The new regulations governing crypto export are dubbed EAR (Export Administration Regulations) -- for the hypertext version [1] thank John Young <jya at jya dot com>: the full text [2] weighs in at 109K. EAR replaces the ITAR (International Trafficking in Arms Regulations), administered by the State Department since the early days of the Cold War. The revised regulations contain the same "prior restraint" features that got the ITAR declared unconstitutional in Federal court in December [3]. The plaintiff in that case, Daniel Bernstein, has requested [4] that the government delay implementing the new rules until a judge rules on their constitutionality; if such a delay is not stipulated [5] then Bernstein will ask for an injunction. Bernstein is scheduled to begin teaching a class on encryption next Monday 1997-01-13, and unless the EAR is delayed he could face prosecution if he posts course materials on the Internet.

Posters to the Cryptography mailing list, particularly Lucky Green <shamrock at netcom dot com>, have uncovered the following wrinkles in the new regulations. In each post Green cautions "IANAL" (I am not a lawyer), and I hereby do the same.

• The EAR bans the export of certain non-crypto data security software such as virus checkers and firewalls. Any U.S. company offering a virus checker for download on its Web or FTP site is probably in violation of the EAR.

• Key-recovery provisions stipulate that keys be made available without knowledge of the user. Some suggested key-recovery schemes would alert the user when keys were requested; such schemes are presumably now out of bounds.

• The new rules forbid U.S. entities from entering into foreign contracts for cryptographic work, closing the loophole long used by C2 and others [6]. The prohibition against "financing, contracting, service, support, transportation, freight forwarding, or employment" can be found about halfway down [7]; search for "General Prohibition Seven."

[1] <http://www.jya.com/eartoc.htm>
[2] <http://www.eff.org/pub/Privacy/ITAR_export/961230_commerce.regs>
[3] <http://www.tbtf.com/archive/1996-12-24.html>
[4] <http://www.eff.org/bernstein/Legal/961230.letter>
[5] <http://www.eff.org/bernstein/Legal/961230_proposed.stipulation>
[6] <http://www.tbtf.com/archive/1996-08-08.html>
[7] <http://jya.com/bxa123096.txt>

Carl M. Ellison <cme at acm dot org> has put considerable thought into clarifying the debate over cryptography, and his distillation of the central issue [8] is one of the more clearheaded pieces of writing you'll find anywhere in this emotional landscape. As Ellison sees it, a fundamental question goes unaddressed by either side: do citizens of a country have a right to attempt to achieve privacy from their government, or should they be forced to submit to covert surveillance? Both sides vigorously behave as if the answer to this question were obvious, but their assumed answers are diametrically opposed.

If anyone wishes to contribute an analysis based on quantum complementarity, I'll publish any such essay that illuminates the debate.

[8] <http://www.clark.net/pub/cme/html/cdebate.html>

A panel of security experts convened by the Defense Department recommended spending an additional $3 billion over the next 5 years to stiffen U.S. telecom/computing infrastructure resistance to an anticipated "electronic Pearl Harbor." The story appeared in the Wall Street Journal for 1997-01-06; you will need to sign up for a trial subscription to follow this link [9]. The report is bluntly worded and calls the current military information-security practices and assumptions "ingredients in a recipe for a national security disaster." (Military spokesmen demur, anxious not to countenance outside kibitzing on their current $1.6B annual info-security budget.)

The task force's chairman, Duane Andrews, noted in an interview that U.S. law forbids the military from implementing strong countermeasures, such as a program to "repel and pursue" those who try to hack into DoD computer systems. He wants the law changed so the Pentagon can respond by injecting attackers' computers with "a polymorphic virus that wipes out the system, takes it down for weeks." Fans of due process will be gratified that there is no report of such a technique (William Gibson called it "ice") being mentioned in the study proper.

Andrews added, "Most of the stuff in [the report] is a message to industry, too. A large international bank has exactly the same problems and challenges as the Defense Department."

Dan Farmer <zen at trouble dot org> would probably agree. The man whose 1994 release of the SATAN security-scanning program [10] got him dismissed from SGI has recently published the results of a study [11] in which he examined the vulnerability of 1700 high-profile, commerce-oriented Web sites. These are the kind of sites we'd like to believe are exquisitely sensitized to security concerns. Farmer did nothing illegal, he claims: "I barely electronically breathed on these hosts." Nevertheless he found over 60% of the sites vulnerable to compromise or destruction by simple and widely known breakin techniques. He estimates that a further 10% to 20% would yield to more sophisticated attacks.

Thanks to Dan Kohn <dan at teledesic dot com> for pointing me to the military study and to Keith Bostic <bostic at bsdi dot com> for the civilian.

[9] <https://interactive3.wsj.com/edition/current/articles/SB852510741339022000.htm>
[10] <http://www.trouble.org/~zen/satan/satan.html>
[11] <http://www.trouble.org/survey/>

RSA wants to demonstrate the relative vulnerability of the 56-bit Data Encryption Standard (approved for export, with key recovery under the new EAR) against the company's own RC5 Symmetric Block Cipher algorithm. RSA will award $10,000 to the first sender of the secret DES key used to encode a target "ciphertext," which they will post to their Web site on 1/27. At the same time the company will initiate 12 shots at RC5, (summary at [12], details at [13]). Participants are challenged to discover RC5 keys ranging in length from 40 to 128 bits in steps of 16 bits; prizes offered range from $200 to several thousand dollars based on key length.

Peter Trei <trei at process dot com> has been working on code to make it easy for PC users across the Net to participate in these challenges. He notes in a work-in-progress report to the Cryptography list that code should be available by mid-to-late January.

[12] <http://www.rsa.com/rsalabs/97challenge/>
[13] <http://www.rsa.com/rsalabs/97challenge/secret-key.htm>

If you use email you're in no doubt that spam is on the rise. Zero Junk Mail Inc. [14] offers the service of removing your name from the spammers' lists; they claim they can reduce your junk mail by 75% within a year. The catch is that even those spam practitioners who follow the recommendations of the Direct Marketing Association by offering their victims a way off their lists may not accept third-party "unsubscribe" requests. Media Daily spotlights ZJM and two other antispam products at [15].

TSW offers a $10 shareware package called eFilter [16] for PCs that previews the email waiting on your POP server and deletes messages containing keywords that you specify, leaving a log for your examination. The drawback here is that it only works for repeat offences from a particular spammer. Don't know about you, but the bulk of the spam I receive is one-shot.

Rosalind Resnick <rosalind at netcreations dot com>, one of the early practitioners who helped us all to figure out how online marketing could be done within the best traditions of the Net, may have invented a better way. Her NetCreations site offers a service [17] at which users can sign up for online solicitations that they actually want to read. At the time of my visit the site listed 1327 areas of interest. I sincerely hope that the online direct-marketing community flocks to Resnick's service and she becomes very rich. The gloomy alternative is spelled out by John C. Dvorak <dvorak at aol dot com> in the December 1996 Boardwatch magazine:

> In direct mail, you lose money if you solicit people who do not want
> to buy. So you are careful [to target your messages] or you go broke.
> With email marketing, this natural selection process will never hap-
> pen... Why should anyone care about targeting when mail is free?...
> I wonder what we will do when thousands of spams show up in our email
> each and every day?

Aside : speaking of early practitioners, I recently recrossed the traces of Christopher Locke <clocke at panix dot com>, whose writings while he was at Mecklermedia, in 1994, laid the foundations for my thinking about online marketing. Locke is now VP Business Development and webmaster at Displaytech [18], a Colorado manufacturer of "portable displays that don't suck." His breathlessly postmodern press release begins:

> Displaytech makes miniature high-resolution full-color multi-hyphen-
> modified displays that fit on a computer chip the size of your thumb-
> nail. magnifying the image yields a virtual screen as good as any
> desktop monitor. the tech is fast and small enough so that it can
> be embedded in head mounted color displays that don't make the people
> wearing them look as if they just landed from mars.

Aside : speaking of Boardwatch magazine, their third quarterly guide to U.S. ISPs is now available; it contains the best answer, in technical detail, that I have ever read to the question: What is the Internet? This article (written by editor Jack Rickard), like the rest of the ISP guide, is available on the Web [19] (53K) -- but I suggest you obtain [20] the dead-trees edition and give it close study.

[14] <http://www.zerojunkmail.com/email.htm>
[15] <http://www.mediacentral.com/Magazines/MediaDaily/OldArchives/199612/1996122706.html>
[16] <http://catalog.com/tsw/efilter/>
[17] <http://www.netcreations.com/postdirect/business.html>
[18] <http://www.displaytech.com>
[19] <http://www.boardwatch.com/isp/fallisp/archi.htm>
[20] <http://www.boardwatch.com/isp/isporder.htm>

A rumor to this effect was carried in ComputerGram some time before 1997-01-09. If you have a subscription (I don't, myself) you can follow this link [21]. Rumors over the last six months have suggested that Compaq, desiring to be taken seriously as an enterprise-capable computer company, wanted to buy Digital's systems support business. These talks came to a halt and were renewed recently, again according to rumor, this time with the aim of a full acquisition. ComputerGram runs through a money exercise to demonstrate that at current stock prices such a deal would make sense even if Compaq closed down the Alpha chip business and wrote it off.

[21] <http://www.computerwire.com/cgi-bin/gram/print_hit_bold.pl/computergram/1997/2592_1CE.HTM?Compaq+acquire+DEC#first_hit>

Domain name policy See also TBTF for 2000-04-19, 03-31, 1999-12-16, 10-05, 08-30, 08-16, 07-26, 07-19, 07-08, 06-14, 05-22, more...

IAHC domain-name plan is drawing fire

TBTF for 1996-12-24 [22]

TechWire reports [23] that opposition is mounting to the draft International Ad Hoc Committee plan for extending the number of top-level domains. Complaints include the 60-day waiting period for new names and the proposed lottery system for choosing the initial suppliers. The president of one Web-design firm, who has invested to develop the unofficial top-level name .web, says he is "unwilling to roll the dice" on this sunk cost. An overall criticism is that the committee's recommendations are unbalanced, favoring large tradename holders at the expense of smaller players -- a charge that is frequently levelled against InterNIC, the current monopoly holder in the granting of top-level names.

[22] <http://www.tbtf.com/archive/1996-12-24.html>
[23] <http://192.215.107.71/wire/news/0105domain.html>

Worldwide roaming access

TBTF for 1996-11-12 [24]

Netcom, one of the largest U.S. ISPs, has signed with AimQuest [25] to provide global roaming access to its customers. AimQuest's program is one of several sources of "virtual tunneling" among a network of ISPs to extend the geographical reach of all the members.

[24] <http://www.tbtf.com/archive/1996-11-12.html>
[25] <http://www.aimquest.com/ncrel.html>

Microsoft backpedals on license wording

TBTF for 1996-12-14 [26]

Microsoft will reword its Java SDK license agreement to assuage user fears that their applications might be legally bound to run exclusively on Microsoft's Java Virtual Machine. According to TechWire [27], some user organizations have told their engineers to de-install the Visual J++ Java development environment, worried that under deadline pressure engineers might succumb to the temptation offered by existing ActiveX (i.e., OLE) components -- thus rendering important aplications Windows-specific and obviating the "write-once, run-anywhere" promise of Java.

[26] <http://www.tbtf.com/archive/1996-12-14.html>
[27] <http://192.215.107.71/wire/news/0105java.html>

FC97 conference, Anguilla, BWI: bandwidth on a beach

TBTF for 1996-09-23 [28]

Preparations continue apace for the first refereed conference on financial cryptography. Robert Hettinga <rah at shipwright dot com>, one of the organizers, reports that Community Connexion is about to make the world's largest ecash transaction to date by purchasing its exhibition space using DigiCash's ecash [29].

Below is an excerpt from a Hettinga rant in which he expounds, with storied prolixity, on the reasons why you must attend this conference. Reason number 8:

> FC97 is chance for those of us who only know each other on the net
> to actually meet face to face and start to develop the kind of per-
> sonal relationships and trust we'll all need to create the future
> of finance on the Internet... And, while the whole point to finan-
> cial cryptography is that we won't need to have face-to-face contact
> for financial relationships, much less regulation, there's still,
> currently, more bandwidth in a conversation on an Anguillan beach
> to develop that trust relationship than there is anywhere on the
> Internet.

I've got my reservations in (settlement by First Virtual) -- if you're going I'll see you on the beach in February.

[28] <http://www.tbtf.com/archive/1996-09-23.html>
[29] <http://www.digicash.com/>

Herewith two examples of corporate moves that the PR firms of PGP, Inc. and Viacom should have warned their clients away from.

Mark Rosen <mrosen at peganet dot com> is developing a program he has been calling Very Good Privacy. He received a complaing letter from PGP, Inc. and was casting about for a new name. Posting a call for alternatives to the cypherpunks mailing list (subject: "The product formerly known as VGP") netted these not terribly helpful suggestions:

>>From Timothy C. May <tcmay at got dot net>:
> How about something like "Really Secure Algorithm"? (I doubt
> people would confuse your program with the Republic of South
> Africa, usually abbreviated as "RSA," so there should be no
> further collision problems.)

>>From <snow at smoke dot suba dot com>:
> Call it Prince Cypher, the product formerly known as VGP.

A tip of the Tasty Hat to Peter S. Langston <psl at acm dot org> for this one. Further credit where due: Langston titled his email "Pretty bad publicity."

From Edupage (1997-01-05):

> Viacom, which owns the copyright to "Star Trek" products, is ordering
> Web sites to remove any Star Trek artistic renderings, sound files,
> video clips, and book excerpts they are now presenting. There is an
> official Star Trek site available on the Microsoft Network, available
> only to MSN subscribers. (Atlanta Journal-Constitution 3 Jan 97 F3)

(For a .gif image of the sort of letter Viacom has been sending see [29a].) An Infoseek search turns up 84,618 sites that contain the phrase "Star Trek," and 8,044 with this phrase in their title. That's a lot of Tribbles to stomp.

[29a] <http://www.loskene.com/letter.gif>

Comet Hale-Bopp is now separating from the sun in the morning sky and is expected to make a spectacular showing over much of the world in March and April. It may even be The Comet of the Century, though astronomers are touchingly reticent to say so after the over-hyped and disappointing displays of Kohoutek in 1974 and Halley in 1986.

Riley Rainey <rrainey at ix dot netcom dot com> sent along a fine piece (titled Tasty Bits from the Astronomical Front) regarding the comet and the furor that erupted around it last November. Three days later the Red Rock Eater News Service carried an account of the affair by Paul Saffo, emphasizing that the Internet can be used to quash a rumor that happens not to be true, as well as it can be used to fan one.

Last November an amateur astronomer named Chuck Shramek took a photograph that had him puzzled: it seemed to show a "Saturn-like object" in the field of view with the comet. Shramek could not find any corresponding bright star with his PC-based "sky" software, MegaStar. Making the assumption that the unknown object was near the comet when imaged, Shramek concluded that this was a UFO four times as large as the Earth. He called a late-night national talk-radio show hosted by Art Bell and, as Rainey describes it:

> Lots of furor followed. The San Jose Mercury News covered it. MS-NBC
> covered it. Megabytes of netnews traffic. Outraged scientists. Out-
> raged conspiracy buffs. Outraged aliens...

[ Joe Bob says "Check it out." -- ed. ]

Russell Sipe <rsipe at sipe dot com> had been growing an award-winning site [30] devoted to the comet with contributions from its discovers, Alan Hale and Tom Bopp. Within a couple of days he had pulled together a definitive debunk [31] of the Saturn-Like Object: identifying it (it was the 8th-magnitude star SAO 141894), explaining its apparent ring-like spokes, and guessing plausibly why Shramek had failed to identify it using MegaStar.

The comet will make its closest approach to the sun in late March and its closest approach to Earth on April 1. It will then be about 100 million miles away. See [32] for help in visualizing Hale-Bopp's path through the inner solar system.

[30] <http://www.halebopp.com:80/>
[31] <http://www.halebopp.com:80/slo1a.htm>
[32] <http://www.halebopp.com:80/hb3dpath.gif>

TBTF for 1996-05-20 [33]

Microsoft Word macro viruses are on the rise. This URL [34] details six macro viruses that infect Word documents or templates; a further 152 are listed but not described in full. DataFellows sells products for Windows and OS/2 environments that detect and remove these viruses, as well as the numberless infinities of more conventional viruses tied to a single platform [35].

[33] <http://www.tbtf.com/archive/1996-05-20.html>
[34] <http://www.datafellows.com/macro/word.htm>
[35] <http://www.datafellows.com/vir-info/>

At the round earths imagin'd corners, blow
Your trumpets, Angells, and arise, arise
From death, you numberlesse infinities
Of soules, and to your scattred bodies goe...

TBTF alerts you weekly to bellwethers in computer and communications tech-
nology, with special attention to commerce on the Internet. Published since
1994. See the archive at <http://www.tbtf.com/>. To subscribe send the mes-
sage "subscribe" to tbtf-request@world.std.com. TBTF is Copyright 1996 by
Keith Dawson, <dawson dot tbtf at gmail dot com>. Commercial use prohibited. For non-
commercial purposes please forward and post as you see fit.
_______________________________________________
Keith Dawson    dawson dot tbtf at gmail dot com
Layer of ash separates morning and evening milk.