Computer underground Digest Wed Mar 2, 1994 Volume 6 : Issue 20 ISSN 1004-042X Editors: Jim Thomas and Gordon Meyer (TK0JUT2@NIU.BITNET) Archivist: Brendan Kehoe (He's lurking in the archives now) Acting Archivist: Stanton McCandlish Shadow-Archivists: Dan Carosone / Paul Southworth Ralph Sims / Jyrki Kuoppala Ian Dickinson Clipper Editor: Hank O'Haira CONTENTS, #6.20 (Mar 2, 1994) File 1--Re: File 5--Criticism of CuD post on Virus Contest File 2--Response to Canadian Regulation of BBS (Re CuD 6.18) File 3--Re: "Entrapment Scam" (CuD 6.19) File 4--Computer Science "Security" Seminar?? File 5--Cyberspace against repression: some suggestions File 6--Encryption and Law Enforcement (by Dorothy Denning) Cu-Digest is a weekly electronic journal/newsletter. Subscriptions are available at no cost electronically. To subscribe, send a one-line message: SUB CUDIGEST your name Send it to LISTSERV@UIUCVMD.BITNET or LISTSERV@VMD.CSO.UIUC.EDU The editors may be contacted by voice (815-753-0303), fax (815-753-6302) or U.S. mail at: Jim Thomas, Department of Sociology, NIU, DeKalb, IL 60115. Issues of CuD can also be found in the Usenet comp.society.cu-digest news group; on CompuServe in DL0 and DL4 of the IBMBBS SIG, DL1 of LAWSIG, and DL1 of TELECOM; on GEnie in the PF*NPC RT libraries and in the VIRUS/SECURITY library; from America Online in the PC Telecom forum under "computing newsletters;" On Delphi in the General Discussion database of the Internet SIG; on RIPCO BBS (312) 528-5020 (and via Ripco on internet); and on Rune Stone BBS (IIRGWHQ) (203) 832-8441. CuD is also aaailable via Fidonet File Request from 1:11/70; unlisted nodes and points welcome. UNITED STATES: etext.archive.umich.edu (141.211.164.18) in /pub/CuD/ [etext.archive.umich.edu aql.gatech.edu (128.61.10.53) in /pub/eff/cud/ EUROPE: nic.funet.fi in pub/doc/cud/ (Finland) [nic.funet.fi does NOT have phrack either] ftp.warwick.ac.uk in pub/cud/ (United Kingdom) COMPUTER UNDERGROUND DIGEST is an open forum dedicated to sharing information among computerists and to the presentation and debate of diverse views. CuD material may be reprinted for non-profit as long as the source is cited. Authors hold a presumptive copyright, and they should be contacted for reprint permission. It is assumed that non-personal mail to the moderators may be reprinted unless otherwise specified. Readers are encouraged to submit reasoned articles relating to computer culture and communication. Articles are preferred to short responses. Please avoid quoting previous posts unless absolutely necessary. DISCLAIMER: The views represented herein do not necessarily represent the views of the moderators. Digest contributors assume all responsibility for ensuring that articles submitted do not violate copyright protections. ---------------------------------------------------------------------- Date: 28 Feb 94 13:57:26 GMT From: frisk@COMPLEX.IS(Fridrik Skulason) Subject: File 1--Re: File 5--Criticism of CuD post on Virus Contest A poster in CuD #6.19 wrote: >I even created a virus or two in my years of computing, but never with >the purpose of trying to harm another user's system! I create them only >for testing purposes, and when I find one that fails a scanned test, I >forward it to the company that created the anti-virus software. Do you really think you are doing anybody a favour by doing that ? Anti-virus companies already receive on the average 7 new viruses per day right now...we really don't need any more. >My main concern on this issue is will this company (American Eagle) >forward all the viruses to all the possible anti-virus companies? If >they don't then this is considered an illegal activity. No. Whether the viruses are sent-to anti-virus companies or not does not matter, with respect with respect to legality... the questions to consider are: 1) is virus-writing illegal ? 2) is encouraging virus-writing illegal ? 3) does submitting a virus to a "competition" make the author liable if the virus ever spreads "into the wild". >**NOTE: It is ok to write a virus for your own use, but illegal if >someone else gets your program and causes damage** possibly, possibly not - it depends on where in the world you are, and in the US, in which state you are in, and computer crime laws vary significantly from one state to another. -frisk Fridrik Skulason Frisk Software International phone: +354-1-617273 Author of F-PROT E-mail: frisk@complex.is fax: +354-1-617274 ------------------------------ From: John_Stevenson@MAGIC-BBS.CORP.APPLE.COM Date: Sat, 26 Feb 1994 14:27:23 EST Subject: File 2--Response to Canadian Regulation of BBS (Re CuD 6.18) I should not have been taken aback to hear that my rather hastily written reply to Lord Qorthon's post concerning possible regulation of BBSes in Canada ended up getting published in the CUDigest. Nor should I be upset that some questionable assertions about the history of broadcasting or FCC regulation of radio have been called into question. However, I am afraid I must disagree with bigsteve@DORSAI.DORSAI.ORG(Steve Coletti) on a couple of points. My attempt to give a general overview of the reason for the creation of the CBC and CRTC should not be taken as exhaustive. The 1920s did see the Canadian government concerned about American content on Canadian radio stations. Indeed, the CBC was modeled after the BBC, and had the right to both broadcast _and_ regulate licences. Whether these licences came through the post office or not (and I haven't come across this in my research) the CBC retained control over the sector as a whole, requiring commercial stations to become CBC affiliates and present CBC programming to certain quotas. Insofar as "control" of stations was concerned, there was a concern that Canadian stations would become affiliates of American networks such as NBC and CBS in the 1920s. Ownership was another issue altogether, and became the province of the CRTC when it came into existence in the 1960s. I'm afraid Steve is incorrect concerning Canadian content regs. The CRTC has never required that any broadcaster in Canada present "mostly Canadian content". Canadian content for music programming was established in the early 1970s at somewhere around 20%, and was only recently raised to 30%. This had very little to do with American pressure and everything to do "subsidizing" the Canadian music industry. > Only those persons who have to monitor or control the transmitter >needs some sort of certification. You no longer need a license to read >the meters or turn the transmitter off in an emergency, or on if the >Chief Engineer tells you to. This is done by a permit. You fill out >the form, the C.E. signs it, you mail it to the FCC with a processing >fee, ($5.00?), and you are a flunky. You can bet most of your famous on >air personalities and not allowed near a transmitter and therefore don't >need a license or operator permit. Steve's point concerning the "restrictiveness" of American licencing is well taken. However, in recent conversations with community broadcasters in the US, I have been told that if the on-air DJ is the individual "in control" of the transmitter, they must have a licence. I assume this means having the ability to turn the transmitter on and off in case of harmful interference with aviation and navigation radio systems. There was a proposal, long dead now from what I understand, to charge $35 for these licences. This would have caused quite a problem for volunteer-run stations, where the staff would have been asked to pay to be on the air. Here in Canada, you don't need a licence of any kind to be "the DJ who is also in control of the transmitter". There is a fairly large non-commercial radio sector here, with many stations programmed by volunteers. A typical campus station, for example, might have more than 100 people who at one time or another during the week have control of the transmitter. I would expect that keeping track of all these folks and there friends who might fill in for them would be a pain in the ass. As well, the CRTC does not fine people - for anything. The FCC, in contrast, has a long list of fines for various technical and other reg violations. The "seven words" are an example - we don't have to worry about them in Canada. I've had complaints at my station about some "objectionable" material that has been _defended_ by the CRTC. Those FCC fines could cripple a small noncommercial station. Oh well, you folks don't have Canadian content, POPs, max repeat factors and the like. Eye of the beholder, I guess! > What is unfortunate is that while the "standards" for broadcasting may >attempt to regulate morality, the division of the regulatory body that >issues those rules is a separate entity from the one that regulates the >wire/fiber based telecommunications industry. Each set their own rules >and penalties. While it may be illegal to "broadcast" something >indecent, there is nothing stopping you from being a foul mouth over a >private telephone conversation, analog or data, in either country's >regulations. This is an excellent point. In Canada, these two areas are quite distinct within the CRTC. > Instead of having anxiety attacks the next time a BBS's regulation fee >is proposed or rumored, we should all begin to think that it will be >inevitable and how we would like the money to be spent. Before the >commercial users try to legislate the local BBS out of business, just >like the cell phone industry made it illegal for radio scanners to tune >in the cellular band, we might want to beat them to the punch and have >some sort of self perpetuating small BBS support system in place they >can't stop. Maybe regulation is a good thing, if we can do it right. I am very skeptical about the possibility of BBS regulation in Canada at the moment, as I think I made clear in my reply to the Lord's post. Afterall, where is the pressing public need to regulate BBSes? We are not dealing with a broadcast spectrum of limited size, requiring a careful allocation of the resource. Unlike other media, the audience for BBSes is growing but still quite small. Aren't current laws against, say, distributing illegal material (such as certain kinds of pornography) or pirated software enough? As I raised in my reply, how much would it cost to keep on top of the "illegal" boards? It all seems like too much trouble for overburdened Canadian regulators. ------------------------------ Date: Mon, 28 Feb 1994 02:48:42 -0600 (CST) From: Bob Socrates Subject: File 3--Re: "Entrapment Scam" (CuD 6.19) re: entrapment scam I came across a similar thing on the Macintosh side of the world. I bought a programming language called Prograph CPX. Instead of the typical Business Response card where you fill out a survey and list your reg# etc, they sent along a registration disk (which is processed by a separate company, not Prograph International -- something like MultiMedia Works or some-such). Well, you do all the stuff you -have- to do in order to register this product. Then, using a quick scan with Resedit, I found an invisible file called 'Exploding Pink Poodles' which listed the majority of desk-accessories and inits I had running on my machine. Personally, I think that since I simply wanted to register this program, and was not participating in a voluntary survey, I believe this is an invasion of my privacy. I quickly delete the file, then mailed the disk in. ------------------------------ Date: Mon, 28 Feb 1994 12:59:04 -0800 (PST) From: tomj@WPS.COM(Tom Jennings) Subject: File 4--Computer Science "Security" Seminar?? Unsolicited junkmail received today. I almost tossed it. It's a three-fold, two-color card, impossible to reproduce correctly in ASCII, but I'll do the best I can. It's worth looking over (for all the wrong reasons). Your employees may be cyber terrorists! I wonder whose BBS is about to become famous... I'll wait for the movie, thanks. JUNKMAIL FLYER RECEIVED TODAY: INSTITUTE OF DATA SECURITY & INTEGRITY Box 249 Washington DE 19899-0249 (DE not DC) VOICE: 1-800-351-5888 FAX: 1-302-762-6411 "THE DARK SIDE OF COMPUTER TECHNOLOGY" information assets at risk An in depth seminar you can't afford to miss. (*) Computer Underground releases 250 viruses targeting anti-virus software [tj: their capitalization] (*) Air Force Institute of Technology study proves scanner technology can't cope with the real threat (*) Deadly stealth and polymorphic viruses cost companies billions. (**) THE Computer Underground Exposed ...an in-depth seminar. "A quality education opportunity: (*) Everyone is telling you something different!!! Some "experts" and OEMs are saying the virus threat is all hype and the work of mischievous adolescents. Find out the truth!!! Know what the real threat is and who contributes to the astronomical number of viruses currently in existence. Figures can be deceiving. Look into the heart, mind and arsenal of the enemy!!! IDSI is presenting the most in depth seminar on computer viruses in the PC environment. The development of progressively more sophisicated viruses continues to accelerate at a phenomenal rate. Today, powerful new strains of viruses -- stealth, polymorphic, the Dark Avenger Mutation Engine, do it yourself virus kits -- present a sinister threat to the computing world. This is not the run of the mill classroom type seminar. You will see real screens from an undergrounds virus bulletin board and the demonstration of the same cirus creation software widely available to cyber terrorists, as well as to your own employees. FACULTY: Joe Piazza, CDRP (footnote *) (Certified Disaster Recovery Planner) Mr. Piazza's background includes internal loss prevention, security systems, card access, closed circuit television, data storage, information management, electronic vaulting, LAN disaster avoidance and recover, and business contingency planning. Mr. Piazza has been a key faculty member for seminars or symnposiums at: ISSA, Baltimore PC EXPO, Temple Univ., DVDRIEG, MADRA, PHMA (Penn. Health Info. Mgt. Assoc.), AHIMA (Assoc. of Hosp. Info. Mgt & Admin) (* footnote) In the event the scheduled presenter is unavailable due to extraordinary conditions, a speaker of comparable expertise may be substituted. YOURS FOR ATTENDING: (*) COmplete presentation in hard copy. (*)NCSA (Nat'l Comp. Sec. Assoc) newsletter and membership application. (*) List of reference material and pubs. (*) Certificate of attendance. REGISTRATION INFORMATION: blah blah blah... name date etc $159 (Place/dates: Mar 7 - Apr 22) ------------------------------ Date: 24 Feb 1994 11:44:39 U From: "Brian Martin" Subject: File 5--Cyberspace against repression: some suggestions ((MODERATORS' NOTE: Brian Martin sends the following post over for comment. It's part of an on-going project, and he's looking for substantive feedback to help shape the ideas and suggestions. Readers can reply to him directly)). CYBERSPACE AGAINST REPRESSION: SOME SUGGESTIONS PREAMBLE Communications are crucially important in nonviolent resistance to repression, which includes intimidation, imprisonment, torture and murder by governments. Network means of communication, including telephone, short-wave and CB radio as well as computer networks, are generally best for a popular nonviolent resistance to aggression and repression. Mass media, by contrast, actually make it easier for an aggressor to take power; they are often the first targets for takeover in a coup. Computer networks can be used to send alerts about human rights violations, to mobilise opposition to oppressors and to provide information to activists. In addition, computer networks themselves may need to be defended against repressive governments. AIM To prepare computer networks and users to maintain open communication channels that can be used against repression. SUGGESTED PRINCIPLES * All methods used should be nonviolent. * Suitable action should be worked out by the participants, not by uncritical adherence to rules. The key is the aim of ending repression. Tee points below are suggestions only. SUGGESTIONS FOR INDIVIDUAL ACTION * Make back-ups of all crucial information, including data and addresses. Keep copies in secure places, perhaps including another country. * Build trust with others, near and far. Trusted others are the most reliable allies in action against repression. * Learn and practise encryption. * Use other media besides computer networks, such as telephone, short-wave radio, fax and face-to-face discussions! Don't rely on a single communications medium. * Set up contingency plans for what you will do in case of an emergency, either a threat to you or a threat to someone else. Practise using them. SUGGESTIONS FOR COLLECTIVE ACTION * Work with system administrators and others to configure local computer systems in the most suitable way to oppose repression, ensure access, deal with emergencies, etc. * Liaise with groups opposing repression, such as Amnesty International. * Organise workshops and discussion groups on learning networking skills, including both technical and social dimensions. * Set up contingency plans with others you trust for action in case of an emergency. Run simulations. * Push for network-wide policies that help struggles against repression, such as secure encryption, facilities available to the public (for example, in libraries), user-friendly technologies and low prices for basic services and equipment. * Link network actions with other actions against repression, including rallies, boycotts, strikes, etc. REFERENCES Schweik Action Wollongong. "Telecommunications for nonviolent struggle," Civilian-Based Defense: News & Opinion, Vol. 7, No. 6, August 1992, pp. 7-10. (available electronically on request from b.martin@uow.edu.au) Brian Glick, War at Home: Covert Action against U.S. Activists and What We Can Do about It (Boston: South End Press, 1989). CONTACT Send comments to Brian Martin, Department of Science and Technology Studies, University of Wollongong, NSW 2522, Australia, phone: +61-42-287860 home, +61-42-213763 work, fax: +61-42-213452, e-mail: b.martin@uow.edu.au. This version 24 February 1994. ------------------------------ Date: Wed, 2 Mar 94 16:29:46 EST From: denning@CHAIR.COSC.GEORGETOWN.EDU(Dorothy Denning) Subject: File 6--Encryption and Law Enforcement (by Dorothy Denning) ((MODERATORS' NOTE: We invited Dorothy Denning to respond to our critique of the Newsday piece, but her time constraints may not allow it. She did, however, send over the following article on "Encryption and Law Enforcement" that elaborates her position. We remind readers that there is considerable room for honest disagreement on Clipper, and people can support it with the same honorable motives that others of us oppose it. The CuD editors remind those who disagree with Dorothy the personal attacks on her are quite unjustified. Those who have been involved in the "computer underground" over the years recognize that she has been a major force in attacking injustice and false stereotypes and has spoken out when others were silent. She raises questions and issues. We, the opponents of Clipper, can address them. Her points, as are our criticisms, are legitimate, and we thank her for raising them.)) Encryption and Law Enforcement Dorothy E. Denning Georgetown University February 21, 1994 Summary Although encryption can protect information from illegal access, it can also interfere with the lawful interception of communications by government officials. The goal of this report is to describe the effect of encryption technology and the government's new Escrowed Encryption Standard [EES] on law enforcement, mainly from the perspective of law enforcement. The information presented here was obtained from public documents and testimonials by law enforcement officials, from private conversations with people in the FBI and other law enforcement agencies, and from comments I received by people in law enforcement on an earlier version of this report. Some of this research was performed in conjunction with my earlier study of the FBI's proposal on Digital Telephony [DT, Denning]. The following summarizes the key points, which are discussed in greater depth in the sections that follow: 1. The need for wiretaps: Court-authorized interception of communications is essential for preventing and solving many serious and often violent crimes. Electronic surveillance not only provides information that often cannot be obtained by other means, but it yields evidence that is considerably more reliable and probative than that obtained by most other methods of investigation. No other investigative method can take its place. 2. The threat of encryption to lawful surveillance: Because encryption can make communications immune from lawful interception, it threatens a key law enforcement tool. The proliferation of high quality, portable, easy-to-use, and affordable encryption could be harmful to society if law enforcement does not have the means to decrypt lawfully intercepted communications. Although encryption of stored files is also of concern, 99% of the issue is telephone communications (voice, fax, and data). 3. Digital Telephony: Encryption is not the only threat to lawful electronic surveillance. Advances in telecommunications also threaten the ability of law enforcement to conduct authorized interceptions. 4. Encryption policy and the EES: The government's Escrowed Encryption Standard offers a balanced solution to the encryption problem that takes into account the equities of public safety, effective law enforcement, and national security along with those of privacy, security, and industry success. The technology and accompanying procedures provide strong encryption and a high level of security, while accommodating the need for real-time or near real-time decryption of intercepted communications. The program is the best known solution, at least for the intended initial application, mainly voice, fax, and data encryption over the public switched network. 5. Criminal use of Non-EES Encryption: Although some criminals may seek to use other forms of encryption, the escrowed encryption standard may succeed and become ubiquitous as the chief form of encryption, making it much harder for criminals to evade interceptions by using non-standard, non-interoperable encryption. 6. International problem: The impact of encryption on law enforcement is an international problem. The U.S. government exercised strong leadership by recognizing the problem and developing a solution before it becomes serious. 1. The Need for Wiretaps Law enforcement views court-authorized interception of communications as essential for preventing and solving many serious and often violent crimes, including terrorism, organized crime, drugs, kidnaping, major white collar crime brought against the government, and political corruption [DT, DT Cases, Kallstrom]. In testimony before the Computer Systems Security and Privacy Board, James Kallstrom, former Chief of the FBI's Engineering Section, estimated that wiretaps are used in excess of 90% of all cases involving terrorism, often with the result of preventing a terrorist act. For example, in a Chicago case code-named RUKBOM, the FBI successfully prevented the El Rukn street gang, which was acting on behalf of the Libyan government, from shooting down a commercial airliner using a stolen military weapons system [Kallstrom, DT Cases]. Examples of other terrorist attacks successfully prevented with the help of electronic surveillance include the bombing of a foreign consulate in the U.S. and a rocket attack against a U.S. ally. Electronic surveillance is used against organized crime, widespread fraud, bribery, and extortion. It was used to help solve a case involving corruption associated with organized crime control of the International Longshoremen's Union, which cost the citizens of New York city 10-12 cents on every dollar spent on consumer items coming through the port of New York, and to help solve another case involving organized crime control over the construction trade of New York City, which had led to 3-5% of all construction contracts being escalated by that percentage [Kallstrom]. Evidence obtained from electronic surveillance in a case involving the Concrete and Cement Workers Union prevented an economic loss to the public of $585 million [DT Cases]. According to the FBI, the hierarchy of La Cosa Nostra has been neutralized or destabilized through the use of electronic surveillance, and thirty odd years of successes would be reversed if the ability to conduct court-authorized electronic surveillance was lost. Almost two thirds of all court orders for electronic surveillance are used to fight the war on drugs, and electronic surveillance has been critical in identifying and then dismantling major drug trafficking organizations. In an operation code named "PIZZA CONNECTION," an FBI international investigation into the importation and distribution of $1.6 billion worth of heroin by the Sicilian Mafia and La Cosa Nostra resulted in the indictment of 57 high-level drug traffickers in the U.S. and 5 in Italy [DT Cases]. The FBI estimates that the war on drugs and its continuing legacy of violent street crime would be substantially, if not totally, lost if law enforcement were to lose its capability for electronic surveillance. Wiretaps are used for cases involving murders and kidnapings. As the result of wiretaps, sufficient evidence was obtained to arrest and convict a serial-murderer who had been operating for three to four years, and to locate and subsequently convict two other persons who had been involved with the murders [DT Cases]. By intercepting voice, fax, and communications on a local bulletin board system, the FBI prevented the proposed kidnaping and murder of a young child for the purpose of making a "snuff murder" film [Kallstrom]. Through wiretaps, the FBI prevented a group from bombing a man's house and killing him and his family [Kallstrom]. Electronic surveillance has been used to investigate aggravated governmental fraud and corruption. A recent military-procurement fraud case ("Ill-Wind") involving persons in the Department of Defense and defense contractors has so far led to 64 convictions and about $260 million in fines, restitutions, and recoveries ordered. In another case, U.S.District Court Judge Robert Collins was convicted of soliciting and accepting bribes [DT Cases]. John Kaye, Prosecutor for Monmouth County, New Jersey, reported that almost every police officer indicted in his county has been indicted because of a wiretap [Kaye]. In the decade from 1982 to 1991, state and federal agencies were granted 7,467 court orders for interceptions under Title III of the Omnibus Crime Control and Safe Streets Act and equivalent state statutes. At the end of 1991, these had led to 35,851 arrests and 19,259 convictions. Convictions resulting from interceptions conducted in the last few years are still accumulating, as trials regarding those subjects are held. Because the number of arrests associated with wiretaps is a small fraction of all arrests each year, some people have questioned whether wiretaps are necessary or worthwhile given the availability of other investigative techniques. By law, wiretapping cannot be used if other methods of investigation could reasonably be used instead. Such normal investigative methods usually include visual surveillance, interviewing subjects, the use of informers, telephone record analysis, and Dialed Number Recorders (DNRs). However, these techniques often have limited impact on an investigation. Continuous surveillance by police can create suspicion and therefore be hazardous; further, it cannot disclose the contents of telephone conversations. Questioning identified suspects or executing search warrants at their residence can substantially jeopardize an investigation before the full scope of the operation is revealed, and information can be lost through interpretation. Informants are useful and sought out by police, but the information they provide does not always reveal all of the players or the extent of an operation, and great care must be taken to ensure that the informants are protected. Moreover, because informants are often criminals themselves, they may not be believed in court. Telephone record analysis and DNRs are helpful, but do not reveal the contents of conversations or the identities of parties. Other methods of investigation that may be tried include undercover operations and stings. But while effective in some cases, undercover operations are difficult and dangerous, and stings do not always work. Law enforcers claim that no other method can take the place of wiretaps [Kallstrom]. Each court order must provide evidence for the need to wiretap by demonstrating that normal investigative procedures have been tried and have failed or reasonably appear unlikely to succeed or would be too dangerous [USC 18, DDKM]. This does not mean that the other methods are not used in those cases, as indeed they are, but only that they are inadequate to successfully investigate and prosecute the cases. Wiretaps not only provide information that cannot be obtained by other means, but yield evidence that is considerably more reliable and probative than that obtained by most other methods of investigation. A wiretap is also less dangerous than sending in a civilian informant or undercover agent who is wired since the risk of discovery puts that person's life in jeopardy. Finally, a wiretap may be less invasive of privacy than placing a bug in a subject's home or using an undercover agent to establish an intimate relationship with the subject. Although the number of arrests from wiretaps is relatively small compared to the total of all arrests, those criminals that are arrested and convicted with the aid of wiretaps are often the leaders of major organized crime, drug trafficking, and terrorist groups. In reviewing a proposal for a wiretap, law enforcement agencies determine whether the subjects of the proposed interception are worthy targets of investigation and whether the interception is worth doing. The law enforcement community views electronic surveillance as essential to effective law enforcement, and law enforcement as essential not only to public safety and our economic well-being, but to a free society. In his remarks at the Computer Ethics Conference, Alan McDonald of the FBI summed it up: "We have been fortunate as a society to enjoy unparalleled freedom. It has resulted because we live under a compact of ordered liberty. One need only consider the number of countries where law enforcement is ineffective and where the violence and corruption of organized crime reign to see true diminishments of freedom, liberty, and personal privacy" [McDonald]. 2. The Threat of Encryption to Lawful Surveillance Encryption has been available to criminals for a long time. Until recently, however, voice encryptors were extremely bulky and the quality of the voice low, so criminals who tried encryption would typically cease using it [Kallstrom]. But recent advances in encryption technology are leading to products such as the AT&T 3600 Telephone Security Device that are small, portable, easy-to-use, affordable, and have high quality audio. Law enforcers expect that criminals will flock to such devices, not only to hide their communications from the government, but to safeguard them from their competitors [Kallstrom, Meeks]. The effect could be that criminals are able to make their communications immune from government search and seizure even under probable cause of criminal activity. The proliferation of such encryption products ultimately could be harmful to society if government officials do not have the means to decrypt lawfully intercepted communications, at least in most cases. On behalf of the National District Attorney's Association, President Robert Macy writes: "In an increasingly dangerous world, law enforcement cannot afford to be blindfolded by advanced technologies including encryption devices" [Macy]. Roy Kime, Legislative Counsel for the International Association of Chiefs of Police, makes the analogy that people in law enforcement are being "outgunned" by the criminals with respect to advances in technology [Kime]. In testimony before Congress, Donald Delaney, Senior Investigator with the New York State Police, said he believed that if we adopted an encryption standard that did not permit lawful intercepts, we would have havoc in the United States [Delaney]. Although there are no "dead bodies" as yet, Kallstrom believes there will be a "horror show" if the encryption tht proliferates in the market does not factor in an equity for law enforcement [Kallstrom]. Criminals can use encryption to conceal stored information as well as communications. In a child pornography case on the West coast, encrypted data files have slowed down the investigation of a large international ring dealing with child pornography and the possible smuggling of children [Kallstrom]. However, although law enforcement is concerned about the use of encryption to conceal computer files, their primary concern is with communications, particularly telephone conversations. This is because intercepts play a much more important role in investigations than documents. Real-time intercepts pick up the criminal dialogue, the plotting and planning that glues crimes together. By revealing conversations about possible future activities, wiretaps also may be used to prevent crimes from occurring. Thus, while being able to decrypt files is valuable, 99% of the issue today is telephone conversations [Kallstrom]. In addition, while communications over high speed computer networks are expected to become an issue, the primary concern today is with voice, fax, and data over the public switched network (telephone system). 3. Digital Telephony Encryption is not law enforcement's only concern about wiretaps. They are also concerned about changes in telecommunications technologies. Many of the new digital-based technologies and services such as ISDN, fiber optic transmissions, and the increasing number of mobile telecommunication networks and architectures cannot be tapped using the traditional methods usedto intercept analogue voice communications carried over copper wire. In addition, increases in transmission speed have made interceptions more difficult. Although it is technically feasible to intercept the new communications, not all systems have been designed or equipped to meet the intercept requirements of law enforcement. According to the FBI, numerous court orders have not been sought, executed, or fully carried out because of technological problems. To address these problems, the Department of Justice proposed Digital Telephony legislation [DT] that would require service providers and operators to meet their statutory assistance requirements by maintaining the capability to intercept particular communications. So far, the proposal has not been introduced in Congress. 4. Encryption Policy and the EES Law enforcement seeks an encryption policy that takes into account the equities of public safety, effective law enforcement, and national security along with those of privacy, security, and industry success [Kallstrom]. They support the use of encryption by law abiding citizens and organizations to protect sensitive information, and recognize the importance of encryption to safeguarding information assets [Settle]. They generally favor strong encryption over weak or "dumbed down" encryption [Kallstrom]. To implement lawful interceptions of encrypted communications, they need a real-time or near real-time decryption capability in order to keep up with the traffic and prevent potential acts of violence. Since there can be hundreds of calls a day on a tapped line, any solution that imposes a high overhead per call is impractical. These requirements for strong encryption and near real-time decryption led to the Escrowed Encryption Standard [EES] and its related key escrow system. Upon receiving a chip's unique key components from the two escrow agents, law enforcers can readily decrypt all conversations encrypted with the chip until the wiretap terminates, at which time all chip-related keys are destroyed. The escrow agents need not get involved in the decryption of each conversation, which would be overly cumbersome. Law enforcers consider the EES to be the best known approach for addressing the dual need for secure communications and court-ordered access, at least for the intended initial application, namely voice, fax, and data encryption of telephone communications transmitted over the public switched network. The EES will significantly enhance communications security by making strong encryption available in a way that makes illegal wiretaps virtually impossible, while permitting those that are lawfully authorized. The key escrow mechanisms and procedures are being designed to provide a high level of protection for keys and to protect against compromises or abuses of keys, thereby assuring that no person or entity, including government, can improperly access one's EES communications. Although there is no evidence of widespread abuse of wiretaps by law enforcement officials, the EES will effectively thwart any potential abuse, thereby providing greater protection from illegal government wiretaps than currently exists. The Presidential Decision Directive [PDD] on escrowed encryption is viewed as offering a balanced solution to the encryption problem that is consistent with basic tenets found in the Constitution and in the Bill of Rights, which does not grant an absolute right to privacy, but rather seeks to balance individual privacy with the need to protect society as a whole [McDonald]. William A. Bayse, Chief Scientist of the FBI, observed: "It is well recognized that Anglo-American law has historically balanced the personal privacy of the individual with the legitimate needs of Government. ... As can be seen from a review of the Fourth Amendment to the U.S. Constitution ..., an individual's privacy rights are not absolute, and they give way to more compelling Governmental rights when criminality is demonstrated or suspected." [Bayse]. Similarly, Alan McDonald noted "... the dictum of the Bill of Rights, and the Fourth Amendment in particular, is a balance between individual liberty and privacy and the legitimate need of Government to protect society as a whole -- a balance to prevent the tyranny of absolutist Government and the tyranny of lawlessness and anarchy. ... The electronic surveillance statutes, like the Fourth Amendment, are founded on the concept of balancing fundamental individual and governmental interests -- personal privacy and the public safety. ... Encryption technology creates no legal rights under our Constitution, the Fourth Amendment, or under our electronic surveillance statutes" [McDonald]. 5. Criminal Use of Non-EES Encryption Some people have argued that criminals will not use EES, but rather will use encryption methods that defeat law enforcement. While acknowledging that some criminals may use other means, law enforcers assume most vendors will not manufacture an encryption device unless they perceive a large, legal market [Kallstrom]. The hope is that the EES, or some other approach that takes into account the law enforcement equities, will proliferate in the legitimate encryption market in this country and become transparent, thereby cutting down on the availability and use of encryption that does not include the law enforcement equities [Kallstrom]. There is some evidence that through market forces and government purchasing power, the EES may become the de facto national standard for telephone encryption. When AT&T announced its 3600 Telephone Security Device in Fall 1992, the device used a DES chip for encryption, and did not include a capability for law enforcement access. Priced at $1200, it would have been attractive to criminals, and could have led to the promulgation of encryption technology that would have posed a major threat to law enforcement. However, when the government announced the key escrow initiative on April 16, 1993, AT&T simultaneously announced that the TSD would use instead the new Mykotronx MYK-78 chip, aka "Clipper", which uses the EES. The government ordered several thousand of the modified devices. Since EES products can be exported to most places, there is an additional incentive for vendors to incorporate the EES into their products rather than, say, the DES, which is subject to stricter export controls. However, there are other factors relating to the nature of the technology and to public acceptance that could interfere with widespread adoption of EES by vendors. Criminals need to talk with many people outside their circle in order to carry out their activities, for example to rent or purchase needed goods and services. To conduct those conversations, which may be incriminating, they will either need to use an encryption method identical to that used by the other parties or else forego encryption entirely. Assuming EES dominates in the legitimate market, criminals may prefer to use it over communicating in the clear since the EES will at least protect them from their competitors. Criminals are often sloppy in protecting their conversations from law enforcement, making incriminating statements over the phone while acknowledging their phones may be tapped. Even if criminals do not use the EES, the government's objective of making strong encryption available to the public in a way that is not harmful to society will be achieved. Criminals will not be able to take advantage of the strong algorithm to thwart law enforcement. Since it is extremely difficult to develop high quality, strong encryption products, law enforcement may be able to access many non-EES encrypted criminal communications. 6. An International Problem The impact of encryption on effective law enforcement is an international problem, and U.S. law enforcers have observed other countries looking at solutions based on "dumbing down" the encryption or on key escrow. The U.S. government exercised strong leadership by recognizing the problem and developing a solution before it became serious. While the U.S. solution will not necessarily provide an international solution, it as a starting point for solving a global problem. References [Bayse] Bayse, William A., Written statement presented at Part I of the Forum on Rights and Responsibilities of Participants in Networked Communities, panel on Privacy and Proprietary Interests, Computer Science and Telecommunications Board, National Research Council, October 1992. [Delaney] Delaney, Donald P., statement in "Hearings before the Subcommittee on Telecommunications and Finance of the Committee on Energy and Commerce, House of Representatives," June 9, 1993; Serial No. 103-53, pp. 163-164. [DDKM] Delaney, Donald P; Denning, Dorothy E.; Kaye, John; and McDonald, Alan R., "Wiretap Laws and Procedures: What Happens When the Government Taps a Line," September 23, 1993; available from Georgetown University, Department of Computer Science, Washington DC, or by anonymous ftp from cpsr.org as cpsr/privacy/communications/wiretap/ denning_wiretap_procedure.txt. [EES] "Escrowed Encryption Standard," Federal Information Processing Standard Publication (FIPS PUB) 185, National Institute for Standards and Technology, 1994. [Denning] Denning, D. E., "To Tap or Not to Tap," Comm. of the ACM, Vol. 36, No. 3, March 1993, pp. 25-35, 42-44. [DT] "Digital Telephony," U.S. Department of Justice, Federal Bureau of Investigation. [DT Cases] "Digital Telephony Case Examples," distributed with press packet for Presidential Decision Directive on "Public Encryption Management." [Kallstrom] Kallstrom, James K., Presentation at the Computer System Security and Privacy Advisory Board Meeting, National Institute of Standards and Technology, July 29, 1993. [Kaye] Kaye, John, Presentation at the Computer System Security and Privacy Advisory Board Meeting, National Institute of Standards and Technology, July 29, 1993. [Kime] Kime, Roy, Presentation at the Computer System Security and Privacy Advisory Board Meeting, National Institute of Standards and Technology, July 29, 1993. [Macy] Macy, Robert H., Letter submitted to the Computer System Security and Privacy Advisory Board on behalf of the National District Attorneys Association for June 2-4 Meeting, May 27, 1993. [McDonald] McDonald, Alan R., Written statement presented at 2nd National Computer Ethics Conference, April 29, 1993. [Meeks] Meeks, Bud, Presentation at the Computer System Security and Privacy Advisory Board Meeting, National Institute of Standards and Technology, July 29, 1993. [PDD] Presidential Decision Directive on "Public Encryption Management," and Statement by the Press Secretary, The White House, April 16, 1993. [Settle] Settle, James C., Presentation at INFOEXPO '93, Information Security and Virus Prevention Conference and Exhibition, National Computer Security Association, June 11, 1993. [USC 18] Title 18 USC, Sections 2510-2521. (These sections codify Title III of the Omnibus Crime Control and Safe Streets Act of 1968, as amended by the Electronic Communications Privacy Act of 1986.) ------------------------------ End of Computer Underground Digest #6.20 ************************************