Interesting People mailing list archives
Government Encryption Policies Simplify Internet Break-ins Distribution
From: David Farber <farber () central cis upenn edu>
Date: Sun, 6 Feb 1994 10:15:55 -0500
comp.org.eff.talk,comp.security.misc,talk.politics.crypto,alt.security,alt.activism

The news from the Information Superhighway hasn't been good this week. Major break-ins have been occurring from someone who's been stealing users' passwords as they log in across the net, using them to break into their machines, and using their machines to watch the net for more passwords. It's not really that hard to stop - encryption technology has been available for several years that sends passwords across the net in encrypted form the eavesdroppers can't use - but most people haven't deployed encryption.

Why not? Well, part of it's just laziness, but in large part the use of encryption has been restricted by the government's Cold War era policies against developing, using, or distributing encryption software. Encryption is the mathematical privacy coding that lets people send their passwords and conversations privately.

If you want to sell encryption software overseas, you have to get a munitions export license, just as you would for exporting assault rifles or nuclear weapon parts, and they'll only give you a license for crippled software that the NSA can break easily, unless you're a bank or selling to a "friendly" government's military. If you want to sell encryption software in the US, you can't export it, which means you have to sell separate US and export versions. And if you want to give it away free, like lots of university and public domain software, you can't just post it to the net or make it available for ftp (the Internet version of the public library), without risking years in jail or at least having your computers confiscated while the government tries to decide whether to indict you - and you'd better be able to afford some *very* good lawyers.

Can this sort of free speech really be illegal? Nobody's really sure; the government won't give you permission and few people want to risk the jail time to find out if they'll give you forgiveness.

Meanwhile, most computer systems have simple password systems that can't protect against wiretappers. It's especially a problem on international long-distance circuits, where the connections are more exposed, because export rules say your business can't ship the package you use on your US computers to your foreign branches.

The Clinton Administration has announced that they're going to relax the export rules a bit, if you use their new Escrow Encryption Chip (which has built-in wiretapping capabilities) or simple encryption systems with short, easy-to-guess keys. The paperwork will be simpler, and you won't need an arms dealer license to carry your cellular phone or laptop computer on a business trip, but the NSA still retains control over what technology you can use. Proposed legislation in Congress would transfer control of crypto exports to the Commerce Department, which handles most other export licensing.

Without the Communist Party to kick around, U.S. Administration press releases bring up spectres of drug dealers, terrorists, and pornographers, but some of the major applications for the wiretapping capabilities of the new Escrow Chip appear to be financial transactions and tax evasion, since banks will need to replace their current encryption systems with something newer, as faster generations of computer technology will make the present systems insecure over the next 5-10 years. Because the Escrow Chip is a hardware-only approach, it's adequate for automatic teller machines, but you'd need to buy a government encryption module if you want to do your banking over the Information Superhighway - more secure encryption can be done cheaply, in software, but the NSA's 55 mph speed limit won't let you - for now.

On the other hand, the Cold War's over and you can get good encryption software from Finland, Moscow, Bulgaria, Switzerland, or Australia, often free, and it's becoming widely used by political activists in post-Communist countries.

---------
The preceding has been the personal opinion of Bill Stewart, and does not necessarily represent the views of the EFF, CPSR, Cypherpunks, or my employer, but I'll be happy to have my rhetoric stolen :-)
---------