lambda 5.02 / 18 May 1999

ShortCuts

 

« An Internet service provider in Dublin, Ireland, a couple of weeks ago was forced to shut down temporarily after a cyberattack on its computers. Topping the list of suspects is Indonesia. The Internet company was hosting a ''virtual nation'' on behalf of people who want to end the brutal Indonesian occupation of East Timor, the eastern half of a South Pacific island the size of Massachusetts. In late 1997 Connect-Ireland joined forces with Nobel laureates José Ramos-Horta and Bishop Carlos Belo. The idea behind their East Timor Project was to create what amounted to a virtual nation. To do this, they took advantage of the way Internet domains are created, and succeeded in obtaining the country code domain "tp". Creating an East Timor TLD effectively established a semiofficial presence. An Indonesian spokesman told the Irish Times newspaper that the government was "concerned that this freedom has been misused ... to spread a campaign against Indonesia." »

o Source: Repressive regimes may be targeting Net service providers. 02/09/99. By Dan Gillmor / San Jose Mercury News.
o Lambda 4.03

EuroTaps

On May 7 the European Parliament voted for a series of amendments to harmonize wiretapping arrangements across the 15 member states of the EU. They would give European police forces the capacity to exchange interception capabilities for mobile and Internet communications.

 

o Telepolis, German magazine and Enfopol sentinel (ge)
o Le Monde Diplo, avril 99 (fr)
o ZDNet, 15 May 1999 edition (fr)
o Lambda 3.02 April 97 (en)

Contents 5.02

HISTORY: Crypto AG / NSA - was the famous Swiss locksmith an agent for the NSA? From a Covert Action Quarterly article.

TECHNO: Microsoft's security flaws and PR mechanics. Wintel's Sniper Snoops breached EU directives.

Plus : Filterfanatics + Crypto Updates.



 

Switzerland's Crypto A.G.

The NSA's secret locksmith?

Covert Action Quarterly recently published the secret history of Crypto AG, in which the Swiss encryption company is described as having been manipulated by the US National Security Agency and its West German counterpart, the BND, for almost four decades. The arrangement gave the NSA deep insight into the Middle East, where every major state (including arch-enemies of the US such as Iran) had bought Crypto AG's untrustworthy products.

Excerpts:

« For decades, the US has routinely intercepted and deciphered top secret encrypted messages of 120 countries. These nations had bought the world's most sophisticated and supposedly secure commercial encryption technology from Crypto AG, a Swiss company that staked its reputation and the security concerns of its clients on its neutrality. The purchasing nations, confident that their communications were protected, sent messages from their capitals to embassies, military missions, trade offices, and espionage dens around the world, via telex, radio, teletype, and facsimile. (...) All the while, because of a secret agreement between the National Security Agency (NSA) and Crypto AG, they might as well have been hand delivering the message to Washington. Their Crypto AG machines had been rigged so that when customers used them, the random encryption key could be automatically and clandestinely transmitted with the enciphered message. NSA analysts could read the message traffic as easily as they could the morning newspaper.

...

« A document released in 1995 by Britain's Public Records Office indicates that Switzerland and NATO concluded a secret deal in 1956. The "Top Secret" document, dated February 10, 1956, with the reference "prem 11/1224," was written by the famous British World War II figure, Field Marshal Bernard L. Montgomery. While "Monty" was a vice-commander of NATO, he discussed a secret alliance with Swiss Defense Minister Paul Chaudet. In peacetime, Switzerland would be officially neutral, but in wartime, it would side with NATO. ... »

[Photo caption: one of Crypto AG's cipher appliances]

The cover-up unravelled in March 1992. Author Wayne Madsen explains how Iranian intelligence found the Trojan horse after the "1991 assassination in Paris of former Iranian Prime Minister Shahpour Bakhtiar":

"On August 7, 1991, one day before Bakhtiar was found dead with his throat slit, the Teheran headquarters of the Iranian Intelligence Service, VEVAK, transmitted a coded message to Iranian diplomatic missions in London, Paris, Bonn, and Geneva, inquiring "Is Bakhtiar dead?" The Iranians concluded from Western press reports that British and American SIGINT operators had intercepted and decoded the message (as reported by L'Express of Paris) and knew that Teheran was behind the assassination. They realized that their code had been broken, looked to their Crypto AG cipher machines ..."

Anyone aware of the Promis affair (another piece of software said to have been bugged, in a DOJ-CIA operation, and used to spy on European allies in the 1980s) should not be surprised at all.


o See also, in the same issue of Covert Action, a reminder of Nicky Hager's book Secret Power about the Echelon surveillance network.
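The mechanism the CAQ article describes, a "random" key that travels with the ciphertext, is easy to model. The following is an added illustration written for this page; it is not Crypto AG's design and not code from the article. It assumes a stream cipher built from HMAC-SHA256 (a stand-in for the machine's real logic) and a constructed manufacturer secret. The honest machine emits an indicator independent of the key; the rigged one emits the key masked with the manufacturer secret, which looks equally random to the customer but lets anyone holding that secret read the traffic. The last function is the check a suspicious customer could run with keys of their own choosing, without knowing the mask.

```python
"""Toy model of a cipher machine whose message indicator leaks the session key.

Added example, not from the article and not Crypto AG's real design: a
simplified illustration of a key being clandestinely transmitted with the
enciphered message. All secrets and messages below are constructed.
"""
import hashlib
import hmac
import os

# Assumption: the manufacturer builds one fixed secret into every machine and
# hands it to the eavesdropper. Constructed value, not a real key.
MANUFACTURER_SECRET = bytes.fromhex("5c2d8f1a9e0b7c3344d1e6a8f0b2c4d6")


def keystream(session_key, indicator, length):
    """HMAC-SHA256 in counter mode: a stand-in for the machine's rotor logic."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(session_key, indicator + counter.to_bytes(4, "big"),
                        hashlib.sha256).digest()
        counter += 1
    return out[:length]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_honest(session_key, plaintext):
    """Honest machine: the indicator (IV) is random and independent of the key."""
    indicator = os.urandom(16)
    return indicator, xor(plaintext, keystream(session_key, indicator, len(plaintext)))


def encrypt_rigged(session_key, plaintext):
    """Rigged machine: the indicator IS the session key under a fixed mask.
    Because the key is random, the indicator looks random to the customer."""
    indicator = xor(session_key, MANUFACTURER_SECRET)
    return indicator, xor(plaintext, keystream(session_key, indicator, len(plaintext)))


def decrypt(session_key, indicator, ciphertext):
    """Legitimate receiver: holds the pre-arranged session key."""
    return xor(ciphertext, keystream(session_key, indicator, len(ciphertext)))


def eavesdropper_read(indicator, ciphertext):
    """Interceptor side: recover the session key from the indicator alone."""
    leaked_key = xor(indicator, MANUFACTURER_SECRET)
    return decrypt(leaked_key, indicator, ciphertext)


def indicator_leaks_key(machine, trials=8):
    """Customer-side check. Encrypt with keys you chose yourself and XOR each
    key with the indicator the machine emitted. If the result is the same every
    time, the indicator is a fixed function of the key, i.e. the key is being
    sent in the clear under a constant mask. No knowledge of the mask needed."""
    masks = set()
    for _ in range(trials):
        k = os.urandom(16)
        indicator, _ = machine(k, b"test message")
        masks.add(xor(k, indicator))
    return len(masks) == 1


if __name__ == "__main__":
    key = os.urandom(16)
    ind, ct = encrypt_rigged(key, b"Is Bakhtiar dead?")
    print("eavesdropper reads:", eavesdropper_read(ind, ct))
    print("rigged machine leaks key:", indicator_leaks_key(encrypt_rigged))
    print("honest machine leaks key:", indicator_leaks_key(encrypt_honest))
```

The check only catches the simplest form of leakage (a constant mask). A subtler backdoor would derive the indicator from the key through a keyed function, which is indistinguishable from random without the manufacturer's secret; that is why the customer's only real defence is a design it can inspect.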

 

SNIPER

SNOOPERS

 

Everybody knows that Intel and Microsoft were accused some weeks ago of privacy misconduct over hidden functions: the serial number built into the Pentium III chip and the Office 98 registration process. After their apologies, what could a lawsuit bring?

Lambda has learned that the French data protection agency, the CNIL, has opened an investigation into whether Wintel violated the European directives on the protection of personal data online. The inquiry is still in progress, a CNIL official told Lambda on May 15. Earlier this year, on February 23, the Data Protection Working Party (attached to the European Commission's DG XV) published two "recommendations":

o Processing of Personal Data on the Internet;

o Invisible and Automatic Processing of Personal Data on the Internet Performed by Software and Hardware.

This framework rests on the 1995 and 1997 European directives (95/46/EC on personal data and 97/66/EC on privacy in telecommunications), which came into force in the EU last October.

Here are some excerpts of what Intel and Microsoft ignored:

« The Working Party encourages the software and hardware industry to work on Internet privacy-compliant products that provide the necessary tools to comply with the European data protection rules.

"A condition for legitimate processing of personal data is the requirement that the data subject is informed and thus made aware of the processing in question. Therefore, the Working Party is especially concerned about all kinds of processing operations which are presently being performed by software and hardware on the Internet without the knowledge of the person concerned and hence are "invisible" to him/her.

"Typical examples of such invisible processing are the "chattering" at the HTTP level, automatic hyperlinks to third parties, active content (like Java, ActiveX or other client-based scripting technologies) and the cookies mechanism as currently implemented in the common browsers.

"Internet software and hardware products should provide the Internet users information about the data that they intend to collect, store or transmit and the purpose for which they are necessary.

"Internet software and hardware products should also give the capacity to the data user to easily access any data collected about him/her at any later stage. »
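Two of the "invisible" mechanisms the Working Party lists, HTTP chattering and automatic links to third parties, can be audited from a captured request and the page it fetched. The following is an added example written for this page, not code from the Working Party or from any browser vendor. The request, the page and the host names are constructed; the header names are the standard ones a 1999-era browser sends on its own.

```python
"""Audit of "invisible processing" in one web exchange.

Added example, not part of the Working Party's recommendation: given a
captured HTTP request and the HTML it fetched (both constructed below), list
what the browser transmitted without the user's involvement and which third
parties the page contacts automatically.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Headers a browser adds by itself: the "chattering" at the HTTP level.
CHATTY_HEADERS = {
    "referer": "URL of the page the user came from",
    "user-agent": "browser and operating system version",
    "accept-language": "preferred languages, a hint at nationality",
    "cookie": "identifiers stored by earlier visits",
    "from": "user's e-mail address (rare, but some clients send it)",
}

SAMPLE_REQUEST = (  # constructed, not captured from a real user
    "GET /article?id=42 HTTP/1.0\r\n"
    "Host: www.example.test\r\n"
    "Referer: http://intranet.example.test/hr/appraisals/smith.html\r\n"
    "User-Agent: Mozilla/4.5 [fr] (Win98; I)\r\n"
    "Accept-Language: fr, en\r\n"
    "Cookie: uid=7f3a9c1e2b\r\n"
    "\r\n"
)

SAMPLE_PAGE = """<html><body>   <!-- constructed page -->
<img src="/logo.gif">
<img src="http://counter.tracker.test/hit.gif?site=42" width=1 height=1>
<script src="http://ads.tracker.test/banner.js"></script>
<a href="http://partner.test/">partner</a>
<iframe src="http://www.example.test/inner.html"></iframe>
</body></html>"""


def parse_request(raw):
    """Return (request line, {lower-cased header name: value})."""
    head, _, _ = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def chattering(raw):
    """Headers the user never typed but the server still receives,
    mapped to (value, what it discloses)."""
    _, headers = parse_request(raw)
    return {h: (headers[h], CHATTY_HEADERS[h]) for h in CHATTY_HEADERS if h in headers}


class AutoFetchCollector(HTMLParser):
    """Collect URLs the browser fetches without a click (src/href of embedded
    resources). Plain <a href> links need a click and are deliberately skipped."""
    AUTO = {"img", "script", "iframe", "frame", "embed", "link"}

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        if tag in self.AUTO:
            for name, value in attrs:
                if name in ("src", "href") and value:
                    self.urls.append(value)


def third_party_fetches(page_html, page_host):
    """Hosts other than the page's own that are contacted automatically.
    Each such fetch carries the chattering headers above to a party the
    user never chose to visit (the 1x1 image is the classic 'web bug')."""
    collector = AutoFetchCollector()
    collector.feed(page_html)
    hosts = set()
    for url in collector.urls:
        host = urlsplit(url).hostname
        if host and host != page_host:
            hosts.add(host)
    return sorted(hosts)


if __name__ == "__main__":
    for name, (value, meaning) in chattering(SAMPLE_REQUEST).items():
        print(f"{name}: {value}   <- {meaning}")
    print("third parties contacted:", third_party_fetches(SAMPLE_PAGE, "www.example.test"))
```

The Referer line is the one to watch in the sample: it hands an intranet path to an outside server, and the same header goes to every third-party host the page embeds.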

o See also the US '99 Orwells, the Big Brother Awards bestowed on April 7 (see 4.03 for the 1998 UK edition).

 

 

==================

o CLOSED OFFICE o

==================

In the March issue of Bruce Schneier's "Crypto-Gram" we noticed a short item providing "further proof, if you needed it, that Microsoft prefers to treat security holes as a public relations problem, rather than fixing the actual problem":

« In December 1997, David Foster discovered a security hole in Office 97. This bug allows any Web page to contain executable code that will run without warning on the user's machine. For anyone who knows Word and VBA (Word 97's macro language), the problem is obvious.

" Foster went to the bug reporting Web pages for Internet Explorer and Word, and reported the problem. There was no response from Microsoft. In late 1998, he discovered that not only had MS still not fixed the problem in Word 97, but the bug also existed in the beta version of Word 2000. He posted a further message to Microsoft, and received the following: "Microsoft appreciates your input regarding this issue, however in lieu of modern technology being what it is, we all need to be personally responsible for knowing what we are downloading off the internet." In case it's not immediately obvious, this is arrant nonsense.

" It wasn't until Woody Leonhard, Word guru and Office 97 iconoclast, heard about the problem and threatened to publish particulars of the security hole in the next issue of "Woody's Office Watch," with a readership of 140,000, that Microsoft finally did something. With that incentive, Microsoft had a patch available on their Web site within days. »

o David Foster's story of the bug

 

 

FILTER FANATICS

UPDATE

 

 

From the Wall Street Journal. May 6, 1999

... SurfWatch, an Internet-filtering company that aims to protect children from online pornography and violence, boasts that it only blocks objectionable sites after "thoughtful analysis" by its staff. This left James Tyre, a Pasadena lawyer and Internet activist opposed to filtering, more than a little bemused when SurfWatch blocked his newly registered site, www.plugandpray.com, for "sexually explicit content." [The software confused Mr. Tyre's site with a pornography site that shares the same IP number.] ... Martin Minow, a Silicon Valley programmer, recently discovered that his new site, www.minow.org, was also blocked by SurfWatch for alleged explicit content. The site bears only the words, "This site is under construction."
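The bracketed explanation points at a classic filtering failure: on a shared web server many unrelated sites answer at one IP address, so a filter keyed on the address blocks all of them. The following is an added example written for this page, not SurfWatch's code or anything from the Journal article; the DNS table, host names and addresses are constructed. It shows the naive address-based filter beside one keyed on the requested host name, the only thing that tells virtual hosts apart.

```python
"""Why a filter that blocks by IP address hits innocent neighbours.

Added example, not from the Wall Street Journal piece or from SurfWatch: a
toy filter over a constructed DNS table, shown once keyed on the resolved
address and once on the requested host name. All names and addresses are
made up.
"""

# Constructed: one virtual-hosting server with several customers on one address.
DNS = {
    "adult.example.test":   "192.0.2.10",
    "plugandpray.test":     "192.0.2.10",  # innocent site, same shared host
    "minow.test":           "192.0.2.10",  # "under construction"
    "library.example.test": "192.0.2.20",
}

# The only name the filter's staff actually reviewed and listed.
BLOCKLIST = {"adult.example.test"}


def blocked_by_ip(hostname):
    """Naive filter: resolve the listed sites and block every host that
    resolves to one of those addresses."""
    bad_ips = {DNS[h] for h in BLOCKLIST}
    return DNS.get(hostname) in bad_ips


def blocked_by_name(hostname):
    """Corrected filter: key on the name the browser asked for (URL / Host
    header). A listed domain also covers its sub-domains, so that
    www.adult.example.test does not slip past the list entry."""
    labels = hostname.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in BLOCKLIST for i in range(len(labels)))


def collateral_blocks(decide):
    """Hosts the given filter blocks although they were never listed."""
    return sorted(h for h in DNS if decide(h) and h not in BLOCKLIST)


if __name__ == "__main__":
    print("collateral damage, IP-based:  ", collateral_blocks(blocked_by_ip))
    print("collateral damage, name-based:", collateral_blocks(blocked_by_name))
```

Name-based matching has the opposite weakness: a user who types the raw address, or a site that moves to a new name, is not matched at all. Either way the decision is taken on network identifiers, not on the "thoughtful analysis" of content the vendor advertises.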

 

From The Censorware Project, March 23:

« The Censorware Project released its report, "Censored Internet Access in Utah Schools and Libraries". (It) examines the state of Utah's use of a commercial internet censoring product in all Utah public schools and some public libraries, as recorded in the log files generated by the software itself.

"The log files prove incriminating - they reveal that Utah students are highly unlikely to use the internet for non-scholastic purposes, and that when students or adults are banned from a site by the software, more likely than not, the site was completely innocent.

"Among the documents banned by Utah: the Holy Bible, the Book of Mormon, the Declaration of Independence, the United States Constitution, all of Shakespeare's plays, and The Adventures of Sherlock Holmes."

 

Meanwhile in France, some universities are using filtering technology to block 'non-academic' content. See for example Toulouse (SquidGuard on top of a Berkeley DB database), where network operators quote the Penal Code to justify their "right" to discriminate blindly between "good" and "bad" content.

o See also lambda 4.01

 

CRYPTO UPDATE

FRENCH CONNECTION: The new French decrees expressing the government's will to soften encryption policy were published on March 28:

The key length anyone may use without formality rose from 40 bits to 128 bits, the plans for a key-recovery scheme based on trusted third parties were abandoned, and a new law that should free all crypto systems is to follow, the government said.

 

But an industry group, the AFUU (French Unix Users' Association, www.afuu.fr), said afterwards that while the new rules are a step forward, they still require software publishers to file a prior declaration ("déclaration préalable") and to supply a complex technical dossier on their cipher systems before they may sell freely to privacy-conscious consumers.

"These obligations have no equivalent anywhere among our main trading and political allies. ... It would be a bad thing if crypto products which are international standards were still not allowed in France, or were allowed only some six months after their worldwide launch."

o Décret n° 99-199 du 17 mars 1999 définissant les catégories de moyens et de prestations de cryptologie pour lesquelles la procédure de déclaration préalable est substituée à celle d'autorisation. (Decree 99-199 of 17 March 1999 defining the categories of cryptographic means and services for which the prior-declaration procedure replaces authorization.)

o Décret n° 99-200 du 17 mars 1999 définissant les catégories de moyens et de prestations de cryptologie dispensées de toute formalité préalable. (Decree 99-200 of 17 March 1999 defining the categories of cryptographic means and services exempt from any prior formality.)

 

The privacy watchdog EPIC was enthusiastic about the appeals ruling in Daniel Bernstein's case:

"The U.S. Court of Appeals for the Ninth Circuit ruled on May 6 that federal regulations that prohibit the dissemination of encryption source code violate the First Amendment. The court found that the regulations are an unconstitutional prior restraint on speech because they "grant boundless discretion to government officials" and have "effectively chilled [cryptographers] from engaging in valuable scientific expression." The case was initiated by researcher Daniel Bernstein, who sought government permission to export source code he had written."

Further comments by the Ninth Circuit were read as support for encryption as a tool for protecting privacy:

... « Whether we are surveilled by our government, by criminals, or by our neighbors, it is fair to say that never has our ability to shield our affairs from prying eyes been at such a low ebb. The availability and use of secure encryption may offer an opportunity to reclaim some portion of the privacy we have lost. Government efforts to control encryption thus may well implicate not only the First Amendment rights of cryptographers intent on pushing the boundaries of their science, but also the constitutional rights of each of us as potential recipients of encryption's bounty. . . . [I]t is important to point out that Bernstein's is a suit not merely concerning a small group of scientists laboring in an esoteric field, but also touches on the public interest broadly defined. ... »

 

Meanwhile in Australia, a short report that has not been fully verified says that RSA has opened an Australian office, staffed with well-known SSLeay developers. "Australia's Defence Department had awarded Security Dynamics a licence -- thought to be the first of its type in Australia -- to export uncrackable, commercial versions of SSLeay from the Brisbane centre, and Security Dynamics would use the office as its global export centre for SSL technology, bypassing US military bans."

 

FreeS/WAN - A free IPsec crypto system for extranets. From Salon Magazine, 19 April 99:

On April 14th, the Internet took a giant step toward such a future after the release of FreeS/WAN 1.0, a free software program aimed at facilitating the secure encryption of data on the Net. It's the brain-child of two libertarian philanthropists, at least one of whom, John Gilmore, has long advocated using encryption to resist government intrusions.

As it stands now, FreeS/WAN is designed to run on a computer inserted between a local area network and the Internet. It also requires, according to FreeS/WAN programmer Henry Spencer, "prearrangement" with another network running the software for it to work. But Spencer predicts that FreeS/WAN functionality will eventually be included in software that can run on a single user's computer.

The FreeS/WAN software was written outside of the United States, primarily in Canada, in order to get around U.S. laws that forbid the export of powerful encryption tools. Could the software be, eventually, a tool for making such laws meaningless? That's certainly the hope of its designers. Although not all citizens of cyberspace may regard this sort of crypto-libertarian utopia as the ideal future society, such a future certainly seems more plausible now.

o SALON piece



lambda / arQuemuse
April-May 1999