Computer underground Digest    Sun  Mar 9, 1997   Volume 9 : Issue 17
ISSN 1004-042X

Editor: Jim Thomas (cudigest@sun.soci.niu.edu)
News Editor: Gordon Meyer (gmeyer@sun.soci.niu.edu)
Archivist: Brendan Kehoe
Shadow Master: Stanton McCandlish
Shadow-Archivists: Dan Carosone / Paul Southworth
                   Ralph Sims / Jyrki Kuoppala
                   Ian Dickinson
Field Agent Extraordinaire: David Smith
Cu Digest Homepage: http://www.soci.niu.edu/~cudigest

CONTENTS, #9.17 (Sun, Mar 9, 1997)

File 1--Computer Security Script and Software Database
File 2--EFF-Online 10.02-Burns introduces new Pro-CODE Crypto Bill
File 3--Open Internet Policy Principles
File 4--Cu Digest Header Info (unchanged since 13 Dec, 1996)

CuD ADMINISTRATIVE, EDITORIAL, AND SUBSCRIPTION INFORMATION APPEARS IN THE CONCLUDING FILE AT THE END OF EACH ISSUE.

---------------------------------------------------------------------

Date: Wed, 5 Mar 1997 11:01:26 -0600 (CST)
From: "Scott A. Davis"
Subject: File 1--Computer Security Script and Software Database

On March 13, 1997, The Banzai Institute will make available a Computer Security Script and Software Database. Initially, there will be over 600 scripts and programs available that will allow system admins to test the weakness of the networks and systems that they are responsible for. Any and all information provided in this database is distributed for INFORMATION AND EDUCATIONAL PURPOSES ONLY.

You can sign up now and have your account activated on the same day the database opens by visiting our home page!

www.banzai-institute.org/sdavis for PGP Public Key (ALL SECURE MESSAGES)

------------------------------

Date: Thu, 27 Feb 1997 22:22:00 -0800 (PST)
From: Stanton McCandlish
Subject: File 2--EFF-Online 10.02-Burns introduces new Pro-CODE Crypto Bill

EFFector Vol. 10, No. 02 Feb.
27, 1997 editor@eff.org
A Publication of the Electronic Frontier Foundation ISSN 1062-9424

* See http://www.eff.org/hot.html or ftp.eff.org, /pub/Alerts/ for more information on current EFF activities and online activism alerts! *

----------------------------------------------------------------------

Subject--Pro-CODE Bill Announced Today: Free Crypto From Cold-War Regs
-----------------------------------------------------------------

Below is a joint advisory from CDT, EFF and VTW about the re-introduction of Sen. Conrad Burns's "Pro-CODE" encryption export deregulation bill. EFF commends Burns and co-sponsors for continuing to raise this issue in Congress, and for their opposition to the Administration's obsolete (and unconstitutional) policies.

Though EFF does not *endorse* this legislation (principally because it may perpetuate a policy of excluding the public from government decision-making on encryption policy), we do recognize and laud the bill as an improvement over the status quo in almost all respects. Pro-CODE would turn the current export process upside down, permitting export of most encryption, and requiring reportage of an encryption program's capabilities only *after* export. The bill also creates no new or redundant crime categories.

PRO-CODE BILL ANNOUNCED TODAY
BILL WOULD LIBERATE ENCRYPTION FROM ANTIQUATED COLD-WAR REGULATIONS

February 27, 1997

Please widely redistribute this document with this banner intact until March 15, 1997

From the Center for Democracy and Technology (CDT), the Electronic Frontier Foundation (EFF), and the Voters Telecommunications Watch (VTW)
________________________________________________________________________
CONTENTS

The Latest News
What You Can Do Now
Background On Pro-CODE
What's At Stake
For More Information / Supporting Organizations
________________________________________________________________________
THE LATEST NEWS

Today, a bi-partisan group of seventeen United States Senators, led by Conrad Burns (R-MT) and Patrick Leahy (D-VT), introduced the "Promotion of Commerce Online in the Digital Era (Pro-CODE) Act", a bill designed to promote privacy and security on the Internet by relaxing government controls on encryption technologies.

Encryption technologies are the locks and keys of the Information age -- enabling individuals and businesses to protect sensitive information as it is transmitted over the Internet. Pro-CODE aims to enable this by removing some of the regulations that currently prevent Americans from using this technology.

A short summary of the bill and background on the encryption policy debate are attached below, along with information on what you can do to help ensure that Congress takes action on this important issue.
________________________________________________________________________
WHAT YOU CAN DO NOW

1. CALL THE Pro-CODE SPONSORS AND THANK THEM FOR THEIR EFFORTS

Members of Congress tend to hear from their constituents only when they do something constituents don't like. Today however, several Senators have taken a stand on an issue of critical importance to Internet users. It's crucial that we encourage them with phone calls of support.
If you live in any of the states listed below, please take a moment to give these Senators a call.

Allard (R-CO)
Ashcroft (R-MO)
Boxer (D-CA)
Brownback (R-KS)
Burns (R-MT)
Craig (R-ID)
Domenici (R-NM)
Dorgan (D-ND)
Faircloth (R-NC)
Grams (R-MN)
Hutchison (R-TX)
Inhofe (R-OK)
Kempthorne (R-ID)
Leahy (D-VT)
Lott (R-MS)
Murray (D-WA)
Nickles (R-OK)
Thomas (R-WY)
Wyden (D-OR)

Please take a moment to give these Senators a call.

You: Senator Mojo's office please!
Sen: Hello, Senator Mojo's office!
You (SAY THIS): I heard that the Senator introduced Pro-CODE to add more privacy on the Internet. Please thank the Senator for me and I support efforts to fix antiquated encryption export laws. I live in .
Sen: Ok, thanks!

2. ADOPT YOUR LEGISLATOR

If you were one of the thousands of people that have adopted their legislator at http://www.crypto.com/, you would have received a personalized letter telling you that your legislator announced his or her sponsorship of Pro-CODE today.

These personalized letters contain all the phone numbers you need, and we'll send them to you any time your legislator takes any action that would have a significant impact on the net.

The Adopt Your Legislator campaign is the most effective method of mobilizing grass-roots support available today. Since late last year, VTW and CDT have been building a network of thousands of Internet users who are active and engaged in the fight for privacy and security on the Internet. By focusing our efforts on the constituents of specific legislators as well as on the net as a whole, we can ensure that members of Congress know that they have support within their district as well as throughout the Internet community.

You can adopt your legislator at http://www.crypto.com/adopt/
________________________________________________________________________
BACKGROUND ON THE PRO-CODE BILL

The Promotion of Commerce Online in the Digital Era (Pro-CODE) Act is similar to a bill introduced by Senators Burns (R-MT) and Leahy (D-VT) last year (then S.1726). Pro-CODE enjoyed broad bi-partisan support in the Senate and was the subject of 3 hearings, including 2 which were cybercast live on the Internet.

This year's Pro-CODE bill (no bill number yet available) is designed to encourage the widespread availability of strong, easy-to-use encryption technologies to protect privacy and security on the Internet.

Specifically, Pro-CODE would:

1. Encourage the widespread availability of strong privacy and security products by relaxing export controls on encryption technologies that are already available on the mass market or in the public domain. This would include popular programs like Pretty Good Privacy (PGP) and World Wide Web browsers like those made by Netscape and Microsoft.

   Current US encryption policy restricts export of encryption products with key-lengths of more than 40 bits. A recent study by renowned cryptographers including Whit Diffie (one of the fathers of modern cryptography), Matt Blaze, and others concluded that 40 bits is "woefully inadequate" to protect personal and business communications. Over the last eighteen months, several examples of the weakness of 40-bit encryption have been demonstrated by college students with spare personal computers.

2. Prohibit the federal government from imposing mandatory key-escrow or key-recovery encryption policies on the domestic market and limit the authority of the Secretary of Commerce to set standards for encryption products.

3. Require the Secretary of Commerce to allow the unrestricted export of other encryption technologies if products of similar strength are generally available outside the United States.

For more information on the Pro-CODE bill, background information on efforts to pass encryption policy reform legislation last year, and other materials please visit:

For more information, see the Encryption Policy Resource Page at http://www.crypto.com/
________________________________________________________________________
WHAT'S AT STAKE

Encryption technologies are the locks and keys of the Information age -- enabling individuals and businesses to protect sensitive information as it is transmitted over the Internet. As more and more individuals and businesses come online, the need for strong, reliable, easy-to-use encryption technologies has become a critical issue to the health and viability of the Net.

Current US encryption policy, which limits the strength of encryption products US companies can sell abroad, also limits the availability of strong, easy-to-use encryption technologies in the United States. US hardware and software manufacturers who wish to sell their products on the global market must either conform to US encryption export limits or produce two separate versions of the same product, a costly and complicated alternative.

The export controls, which the NSA and FBI argue help to keep strong encryption out of the hands of foreign adversaries, are having the opposite effect. Strong encryption is available abroad, but because of the export limits and the confusion created by nearly four years of debate over US encryption policy, strong, easy-to-use privacy and security technologies are not widely available off the shelf or "on the net" here in the US. Because of this policy problem, US companies are now at a competitive disadvantage in the global marketplace.

All of us care about our national security, and no one wants to make it any easier for criminals and terrorists to commit criminal acts.
But we must also recognize encryption technologies can also aid law enforcement and protect national security by limiting the threat of industrial espionage and foreign spying.

What's at stake in this debate is nothing less than the future of privacy and the fate of the Internet as a secure and trusted medium for commerce, education, and political discourse.
________________________________________________________________________
FOR MORE INFORMATION / SUPPORTING ORGANIZATIONS

This alert was brought to you by the Center for Democracy and Technology, the Electronic Frontier Foundation, and the Voters Telecommunications Watch.

http://www.cdt.org
http://www.eff.org
http://www.vtw.org

There are many excellent resources online to get up to speed on the crypto issue including the following WWW sites:

http://www.crypto.com
http://www.privacy.org

Please visit them often.

Press inquiries should be directed to:

Jonah Seiger of CDT at jseiger@cdt.org or +1.202.637.9800
Stanton McCandlish of EFF at mech@eff.org or +1.415.436.9333
Shabbir J. Safdar of VTW at shabbir@vtw.org or +1.917.978.8430 (beeper).
________________________________________________________________________
End alert

--------------------------

From--Conrad Burns
Subject--An Open Letter to the Internet Community from Senator Burns
---------------------------------------------------------

February 27, 1997

Today I am pleased to announce that I have reintroduced legislation to reform US encryption policy in a way that recognizes the realities of the global information infrastructure and the need for strong privacy and security protections on the Internet.

The "Promotion of Commerce Online in the Digital Era (Pro-CODE) Act" would promote the growth of electronic commerce, encourage the widespread availability of strong privacy and security technologies for the Internet, and repeal the cold war-era regulations limiting the export of encryption technologies.
The bill enjoys widespread support from both my Republican and Democratic colleagues and was introduced with 20 cosponsors.

As a fellow Internet user, I am excited by the vast potential of the Net to facilitate new forms of commerce and communication. In order for the Net to reach its potential as a trusted medium for personal communications and proprietary business transactions however, Internet users must have access to strong privacy and security technologies. Yet for years, the federal government has pursued an encryption policy which has limited the availability of privacy and security products -- leaving Internet users and businesses out in the cold.

Last year, the Pro-CODE bill (then S. 1726) received broad bipartisan support in the Senate. Internet users, rallying to the cry of "My Lock, My Key," expressed their support for the bill in meetings members of Congress in live interactive chat sessions. Netizens also participated in the first interactive online Senate hearings and provided valuable testimony for the Committee on this issue.

Yet almost a year after Congress entered this critical Internet policy debate, and despite the overwhelming call for encryption policy reform, the Administration remains committed to an outdated and unworkable approach to US Encryption policy.

In November of 1996, the Administration announced yet another effort to reform US encryption policy. The proposal, which would allow the export of strong encryption programs only if they include government-approved "key-recovery" mechanisms, has met with uniform criticism from Internet users, privacy experts, and the computer and communications industry.

Current export controls are serving only to limit the availability of privacy and security technologies for Internet users inside the US and disadvantage US industry on the competitive global market, while doing nothing to keep strong encryption out of the hands of foreign adversaries.
By relaxing encryption export controls, the Pro-CODE bill will reform US encryption policy in a way that recognizes the realities of the information revolution and the competitive global marketplace.

The Internet community has been instrumental in helping to educate my colleagues in the Congress about the importance of encryption policy reform. In the coming months I will need your help and support as this bill makes its way through the legislative process.

As the bill moves forward, I want to invite you to take advantage of several online resources set up to educate the Congress and the public about the need for encryption policy reform. You can find out more by visiting my web page at http://www.senate.gov/~burns/.

Thank you for your support,

Conrad Burns
United States Senator

The Open Society Institute--New York is a private operating and grantmaking foundation that promotes the development of open societies around the world, both by running its own programs and by awarding grants to others. The Open Society Institute--New York develops and implements a variety of U.S.-based and international programs in the areas of educational, social, and legal reform, and encourages public debate and policy alternatives in complex and often controversial fields. The Open Society Institute--New York is part of an informal network of more than 24 autonomous nonprofit foundations and other organizations created and funded by philanthropist George Soros. The Open Society Institute can be found on the World Wide Web at .

# # #

*Experts included representatives from: European Commission, European Parliament, Netscape Communications Corp., Oracle Corp., Ministry of Education and Science (Latvia), Ministry of Transportation and Communications (Estonia), Ministry of Transportation and Communications (Latvia), Electronic Frontier Foundation, American Civil Liberties Union, Voters Telecommunications Watch, Electronic Privacy Information Center, Computer Professionals for Social Responsibility, Center for Democracy and Technology, Riga Information and Technology Institute (Latvia), PT Finland, Baltic Institute of Finland, University of Leuven (Belgium), University of Groningen (Netherlands), Villanova School of Law (USA), Ghent University (Belgium), Levicom Ltd. (Estonia), Xs4all Internet BV (Netherlands), National Criminal Intelligence Service (Netherlands), Open Society Institute/Soros foundations network, Parliamentary Human Rights Foundation, and Parliamentary Human Rights Foundation/Europe.

PHRF CONFERENCE
Brussels, Belgium
23 November 1996

OPEN INTERNET POLICY PRINCIPLES

A broad consensus was reached on the following points:

Preamble

The Internet is an inherently open, decentralized communications infrastructure which is ideally suited to support the free exchange of ideas, a rich political discourse, and a vibrant economy. The decentralized architecture of the Internet provides an abundance of communication opportunities, and gives users an unprecedented degree of control over the information that they receive. As organizations devoted to basic human rights, the growth of the Internet, and the flourishing of democratic culture, we believe that the foregoing principles will ensure that the Internet remains open and continues to support basic democratic values.

I.
Policymaking and the Internet

In recognition of the novel and rapidly changing nature of the Internet, policymaking ought to be undertaken:

* by policymakers who are well informed about the unique nature of the Internet and have direct experience with its use; and,
* with substantial input and comment from the Internet user community.

II. Internet Access and Market Structures

A. Access to infrastructure

1) Access to the global Internet and other interactive communications infrastructures is essential for all citizens of the world to enable full participation in the global society and developing digital economy.

2) Government and the industry have a shared responsibility in building the Global Information Infrastructure ("GII"), and in ensuring as wide an access as possible to its services.

3) Competition, open systems and interoperability are the best way to enlarge access.

4) In particular, access to the Internet by schools, libraries and other public institutions should be viewed as a policy goal, subsidized as necessary.

B. Access to Government Information:

1) Governments should enable citizens access to legislative, judicial and executive branch information through the Internet. Such access should be backed up by a legal right to public information, without any showing of need or intended use. Such information should be available in standard formats to promote broad and effective access.

C. Market structures

1) There should be no a priori limitation to market entry for Internet service providers (ISPs), and ISPs should not be prevented from using or establishing their own terrestrial or wireless infrastructure.

2) In particular, licensing should not be used as a method of restricting market entry.

3) ISPs and other intermediaries have responsibilities, but those responsibilities should be enforced other than through licensing mechanisms.

D.
Overseas Development Assistance

1) Overseas development assistance programs should strive to promote full access to the Internet. Such programs should include support for the development of public policy environments consistent with these Open Internet Policy Principles, and adequate resources for training and ongoing support.

III. The Rights and Responsibilities of Internet Users

Internet users have rights and responsibilities which should shape the way the law addresses the Internet.

A. General Legal Framework

1) The Internet does not exist in a legal vacuum. For the most part, existing laws can and should regulate conduct on the Internet to the same degree as other forms of conduct. Such laws may differ from country to country, but should conform with the applicable binding human rights obligations contained in the Universal Declaration of Human Rights, the International Covenant on Civil and Political Rights and the European Convention on Human Rights.

2) The legality of publishing activity on the Internet should be judged according to the law in the country in which the publisher originally acts to publish the material. While this "law of the place of origin" is consistent with the "Television Without Borders" policy of the European Commission, strong public policies in places of reception may necessitate negotiation of an international convention on this choice-of-law question.

B. Objectionable Content

1) To enable users to shield themselves and their families from objectionable or unwanted content, priority should be given to "downstream filtering" by users. There should be no government censorship of Internet content.

2) Filtering should empower users to be responsible for the content they access.

3) Filtering can promote freedom of choice through a variety of rating systems.

4) Filtering systems should make clear what sites they block (or select) and what criteria they use to block (or select) sites.

5) Access to multiple 3rd party content labeling systems, as opposed to government censorship, can support the great diversity of cultural and moral values of Internet users around the world.

IV. Law, Human Rights and the Internet

Legal regulation of the Internet should implement the foregoing principles relating to rights and responsibilities of Internet users, while also recognizing international human rights law and legitimate national law enforcement interests.

A. Freedom of Expression

There should be no regulation of Internet content by government. We understand the fundamental rights of freedom of expression, as embodied in Art. 19 of the Universal Declaration of Human Rights ("Everybody has the right ... to seek, receive and impart information and ideas through any media and regardless of frontiers") and in Art. 19(2) of the International Covenant on Civil and Political Rights ("Everyone shall have the right to freedom of expression; this right shall include freedom to seek, receive and impart information and ideas of all kinds, regardless of frontiers, either orally, in writing or in print, in the form of art or through any other media of his choice") -- to apply with full force to Internet communication.

B. Civil and Criminal Law Enforcement

Enforcing existing laws in the international Internet environment raises specific challenges. In general, combating online crime, while protecting civil liberties, can best be accomplished with additional resources and training for law enforcement agencies, not by enactment of new laws. In carrying out their duties, law enforcement agencies should:

* be fully aware of the unique characteristics of the Internet;
* adhere to internationally recognized principles of human rights;