EFFector       Vol. 11, No. 11       July 23, 1998
                              [email protected]
  A Publication of the Electronic Frontier Foundation     ISSN 1062-9424

 IN THE 139th ISSUE OF EFFECTOR

    * SENATE PASSES 3 INTERNET CENSORSHIP BILLS
    * EFF DES CRACKER MACHINE BRINGS HONESTY TO CRYPTO-POLICY DEBATE
    * EFF & OTHER GROUPS WARN CONGRESS OF DANGERS IN NEW FBI WIRETAP
      WISHLIST
    * ADMINISTRIVIA

  See http://www.eff.org for more information on EFF activities &
  alerts!
    _________________________________________________________________



 FOR IMMEDIATE RELEASE

   July 21, 1998

   CONTACT:

  Electronic Frontier Foundation, +1 415 436 9333, [email protected]

  Last-minute update: In addition to the McCain & Coats Internet
  censorship bills, a piece of legislation to ban most forms of online
  gambling Web sites also passed as an amendment to the appropriations
  bill below (which was passed in full by the Senate, July 22, 1998).
  There is presently no action alert issued regarding these bills, but
  one will be forthcoming shortly, when action on the House side is
  clear and we know where to direct our activism. Check
  http://www.eff.org/blueribbon.html periodically for updates.

                 ELECTRONIC FRONTIER FOUNDATION REACTS TO
             SENATE PASSAGE OF TWO INTERNET CENSORSHIP BILLS

                      Statement of Barry Steinhardt
             President of the Electronic Frontier Foundation

  This afternoon the Senate passed two draconian bills that would
  ultimately prevent access to a wide array of content on the Internet.
  The two bills were passed as amendments to an appropriations bill for
  the Commerce, Justice and State Department. They were brought up
  without any notice to those members of the Senate who opposed them and
  without any opportunity for meaningful debate. In effect, free speech
  on the Internet was the victim of an ambush.

  The initial amendment offered by Senators John McCain (R-AZ) and Patty
  Murray (D-WA) would require schools and libraries that receive federal
  funds for Internet connections to install filtering software to block
  "inappropriate" material. The second, "the CDA II" bill sponsored by
  Senator Dan Coats (R-IN) would enact a wide ranging ban on Web posting
  of material deemed "harmful to minors."

  The two bills represent a real and present danger to free speech on
  the Internet. The McCain/Murray amendment will force libraries and
  schools to use all-too-frequently crude and overbroad filters that
  block out a wide array of non-"harmful" speech -- everything from the
  Quaker home page to the American Association of University Women has
  been blocked by these programs.

  Indeed, you can no more create a computer program to block out one
  community's view of "indecency" or "obscenity" than you can devise a
  filtering program to block out misguided proposals by members of
  Congress. Both may be desirable, but neither is possible.

  At first glance, the Coats' CDA II bill appears to be a relatively
  benign provision that purportedly applies only to commercial
  pornographers who market to minors. But it is a Trojan horse. Beneath
  the veneer, it covers any Web site that has a commercial component and
  which has material that some community will consider "harmful to
  minors", even if that is not the material for sale. This ranges from
  the electronic bookseller Amazon.com to EFF's site, which sells books
  and T-Shirts.
                   ___________________________________

  The Electronic Frontier Foundation is one of the leading civil
  liberties organizations devoted to ensuring that the Internet remains
  the world's first truly global vehicle for free speech, and that the
  privacy and security of all on-line communication is preserved.
  Founded in 1990 as a nonprofit, public interest organization, EFF is
  based in San Francisco, California. EFF maintains an extensive archive
  of information on encryption policy, privacy, and free speech at
  http://www.eff.org.


      EFF DES CRACKER MACHINE BRINGS HONESTY TO CRYPTO-POLICY DEBATE

       ELECTRONIC FRONTIER FOUNDATION PROVES THAT DES IS NOT SECURE

   CONTACT:

  Electronic Frontier Foundation, +1 415 436 9333, [email protected]

  SAN FRANCISCO, CA -- The Electronic Frontier Foundation (EFF) today
  raised the level of honesty in crypto politics by revealing that the
  Data Encryption Standard (DES) is insecure. The U.S. government has
  long pressed industry to limit encryption to DES (and even weaker
  forms), without revealing how easy it is to crack. Continued adherence
  to this policy would put critical infrastructures at risk; society
  should choose a different course.

  To prove the insecurity of DES, EFF built the first unclassified
  hardware for cracking messages encoded with it. On Wednesday of this
  week the EFF DES Cracker, which was built for less than $250,000,
  easily won RSA Laboratories' "DES Challenge II" contest and a $10,000
  cash prize. It took the machine less than 3 days to complete the
  challenge, shattering the previous record of 39 days set by a massive
  network of tens of thousands of computers. The research results are
  fully documented in a book published this week by EFF and O'Reilly and
  Associates, entitled "Cracking DES: Secrets of Encryption Research,
  Wiretap Politics, and Chip Design."

  "Producing a workable policy for encryption has proven a very hard
  political challenge. We believe that it will only be possible to craft
  good policies if all the players are honest with one another and the
  public," said John Gilmore, EFF co-founder and project leader. "When
  the government won't reveal relevant facts, the private sector must
  independently conduct the research and publish the results so that we
  can all see the social trade-offs involved in policy choices."

  The nonprofit foundation designed and built the EFF DES Cracker to
  counter the claim made by U.S. government officials that governments
  cannot decrypt information when protected by DES, or that it would
  take multimillion-dollar networks of computers months to decrypt one
  message. "The government has used that claim to justify policies of
  weak encryption and 'key recovery,' which erode privacy and security
  in the digital age," said EFF Executive Director Barry Steinhardt. "It
  is now time for an honest and fully informed debate, which we believe
  will lead to a reversal of these policies."

  "EFF has proved what has been argued by scientists for twenty years,
  that DES can be cracked quickly and inexpensively," said Gilmore. "Now
  that the public knows, it will not be fooled into buying products that
  promise real privacy but only deliver DES. This will prevent
  manufacturers from buckling under government pressure to 'dumb down'
  their products, since such products will no longer sell." Steinhardt
  added, "If a small nonprofit can crack DES, your competitors can too.
  Five years from now some teenager may well build a DES Cracker as her
  high school science fair project."

  The Data Encryption Standard, adopted as a federal standard in 1977 to
  protect unclassified communications and data, was designed by IBM and
  modified by the National Security Agency. It uses 56-bit keys, meaning
  a user must employ precisely the right combination of 56 1s and 0s to
  decode information correctly. DES accounted for more than $125 million
  annually in software and hardware sales, according to a 1993 article
  in "Federal Computer Week." Trusted Information Systems reported last
  December that DES can be found in 281 foreign and 466 domestic
  encryption products, which accounts for between a third and half of
  the market.

  A DES cracker is a machine that can read information encrypted with
  DES by finding the key that was used to encrypt that data. DES
  crackers have been researched by scientists and speculated about in
  the popular literature on cryptography since the 1970s. The design of
  the EFF DES Cracker consists of an ordinary personal computer
  connected to a large array of custom chips. It took EFF less than one
  year to build and cost less than $250,000.

  This week marks the first public test of the EFF DES Cracker, which
  won the latest DES-cracking speed competition sponsored by RSA
  Laboratories ( http://www.rsa.com/rsalabs/ ). Two previous RSA
  challenges proved that massive collections of computers coordinated
  over the Internet could successfully crack DES. Beginning Monday
  morning, the EFF DES Cracker began searching for the correct answer to
  this latest challenge, the RSA DES Challenge II-2. In less than 3 days
  of searching, the EFF DES Cracker found the correct key. "We searched
  more than 88 billion keys every second, for 56 hours, before we found
  the right 56-bit key to decrypt the answer to the RSA challenge, which
  was 'It's time for those 128-, 192-, and 256-bit keys,'" said Gilmore.

  Many of the world's top cryptographers agree that the EFF DES Cracker
  represents a fundamental breakthrough in how we evaluate computer
  security and the public policies that control its use. "With the
  advent of the EFF DES Cracker machine, the game changes forever," said
  Whitfield Diffie, Distinguished Engineer at Sun Microsystems and famed
  co-inventor of public key cryptography. "Vast Internet collaborations
  cannot be concealed and so they cannot be used to attack real, secret
  messages. The EFF DES Cracker shows that it is easy to build search
  engines that can."

  "The news is not that a DES cracker can be built; we've known that for
  years," said Bruce Schneier, the President of Counterpane Systems.
  "The news is that it can be built cheaply using off-the-shelf
  technology and minimal engineering, even though the Department of
  Justice and the FBI have been denying that this was possible." Matt
  Blaze, a cryptographer at AT&T Labs, agreed: "Today's announcement is
  significant because it unambiguously demonstrates that DES is
  vulnerable, even to attackers with relatively modest resources. The
  existence of the EFF DES Cracker proves that the threat of 'brute
  force' DES key search is a reality. Although the cryptographic
  community has understood for years that DES keys are much too small,
  DES-based systems are still being designed and used today. Today's
  announcement should dissuade anyone from using DES."

  EFF and O'Reilly and Associates have published a book about the EFF
  DES Cracker, "Cracking DES: Secrets of Encryption Research, Wiretap
  Politics, and Chip Design." The book contains the complete design
  details for the EFF DES Cracker chips, boards, and software. This
  provides other researchers with the necessary data to fully reproduce,
  validate, and/or improve on EFF's research, an important step in the
  scientific method. The book is only available on paper because U.S.
  export controls on encryption potentially make it a crime to publish
  such information on the Internet.

  EFF has prepared a background document on the EFF DES Cracker, which
  includes the foreword by Whitfield Diffie to "Cracking DES." (See
  http://www.eff.org/descracker/ ). The book can be ordered for
  worldwide delivery from O'Reilly & Associates via the Web
  ( http://www.ora.com/catalog/crackdes ), or phone (1 800 998 9938, or
  +1 707 829 0515.)
    _________________________________________________________________




   EFF & OTHER GROUPS WARN CONGRESS OF DANGERS IN NEW FBI WIRETAP WISHLIST

  July 17, 1998

  The Honorable Ted Stevens
  Chairman
  Committee on Appropriations
  United States Senate
  Washington, D.C. 20510

  Dear Mr. Chairman:

  We are writing to urge you to reject any efforts by the Federal Bureau
  of Investigation to use the appropriations process to expand its
  electronic surveillance powers through amendments to the
  Communications Assistance for Law Enforcement Act (CALEA). Four years
  ago, FBI Director Freeh hailed CALEA as achieving "a delicate but
  critical balance between public safety and privacy and constitutional
  rights." Director Freeh praised CALEA:

    "I think we have reached a remarkable compromise and achievement in
    preserving that tool [wiretapping] as it has existed since 1968 and
    yet balancing all the technology and privacy concerns which are so
    precious to all of us."

  - FBI Director Louis Freeh, Congressional testimony, August 1994.

  But ever since the law was enacted, the FBI has tried to use it not
  merely to preserve its surveillance capabilities as Congress intended,
  but to expand them, demanding that companies build expensive new
  surveillance features. Using the checks and balances in the law, the
  undersigned privacy groups have asked the FCC to reject the FBI's
  demands.

  We understand that the FBI is now asking Congress for major revisions
  of the 1994 law, to mandate the FBI's requests for expanded
  surveillance capabilities and strike from the Act key provisions
  intended to ensure a balance between privacy and law enforcement. We
  understand that the FBI has asked that there be attached to the CJS
  appropriations bill an amendment that would:
    * Codify the FBI's entire list of enhanced surveillance capabilities
      -- For over a year, industry and privacy groups have opposed the
      FBI's efforts to use CALEA to expand government surveillance
      capabilities. The FBI's proposed expansions are now being
      challenged before the FCC. The FBI amendment would terminate the
      FCC proceeding by ordering the Commission to adopt without
      revision the entire FBI wish list, including the capabilities to
      track wireless phone users without meeting constitutional
      standards and to continue monitoring all parties to a conference
      call after the suspect has dropped off the call.
    * Eliminate public accountability - The proposed amendment states
      that the FCC shall enact the FBI wish list immediately and
      "without notice and comment." This means that privacy groups would
      have no right to have their concerns heard. When Congress set up
      the CALEA process, it required the FCC to protect privacy and
      minimize cost. The FBI amendment would render those considerations
      irrelevant.
    * Require carriers to disclose "the exact physical location" of
      wireless phone users without any court approval - In 1994, FBI
      Director Freeh testified that CALEA "does not include any
      information which might disclose the general location of a mobile
      [phone]... There is no intent whatsoever...to acquire anything
      that could properly be called 'tracking' information." Now the FBI
      is seeking "exact" physical location, going beyond even the cell
      site information industry has offered to provide law enforcement
      in its CALEA plan now under challenge on privacy grounds at the
      FCC.
      Furthermore, the FBI amendment, in a provision that purports to
      address privacy concerns, requires carriers to provide tracking
      information on any wireless phone user for up to two days without
      a court order, upon the mere request of any police officer. This
      is less protection than current law.
    * Establish a bogus standard for access to location information - In
      what the FBI will undoubtedly characterize as a concession to
      privacy, the amendment would require wireless carriers to provide
      location information whenever presented with a court order "based
      upon a finding that there is probable cause to believe that the
      location information is relevant to a legitimate law enforcement
      objective." This is actually weaker than current law, which
      requires at least that the information be relevant and material to
      an ongoing investigation. "Legitimate law enforcement objective"
      doesn't even require that police have an ongoing case. The use of
      the words "probable cause" does not make this provision acceptable.
      The issue is "probable cause" to believe what?
    * Write "reasonableness" out of the statute - In 1994, Director
      Freeh testified that CALEA "reflects reasonableness in every
      provision." The statute specifically said that carriers could be
      required to modify their systems for law enforcement purposes only
      if the changes were "reasonably achievable." Now the FBI amendment
      would amend the Act to state that compliance with the FBI's wish
      list is "deemed reasonably achievable." To "deem" something means
      that we pretend it is so even when it isn't. This amendment
      deprives the FCC of jurisdiction to assess the feasibility and
      cost of CALEA compliance.
    * Packet networks - In another provision that will be characterized
      as a concession to privacy, the amendment states that carriers "to
      the extent possible" shall separate call-identifying information
      from content when transmitted as packet-mode data. Privacy groups
      have asked the FCC to determine how and when this can be done. By
      depriving the Commission of authority over implementation of
      CALEA, the FBI amendment may be precluding privacy groups and
      others from having any input in deciding how surveillance is to be
      conducted in the packet networks that represent the future of
      telephony.

  In short, the FBI is trying to rewrite CALEA to get what it failed to
  get from Congress four years ago, and what it has failed to get since
  from industry and through the FCC. The FBI's efforts are under
  challenge at the FCC and in the courts. The FBI's proposed amendment
  is an effort to cut off those challenges.

  It is appropriate for Congress at this time to extend the CALEA
  compliance and "grandfather" dates, in order to allow resolution of
  the substantive issues pending before the FCC. It would be
  inappropriate for Congress to grant FBI the authority that it was
  denied four years ago after a lengthy hearing and negotiation process.

  The FBI may try to characterize its proposal as a compromise. It is
  not. The granting of a one-time extension to industry and the
  purported concessions to privacy do not come close to justifying a
  fundamental rewriting of CALEA, which is what the FBI amendment would
  do.

  We would be happy to meet with you or your staff to discuss our
  concerns more fully.

  Sincerely,

  Laura W. Murphy
  American Civil Liberties Union

  James P. Lucier, Jr.
  Americans for Tax Reform

  Jerry Berman
  Center for Democracy and Technology

  Barry Steinhardt
  Electronic Frontier Foundation

  Marc Rotenberg
  Electronic Privacy Information Center

  Lisa S. Dean
  Free Congress Foundation

  Cc: The Honorable Robert C. Byrd
      The Honorable Judd Gregg
      The Honorable Ernest F. Hollings
      The Honorable Patrick J. Leahy


    _________________________________________________________________

ADMINISTRIVIA

  EFFector is published by:

  The Electronic Frontier Foundation
  1550 Bryant St., Suite 725
  San Francisco CA 94103 USA
  +1 415 436 9333 (voice)
  +1 415 436 9993 (fax)

  Editor: Stanton McCandlish, Program Director/Webmaster ([email protected])

  Membership & donations: [email protected]
  Legal services: [email protected]
  General EFF, legal, policy or online resources queries: [email protected]

  Reproduction of this publication in electronic media is encouraged.
  Signed articles do not necessarily represent the views of EFF. To
  reproduce signed articles individually, please contact the authors for
  their express permission. Press releases and EFF announcements may be
  reproduced individually at will.

  To subscribe to EFFector via email, send message body of:
  subscribe effector-online
  to [email protected], which will add you to a subscription list for
  EFFector. To unsubscribe, send a similar message body, like so:
  unsubscribe effector-online

  Please tell [email protected] to manually remove you from the list if this
  does not work for some reason.

  Back issues are available at:
  http://www.eff.org/pub/EFF/Newsletters/EFFector

  To get the latest issue, send any message to
  [email protected] (or [email protected]), and it will be mailed to
  you automagically. You can also get:
  http://www.eff.org/pub/EFF/Newsletters/EFFector/current.html