TBTF for 1999-09-11: Here's how it works

Keith Dawson (dawson dot tbtf at gmail dot com)
Mon, 11 Sep 20:03:09 -0400


EU moving rapidly to open export of strong crypto

Ahead of European Parliament discussions of accusations of US industrial espionage raised by the IC2000 report [1], EU countries are moving one-by-one to liberalize their encryption laws. They aim to inoculate the EU against the threat of organized and unaccountable spying posed by the US-led Echelon system. This movement toward the free export of 128-bit crypto will put further pressure on an ever-more-isolated US policy of export control. This Nando Times article [2] gives a good brief overview of worldwide concerns over Echelon.

(Note: turn off graphics before following [1]. The text alone downloads 332K and the graphics add little to the report.)

[1] http://www.iptvreports.mcmail.com/interception_capabilities_2000.htm
[2] http://www.nandotimes.com/technology/story/body/0,1634,89923-142316-981920-0,00.html

* Sweden: general license for 128-bit crypto

Sten Linnarsson <sten at cajal dot mbb dot ki dot se> of the Karolinska Institute published this note to the EUcrypto mailing list.

I finally managed to confirm that the decision taken on June 23rd [3] [this link is in Swedish] to liberalize crypto export takes the form of a general export license which allows you to export 128-bit mass-market crypto to a list of approved countries.

The EU is not considered "export"; you can distribute any crypto you like within it. The general license extends to about 60 countries, including USA, most of South America, China, Japan, Israel, Egypt, India, the Baltic states, Russia, Indonesia, and Mexico. Absent are, among others: Serbia, Libya, Afghanistan, Colombia, most African countries, and some Central American countries.

"Mass-market" has the same definition as in Wassenaar (sold in mass-market channels, accessible to the public, crypto not modifiable, installable without support).

With Germany and France already moving, this probably means that most EU countries will move toward free strong crypto.

The general license can be found in Tullverkets Författningssamling TFS 1999:40, July 1st 1999.

[3] http://www.ud.se/pressinf/pressmed/1999/juni/990623_5.htm

* Germany deregulates crypto exports

A German technology magazine published a brief piece [4] (in German) stating that the German government intends to remove most of the red tape from the export of commercial crypto products. Here is a rough translation of the article, courtesy of TBTF Irregulars [5] Justin Mason <jm at netnoteinc dot com> and Mark Kraml <kraml at ibm dot net>:

German encryption software to be freely exportable. The Federal Republic eases the export of encoding technique. Exporters of [crypto products], which can be qualified as mass-market goods, will no longer need individual permits starting September 1st for third country markets. "There are no limits based on any specific key lengths," said secretary of state for the economy [Siegmar Mosdorf] on Friday in Berlin. Rather, for mass-market products a basic export control requirement will be defined in the future, which, however, is reduced to the absolute minimum necessary.

The new regulation applies to all but a few countries worldwide, if goods are not intended for "a sensitive use as in military work or for weapons of mass destruction." [Exporters] must decide in the future whether their products qualify for the exemption and maintain documentation to that effect. There is no longer a general requirement to register.

[4] http://www.heise.de/newsticker/data/cp-27.08.99-003/
[5] http://tbtf.com/the-irregulars.html

___

Sorting out the Microsoft _NSAkey flap

Did Microsoft build a back door into Windows for the NSA? I'm doubting it

By now you've heard all about the extra signing key found in Microsoft's CryptoAPI in all Win95, 98, NT, and 2000 systems. Here's the posting by Andrew Fernandes that started all the fuss [6]. The BBC has an annotated screen shot [7] of a debugger session showing the variable named, portentously, _NSAkey. Microsoft's official response [8] to the flap makes a whole lot more sense than assuming that the National Security Agency had somehow weakened Microsoft's crypto and tagged the fix "_NSAkey." To put a few authoritative nails in this coffin, read the thoughts of Russ Cooper [9], proprietor of NTBugTraq, and of the noted cryptographer Bruce Schneier [10].

The investigations of Fernandes (building on work last year by Nicko van Someren and Adi Shamir) have publicized a way to disable crypto export control in Windows. Anyone outside the US can replace _NSAkey with their own key, and use that key to sign a crypto module of any strength, and then use that strong crypto under the auspices of Windows. But note that this impotence of Microsoft's CryptoAPI to control what crypto gets run is not new news. Bruce Schneier pointed out this Windows weakness in his CRYPTO-GRAM newsletter last April [11], before anybody discovered the name of the replaceable second key.

Over the weekend Brian Gladman <gladman at seven77 dot demon dot co dot uk> posted a note [12] to the UK Crypto list demonstrating that the Microsoft CryptoAPI had been a serious political issue in Britain 3-1/2 years ago. He worked with British authorities to make sure that Microsoft UK was able to sign cryptographic modules separately from the US authority.

The _NSAkey fiasco raises four separate issues, and little of the commentary I've read makes much effort to disentangle them. The issues are:

  1. Did Microsoft collude with the NSA? (Answer: who knows? Probably not.)

  2. Will Microsoft's actions allow the NSA to penetrate the computers of Windows users? (Answer: almost certainly not.)

  3. Did the US government, represented by the NSA, work with Microsoft to assure that only weak crypto is exportable in the Windows framework? (Answer: absolutely.)

  4. Does Microsoft's CryptoAPI implementation allow anyone to circumvent the restrictions imposed by US crypto export rules? (Answer: yes, demonstrably.)

What will be the fallout of this tangle? Even more people will be made aware that Microsoft security is porous. Even more people will learn of the utter inability of US controls to stop the export of technology which truly escaped a decade ago. And even fewer people will believe what Microsoft says, even though in the matter of the _NSAkey the company is probably telling the truth. A few years back Nicholas Petreley, the IDG pundit, summed up the common perception this way:

If you threw Microsoft into a room with truth, you'd risk a matter / anti-matter explosion.

[6] http://www.cryptonym.com/hottopics/msft-nsa.html
[7] http://news.bbc.co.uk/olmedia/435000/images/_437967_nsa300.gif
[8] http://www.microsoft.com/security/bulletins/backdoor.asp
[9] http://ntbugtraq.ntadvice.com/_nsakey.asp
[10] http://www.deja.com/getdoc.xp?AN=520853963
[11] http://www.counterpane.com/crypto-gram-9904.html#certificates
[12] http://jya.com/msnsa-not.htm
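The mechanism behind issue 4 above, as an added example that is not code from this newsletter and not Microsoft's CryptoAPI: a toy model of a module loader that accepts a crypto module if its signature verifies under either of two public keys embedded in the loader itself. Textbook RSA with a fixed random seed stands in for the real signature check; the key sizes, the `CspLoader` class, the sample module bytes and the hypothetical names in `demo()` are assumptions for illustration. Needs Python 3.8 or later for `pow(e, -1, phi)`.

```python
"""Toy model of a code-signing loader that trusts two public keys.

Added example; not the newsletter's code and not Microsoft's CryptoAPI.
Textbook RSA with a seeded generator, for illustration only (not secure).
Requires Python 3.8+ for pow(e, -1, phi).
"""
import hashlib
import random

_rng = random.Random(1999)  # fixed seed: the same keys every run


def _is_probable_prime(n, rounds=20):
    """Miller-Rabin test, adequate for a demo."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(_rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        cand = _rng.getrandbits(bits) | (1 << (bits - 1)) | 1  # top and low bits set
        if _is_probable_prime(cand):
            return cand


def generate_keypair(bits=512):
    """Return ((n, e), (n, d)). The key size is an assumption of the demo."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:  # e is prime, so this is gcd(e, phi) == 1
            break
    n = p * q
    return (n, e), (n, pow(e, -1, phi))


def _digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(priv, data):
    n, d = priv
    return pow(_digest(data, n), d, n)


def verify(pub, data, sig):
    n, e = pub
    return pow(sig, e, n) == _digest(data, n)


class CspLoader:
    """Loads a crypto module if its signature verifies under EITHER trusted key.

    Both keys are plain data inside the loader, as the two RSA keys were
    inside the Windows DLL that checks CSP signatures.
    """

    def __init__(self, primary, secondary):
        self.keys = [primary, secondary]

    def load(self, module, sig):
        return any(verify(k, module, sig) for k in self.keys)


def demo():
    """Return (rejected_before_patch, accepted_after_patch, vendor_key_still_works)."""
    vendor_pub, vendor_priv = generate_keypair()
    backup_pub, _ = generate_keypair()       # stands in for the key named _NSAKEY
    my_pub, my_priv = generate_keypair()     # key of someone outside the US
    loader = CspLoader(vendor_pub, backup_pub)
    module = b"CSP offering 128-bit ciphers (constructed sample bytes)"
    my_sig = sign(my_priv, module)

    before = loader.load(module, my_sig)     # False: the signer is not trusted
    loader.keys[1] = my_pub                  # overwrite the second key on disk
    after = loader.load(module, my_sig)      # True: same module, same signature
    vendor_ok = loader.load(module, sign(vendor_priv, module))  # True: vendor unaffected
    return before, after, vendor_ok


if __name__ == "__main__":
    print(demo())  # (False, True, True)
```

The point the model makes: the loader's policy is "valid under key 1 or key 2", and both keys sit in the loader's own file, so whoever can rewrite the second key becomes a trusted signer without needing any secret from Microsoft. That is why the key's presence defeats the export-control check (issue 4) while saying nothing about whether its holder can break into a Windows machine (issue 2).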

___

US Army moves from NT to Macintosh Web server

They picked your locks? Then put up a brick wall

After the hacker group Global Hell defaced the US Army's Web site [13] (note: link may deactivate after 1999-09-15), the Army investigated ways to secure their Web presence. One action the service took was to shut down their public-facing Windows NT server and replace it with a Macintosh [14] running the WebStar server. As one poster noted in the Slashdot discussion [15], one factor that renders MacOS secure is its "quaint" (his word) native reliance on the AppleTalk protocol rather than TCP/IP. An out-of-the-box Macintosh on the Net presents no listening TCP ports through which attackers may enter other than port 80 for the Web server. Two years ago the Crack-a-Mac Challenge [16] survived thousands of break-in attempts over 6 weeks before succumbing to a hole (immediately fixed) in a 3rd-party add-on to the WebStar server.

The White House server was also cracked by Global Hell, which may motivate this Federal Times story's claim [17] (note: this looks like a temporary URL) that the executive is studying how best to diversify the government's infrastructure away from reliance on Microsoft in favor of open source systems.

Look for a marked dip in Windows sales to the US government and, over time, to other organizations with high security needs. The introduction of Windows 2000, with its reportedly immense learning curve, might make a natural break-point.

[13] http://www.washingtonpost.com/wp-srv/feed/articles/a656-1999sep1.htm
[14] http://www.dtic.mil/armylink/news/Sep1999/a19990901hacker.html
[15] http://slashdot.org/comments.pl?sid=99%2F09%2F10%2F1034202&...
[16] http://tbtf.com/archive/1997-08-18.html#s01
[17] http://www.federaltimes.com/topstory.html

___

Swedish teen on trial for linking to music files

Digital technology is the universal solvent of intellectual property rights

Is it piracy to put up a page of links to music files? Tommy Olsson is waiting to hear a Swedish court's ruling on that question [18]. Olsson didn't create any music files, copy them, or send them to anyone. The case is the first to go to trial of some 1000 Web sites challenged over the last two years by the Swedish branch of the International Federation of the Phonographic Industry, which represents record companies. If convicted Olsson could be fined a few hundred dollars, which is about how much he made from ads on his Web site. But a conviction could leave him liable for damages. Thanks to TBTF Irregular [5] Chuck Bury <cbury at softhome dot net> for the tipoff. And thanks, indirectly, to Tom Parmenter <tompar at world dot std dot com> for the subtitle -- it's been his tag line on the now-revived Desperado mailing list since the early 1980s. (Send the message subscribe to desperado-request@world.std.com.)

[18] http://www.mercurycenter.com/svtech/news/breaking/merc/docs/043449.htm

___

Robot misbehavior

In recent days I've seen two instances of the effect a runaway robot can have on a Web site. The first was close to home: for eight days beginning on 1999-08-27, up to a third of the bytes in my log file were failed attempts by someone inside Microsoft's firewall to use my site as a proxy for a content channel at real.com. This was merely annoying and inconvenient. The second instance was potentially more serious: a commercial Web site was discovered transferring its costs onto an uninvolved Netizen. The current informal standard governing how robots act on a site, the robots.txt file, is silent on these sorts of abuses.

* Log-file pollution

Someone at Microsoft was polluting my Web log file. Every minute of every day, at 18 seconds after the minute, someone at Microsoft was depositing the following 339-character string into my Web log (nearly 1/2 MB per day). I've broken it into 60-character chunks for convenience.

  tide78.microsoft.com - - [01/Sep/1999:23:59:18 -0500] "GET h
  ttp://channels.real.com/getlatest.glh?PV=6.0.6.45&OS=WIN&L=e
  n-US, en, *&LID=1033&ch=70+132+0+0+programs=intro,52,33,50&c
  h=52+425+0+0+0&ch=72+30+0+0+0&ch=16+358+0+0+0&ch=44+281+0+0+
  0&ch=33+327+0+0+0&ch=47+386+0+0+0&ch=73+18+0+0+0&ch=94+167+0
  +0+0&ch=98+24+0+0+0 HTTP/1.0" 403 220 -
tide78 is one of Microsoft's gateways; traffic from such an address means that someone at microsoft.com is calling. Note that the request line names a full URL on another host (channels.real.com) rather than a path on my server, which is the form a browser sends only to something it takes for a proxy. The 403 near the end means that my server refused the proxy request. So this impolite behavior gained its perpetrator not a fig. TBTF's host ISP wrote to Microsoft asking them to locate and stop this logfile polluter, but got back only a form letter.

My guess is that someone with a channel-enabled browser (IE5?) happened to be looking at tbtf.com when setting up a channel request, and somehow ended up proxying the once-a-minute request through my site.

I posted my dilemma as a Tasty Bit of the Day with the title Please make it stop and implored any reader within Microsoft to forward it to the IS department. Three readers wrote in with helpful comments; one had forwarded my problem to the appropriate Microsoft group. The barrage ceased 20 hours later. (The power of the press belongs to him as owns one.)

* Cost transfer

After I posted the above, a reader sent in the following note that Linus Gelber <linus at panix dot com> had posted to a local list. It is excerpted here by permission.

So I'm browsing our logs from the Home Office Records site [19] yesterday and I note that our Gigometer page of local concert listings is being downloaded every 15 minutes by a certain netmind.com, which turns out to be a service that alerts customers when web pages of their choice have been updated.

Our stats for the first four days of September show that netmind.com made 501 file requests from our site before we blocked them, for a total of nearly 5 megs of transfer (it appears that we caught them very early). Had this gone unchecked, they would ultimately have been downloading 120 to 150 megs a month for their commercial service, for which of course we would be footing the bill. I've written them concerning theft of services and general inappropriate behavior.

[19] http://www.web-ho.com/
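An added example, not the newsletter's own code, that checks Apache common-log lines for both misbehaviours described above: clients whose request line names an absolute URL (the proxy-style request the tide78 entry shows) and clients that re-fetch the same path on a fixed schedule (what netmind.com was doing). The first sample line reassembles the tide78 entry quoted above; the remaining lines, the /gigometer.html path, the byte counts and the hostname dialup-42.example.net are constructed for the demonstration, and the thresholds in `analyze()` are assumptions.

```python
"""Spot two kinds of robot misbehaviour in Apache common-log lines: proxy-style
requests (a full URL as the target) and one client polling a page on a schedule.

Added example; not the newsletter's code. The sample lines are constructed,
except the first, which reassembles the tide78 entry quoted in the text.
"""
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit

LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>.*?) (?P<proto>HTTP/[\d.]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

TIDE78_LINE = (
    'tide78.microsoft.com - - [01/Sep/1999:23:59:18 -0500] "GET '
    'http://channels.real.com/getlatest.glh?PV=6.0.6.45&OS=WIN&L=en-US, en, *'
    '&LID=1033&ch=70+132+0+0+programs=intro,52,33,50&ch=52+425+0+0+0'
    '&ch=72+30+0+0+0&ch=16+358+0+0+0&ch=44+281+0+0+0&ch=33+327+0+0+0'
    '&ch=47+386+0+0+0&ch=73+18+0+0+0&ch=94+167+0+0+0&ch=98+24+0+0+0 HTTP/1.0" '
    '403 220 -'
)

# Constructed lines: hostnames, paths and sizes are assumptions for the demo.
SAMPLE_LOG = [
    TIDE78_LINE,
    'tide78.microsoft.com - - [02/Sep/1999:00:00:18 -0500] '
    '"GET http://channels.real.com/getlatest.glh?PV=6.0.6.45 HTTP/1.0" 403 220 -',
    'netmind.com - - [01/Sep/1999:10:00:02 -0500] "GET /gigometer.html HTTP/1.0" 200 9871',
    'netmind.com - - [01/Sep/1999:10:15:02 -0500] "GET /gigometer.html HTTP/1.0" 200 9871',
    'netmind.com - - [01/Sep/1999:10:30:02 -0500] "GET /gigometer.html HTTP/1.0" 200 9871',
    'netmind.com - - [01/Sep/1999:10:45:02 -0500] "GET /gigometer.html HTTP/1.0" 200 9871',
    'dialup-42.example.net - - [01/Sep/1999:10:07:44 -0500] "GET /gigometer.html HTTP/1.0" 200 9871',
    'dialup-42.example.net - - [01/Sep/1999:10:08:10 -0500] "GET /index.html HTTP/1.0" 200 4100',
]


def parse_line(line):
    """Return a dict for one common-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["when"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    return rec


def is_proxy_request(target):
    """True when the target is a full URL (scheme and host), not a local path."""
    parts = urlsplit(target)
    return parts.scheme in ("http", "https") and bool(parts.netloc)


def analyze(lines, min_hits=3, max_interval=1800, jitter=60):
    """Summarise proxy abuse, scheduled polling and bytes served per client.

    A (client, path) pair counts as polling when fetched at least min_hits
    times, every gap at most max_interval seconds and gaps within jitter
    seconds of each other (a timer, not a person).
    """
    proxy = defaultdict(int)
    bytes_out = defaultdict(int)
    fetches = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        bytes_out[rec["host"]] += rec["size"]
        if is_proxy_request(rec["target"]):
            proxy[rec["host"]] += 1
            continue
        fetches[(rec["host"], rec["target"])].append(rec["when"])

    polling = {}
    for key, times in fetches.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if max(gaps) <= max_interval and max(gaps) - min(gaps) <= jitter:
            polling[key] = (len(times), sum(gaps) / len(gaps))
    return {"proxy": dict(proxy), "polling": polling, "bytes": dict(bytes_out)}


if __name__ == "__main__":
    for section, value in analyze(SAMPLE_LOG).items():
        print(section, value)
```

The bytes total is what Gelber's complaint is about: the polling client's share of transfer is the cost being shifted onto the site, and it is the number to put in the letter. Blocking by hostname, as Home Office Records did, is the immediate fix; robots.txt gives a polite robot a way to stay off a path but, as noted above, says nothing about how often it may come back.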

___

Smart dust

News from the micro- and nano-scale frontiers

The German publication Telepolis caught the Net's attention with a story [20], possibly picked up from the New Scientist [21], about Berkeley researchers and their smart dust [22]. The 5-mm devices they have constructed can sense local conditions and communicate using beams of light. Though the devices are far too large to be called "dust" -- what they are is Micro Electro-Mechanical Systems, or MEMS -- Slashdot was alive with speculation about invisible FBI bugs wafting in the open window. One poster quipped:

Hey, I can see a nice combination of borderline schizophrenia and obsessive-compulsive behaviour emerging here: keep cleaning everything because the FBI may be spying on you.

Research leading even deeper into Neal Stephenson territory [23] is being carried out at Boston College. Scientists there have constructed the beginnings of a motor using just 78 atoms [24]. It is powered by ATP, the molecule that your mitochondria and mine produce to power cells. The same issue of Nature that carried news of the Boston College nano-scale motor also reported on another molecular motor constructed by German, Dutch, and Japanese scientists [25]. This one runs on light.

[20] http://www.heise.de/tp/english/inhalt/co/5269/1.html
[21] http://www.newscientist.com/ns/19990828/newsstory2.html
[22] http://robotics.eecs.berkeley.edu/~pister/SmartDust/
[23] http://www.amazon.com/exec/obidos/ASIN/0553573314/tbtf/
[24] http://news.bbc.co.uk/hi/english/sci/tech/newsid_441000/441670.stm
[25] http://abcnews.go.com/sections/science/DailyNews/nanomotors990908.html

___

Dark matter annihilation at the galaxy's core

Probing a giant black hole, quite indirectly

The center of our galaxy contains, scientists assume, a black hole several million times as massive as our own sun. Such an object makes conditions highly interesting for light-years around. Now a pair of physicists have calculated [26] how the (putative) black hole would affect the (putative) halo of "dark" matter in its vicinity. They suggest the black hole would sculpt any dark matter into a dense spike where particle interactions would be more frequent. If hypothetical particles called neutralinos (you read that right) make up the bulk of the dark matter, as a leading hypothesis supposes, they would self-annihilate like crazy. The neutralino is its own antiparticle, you see. I am not making this up. The annihilations would produce, in addition to the expected gamma rays [27], a soup of energetic particles including neutrinos, which would be most useful for probing the galactic core. These neutrinos could be detected in tiny numbers by vast "telescopes" composed of thousands of gallons of purified water or perhaps dry-cleaning fluid.

Do you see why I love this stuff?

[26] http://www.aip.org/enews/physnews/1999/physnews.446.htm
[27] http://www.compart.fi/~flc/right.html

___

Partial eclipse on the noon line

The partial eclipse at the Duomo

Natural phenomenon meets ancient scientific instrument

Three weeks before last month's solar eclipse, Mark Gingrich <grinch at rahul dot net> posted a request to several astronomy newsgroups. Gingrich knew that many central European churches and cathedrals are set up as giant pinhole cameras -- they feature a tiny hole in the dome or cupola and an inscribed meridian line somewhere inside. When the sun's projected image crosses the "noon mark," it's noon local time. The most famous such arrangement was designed 350 years ago by the astronomer Gian Domenico Cassini for the Church of San Petronio in Bologna, Italy. Gingrich asked for photos of the partially eclipsed sun as it crossed the meridian lines in these historical scientific instruments. Gingrich's request bore fruit and Franco Martinelli has put up this page [28] with the results. Many thanks to TBTF Irregular [5] Mary Ellen Zurko for the pointer.

[28] http://www.nauticoartiglio.lu.it/almanacco/Aa_ecli_13.htm

___

Here's how it works

A wake-up call to PR flaks everywhere

Rebecca Eisenberg, net.skink [29] and one of the top 25 women on the Web [30], wrote up her advice [31] to public relations specialists in the Internet industry. It is squarely on target.

If you send in paper what obviously should have been sent in email, I assume that you don't understand your own product. Then why would I ever take your word for anything? Have you ever been on line? Here's how it works: you send a message, it reaches me without bothering me, and I click on the URLs you include.

I had occasion last week to refer a PR person to this page. Oddly, she never did get back in touch to thank me.

Note added 2000-09-10: Found an independent page [31a] by a Dutch journalist offering much the same advice.

[29] http://eXaminer.com/skink/
[30] http://www.wired.com/news/print_version/culture/story/17451.html?wnpg=all
[31] http://www.bossanova.com/rebeca/clips/prletter.html
[31a] http://www.vanderzande.com/rtfm/pers-e.html


Sources

* For a complete list of TBTF's email and Web sources, see http://tbtf.com/sources.html.

Benefactors

* TBTF is free. If you get value from this publication, please visit the TBTF Benefactors page and consider contributing to its upkeep.

TBTF home and archive at http://tbtf.com/ . To (un)subscribe send
the message "(un)subscribe" to tbtf-request@tbtf.com. TBTF is Copy-
right 1994-1999 by Keith Dawson, <dawson dot tbtf at gmail dot com>. Commercial
use prohibited. For non-commercial purposes please forward, post,
and link as you see fit.
_______________________________________________
Keith Dawson    dawson dot tbtf at gmail dot com
Layer of ash separates morning and evening milk.

___

Most recently updated 2000-09-10