sense than assuming that the National Security Agency had somehow weakened Microsoft's crypto and tagged the fix "_NSAkey." To put a few authoritative nails in this coffin, read the thoughts of Russ Cooper , proprietor of NTBugTraq, and of the noted cryptographer Bruce Schneier .
The investigations of Fernandes (building on work last year by Nicko van Someren and Adi Shamir) have publicized a way to disable crypto export control in Windows. Anyone outside the US can replace _NSAkey with their own key, and use that key to sign a crypto module of any strength, and then use that strong crypto under the auspices of Windows. But note that this impotence of Microsoft's CryptoAPI to control what crypto gets run is not new news. Bruce Schneier pointed out this Windows weakness in his CRYPTO-GRAM newsletter last April , before anybody discovered the name of the replaceable second key.
Over the weekend Brian Gladman <gladman at seven77 dot demon dot co dot uk> posted a note  to the UK Crypto list demonstrating that the Microsoft CryptoAPI had been a serious political issue in Britain 3-1/2 years ago. He worked with British authorities to make sure that Microsoft UK was able to sign cryptographic modules separately from the US authority.
The _NSAkey fiasco raises four separate issues, and little of the commentary I've read makes much effort to disentangle them. The issues are:
What will be the fallout of this tangle? Even more people will be made aware that Microsoft security is porous. Even more people will learn of the utter inability of US controls to stop the export of technology which truly escaped a decade ago. And even fewer people will believe what Microsoft says, even though in the matter of the _NSAkey the company is probably telling the truth. A few years back Nicholas Petreley, the IDG pundit, summed up the common perception this way:
They picked your locks? Then put up a brick wall
After the hacker group Global Hell defaced the US Army's Web site  (note: link may deactivate after 1999-09-15), the Army investigated ways to secure their Web presence. One action the service took was to shut down their public-facing Windows NT server and replace it with a Macintosh  running the WebStar server. As one poster noted in the Slashdot discussion , one factor that renders MacOS secure is its "quaint" (his word) native reliance on the AppleTalk protocol over TCP/IP. An out-of-the-box Macintosh on the Net presents no open ports through which attackers may enter, just port 80 to the Web server. Two years ago the Crack-a-Mac Challenge  survived thousands of break-in attempts over 6 weeks before succumbing to a hole (immediately fixed) in a 3rd-party add-on to the WebStar server.
The White House server was also cracked by Global Hell, which may motivate this Federal Times story's claim  (note: this looks like a temporary URL) that the executive is studying how best to diversify the government's infrastructure away from reliance on Microsoft in favor of open source systems.
Look for a marked dip in Windows sales to the US government and, over time, to other organizations with high security needs. The introduction of Windows 2000, with its reportedly immense learning curve, might make a natural break-point.
Digital technology is the universal solvent of intellectual property rights
Is it piracy to put up a page of links to music files? Tommy Olsson is waiting to hear a Swedish court's ruling on that question . Olsson didn't create any music files, copy them, or send them to anyone. The case is the first to go to trial of some 1000 Web sites challenged over the last two years by the Swedish branch of the International Federation of the Phonographic Industry, which represents record companies. If convicted Olsson could be fined a few hundred dollars, which is about how much he made from ads on his Web site. But a conviction could leave him liable for damages. Thanks to TBTF Irregular  Chuck Bury <cbury at softhome dot net> for the tipoff. And thanks, indirectly, to Tom Parmenter <tompar at world dot std dot com> for the subtitle -- it's been his tag line on the now-revived Desperado mailing list since the early 1980s. (Send the message subscribe to email@example.com.)
Someone at Microsoft was polluting my Web log file. Every minute of every day, at 18 seconds after the minute, someone at Microsoft was depositing the following 339-character string into my Web log (nearly 1/2 MB per day). I've broken it into 60-character chunks for convenience.
tide78.microsoft.com - - [01/Sep/1999:23:59:18 -0500] "GET h ttp://channels.real.com/getlatest.glh?PV=188.8.131.52&OS=WIN&L=e n-US, en, *&LID=1033&ch=70+132+0+0+programs=intro,52,33,50&c h=52+425+0+0+0&ch=72+30+0+0+0&ch=16+358+0+0+0&ch=44+281+0+0+ 0&ch=33+327+0+0+0&ch=47+386+0+0+0&ch=73+18+0+0+0&ch=94+167+0 +0+0&ch=98+24+0+0+0 HTTP/1.0" 403 220 -
My guess is that someone with a channel-enabled browser (IE5?) happened to be looking at tbtf.com when setting up a channel request, and somehow ended up proxying the once-a-minute request through my site.
I posted my dilemma as a Tasty Bit of the Day with the title Please make it stop and implored any reader within Microsoft to forward it to the IS department. Three readers wrote in with helpful comments; one had forwarded my problem to the appropriate Microsoft group. The barrage ceased 20 hours later. (The power of the press belongs to him as owns one.)
After I posted the above, a reader sent in the following note that Linus Gelber <linus at panix dot com> had posted to a local list. It is excerpted here by permission.
Our stats for the first four days of September show that netmind.com made 501 file requests from our site before we blocked them, for a total of nearly 5 megs of transfer (it appears that we caught them very early). Had this gone unchecked, they would ultimately have been downloading 120 to 150 megs a month for their commercial service, for which of course we would be footing the bill. I've written them concerning theft of services and general inappropriate behavior.
News from the micro- and nano-scale frontiers
The German publication Telepolis caught the Net's attention with a story , possibly picked up from the New Scientist , about Berkeley researchers and their smart dust . The 5-mm devices they have constructed can sense local conditions and communicate using beams of light. Though the devices are far too large to be called "dust" -- what they are is Micro Electro-Mechanical Systems, or MEMS -- Slashdot was alive with speculation about invisible FBI bugs wafting in the open window. One poster quipped:
Probing a giant black hole, quite indirectly
The center of our galaxy contains, scientists assume, a black hole several million times as massive as our own sun. Such an object makes conditions highly interesting for light-years around. Now a pair of physicists have calculated  how the (putative) black hole would affect the (putative) halo of "dark" matter in its vicinity. They suggest the black hole would sculpt any dark matter into a dense spike where particle interactions would be more frequent. If hypothetical particles called neutralinos (you read that right) make up the bulk of the dark matter, as a leading hypothesis supposes, they would self-annihilate like crazy. The neutralino is its own antiparticle, you see. I am not making this up. The annihilations would produce, in addition to the expected gamma rays , a soup of energetic particles including neutrinos, which would be most useful for probing the galactic core. These neutrinos could be detected in tiny numbers by vast "telescopes" composed of thousands of gallons of purified water or perhaps dry-cleaning fluid.
Do you see why I love this stuff?
Natural phenomenon meets ancient scientific instrument
Three weeks before last month's solar eclipse, Mark Gingrich <grinch at rahul dot net> posted a request to several astronomy newsgroups. Gingrich knew that many central European churches and cathedrals are set up as giant pinhole cameras -- they feature a tiny hole in the dome or cupola and an inscribed meridian line somewhere inside. When the sun's projected image crosses the "noon mark," it's noon local time. The most famous such arrangement was designed 350 years ago by the astronomer Gian Domenico Cassini for the Church of San Petronio in Bologna, Italy. Gingrich asked for photos of the partially eclipsed sun as it crossed the meridian lines in these historical scientific instruments. Gingrich's request bore fruit and Franco Martinelli has put up this page  with the results. Many thanks to TBTF Irregular  Mary Ellen Zurko for the pointer.
A wake-up call to PR flaks everywhere
TBTF home and archive at http://tbtf.com/ . To (un)subscribe send the message "(un)subscribe" to firstname.lastname@example.org. TBTF is Copy- right 1994-1999 by Keith Dawson, <dawson dot tbtf at gmail dot com>. Commercial use prohibited. For non-commercial purposes please forward, post, and link as you see fit. _______________________________________________ Keith Dawson dawson dot tbtf at gmail dot com Layer of ash separates morning and evening milk.
Most recently updated 2000-09-10