[ Previous Article | Next Article | Index of Articles]

This article first appeared in the August 1999 issue of the Louisville Computer News. It was written by Lee Larson.

George Orwell would probably have enjoyed the strange debate being waged in Congress over who should be allowed to read your e-mail. The argument is about strong encryption and the right to send coded messages. In a bizarre turnabout, conservatives, who usually say they're against big brother government looking over our shoulders, have sided with the Clinton administration in saying that, for security reasons, strong encryption software cannot be exported. Liberals, on the other hand, are siding with the software industry and the banks in saying that such controls are violations of free speech and privacy.

The argument basically boils down to what qualifies as "strong" encryption. Modern coding schemes such as DES and RC5 require keys to unlock a message. A key is nothing more than a string of bits known only to people who are authorized to read the message. Longer keys make for more secure messages. Current U.S. law permits the export of encryption software with keys up to 56 bits long.

The problem with the whole debate is that nobody wants to be confused by facts. The genie is already out of the bottle, and even Congress can't put him back.

The first big encryption controversy to make it big in the press was the government's long legal battle with Phil Zimmerman, author of the freeware Pretty Good Privacy (PGP), a 128 bit encryption program for e-mail. The government fought with Zimmerman for more than three years in an effort to keep PGP from being freely distributed.

During this time, it was illegal to take a disk with the source code for PGP outside the U.S. and Canada. So, in 1998, Zimmerman wrote a book containing the source code. Strangely, books containing source code can be legally exported, and the source, scanned from his book, promptly and legally appeared on many European Internet sites.

PGP has become the standard cross-platform encryption method for e-mail. A free version for the Mac, including plug-ins for Eudora and Emailer can be downloaded from web.mit.edu/network/pgp.html.

While Zimmerman was fighting his battle, RSA Data Security (www.RSA.com), a commercial publisher of encryption software, was arguing that 56 bit encryption is not strong enough. To make its argument, RSA placed several coded messages on the 'Net and offered prizes to anyone who could read them.

In October 1997, the Bovine Group used the idle time of over 4000 personal computers scattered all over the world to break open the 56 bit RC5 message in 96 days. Decoding this first message took several months, but 'Net time moves very quickly. By February, another distributed computing effort, Distributed.Net (www.distributed.net) had broken another RSA 56 bit DES message in 41 days.

The next 56 bit DES challenge showed what could happen if a little money and expertise were thrown at the problem. The Electronic Freedom Foundation (www.eff.org) spent less than $250,000 to build a computer called Deep Crack designed to break DES encoded messages. It won the RSA 56 bit DES Challenge II in July 1998 by breaking the code in less than three days.

The final RSA 56 bit DES contest, called DES-III, was held on January 19 of this year. To claim the full prize, the message had to be cracked in under a day. In this contest, Distributed.Net and the Electronic Freedom Foundation worked together. Distributed.Net had about 10,000 computers linked via the Internet and the Electronic Freedom Foundation had Deep Crack.

The two of them combined checked over 250 billion keys per second for a bit less than 23 hours, until Deep Crack finally found the right key. In the end, Deep Crack alone had done about half the work.

Distributed.Net has moved on to a more difficult RSA challengeÑan RC5 64 bit code. They're welcoming anyone who wants to help. A Macintosh client is available from their web site (www.distributed.net).

Deep Crack is designed for DES encoding and can't help with RC5 encoded messages. But, it did its job, showing that 56 bit DES messages are not secure. If the tiny Electronic Freedom Foundation can build a machine like Deep Crack, imagine what serious money from a government, big company, or drug cartel could build.

The argument in Congress right now is over Rep. Bob Goodlatte's (R-Virginia) Security and Freedom Through Encryption Act (SAFE). The key points of SAFE are

• Guarantees all Americans the freedom to use any type of encryption anywhere in the world, and allows the sale of any type of encryption domestically.
• Prohibits the government from requiring a backdoor into peoples' email and computer files ("mandatory key recovery").
• Modernizes U.S. export controls to permit the export of generally available software and hardware, if a product with comparable security is commercially available from foreign suppliers.
• Creates criminal penalties for the knowing and willful use of encryption to conceal evidence of a crime, but specifies that the use of encryption does not constitute probable cause of a crime.
• Calls upon the Attorney General to compile examples in which encryption has interfered with law enforcement.
• Calls upon the President to convene an international conference to draft encryption policy agreement.

During testimony before the House Armed Services Committee on July 14, Attorney General Janet Reno said "Unless Congress recognizes the needs of law enforcement soon, it will become far more difficult for the FBI, DEA, and other federal, state, and local law enforcement agenciesÉto protect the public from crimes such as terrorism, narcotics trafficking, economic fraud, and child pornography,"

In the same hearing, it was pointed out that a George Washington University study counted at least 805 products from 35 countries outside the United States using strong encryption. These products can be legally imported into the U.S., but comparable products from U.S. manufacturers often cannot be exported.

Miscellaneous

Continuing in the same vein as above, it was noted in early July that the encryption scheme used to protect passwords in Mac OS has been broken. Programs written in AppleScript and C to extract passwords from the Users & Groups Data File in the Preferences folder are available on the 'Net. For more information, see the Security Focus site (www.securityfocus.com).

There is a secure enhancement to the standard Users & Groups security file for AppleShare IP. It is a plug-in called PGPuam, and is available as a free download from www.vmeng.com/vinnie/pubs.html. A fix for the regular Mac OS will have to be provided by Apple.

There have been several programs over the last few years with a view of Earth from space showing where the sun is shining. My favorite of this genre, Planet Earth, just got updated to version 2.1.

Planet Earth is a real-time 3D model of the Earth with continuously updating night shadows and clouds. It gets information over the Internet from weather satellites in order to show where its cloudy. Planet Earth comes with a database of over 500 cities, so you can hover over your home. (Louisville is one of them.) More cities can easily be added. It can be used as a screen-saver, or just a stand-alone program.

Planet Earth is $30 shareware from Lunar Software.

Casady & Greene had a busy month.

First, they released a long overdue update to their excellent universal spelling program Spell Catcher. The upgrade, called Spell Catcher 8, has a larger dictionary, more auto-substitution features and more compatibility with Mac OS 8.6. I've been using Spell Catcher as the only spell checker in all my programs for years, and highly recommend it. The cost is $39.95 for a download, $49.95 for a box and $19.95 for upgrades.

Their major announcement was the release of the new product, SoundJam MP, the first full-featured, all-in-one, MP3 player and encoder for the Macintosh. SoundJam MP converts music quickly into MP3's from CD, AIFF, QuickTime, and WAV formats. It's also apparently the first Mac program to support MP3 streaming sites. Casady and Greene has a time limited free demo available for download. The cost is $39.95 for a downloaded version and $49.95 for shrinkwrap.

You've got to like a company whose motto is "Software that doesn't suck!" In this case they're telling the truth. Bare Bones Software publishes BBEdit, the premiere programming and text editor for the Macintosh. Version 5.1.1 was released recently, and is a free upgrade for owners of version 5.0 and newer. Version 5.1.1 contains many minor bug fixes and improvements. The upgrader is available on Bare Bones web site.

Louisville Computer Society

The August 24 meeting of the Louisville Computer Society will feature representatives from several local banks to discuss their policies for on-line access to accounts.

The Louisville Computer Society meets from 7:00-9:00 P.M. at Pitt Academy, 4605 Poplar Level Road, at the intersection of Poplar Level Road and Gilmore Lane. Everyone is welcome to attend. For more information, on the web go to www.aye.net/~lcs, or e-mail lcs@aye.net.

[ Previous Article | Next Article | Index of Articles]

/home2/lee/www/cgi-bin/textcounterdata/ [TextCounter Fatal Error: Could Not Write to File __lee_macwritings_LCN9908_shtml]