From 100557.3537@compuserve.com Tue, 1 Jun 1999 08:14:51 -0400
Date: Tue, 1 Jun 1999 08:14:51 -0400
From: Michael Thick 100557.3537@compuserve.com
Subject: PIU report on Encryption and Law enforcement RELEASED

Dear All, could I tap the collective wisdom? I am a member of the "Caldicott and Babies validation group" (the only connection appears to be the title!) which is charged with producing and signing off the business case for issuing and recording NHS numbers to babies at birth. They are proposing a number of worrying things:

1) NHSnet will be used to communicate between the issuing authority and maternity without any form of additional security.
2) They are planning to hold a "linkage" between mother and baby at NSTS level to "facilitate" epidemiology of paediatric and neonatal morbidity, again with no plans for additional controls for confidentiality.

Medical members of the panel registered disquiet, but I feel that some additional pressure will be useful. Any thoughts?

Michael Thick

From jei@zor.hut.fi Tue, 1 Jun 1999 15:34:32 +0300 (EEST)
Date: Tue, 1 Jun 1999 15:34:32 +0300 (EEST)
From: Jukka E Isosaari jei@zor.hut.fi
Subject: FW:Clinton Foreign Policy (fwd)

:)

---------- Forwarded message ----------
Date: Tue, 11 May 1999 09:58:59 -0400
From: Peter Capelli
Subject: FW:Clinton Foreign Policy

U.S. TO BEGIN BOMBING ENGLAND UNLESS PEACE ACCORD IS RATIFIED BY ENGLAND AND BREAK-AWAY PROVINCE OF N. IRELAND

The White House -- President Clinton announced today that an all out bombing offensive against England will begin in two weeks, unless a peace accord is ratified by England and its break-away province of Northern Ireland. Along with liberating Northern Ireland, the President said that all British culinary institutes would be fair game for bombing. After the attack, NATO peace keeping troops will be sent in to ensure that all dentists can operate safely and without the threat of attack.

"Using the fine logic we crafted in the Kosovo intervention, we have decided to add, incrementally, to the list of peace initiatives around the world," he said in a prepared statement. A background briefing indicated that on a weekly schedule, the Clinton administration would intervene in the following areas:

Week one -- Bombing of England to free Northern Ireland, and to destroy the legendarily bad cuisine fabrication facilities.
Week two -- Bombing of Ankara, Baghdad and Teheran to free the Kurds. Oh yeah, let's not forget all of the oil reserves we would gain.
Week three -- Bombing of several random African countries to stop the Hutus from killing Tutsis.
Week four -- Bombing of both Istanbul and Athens to solve the Cyprus problem, and end the argument over whether Socrates was actually homosexual or not.
Week five -- Bombing of Madrid to free the Basque Country, also to shut up the people at PETA because one target would be the bull fighting rings.
Week six -- Bombing of Ottawa to free the Quebecois.
Week seven -- Bombing of Jakarta to free the Timor Islands.
Week eight -- Bombing of Switzerland because it is due time that they were bullied.
Week nine -- Bombing of Paris to free Corsica, and those wishing to use deodorant and razors.
Week ten -- Bombing of Washington, D.C. to free the Confederate of Southern States, held captive for 139 years, and to free up more Senate seats for Hillary to possibly run for.
Week eleven -- Bombing of North Dakota so that South Dakota might finally be recognized as a "real" state.

"This schedule will do until we can come up with others," said Madeline Albright, Secretary of State. When asked whether or not the US would bomb Beijing in order to free Tibet she responded, "something that practical would never be on a military agenda."
Pete Capelli - NSEC - pcapelli@nsec.net
"Those who would give up essential liberty for temporary safety deserve neither liberty nor safety" - Benjamin Franklin, 1759
PGP Key ID:3AD72805

From jei@zor.hut.fi Tue, 1 Jun 1999 16:34:36 +0300 (EEST)
Date: Tue, 1 Jun 1999 16:34:36 +0300 (EEST)
From: Jukka E Isosaari jei@zor.hut.fi
Subject: Echelon Story on Australian TV (fwd)

---------- Forwarded message ----------
Date: Sun, 23 May 1999 11:33:08 +1000 (EST)
From: James Morris
Subject: Echelon Story on Australian TV

The cover story for this week's "Sunday" program in Australia (a mainstream news & current affairs show here) was titled "Big Brother is Watching". It covered Australia's role in Echelon with some very interesting admissions from the DSD and various ex-spooks.

Here's an excerpt from the Web transcript:

In an unprecedented statement to the Sunday program, the director of Australia's Defence Signals Directorate (DSD), Martin Brady, reveals what spying the DSD allows on Australian citizens and companies. DSD also officially acknowledges for the first time that it is a signatory of the hitherto secret UK-USA alliance, that endorses cooperation with counterpart intelligence organisations in the United Kingdom, the US, Canada and New Zealand.

See the rest online at http://sunday.ninemsn.com.au/

- James.
--
James Morris

From jya@pipeline.com Tue, 01 Jun 1999 10:23:50 -0400
Date: Tue, 01 Jun 1999 10:23:50 -0400
From: John Young jya@pipeline.com
Subject: Citizens' Right to Know

The New York Times, June 1, 1999, p. A22.
Editorial

The Citizens' Right to Know

After years of talk from the Labor Party about ending Britain's culture of secrecy, Tony Blair's Government has just proposed a sadly inadequate law governing the disclosure of government information. In effect, Britain is bucking a trend that has helped citizens elsewhere learn what their governments are doing and prevent official misconduct.

In other nations, freedom of information laws have improved the policy-making process and provided a check against government abuses. The laws, most of which have been adopted in the past quarter-century, emphasize that government information belongs to the people. They accompany other transparency laws, which require Web-site publication of government data or publication of proposed laws in documents such as the Federal Register or Congressional Record. Together these laws have nourished democracy by restricting government powers to withhold important information.

Sweden approved the first freedom of information law in 1766, saying that anyone could go to a government agency and look up documents in the files. Today at least 15 countries and Hong Kong have such laws, including Hungary and several Western European and Asian countries and former British colonies. South Africa's new democratic government put freedom of information in the country's new Constitution, and is now facing the challenge of financing a law and developing ways for citizens who cannot read or write to make oral requests. Japan is the latest to pass a freedom of information law, spurred in part by its Health Ministry's slowness in dealing with H.I.V.-tainted blood products, a scandal in which at least 400 people died.

The United States passed a weak law in 1966, but it was greatly strengthened in 1974, after Watergate. It requires government agencies to publish many kinds of information, and allows anyone in the world to request the release of specific documents.
The government may withhold several types of information, including material that violates privacy or damages the national security.

Mr. Blair's new bill is weaker than previous proposals that both of Britain's major parties have made, and in some areas even softens current disclosure laws. It gives public officials the right to withhold information that relates to the formulation of government policy, material they believe could prejudice the workings of government, and even any request they consider "vexatious."

No law is perfect. America's Freedom of Information Act works best for the businesses that are its biggest users and have long relationships with the agencies they query. Industries the government regulates, like pharmaceuticals, want early information about new standards and whatever the government can tell them about the competition. Some agencies with crucial information, such as the Central Intelligence Agency and the Pentagon, can take five years to respond to a disclosure request. Agencies routinely underfinance their information offices, and suffer no penalties for defying the disclosure law. They also abuse the permitted exceptions, using them to hide embarrassing behavior.

Despite these flaws, however, Americans have been able to use freedom of information laws to learn about matters as diverse as the Bay of Pigs, housing discrimination and safety problems at nuclear plants. Many government officials admit that even though they resent disclosure provisions, the laws have given citizens a fundamental tool to expose and restrain government arrogance.

-----

Archived at: http://jya.com/rtk.htm

From jei@zor.hut.fi Wed, 2 Jun 1999 03:52:52 +0300 (EEST)
Date: Wed, 2 Jun 1999 03:52:52 +0300 (EEST)
From: Jukka E Isosaari jei@zor.hut.fi
Subject: PIU report on Encryption and Law enforcement RELEASED (fwd)

On Tue, 1 Jun 1999, Michael Thick wrote:

> Dear All, could I tap the collective wisdom?
> I am a member of the
> "Caldicott and Babies validation group" (the only connection appears to be
> the title!) which is charged with producing and signing off the business
> case for issuing and recording NHS numbers to babies at birth. They are
> proposing a number of worrying things:
> 1) NHSnet will be used to communicate between the issuing authority and
> maternity without any form of additional security.
> 2) They are planning to hold a "linkage" between mother and baby at NSTS
> level to "facilitate" epidemiology of paediatric and neonatal morbidity,
> again with no plans for additional controls for confidentiality.
> Medical members of the panel registered disquiet, but I feel that some
> additional pressure will be useful. Any thoughts?
> Michael Thick

Speaking of babies, how about this for a death-toll in the US vs Iraq war: 1,500,000 people dead, including 750,000 children under five.

=============================================================
From: New Worker Online
Subject: Sanctions -- war by other means!

Sanctions -- war by other means!

Book review by Karen Dabrowska

Imposing economic sanctions -- Legal remedy or genocidal tool? by Geoff Simons, published by Pluto Press, 1999, pp256, £12.99 (pbk).

DO sanctions work? This is the question asked by Geoff Simons in the preface to his latest book. He concludes that sanctions are so diverse -- in their type, ambition and manner of application -- that no general answer is possible. Sanctions are variously porous, ineffectual, counterproductive, misdirected, persuasive, effectual and devastating. They invariably have some impact, and they may achieve covert objectives different to those that are publicly proclaimed: the deliverers of sanctions often have hidden agendas. For example, United States efforts to keep Iraqi oil off world markets may have more to do with regulating energy prices than with any worry about weapons of mass destruction.
The book has three main aims:

*To illustrate the historical continuity of the economic sanctions option as a powerful means of coercion. The emphasis is primarily on sanctions as a means of economic warfare, a concomitant to naked violence, though it should be equally obvious that economic measures can be used to drastic effect also within a purely domestic context;

*To illustrate the character and impact of particular sanctions regimes. It is one thing to block the shipment of arms (and not much else) to an apartheid South Africa, quite another to subject a mediaeval city or a modern Arab country to a total years-long economic blockade. Any attempt to judge the morality or efficacy of the sanctions option must consider the range of possible measures set against the goals to be achieved;

*To indicate that the use of the sanctions option has many implications in ethics and law.

Sanctions have a long history dating back to the Megarian Decree in Greece enacted by Pericles in 432BC. The specific reasons for the decree are debated but some commentators have noted that it followed the kidnapping of three Aspasian women. In the 19th century sieges generally involved land-based targets, though action was often taken against coastal fortifications and garrisons receiving supplies by river.

The 20th century witnessed the imposition of sanctions by both the League of Nations and the United Nations which proved largely ineffectual as no attempt was made to impose comprehensive economic sanctions on plainly recalcitrant states. During the colonial era the most powerful members of the Security Council were directly supporting Portugal in its struggle to maintain colonial control.

The United States has played a major role in the imposition of sanctions. The cases of Cuba, Vietnam, Libya, Iran and Iraq are discussed, suggesting that the United Nations is like a little dog on the American lead.
America's influence in the Security Council is plain: resolutions are blocked or adopted largely according to how Washington judges their likely impact on US foreign policy. The United States, like the other permanent members of the Council, has the power of veto which means that American approval is essential for any resolution to stand.

However, there are important limits to US sway in the Security Council: resolutions that Washington would welcome are not always adopted. The United States would have a UN-mandated embargo against Libyan oil, but was blocked by the energy appetites of the European powers; Washington would have liked tough UN sanctions against north Korea in the early 1990s but was blocked by the threat of a Chinese veto in the Security Council.

In such circumstances the US resorts to the option of imposing unilateral sanctions, following the exercise of defined presidential powers or, according to new domestic legislation. In short, Washington will exploit its unrivalled influence in international bodies where it can; when blocked it will take independent action -- which in turn may irritate other influential states and groups in the international community.

The book ends with a case study of Iraq where sanctions imposed following the invasion of Kuwait in 1990 have caused the deaths of more than 1,500,000 people including 750,000 children under five. Simons concludes that the use of virtual economic siege has reduced the Iraqis to penury, disease and starvation. The United States was able to contrive international measures of a genocidal nature for the gradual extermination of a national people in violation of UN conventions, other elements of international law and all human decency.
(Please mention the New Worker Online when ordering the book)

From jya@pipeline.com Wed, 02 Jun 1999 15:00:28 -0400
Date: Wed, 02 Jun 1999 15:00:28 -0400
From: John Young jya@pipeline.com
Subject: Germany Frees Crypto

The German cabinet today released a policy statement on the unrestricted use of encryption (an English translation would be welcome):

 http://www.bmwi.de/presse/1999/0602prm1.html

It says, pardon my German, that for worldwide protection against economic espionage and electronic interception strongest encryption is to be allowed Germans, and the German crypto industry will be supported to develop superior products. And, though unrestricted encryption that may mean its increased usage for criminal purposes, the need for protection of commerce overrides; a report on criminal use is to be prepared and submitted within two years.

Echelon is not specifically mentioned, but it hovers. France and Germany, who would have thought they'd feel threatened by UKUSA.

Thanks to the online publication Future Zone for pointing:

 http://futurezone.orf.at/futurezone.orf?read=detail&id=1513&tmp=75421

From shavital@netvision.net.il Wed, 2 Jun 1999 23:17:47 +0300
Date: Wed, 2 Jun 1999 23:17:47 +0300
From: Shalom Avital shavital@netvision.net.il
Subject: Germany Frees Crypto

I value the information, which looks too good to be true.

I thank in advance for an English translation, if somebody is willing to take care of that.

Charly

At 3:00 PM -0400 6/2/99, John Young wrote:
>The German cabinet today released a policy statement on
>the unrestricted use of encryption (an English translation
>would be welcome):
>
> http://www.bmwi.de/presse/1999/0602prm1.html
>
>It says, pardon my German, that for worldwide protection
>against economic espionage and electronic interception
>strongest encryption is to be allowed Germans, and the
>German crypto industry will be supported to develop
>superior products.
>And, though unrestricted encryption
>that may mean its increased usage for criminal purposes, the
>need for protection of commerce overrides; a report on
>criminal use is to be prepared and submitted within two
>years.
>
>Echelon is not specifically mentioned, but it hovers. France
>and Germany, who would have thought they'd feel threatened
>by UKUSA.
>
>Thanks to the online publication Future Zone for pointing:
>
> http://futurezone.orf.at/futurezone.orf?read=detail&id=1513&tmp=75421

---
Shalom Avital

From rguerra@interlog.com Wed, 2 Jun 1999 23:04:44 -0400
Date: Wed, 2 Jun 1999 23:04:44 -0400
From: Robert Guerra rguerra@interlog.com
Subject: Fwd: Treasury Board approved a Policy for Public Key Infrastructure Management

thought this might be of interest...

>Date: Sun, 30 May 1999 13:35:04 -0300 (ADT)
>From: M Taylor
>To: efc-talk@efc.ca
>Subject: Treasury Board approved a Policy for Public Key Infrastructure
> Management
>Reply-To: M Taylor
>X-EFC-Web-Site: http://www.efc.ca
>X-EFC-Archive: gopher://insight.mcmaster.ca/11/org/efc
>Status: RO
>
> Fri, 28 May 1999
>
>For those who may be interested, the Treasury Board (a committee of Cabinet)
>approved yesterday evening a Policy for Public Key Infrastructure Management
>in the Government of Canada. The policy provides direction to government
>departments with respect to the issuance and use of certificates and
>provides a governance structure for the Government of Canada PKI.
>...
>
>--
>M Taylor mctaylor@ / privacy.nb.ca

Robert Guerra WWW Page PGPKeys

From Theodor.SCHLICKMANN@DG3.cec.be Thu, 3 Jun 1999 09:52:04 +0200
Date: Thu, 3 Jun 1999 09:52:04 +0200
From: Theodor.SCHLICKMANN@DG3.cec.be Theodor.SCHLICKMANN@DG3.cec.be
Subject: Re(2): Germany Frees Crypto

Just as a test, I tried the machine translation ...

!!! Raw Machine Translation !!!
»Er hat!«

Christiane Schulzki-Haddouti 02.06.99

Also Schily signs; Federal Government for liberal Kryptopolitik.

The last weeks were for the German network municipality an exciting time. Already three weeks ago collar Economics Minister Mueller had settled his signature under the cabinet presentation to the German Kryptopolitik. Alone the signature of petrols Schily took time. There would be still "clarification requirement" was called it mysterious from the ministry of the Interior - one day after the window camber of Ulrich Sandl, not clarified still - the departmental head in the collar Ministry of Economic Affairs, who had created the cabinet presentation. Allegedly secret service co-ordinator Uhlau was not merged zureichend into the negotiations. Also there were protest faxes on the part of the punishing pursuers against the presentation. Starting enough for the surprise, which flowed in the case of some observers into deserts conspiracy theories. Nevertheless there had been discussions and meetings lasting for months of various working groups - and not least a drastic change of government. But also the new Federal Minister of the Interior was considered to last as an uncertain candidate. "Does it have now, or doesn't it have ? "the last code question in the German Kryptodiskussion was. Finally the day before yesterday the releasing message: "It has ! "

Today it is official: The Federal Cabinet referred clear placing in the matter of Kryptopolitik. The agreement negotiated between collar Ministry of Economic Affairs and Federal Ministry of the Interior puts its main interest on the economic interests. Quintessential point and motive of the German policy are situated in the "improved protection German user in the world-wide information networks by application of probably cryptographic procedures".
In the consideration between the interests of the punishing pursuers, condition protection and Federal Intelligence Agency, as well as who believe themselves by the application of encoding in their reconnaissance work disabled the endangerment by "illegal reconnoitering, manipulating or destroying data" - with damages in billion level - decided the cabinet for intensified user protection against foreign feeler gauges, Hacker and other intruders.

In five "corner points of the German Kryptopolitik" the development coordinates for the next two years harden: Also in the future encoding procedures and products without restriction may be developed, established, marketed and used in Germany. German Kryptohersteller are to be strengthened in their efficiency as well as in the international competitiveness. Although the Wassenaar-Exportregime imposes certain limitations, one abolished within the European Union with a first revision of the EG-Dual-Use-Verordnung the intra-Community export check for cryptographic bulk goods. The office for collar export checks at present whether the existing export inspection procedures can be simplified.

Important step into the information society

Thomas Roessler, speakers of the "pumping association information technology and society" (FITUG) welcomed the decision. The cabinet took thereby "an important step into the information society". He hopes that the Federal Government advocates now "also in the international limit - for example with the Wassenaar-Verhandlungen - a free world-wide Exportierbarkeit of cryptographic products at least for the frame market. The Federal Government wants to pump also the "previously only low awareness of the users" in the future.
A first step was already taken for this by the initiative for "safety in the Internet".

The Kryptodebatte, which assumed ideological trains in the last years sometimes, is not completed yet however with the signatures under the cabinet presentation. The Federal Ministry of the Interior granted itself a temporal reservation: After two years a report is to be submitted, in which is to be evaluated, to which extent the abuse of Kryptoverfahren for illegal purposes takes place. At the same time however also the technical configuration of the criminal investigation and police authorities is to be improved. Thomas Roessler sees therein a reorientation:

"The decision of the Federal Government for an evaluation of the actual influence of procedures for the confidentiality protection on the prosecution shows that the Federal Government refrained from the partly paralysing Kryptodebatte of the last years."

Germany does not go a national special way with its Kryptopolitik. Only two weeks ago the g8 working group "High Tech criminality" in Paris decided to carry out an evaluation study in each state. Among other things the following questions are to be answered: In how much cases do punishing pursuers discover with searchings and seizings encoded material ? To what extent the clarification of criminal offences prevented by the use of encoding procedures ? In one year already results are to be present. If then the debate starts again around an adjustment of encoding procedures, she will be able to refer to strong experiences and no more only to fears.

The corner points in detail:

1. The Federal Government does not intend to limit the free availability of encoding products in Germany. She sees a crucial condition for the data security of the citizens, for the development of the electronic course of business as well as for the protection of company secrets in the applying of safe encoding.
The Federal Government becomes therefore the distribution of safe encoding in Germany actively supported. Among it in particular pumping the security awareness ranks with the citizens, the economy and the administration.

2. The Federal Government aims at strengthening the confidence of the users into the safety of the encoding. Measures therefore taking, in order to create a confidence limit for safe encoding, in particular by it the Ueberpruefbarkeit of encoding products on its safety functions improves and the use of checked products recommends.

3. The Federal Government considers the ability of German manufacturers for reasons of the safety of state, economics and society for the development and manufacture of safe and efficient encoding products unrenouncable. It will take measures, in order to strengthen the international competitiveness of this sector.

4. The legal powers of the criminal investigation and police authorities may not be eroded by the distribution of strong encoding procedures for telecommunication monitoring. The responsible Federal Ministries will therefore keep an eye further attentively and will report the development after the end of two years for this. Independently of it the Federal Government advocates in the limit of its possibilities the improvement of the technical competences of the criminal investigation and police authorities.

5. The Federal Government attaches big importance to the international cooperation in the area of the encoding politics. She enters for open standards developed at the market and interoperable systems and will advocate the strengthening of the multilateral and bilateral cooperation.

Copyright © in 1996-99 ALL Rights Reserved. All rights reserve publishing house for Heinz Heise, Hanover read modified: 02.06.99
http://www.heise.de/tp/deutsch/inhalt/te/2908/1.html

TEXT W98463
SYSTRAN-RTF-INFORMATIONS
CELEX
DATE=99/06/03 TIME=09.36.00

From roessler@guug.de Thu, 3 Jun 1999 12:06:56 +0200
Date: Thu, 3 Jun 1999 12:06:56 +0200
From: Thomas Roessler roessler@guug.de
Subject: Germany Frees Crypto

Shalom Avital wrote on ukcrypto:

> I value the information, which looks too good to be true.

> I thank in advance for an English translation, if somebody is willing to
> take care of that.

The text is rather lengthy. I'll try to give a translation of the actual framework ("Eckpunkte" in German). I beg your pardon for the mistakes I'll undoubtedly make; I'm not a native English speaker.

------------------------------ cut

1. The Federal Government does not plan to limit the free availability of encryption products in Germany. It considers the application of secure encryption to be a crucial requirement for the citizens' privacy, for the development of electronic commerce, and for the protection of business secrets. The Federal Government will therefore actively support the distribution of secure encryption. This includes in particular increasing the security consciousness of citizens, business, and administration.

2. The Federal Government strives for strengthening users' trust in the security of encryption. It will therefore take measures to create a framework for trustworthy secure encryption, in particular by improving the possibilities for reviewing encryption products for their security, and by recommending the use of reviewed products.

3. For reasons of national security, and the security of business and society, the Federal Government considers the ability of German manufacturers to develop and manufacture secure and efficient encryption products indispensable. It will take measures to strengthen the international competitiveness of this sector.

4. The spreading of strong encryption must not undermine the legal possibilities of prosecution and security authorities [police and intelligence communities may be a better translation]. The responsible Federal Ministries will cautiously watch the development and present a report after two years. Additionally, the Federal Government will work on improving the technical skills of prosecution and security authorities.

5. The Federal Government attaches importance to international cooperation on encryption policy. It encourages market-driven, open standards and interoperable systems and will work to strengthen multilateral and bilateral cooperation.

------------------------------ cut

I hope this somewhat rough translation is precise enough for your purposes.

From Brian.Randell@newcastle.ac.uk Thu, 3 Jun 1999 12:40:50 +0100
Date: Thu, 3 Jun 1999 12:40:50 +0100
From: Brian Randell Brian.Randell@newcastle.ac.uk
Subject: Germany Frees Crypto

Re the message from Thomas Roessler:

....
>The text is rather lengthy. I'll try to give a translation of the
>actual framework ("Eckpunkte" in German). I beg your pardon for the
>mistakes I'll undoubtedly make; I'm not a native English speaker.
....
>I hope this somewhat rough translation is precise enough for your
>purposes.

Excellent - many thanks. I would like to think your translation was precise enough to prompt comments to UKCRYPTO on the German Government's new policy from our DTI colleagues. Mind you, I can't recall any such comments regarding the earlier French policy change! :-)

Cheers

Brian Randell
Dept.
of Computing Science, University of Newcastle, Newcastle upon Tyne, NE1 7RU, UK EMAIL = Brian.Randell@newcastle.ac.uk PHONE = +44 191 222 7923 FAX = +44 191 222 8232 URL = http://www.cs.ncl.ac.uk/~brian.randell/ From david@crimbles.demon.co.uk Thu, 03 Jun 1999 13:59:23 +0100 Date: Thu, 03 Jun 1999 13:59:23 +0100 From: David Crookes david@crimbles.demon.co.uk Subject: Germany Frees Crypto At 12:06 PM 6/3/99 +0200, you wrote: > >The text is rather lengthy. I'll try to give a translation of the >actual framework ("Eckpunkte" in German). I beg your pardon for the >mistakes I'll undoubtedly make; I'm not a native English speaker. > Thank's for the translation. It was very useful. Your English is fine! One thing that wasn't mention in your translation was whether there is a policy change regarding the export of strong encryption products from Germany. Was this covered at all? Regards, Dave From shavital@netvision.net.il Thu, 3 Jun 1999 16:03:55 +0300 Date: Thu, 3 Jun 1999 16:03:55 +0300 From: Shalom Avital shavital@netvision.net.il Subject: Germany Frees Crypto At 12:06 PM +0200 6/3/99, Thomas Roessler wrote: >Shalom Avital wrote on ukcrypto: > >> I value the information, which looks too good to be true. > >> I thank in advance for an English translation, if somebody is willing to >> take care of that. > >The text is rather lengthy. I'll try to give a translation of the >actual framework ("Eckpunkte" in German). I beg your pardon for the >mistakes I'll undoubtedly make; I'm not a native English speaker. [cut] Thank you indeed for your time and work. I'm not a native English speaker, either, but I'll venture to say your English is outstanding. Charly --- Shalom Avital From rguerra@interlog.com Wed, 2 Jun 1999 23:04:44 -0400 Date: Wed, 2 Jun 1999 23:04:44 -0400 From: Robert Guerra rguerra@interlog.com Subject: Fwd: Treasury Board approved a Policy for Public Key Infrastructure Management thought this might be of interest... 
>Date: Sun, 30 May 1999 13:35:04 -0300 (ADT) >From: M Taylor >To: efc-talk@efc.ca >Subject: Treasury Board approved a Policy for Public Key Infrastructure > Management >Reply-To: M Taylor >X-EFC-Web-Site: http://www.efc.ca >X-EFC-Archive: gopher://insight.mcmaster.ca/11/org/efc >Status: RO > > Fri, 28 May 1999 > >For those who may be interested, the Treasury Board (a committee of Cabinet) >approved yesterday evening a Policy for Public Key Infrastructure Management >in the Government of Canada. The policy provides direction to government >departments with respect to the issuance and use of certificates and >provides a governance structure for the Government of Canada PKI. >... > >-- >M Taylor mctaylor@ / privacy.nb.ca Robert Guerra WWW Page PGPKeys From david.hayes@wcom.com Thu, 03 Jun 1999 10:45:49 -0500 Date: Thu, 03 Jun 1999 10:45:49 -0500 From: David Hayes david.hayes@wcom.com Subject: Germany Frees Crypto The really interesting thing about this is that Germany does not seem to demand that a criminal suspect decrypt anything, even with a warrant/subpoena. Neither does Germany make use of crypto a separate criminal offense when used to evade prosecution for a more traditional crime. Is there some point of German law that already covers this?
If not, then Germany is clearly distinguished from France (who does require decryption on court order), and I believe all of the proposed liberalizations of U.S. law presently in Congress. Who would have thought that ECHELON would turn out to be a program to improve civil liberties? David Hayes, exercising the right of free typing on my own behalf. My employer pays no attention to my opinions. david@hayes-family.org From David_Conrad@isc.org Thu, 03 Jun 1999 10:29:47 -0700 Date: Thu, 03 Jun 1999 10:29:47 -0700 From: David R. Conrad David_Conrad@isc.org Subject: Germany Frees Crypto Hi, > 5. The Federal Government attaches importance to international > cooperation on encryption policy. It encourages market-driven, > open standards and interoperable systems and will work to > strengthen multilateral and bilateral cooperation. Does this mean the German government will not allow export of strong crypto developed within Germany? Regards, -drc From roessler@guug.de Thu, 3 Jun 1999 19:01:36 +0200 Date: Thu, 3 Jun 1999 19:01:36 +0200 From: Thomas Roessler roessler@guug.de Subject: Germany Frees Crypto On 1999-06-03 13:59:23 +0100, David Crookes wrote: > One thing that wasn't mention in your translation was whether there > is a policy change regarding the export of strong encryption > products from Germany. Was this covered at all? In the somewhat lengthy text accompanying the framework, there is a note that strengthening the international competitiveness of German crypto manufacturers is an important goal of the Federal Government. The text then references the European Directive On Dual-Use-Goods - this year's edition of that Directive has taken crypto from the list of goods whose export is controlled even inside the European Union. Additionally, there is a note that Germany's equivalent of the BXA (it's called Bundesausfuhramt) is considering a simplification of export control procedures. There is no explicit reference to this year's Wassenaar negotiations. 
From jya@pipeline.com Thu, 03 Jun 1999 13:58:08 -0400 Date: Thu, 03 Jun 1999 13:58:08 -0400 From: John Young jya@pipeline.com Subject: Germany Frees Crypto David Conrad wrote: >> 5. The Federal Government attaches importance to international >> cooperation on encryption policy. It encourages market-driven, >> open standards and interoperable systems and will work to >> strengthen multilateral and bilateral cooperation. > >Does this mean the German government will not allow export of strong >crypto developed within Germany? My reading of the full statement, via Babelfish, is that Germany will abide the Wassenaar Arrangement export controls on encryption but will work to loosen them in concert with other signators. This is not a novel, for there are several countries which claim to hold the same position -- Denmark, Sweden, others -- but have not been able heretofore to budge the US-dominated members -- which, ta da, turn out to be those 2nd and 3rd tier members of UKUSA. So, while Echelon-favoritism may eventually fracture Wassenaar, it could also turn out that the whole gang of 33 will be seduced by those special upper tier membership privileges of real-time access. As someone working on an Echelon story asked elsewhere, just what strength of crypto can NSA crack these days. From nbohm@ernest.net Thu, 03 Jun 1999 19:37:27 +0100 Date: Thu, 03 Jun 1999 19:37:27 +0100 From: Nicholas Bohm nbohm@ernest.net Subject: Germany Frees Crypto At 01:58 PM 6/3/1999 -0400, John Young wrote: >David Conrad wrote: > >>> 5. The Federal Government attaches importance to international >>> cooperation on encryption policy. It encourages market-driven, >>> open standards and interoperable systems and will work to >>> strengthen multilateral and bilateral cooperation. >> >>Does this mean the German government will not allow export of strong >>crypto developed within Germany? 
> >My reading of the full statement, via Babelfish, is that Germany will >abide the Wassenaar Arrangement export controls on encryption but >will work to loosen them in concert with other signators. It is sometimes overlooked that the Wassenaar Arrangement requires its members to control the export of cryptography, but does not require them to prohibit it. It is perfectly compliant for a member state to place cryptography on its export control lists but to grant an open general export licence for it. (Even the UK applies an open general export licence to much Wassenaar controlled material, although not to cryptography.) [snip] Regards, Nicholas Bohm Salkyns, Great Canfield, Takeley, Bishop's Stortford CM22 6SX, UK Phone 01279 871272 (+44 1279 871272) Fax 01279 870215 (+44 1279 870215) Mobile 0860 636749 (+44 860 636749) PGP RSA 1024 bit public key ID: 0x08340015. Fingerprint: 9E 15 FB 2A 54 96 24 37 98 A2 E0 D1 34 13 48 07 PGP DSS/DH 1024/3072 public key ID: 0x899DD7FF. Fingerprint: 5248 1320 B42E 84FC 1E8B A9E6 0912 AE66 899D D7FF From jei@zor.hut.fi Thu, 3 Jun 1999 22:15:12 +0300 (EEST) Date: Thu, 3 Jun 1999 22:15:12 +0300 (EEST) From: Jukka E Isosaari jei@zor.hut.fi Subject: [ISN] U.K. Crypto Policy May Have Hidden Agenda (fwd) ---------- Forwarded message ---------- Date: Thu, 3 Jun 1999 10:50:28 -0600 (MDT) From: cult hero To: InfoSec News Subject: [ISN] U.K. Crypto Policy May Have Hidden Agenda http://www.nytimes.com/techweb/TW_U_K_Crypto_Policy_May_Have_Hidden_Agenda.html June 3, 1999 U.K. Crypto Policy May Have Hidden Agenda Filed at 5:06 a.m. EDT By Madeleine Acey for TechWeb, CMPnet Despite its abandonment of key escrow, the U.K. could be counting on the ignorance of new Internet users to provide law enforcement easy access to private communications, according to privacy campaigners. 
Following a meeting in London on Wednesday, where ISPs drafted a code of practice for protecting user privacy, ISP and civil liberties groups both derided British and European Union attempts to regulate the use of encryption, caching and unsolicited email. ISP organizations, such as the London Internet Exchange -- or LINX -- described government policy as "extremely stupid," "misguided" and "infeasible." But some said they found it hard to believe incompetence was behind it. LINX chairman Keith Mitchell said the latest version of proposed legislation regarding law enforcement access to encrypted email and computer files was based on a "misguided conception" that ISPs would provide users with encryption. A senior government official said last week the government expected most warrants demanding keys to encrypted material would be served on service providers. "The only encryption of any use on the Internet is end-to-end. The keys are generated between the users. All the ISP is going to see is an encrypted data stream," Mitchell said. "I still don't know a single Home Office employee that has an email address," he said. But of the encryption warrant policy, he said the government "either doesn't understand or is deliberately misunderstanding." "I think they are deliberate," said Yaman Akdeniz of Cyber-Rights & Cyber-Liberties. "They don't want to give away what they want to do." He said there was a lot of pressure on lawmakers from the National Criminal Intelligence Service, which wanted easy access. "The Home Office believes users will go to [third parties], like the Post Office, to get keys," said Nicholas Bohm, spokesman for the Foundation for Information Policy Research. "They should not be promoting a policy where private keys are generated by anybody but the user." 
He, along with Akdeniz, said it was possible the government was planning to create a new market, favorable to easy law enforcement access, where new Internet users -- unaware of the tradition of free user-to-user encryption -- would go to "trusted third parties" for encryption services because they were endorsed by the government as safe. "If these new services are there, many people will use them," Akdeniz said. -o- Subscribe: mail majordomo@repsec.com with "subscribe isn". Today's ISN Sponsor: OSAll [www.aviary-mag.com] From nigelhickson@compuserve.com Thu, 3 Jun 1999 17:20:27 -0400 Date: Thu, 3 Jun 1999 17:20:27 -0400 From: Nigel Hickson nigelhickson@compuserve.com Subject: Germany Frees Crypto Colleagues Many thanks for translation; saves the DTI purse. Policy looks very similar to ours (DTI). Nigel From jbrazier@proproco.co.uk Thu, 3 Jun 1999 23:38:59 +0100 Date: Thu, 3 Jun 1999 23:38:59 +0100 From: John R T Brazier jbrazier@proproco.co.uk Subject: Germany Frees Crypto Dear Thomas et al, Thanks for your excellent translation. One hopes that Stephen Byers (who has had a rough few weeks and is probably sick of this topic) will take note for the UK legislation. By the way, does anyone know what has happened to this? It was all terribly urgent during the consultation period. One other interesting thing is Point (3) of the framework: is this a nice way of saying that Wassenaar is dead? At least from the German government point of view? Cheers, JB -----Original Message----- From: owner-ukcrypto@maillist.ox.ac.uk [mailto:owner-ukcrypto@maillist.ox.ac.uk] On Behalf Of Thomas Roessler Sent: Thursday, June 03, 1999 11:07 AM To: ukcrypto@maillist.ox.ac.uk Cc: Cryptography List Subject: Re: Germany Frees Crypto Shalom Avital wrote on ukcrypto: > I value the information, which looks too good to be true. > I thank in advance for an English translation, if somebody is willing to > take care of that. The text is rather lengthy.
I'll try to give a translation of the actual framework ("Eckpunkte" in German). I beg your pardon for the mistakes I'll undoubtedly make; I'm not a native English speaker. ------------------------------ cut 1. The Federal Government does not plan to limit the free availability of encryption products in Germany. It considers the application of secure encryption to be a crucial requirement for the citizens' privacy, for the development of electronic commerce, and for the protection of business secrets. The Federal Government will therefore actively support the distribution of secure encryption. This includes in particular increasing the security consciousness of citizens, business, and administration. 2. The Federal Government strives for strengthening users' trust in the security of encryption. It will therefore take measures to create a framework for trustworthy secure encryption, in particular by improving the possibilities for reviewing encryption products for their security, and by recommending the use of reviewed products. 3. For reasons of national security, and the security of business and society, the Federal Government considers the ability of German manufacturers to develop and manufacture secure and efficient encryption products indispensable. It will take measures to strengthen the international competitiveness of this sector. 4. The spreading of strong encryption must not undermine the legal possibilities of prosecution and security authorities [police and intelligence communities may be a better translation]. The responsible Federal Ministries will cautiously watch the development and present a report after two years. Additionally, the Federal Government will work on improving the technical skills of prosecution and security authorities. 5. The Federal Government attaches importance to international cooperation on encryption policy.
It encourages market-driven, open standards and interoperable systems and will work to strengthen multilateral and bilateral cooperation. ------------------------------ cut I hope this somewhat rough translation is precise enough for your purposes. From jbrazier@proproco.co.uk Thu, 3 Jun 1999 23:57:56 +0100 Date: Thu, 3 Jun 1999 23:57:56 +0100 From: John R T Brazier jbrazier@proproco.co.uk Subject: Germany Frees Crypto -----Original Message----- From: owner-ukcrypto@maillist.ox.ac.uk [mailto:owner-ukcrypto@maillist.ox.ac.uk] On Behalf Of John Young Sent: Thursday, June 03, 1999 6:58 PM To: ukcrypto@maillist.ox.ac.uk Cc: cryptograph@c2.net; David_Conrad@isc.org Subject: Re: Germany Frees Crypto As someone working on an Echelon story asked elsewhere, just what strength of crypto can NSA crack these days. Dear John &c, Because of another discussion on another list, I think I can put together an argument for an NSA capability of breaking 80 bit keys (or perhaps longer) within a few days for block ciphers like RC5. Of course, it's full of assumptions, and will take me a few days to check a few things, but if you're interested ... Cheers, John B From jya@pipeline.com Thu, 03 Jun 1999 18:16:01 -0400 Date: Thu, 03 Jun 1999 18:16:01 -0400 From: John Young jya@pipeline.com Subject: Germany Frees Crypto Peter Haefner has provided an English translation of the full German statement, "Cornerstones of German Encryption Policy": http://jya.com/de-crypto-all.htm From david@crimbles.demon.co.uk Fri, 04 Jun 1999 09:05:29 +0100 Date: Fri, 04 Jun 1999 09:05:29 +0100 From: David Crookes david@crimbles.demon.co.uk Subject: Germany Frees Crypto At 11:57 PM 6/3/99 +0100, John R T Brazier wrote: > >Because of another discussion on another list, I think I can put together an >argument for an NSA capability of breaking 80 bit keys (or perhaps longer) >within a few days for block ciphers like RC5.
Of course, it's full of >assumptions, and will take me a few days to check a few things, but if >you're interested ... > I'm interested...... Cheers, Dave From jei@zor.hut.fi Fri, 4 Jun 1999 12:18:22 +0300 (EEST) Date: Fri, 4 Jun 1999 12:18:22 +0300 (EEST) From: Jukka E Isosaari jei@zor.hut.fi Subject: [ISN] U.K. Crypto Policy May Have Hidden Agenda (fwd) http://www.nytimes.com/techweb/TW_U_K_Crypto_Policy_May_Have_Hidden_Agenda.html June 3, 1999 U.K. Crypto Policy May Have Hidden Agenda Filed at 5:06 a.m. EDT By Madeleine Acey for TechWeb, CMPnet Despite its abandonment of key escrow, the U.K. could be counting on the ignorance of new Internet users to provide law enforcement easy access to private communications, according to privacy campaigners. Following a meeting in London on Wednesday, where ISPs drafted a code of practice for protecting user privacy, ISP and civil liberties groups both derided British and European Union attempts to regulate the use of encryption, caching and unsolicited email. ISP organizations, such as the London Internet Exchange -- or LINX -- described government policy as "extremely stupid," "misguided" and "infeasible." But some said they found it hard to believe incompetence was behind it. LINX chairman Keith Mitchell said the latest version of proposed legislation regarding law enforcement access to encrypted email and computer files was based on a "misguided conception" that ISPs would provide users with encryption. A senior government official said last week the government expected most warrants demanding keys to encrypted material would be served on service providers. "The only encryption of any use on the Internet is end-to-end. The keys are generated between the users. All the ISP is going to see is an encrypted data stream," Mitchell said. "I still don't know a single Home Office employee that has an email address," he said. 
But of the encryption warrant policy, he said the government "either doesn't understand or is deliberately misunderstanding." "I think they are deliberate," said Yaman Akdeniz of Cyber-Rights & Cyber-Liberties. "They don't want to give away what they want to do." He said there was a lot of pressure on lawmakers from the National Criminal Intelligence Service, which wanted easy access. "The Home Office believes users will go to [third parties], like the Post Office, to get keys," said Nicholas Bohm, spokesman for the Foundation for Information Policy Research. "They should not be promoting a policy where private keys are generated by anybody but the user." He, along with Akdeniz, said it was possible the government was planning to create a new market, favorable to easy law enforcement access, where new Internet users -- unaware of the tradition of free user-to-user encryption -- would go to "trusted third parties" for encryption services because they were endorsed by the government as safe. "If these new services are there, many people will use them," Akdeniz said. -o- Subscribe: mail majordomo@repsec.com with "subscribe isn". Today's ISN Sponsor: OSAll [www.aviary-mag.com] From waste@zor.hut.fi Fri, 4 Jun 1999 12:43:40 +0300 (EEST) Date: Fri, 4 Jun 1999 12:43:40 +0300 (EEST) From: Putrefied Cow waste@zor.hut.fi Subject: Germany Frees Crypto On Thu, 3 Jun 1999, John R T Brazier wrote: > One other interesting thing is Point (3) of the framework: is this > a nice way of saying that Wassenaar is dead? At least from the > German government point of view? I'd say no. The WA was, and still is serving its purpose in the sense that UKUSA managed to enforce other nations to adopt their policies on what they should be allowed to export and where. Very nice work by the UKUSA, I'd say.
BTW, A long time ago in Finland, I remember reading that the GSM phones could have had strong enough crypto that the NSA couldn't crack it, and that because of it the UKUSA forced Nokia's hand and made them adopt a weak crypto that is easily cracked. So essentially now every GSM phone is insecure as they can be listened into from spy-satellites. Is this really the case? Is there anything that could be done about it? ++ J
From ptemple@onlinemagic.com Fri, 04 Jun 1999 15:14:54 +0100 Date: Fri, 04 Jun 1999 15:14:54 +0100 From: Phillip Temple ptemple@onlinemagic.com Subject: Germany Frees Crypto At 12:43 PM 6/4/99 +0300, Putrefied Cow wrote: > >BTW, A long time ago in Finland, I remember reading that the GSM >phones could have had strong enough crypto that the NSA couldn't >crack it, and that because of it the UKUSA forced Nokia's hand and >made them adopt a weak crypto that is easily cracked. > >So essentially now every GSM phone is insecure as they can be >listened into from spy-satellites. The original specs for GSM had strong crypto. From the previous discussions I remember, it was rather a case of different national interests having different agendas re: eavesdropping. I don't think it applied to any one manufacturer, it was rather across the board.
Hence handsets sold to different nations had different levels of being crippled (by blanking xxx of the top bits of the key). There was also the story of the Sicily Mafia buying German mobile phones to stop the Italian law enforcement from listening in. I'm sure someone can come up with more accurate details than my vague recollections. The UKUSA alliance probably also had a hand in these dealings? Phillip. From waste@zor.hut.fi Fri, 4 Jun 1999 17:18:10 +0300 (EEST) Date: Fri, 4 Jun 1999 17:18:10 +0300 (EEST) From: Putrefied Cow waste@zor.hut.fi Subject: [IWAR] CRYPTO Germany Endorses Strong Crypto (fwd) Sorry about forwarding. ---------- Forwarded message ---------- Date: Thu, 3 Jun 1999 21:29:52 -0700 (PDT) From: 7Pillars Partners Reply-To: iwar@sirius.infonex.com To: g2i list , IWAR list Subject: [IWAR] CRYPTO Germany Endorses Strong Crypto Germany Endorses Strong Crypto Wired News Report 5:20 p.m. 3.Jun.99.PDT In an apparent response to corporate spying allegedly conducted in Europe by the United States, Germany is encouraging citizens and businesses to use strong cryptography. "[Germany] considers the application of secure encryption to be a crucial requirement for citizens' privacy, for the development of electronic commerce, and for the protection of business secrets," reads a translated version of a policy framework document released Wednesday by Germany's Federal Department of Business and Technology (BMWI). "The federal government will therefore actively support the distribution of secure encryption. This includes in particular increasing the security consciousness of citizens, business, and administration." Australia recently became the first nation to admit it participates in Echelon, a previously secret global surveillance network capable of intercepting electronic communications anywhere in the world. 
Echelon is said to be principally operated by the United States' National Security Agency and its UK equivalent, the Government Communications Headquarters. In addition to Australia, the system relies on cooperation with other signals-intelligence agencies in Canada and New Zealand. Earlier this month, UK investigative journalist Duncan Campbell submitted Interception Capabilities 2000, his report on Echelon, to the European Parliament's Science and Technology Options Assessment Panel. Campbell had been asked to investigate the system in the wake of charges made last year in the European Parliament that Echelon was being used to funnel European government and industry secrets into US hands. In the wake of the report, the Australian government confirmed the Echelon alliance to media in follow-up interviews. Though Wednesday's German government statement does not mention Echelon, the document alludes to the specter of industrial espionage. "For reasons of national security, and the security of business and society, the federal government considers the ability of German manufacturers to develop and manufacture secure and efficient encryption products indispensable," the statement said. The government added that it would take additional measures to strengthen its domestic crypto software industry. The policy also cautioned that while encryption may be used to criminal ends, the need to protect electronic commerce overrides any such concerns. The department said it would prepare and release a report on the criminal uses of cryptography within two years. The US government restricts the export of strong crypto on the grounds that it might be used by terrorists and hostile nations to conceal communications. 
From waste@zor.hut.fi Fri, 4 Jun 1999 17:34:47 +0300 (EEST) Date: Fri, 4 Jun 1999 17:34:47 +0300 (EEST) From: Putrefied Cow waste@zor.hut.fi Subject: God Save the Keys God Save the Keys June 03, 1999 The United States may have been the first country to guarantee its citizens freedom of speech, but when it comes to guaranteeing private speech in the digital age, jolly old England may be one step ahead. Unlike its U.S. Justice Department counterpart, the United Kingdom's Home Office recently softened its position on requiring companies that use strong encryption to deposit a copy of their "keys" with an agency of the government or a "trusted" third party. Last week, while in London, I was briefed by a Home Office representative about the agency's change of heart in this classic battle between law enforcement's desire to catch bad guys and British subjects' right to communicate in privacy. Just as in the United States, British law-enforcement officials and businesses have locked horns over the issue of encryption. Companies that do business over the Internet insist they must be able to use the strongest encryption available and that they--not any government--should decide who keeps the keys to unlock that data. The Clinton administration and its counterparts in the United Kingdom have long argued that the government needs the ability to access a "key" to privately encrypted messages. They argue that this allows warrant-wielding law-enforcement officials to fight crime by breaking the encrypted code of terrorists, pedophiles and other criminals. The FBI remains steadfast in its pursuit of the right to peer into your data, regardless of whether you're suspected of breaking the law. But the U.K.'s Home Office is expected to announce later this week that it has given up in its efforts to require British subjects--even suspected criminals--to turn over their encryption keys to the government, third parties or law-enforcement officials. 
The new proposal is an amendment to a March proposal disseminated by the Department of Trade and Industry. Under the March proposal, users weren't required to deposit keys into escrow, but they would be forced to turn over keys when so ordered by a court. Even that somewhat more liberal procedure, however, could jeopardize a company's security, because it could reveal codes that could be used to decipher other encrypted data that wasn't the subject of the court order. The new proposal, which has not yet been presented to Parliament, wouldn't require any disclosure of encryption keys, just a legible copy of encrypted material. Rather than ask for the combination to a suspected criminal's safe, the government would require the criminal to open the safe and turn over a copy of whatever the government wanted to see. Failure to comply with a lawful order could result in a two-year prison sentence. It will call for penalties to individuals who refuse to turn over legible copies of suspected data when presented with a warrant or court order. Cyberlibertarians Although the proposal falls short for cyberlibertarians on both sides of the Atlantic, it's a move in the right direction from British officials' previous demands and the tactics promulgated by the Clinton administration. Shari Steele, Staff Counsel for the Electronic Frontier Foundation agrees that the British proposal is a "step in the right direction" but feels that it falls short of what is needed to assure secure communications in the digital age. "We don't like the idea of making encryption a greater crime," she says. Today, even if you're handed a search warrant in the United States or Britain, "you're not required to open the safe." If the police want to break it open, that's one thing, but with encryption, "they want their job to be easier." 
Steele's arguments are consistent with the EFF's strong support of civil liberties in cyberspace, yet I can understand where law enforcement is coming from in its desire to have tools that can break down the digital safes of suspected criminals. Cops (and bobbies) are afraid criminals will gain the upper hand if they are able to use encryption to make it virtually impossible for law enforcement to gather the evidence needed to prosecute crimes. Yet, one of the greatest crimes I can imagine is one that would undermine freedom of speech. True, the First Amendment is a U.S. ordinance, but the British adopted many of the same concepts once they became a constitutional monarchy. I've always felt that if one is to err, it's better to err on the side of freedom. Nevertheless, the Brits may be onto something. By focusing on the data of suspected criminals rather than the keys of legitimate businesses, they are at least putting the onus where it belongs. While it may not be enough, it's a significant step in the right direction. From jei@zor.hut.fi Fri, 4 Jun 1999 19:25:26 +0300 (EEST) Date: Fri, 4 Jun 1999 19:25:26 +0300 (EEST) From: Jukka E Isosaari jei@zor.hut.fi Subject: Germany Frees Crypto On Thu, 3 Jun 1999, David Hayes wrote: > Who would have thought that ECHELON would turn out to be a program to > improve civil liberties? Well, I did for one. Let's just hope it doesn't stop with Germany. Keep publishing more reports and information about Echelon! ;-) Even if most governments don't care about civil liberties, they do care about economic espionage and the fact that they are losing billions of dollars to US if they don't protect themselves and their citizens from their spy-systems. Which means, that governments will have to get their citizens to use crypto and spook-secure systems. :-) National crypto-industries can expect huge benefits the better these facts about echelon spying are conveyed and presented to the local governments. 
++ J From paul@hedonism.demon.co.uk 04 Jun 1999 19:08:55 +0100 Date: 04 Jun 1999 19:08:55 +0100 From: Paul Crowley paul@hedonism.demon.co.uk Subject: More on fortifying Lotus Notes Ian BROWN writes: > Paul Crowley wrote: > >Is that because Lotus has been engineered such that it's harder to > >reverse-engineer or modify? Because presumably if we could find > >where the NSA's public key is stored in the binary, a Lotus-Fortify > >program could replace it with a randomly-generated one for which the > >private key has been discarded? > > "Playing hide and seek with stored keys" by Adi Shamir and Nicko van > Someren describes how to use the high entropy of keys compared to > program instructions and data to find an embedded key... > > http://www.ncipher.com/products/files/papers/anguilla/keyhide2.pdf I've finally fetched and read this paper, and it seems to be pretty straightforward to implement. A few questions: * What legal hurdles stand in the way of (a) using a bunch of tools to search the binary files that come with Notes to find the embedded public key, (b) publishing the key, and (c) writing a program to find the key and scramble it? * How do I tell when I've found it? Do we have an example of plaintext and ciphertext encrypted with this key, do we know what public key algorithm they use and what key formats that might imply? * What should be done to the key once it's found? Is it sufficient to replace most of it with random noise, or is it important that it be replaced with a real key? 
cheers, -- __ \/ o\ paul@hedonism.demon.co.uk http://www.hedonism.demon.co.uk/paul/ \ / /\__/ Paul Crowley Upgrade your legacy NT machines to Linux /~\ From lists@notatla.demon.co.uk Sat, 5 Jun 1999 00:16:11 +0100 Date: Sat, 5 Jun 1999 00:16:11 +0100 From: lists@notatla.demon.co.uk lists@notatla.demon.co.uk Subject: More on fortifying Lotus Notes Paul Crowley > * What legal hurdles stand in the way of (a) using a bunch of tools to > search the binary files that come with Notes to find the embedded > public key, (b) publishing the key, and (c) writing a program to find > the key and scramble it? The tools are already here. od will show you the content dd if=INPUT_FILE of=df bs=1 count=3 seek=10374 conv=notrunc I've just written 3 'A's into a binary of 'df'. 002882: 64 20 41 76 41 41 41 61 62 6c 65 20 43 61 70 61 d AvAAAable Capa Writing a real binary editor is not that hard either. > * What should be done to the key once it's found? Is it sufficient to > replace most of it with random noise, or is it important that it be > replaced with a real key? Experiment ought to find that out. It would be fairly easy for them to have some built-in check at encryption time, but they may not have bothered. Not much is really worth doing in a model where someone can make arbitrary changes to the binaries you ship. From duncan@gn.apc.org Sat, 05 Jun 1999 01:21:10 +0100 Date: Sat, 05 Jun 1999 01:21:10 +0100 From: Duncan Campbell duncan@gn.apc.org Subject: More on fortifying Lotus Notes 4 June 99 The issue of the NSA trapdoor in the International Edition of Lotus Notes 4 is attracting a number of argumentative strands in different places : http://www.heise.de/tp/english/inhalt/te/2898/1.html http://www.heise.de/bin/tp/forum/get/telepolis/2115.html It's also been one of the more commented on issues arising from the new European Parliament report on Echelon. 
http://www.iptvreports.mcmail.com/ic2kreport.htm#_Toc448565572 One of the features there and in private correspondence I've had is that IBM/Lotus folk feel aggrieved because their crypto system is better than MS Mail and other US competitors, so I'm being unfair in pointing out how it has been tailored to suit NSA surveillance. That position is understandable. MS Mail (and Netscape, etc) are completely crypto-crippled, while Lotus pretends not to be, by having an NSA trapdoor instead. Choose (a) MS (b) Lotus or (c) something not made in the US (or other UKUSA nation) and not required to be NSA surveillance-friendly. Now that the crypto barriers are coming down completely within the EU, there can be no justification for EU customers buying export-controlled US-licensed software for any communications or information security application. This is the nightmare that US manufacturers warned the US government about. Now they have to face the consequences. Duncan Campbell >Paul Crowley > > > * What legal hurdles stand in the way of (a) using a bunch of tools to > > search the binary files that come with Notes to find the embedded > > public key, (b) publishing the key, and (c) writing a program to find > > the key and scramble it? > >The tools are already here. > > od will show you the content > > dd if=INPUT_FILE of=df bs=1 count=3 seek=10374 conv=notrunc > I've just written 3 'A's into a binary of 'df'. >002882: 64 20 41 76 41 41 41 61 62 6c 65 20 43 61 70 61 d AvAAAable Capa > >Writing a real binary editor is not that hard either. > > >* What should be done to the key once it's found? Is it sufficient to > > replace most of it with random noise, or is it important that it be > > replaced with a real key? > >Experiment ought to find that out. It would be fairly easy for them to >have some built-in check at encryption time, but they may not have >bothered. Not much is really worth doing in a model where someone can >make arbitrary changes to the binaries you ship. 
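The messages above ask how an embedded public key could be located and recognised in a shipped binary, and cite the Shamir and van Someren observation that key material has higher entropy than code and data. The sketch below is an added example, not code from any list member or from the cited paper: it is a simplified sliding-window entropy scan run over a constructed sample image, and the window size, step, threshold and all function names are assumptions chosen for illustration.

```python
"""Locate candidate key material in a binary by sliding-window byte entropy."""
import math
import random
import sys
from collections import Counter

WINDOW = 64      # bytes per window; maximum possible entropy is log2(64) = 6 bits
STEP = 16        # distance between successive window starts
THRESHOLD = 5.2  # assumed cut-off; tune it against the kind of binary being audited


def shannon_entropy(window: bytes) -> float:
    """Shannon entropy of the byte distribution in `window`, in bits per byte."""
    if not window:
        return 0.0
    n = len(window)
    return -sum(c / n * math.log2(c / n) for c in Counter(window).values())


def entropy_profile(blob: bytes, window: int = WINDOW, step: int = STEP):
    """Return (offset, entropy) for each window start across the blob."""
    last = max(len(blob) - window, 0)
    return [(off, shannon_entropy(blob[off:off + window]))
            for off in range(0, last + 1, step)]


def high_entropy_regions(blob: bytes, window: int = WINDOW, step: int = STEP,
                         threshold: float = THRESHOLD):
    """Merge overlapping windows at or above the threshold into (start, end) spans."""
    regions = []
    for off, h in entropy_profile(blob, window, step):
        if h < threshold:
            continue
        end = min(off + window, len(blob))
        if regions and off <= regions[-1][1]:
            regions[-1] = (regions[-1][0], end)   # extend the current span
        else:
            regions.append((off, end))
    return regions


def build_sample_image():
    """Constructed test image: code-like filler, a string table, then 128 random
    bytes standing in for an embedded key (not a real key), then more filler."""
    code = bytes([0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x10, 0x8B,
                  0x45, 0x08, 0x89, 0x45, 0xFC, 0xC9, 0xC3]) * 80
    strings = b"Filesystem 1k-blocks Used Available Capacity Mounted on\0"
    head = code + strings
    head += b"\0" * (-len(head) % STEP)           # align the key to a window start
    rng = random.Random(1999)                     # fixed seed: reproducible sample
    key = bytes(rng.getrandbits(8) for _ in range(128))
    return head + key + code, len(head), len(key)


if __name__ == "__main__":
    if len(sys.argv) > 1:                         # scan a file you are auditing
        with open(sys.argv[1], "rb") as fh:
            data = fh.read()
    else:                                         # or the constructed sample
        data, key_off, key_len = build_sample_image()
        print(f"sample key planted at {key_off:#x}, length {key_len}")
    for start, end in high_entropy_regions(data):
        print(f"candidate region {start:#x}-{end:#x} ({end - start} bytes)")
```

A flagged region is only a candidate: compressed or packed data scores just as high, so the scan narrows the search without answering the "how do I tell when I've found it" question raised in the thread.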
From nbohm@ernest.net Sun, 06 Jun 1999 11:42:54 +0100 Date: Sun, 06 Jun 1999 11:42:54 +0100 From: Nicholas Bohm nbohm@ernest.net Subject: More on fortifying Lotus Notes At 07:08 PM 6/4/1999 +0100, Paul Crowley wrote: >Ian BROWN writes: >> Paul Crowley wrote: >> >Is that because Lotus has been engineered such that it's harder to >> >reverse-engineer or modify? Because presumably if we could find >> >where the NSA's public key is stored in the binary, a Lotus-Fortify >> >program could replace it with a randomly-generated one for which the >> >private key has been discarded? >> >> "Playing hide and seek with stored keys" by Adi Shamir and Nicko van >> Someren describes how to use the high entropy of keys compared to >> program instructions and data to find an embedded key... >> >> http://www.ncipher.com/products/files/papers/anguilla/keyhide2.pdf > >I've finally fetched and read this paper, and it seems to be pretty >straightforward to implement. A few questions: > >* What legal hurdles stand in the way of (a) using a bunch of tools to >search the binary files that come with Notes to find the embedded >public key, (b) publishing the key, and (c) writing a program to find >the key and scramble it? Check the terms of the Notes licence. Unless the licence imposes an explicit contractual prohibition, neither searching a file nor modifying it (manually or automatically) are copyright infringements. Publishing the key would be a copyright infringement; but why bother? Also check that the licence does not prohibit the user from modifying the program or running the program as modified. Users concerned about the risk of invalidating their Notes licences by making its encryption secure against the NSA may wish to raise the matter with Lotus. >* How do I tell when I've found it? Do we have an example of plaintext >and ciphertext encrypted with this key, do we know what public key >algorithm they use and what key formats that might imply? 
> >* What should be done to the key once it's found? Is it sufficient to >replace most of it with random noise, or is it important that it be >replaced with a real key? Presumably a single change to one bit of a public key would prevent decipherment with the private key, since the two no longer correspond. (If the program somehow tests for the correctness of the public key, however, then presumably the test must also be modified to provide the right answer for the modified key.) >cheers, >-- > __ >\/ o\ paul@hedonism.demon.co.uk http://www.hedonism.demon.co.uk/paul/ \ / >/\__/ Paul Crowley Upgrade your legacy NT machines to Linux /~\ > > > Regards, Nicholas Bohm Salkyns, Great Canfield, Takeley, Bishop's Stortford CM22 6SX, UK Phone 01279 871272 (+44 1279 871272) Fax 01279 870215 (+44 1279 870215) Mobile 0860 636749 (+44 860 636749) PGP RSA 1024 bit public key ID: 0x08340015. Fingerprint: 9E 15 FB 2A 54 96 24 37 98 A2 E0 D1 34 13 48 07 PGP DSS/DH 1024/3072 public key ID: 0x899DD7FF. Fingerprint: 5248 1320 B42E 84FC 1E8B A9E6 0912 AE66 899D D7FF From duncan@gn.apc.org Sun, 06 Jun 1999 12:41:03 +0100 Date: Sun, 06 Jun 1999 12:41:03 +0100 From: Duncan Campbell duncan@gn.apc.org Subject: More on fortifying Lotus Notes Edinburgh 6 June 99 NSA Workfactor Restoration (NWR ???) for Lotus Notes NSA Trapdoor Edition Sorry folks, it's a little bit harder than you think. At 06/06/99 11:42 , you wrote: >At 07:08 PM 6/4/1999 +0100, Paul Crowley wrote: > >Ian BROWN writes: > >> Paul Crowley wrote: > >> >Is that because Lotus has been engineered such that it's harder to > >> >reverse-engineer or modify? Because presumably if we could find > >> >where the NSA's public key is stored in the binary, a Lotus-Fortify > >> >program could replace it with a randomly-generated one for which the > >> >private key has been discarded? [...] >Presumably a single change to one bit of a public key would prevent >decipherment with the private key, since the two no longer correspond. 
(If >the program somehow tests for the correctness of the public key, however, >then presumably the test must also be modified to provide the right answer >for the modified key.) To prevent you giving NSA its present of the WRF, Lotus Notes 4 International Edition works as follows. 1. The full session key is sent encrypted - presumably as part of the RSA session set up. 2. The recipient programme looks for the WRF and extracts it. 3. Using NSA's public key, it re-encrypts the 24 bit section of the session key. 4. It then compares the result of that encryption with the WRF. If the two do not match, then it will refuse to decrypt the incoming message. Therefore, your Lotus Fortify patch will have to operate on both sender and recipient. If you can get to the NSA public key inside both functions, and change each in the same way, then does that work? I would presume so but list members will know if that intuition is right. From lists@notatla.demon.co.uk Sun, 6 Jun 1999 14:07:35 +0100 Date: Sun, 6 Jun 1999 14:07:35 +0100 From: lists@notatla.demon.co.uk lists@notatla.demon.co.uk Subject: More on fortifying Lotus Notes Duncan Campbell > 3. Using NSA's public key, it re-encrypts the 24 bit section of the session > key. > 4. It then compares the result of that encryption with the WRF. If the two > do not match, then it will refuse to decrypt the incoming message. > Therefore, your Lotus Fortify patch will have to operate on both sender and > recipient. If you can get to the NSA public key inside both functions, > and change each in the same way, then does that work? I'd expect so, but it may be easier than that. There is likely to be a section of code that makes a yes-no decision on whether the two WRFs match. Replacing the few bytes concerned with the same comparison in the opposite sense (i.e. approve if different) or with inactivity (NOP) instructions may do the job. 
I read a paper a few years ago where somebody described using these techniques to defeat copy protection and it never took above 4 hours. It requires some familiarity with the assembly language involved. The programmer can make life a bit more complicated by having more than one check, and by not flagging the relevant instructions by putting them close to the bail_with_error function. Really subtle people don't rely on an explicit yes-no decision but use some result of the calculation in an important place later during execution. Wrong numbers then cause some unrelated-looking failure. Unfortunately I don't know any modern assembly language - nobody knows how to write books these days. Books hundreds of pages long omit the few page appendix which is all you really want. From dave@xemu.demon.co.uk Sun, 6 Jun 1999 14:49:16 +0100 Date: Sun, 6 Jun 1999 14:49:16 +0100 From: Dave Bird dave@xemu.demon.co.uk Subject: More on fortifying Lotus Notes In article <199906061307.OAA08481@notatla.demon.co.uk>, lists@notatla.demon.co.uk writes >The programmer can make life a bit more complicated by having more than one >check, and by not flagging the relevant instructions by putting them close >to the bail_with_error function. Another trick is to figure on automatic dis-assembly going straight down the text (and put a valid load-with-32bit-constant opcode in front) rather than jumped to (where it executes as a conditional jump). -- ^-^-^-@@-^-;-^ http://www.xemu.demon.co.uk/ (..)__u news:alt.smoking.mooses From ben@algroup.co.uk Sun, 06 Jun 1999 14:57:16 +0100 Date: Sun, 06 Jun 1999 14:57:16 +0100 From: Ben Laurie ben@algroup.co.uk Subject: More on fortifying Lotus Notes Dave Bird wrote: > > In article <199906061307.OAA08481@notatla.demon.co.uk>, > lists@notatla.demon.co.uk writes > >The programmer can make life a bit more complicated by having more than one > >check, and by not flagging the relevant instructions by putting them close > >to the bail_with_error function. 
> > Another trick is to figure on automatic dis-assembly going straight > down the text (and put a valid load-with-32bit-constant opcode in > front) rather than jumped to (where it executes as a conditional jump). Good disassemblers can spot this trick. Besides, the wise reverse engineer reverse-engineers with a debugger (or an ICE if budget permits :-), not a disassembler. Cheers, Ben. -- http://www.apache-ssl.org/ben.html "My grandfather once told me that there are two kinds of people: those who work and those who take the credit. He told me to try to be in the first group; there was less competition there." - Indira Gandhi From ben@algroup.co.uk Sun, 06 Jun 1999 15:00:23 +0100 Date: Sun, 06 Jun 1999 15:00:23 +0100 From: Ben Laurie ben@algroup.co.uk Subject: More on fortifying Lotus Notes lists@notatla.demon.co.uk wrote: > Unfortunately I don't know any modern assembly language - nobody knows how > to write books these days. Books hundreds of pages long omit the few page > appendix which is all you really want. Unfortunately, modern assemblers take a few hundred pages just to describe the instructions! For example, the i486 instruction set takes 289 pages! Cheers, Ben. -- http://www.apache-ssl.org/ben.html "My grandfather once told me that there are two kinds of people: those who work and those who take the credit. He told me to try to be in the first group; there was less competition there." - Indira Gandhi From lists@notatla.demon.co.uk Sun, 6 Jun 1999 15:36:50 +0100 Date: Sun, 6 Jun 1999 15:36:50 +0100 From: lists@notatla.demon.co.uk lists@notatla.demon.co.uk Subject: More on fortifying Lotus Notes I found the article I referred to. I got it from an ftp server in Italy, maybe in September 1994. Let me know off list if you want it. I also thought I should explain why in my last post I thought it was easier to act on a program by neutralising a test than by making the (bogus) public keys match at both ends of the communication. 
The session-key leakage is 24 bits (2^24=16777216). If the same bogus public key gets into wide circulation among L-Fortify users then the NSA only has to compute 2^24 encryptions with that key and they are in a position about as good as they already have. This is a lookup table that can be stored on a single disk even if it is stored in full which should not be necessary. If all versions of Notes are using different keys for the NSA, and changing them periodically then this is much better. To attack a single user they will then have to crack the whole 64-bit session key and derive what information they can from that (perhaps from several messages) about the public key. Only when studying the public key becomes pointless and they attack only session keys (itself not a major task) will the Lotus trapdoor be removed. From I.Brown@cs.ucl.ac.uk Sun, 06 Jun 1999 15:51:46 +0100 Date: Sun, 06 Jun 1999 15:51:46 +0100 From: Ian Brown I.Brown@cs.ucl.ac.uk Subject: The great white e-bird has landed The Times, Friday 4 June 1999 Opinion By James Woodhuysen Has the Government fallen victim to a cargo cult? Like South Sea Islanders bowing down before a piece of engineering washed up on their shores, ministers exhibit irrational awe in the face of information technology. Like the Islanders, they know that this alien but exotic development is powerful; but their confused reaction betrays a failure to understand the technology they revere... E-commerce has flourished without government intrusion. Now that it has grown big enough to attract ministerial attention, the dead hand of the State constricts the modest success which the market nurtured... http://www.the-times.co.uk/news/pages/tim/99/06/04/timopnope01002.html?1044816 From lists@notatla.demon.co.uk Sun, 6 Jun 1999 15:58:45 +0100 Date: Sun, 6 Jun 1999 15:58:45 +0100 From: lists@notatla.demon.co.uk lists@notatla.demon.co.uk Subject: More on fortifying Lotus Notes Ben Laurie : > Good disassemblers can spot this trick. 
Besides, the wise reverse > engineer reverse-engineers with a debugger (or an ICE if budget permits > :-), not a disassembler. Wrox Press "Assembly Language Master Class" ISBN 1-874416-34-6 See page 126ff. The trick I like most is on p129 where the Pentium pipeline stores the next few instructions of a self-modifying program. The pipeline is unwriteable by the program in normal execution. It can tell whether it is being run under a single-step debugger in which case the pipeline would not be in use. and > Unfortunately, modern assemblers take a few hundred pages just to > describe the instructions! For example, the i486 instruction set takes > 289 pages! rats! From duncan@gn.apc.org Sun, 06 Jun 1999 16:26:40 +0100 Date: Sun, 06 Jun 1999 16:26:40 +0100 From: Duncan Campbell duncan@gn.apc.org Subject: More on fortifying Lotus Notes There is only one NSA public key for all of Lotus IE, wherever, SFAIK. The Lotus position on preventing tampering with the WRF, as follows "You might wonder what's to prevent someone from deleting the Workfactor Reduction Field from a document or the setup protocol of a network connection. This is similar to the problem faced in the Clipper design to assure that the LEAF field was not removed from a conversation. In a software only implementation, it is not possible to prevent tampering entirely. The easiest form of tampering would be to smuggle the North American Edition CD out of the U.S. or pass it to someone over the Internet. The best a software implementation can do in terms of tamper resistance is to make it impossible to remove the Workfactor Reduction Field without modifying both the source of the data and the destination.. This can be done by having the destination check for the presence of the Workfactor Reduction Field and refuse to decrypt the data if it is not there or not correct. 
The destination can't decrypt the Workfactor Reduction Field to check it, but knowing the bulk data key and the government public key, it can regenerate the WRF and compare the result with the supplied value. RSA has the convenient property that the same value encrypted twice produces the same result; it would be somewhat more complex (but still possible) to duplicate this functionality with other public key algorithms. [Note: for this to work, the random pad that was used in creating the WRF must be delivered to the recipient of the message. For it to be secure, it must be delivered encrypted since a clever attacker who knew the pad could do 2^24 trial encryptions to get 24 bits of the key and then do 2^40 trial decryptions to recover the rest.]" Another Lotus NSA-friendly point : The International Edition is limited to 512 bit RSA keys for data confidentiality (ie, the session generating and passing the bulk data key. Duncan From ben@algroup.co.uk Sun, 06 Jun 1999 16:45:36 +0100 Date: Sun, 06 Jun 1999 16:45:36 +0100 From: Ben Laurie ben@algroup.co.uk Subject: More on fortifying Lotus Notes lists@notatla.demon.co.uk wrote: > > Ben Laurie : > > Good disassemblers can spot this trick. Besides, the wise reverse > > engineer reverse-engineers with a debugger (or an ICE if budget permits > > :-), not a disassembler. > > Wrox Press "Assembly Language Master Class" ISBN 1-874416-34-6 > See page 126ff. The trick I like most is on p129 where the Pentium pipeline > stores the next few instructions of a self-modifying program. The pipeline > is unwriteable by the program in normal execution. It can tell whether it > is being run under a single-step debugger in which case the pipeline would > not be in use. Yep, but I can tell (by thinking hard) that it is using this trick, and simulate the results. This is why an ICE is preferred, of course - less thought involved! 
BTW, I remember this was used years ago to distinguish 386 SX and DX models - they had different length prefetch queues. And if you want to see some _really_ bizarre stuff that pipelines can do, see the code in OpenSSL where adding instructions that do nothing useful gives huge performance gains on P2s! Cheers, Ben. -- http://www.apache-ssl.org/ben.html "My grandfather once told me that there are two kinds of people: those who work and those who take the credit. He told me to try to be in the first group; there was less competition there." - Indira Gandhi From ben@algroup.co.uk Sun, 06 Jun 1999 16:50:43 +0100 Date: Sun, 06 Jun 1999 16:50:43 +0100 From: Ben Laurie ben@algroup.co.uk Subject: More on fortifying Lotus Notes Duncan Campbell wrote: > Another Lotus NSA-friendly point : The International Edition is limited to > 512 bit RSA keys for data confidentiality (ie, the session generating and > passing the bulk data key. That's a general requirement for export. Until recently, that is. 1024 bit keys are now permitted. As are 56 bit symmetric keys. In the case of SSL/TLS certs can have bigger keys, but an ephemeral 512 bit key is generated to secure the sessions. Because of the cost of key generation, this key is typically reused for many sessions. TLS has grown some new ciphersuites to support the relaxed restrictions, BTW. I think MS even shipped them in MSIE5 (but I could be wrong). Cheers, Ben. -- http://www.apache-ssl.org/ben.html "My grandfather once told me that there are two kinds of people: those who work and those who take the credit. He told me to try to be in the first group; there was less competition there." 
- Indira Gandhi From gladman@seven77.demon.co.uk Sun, 6 Jun 1999 19:30:07 +0100 Date: Sun, 6 Jun 1999 19:30:07 +0100 From: Brian Gladman gladman@seven77.demon.co.uk Subject: Germany Frees Crypto From: John Young To: Cc: ; Sent: 03 June 1999 18:58 Subject: Re: Germany Frees Crypto [snip] > As someone working on an Echelon story asked elsewhere, just what > strength of crypto can NSA crack these days. > In my view this question has to be posed and answered carefully. The reality is that most crypto cracks are not done by breaking the algorithms but by exploiting weaknesses in their implementation. It is fairly clear that we are already using algorithms that would be way beyond NSA's ability to break by brute force if they were implemented perfectly and operated in a perfect environment. We already use 128+ bit keys in many of our algorithms and yet it is very clear that few if any applications come even close to the levels of security that such key lengths offer. In the work on AES several papers show how easy it is to get at keys on smartcards and Markus Kuhn at Cambridge has recently published an excellent paper on this. And, of course, software is several orders of magnitude easier to subvert so we can see that we really do not have to worry about algorithm strength but rather the strength of implementations. These have a ***LONG*** way to go before they even come close to matching the security offered by current algorithms and key lengths. Having worked on military systems the one thing that I can say with confidence is that the only area in crypto where the 'government machine' remains ahead of the open world is in the issue of implementation assurance. Governments have learnt from a lot of practical experience how easy it is to undermine algorithm security during implementation. The open world still has to learn much of this. 
I believe that this will happen at a rapidly increasing rate so I don't think this advantage will last much more than a few more years but it is there now and it means that key length just gives an unlikely upper limit on the security that applications offer. But a wider issue is that the question has to be asked in a context. If NSA conducts a targeted attack on a specific message it can clearly break keys a great deal longer than 56 bits (using DES as a benchmark). But if we achieved a situation in which all email was truly protected to even 40 bits then much of the internet would be instantly out of NSA's reach since to do 'keyword' searches and the like requires a huge volume of traffic to be decrypted and here even 40 bit encryption would pose an insurmountable barrier. So if we could find ways of achieving, as a matter of routine, ***ACTUAL*** cryptographic security at even DES strength, much of the 'State Sponsored Information Piracy' we currently hear about would not be possible. IMHO this won't happen, not because it cannot be done, but rather because most users prefer functionality over security and, given the chance to put processor and software improvements into one or the other, the market will, for the present at least, continue to be driven by functionality. Of course there are applications that, used properly, give good security but they are used by a very small fraction of the user community, most of whom will continue to be content to exchange email in the clear. This is made worse by the fact that most large companies don't seem to be aware of the need for good implementation assurance in offering security solutions and hence provide solutions that seem to offer security performance but which, in reality, are worse than useless because they give users a comfortable feeling while offering no real protection. My own hope is that a convergence of the open source software and cryptographic communities will now bring a rapid change in this situation. 
The technical community can offer the world good protection and governments are powerless to stop this happening if we choose to do it. Frankly I have stopped short of pushing this line vigorously in public but I am fed up with the UK government's protestations of being positive about crypto whilst doing all it can 'behind the scenes' to prevent its spread. Good evidence of this is the UK government's stance in Wassenaar, an arrangement that states very clearly that it cannot be used to justify actions which impede genuine commercial transactions. Yet despite this clear statement, the UK government - the DTI no less - has continued to use this agreement to seek restrictions on the export of civil cryptographic products that cannot even remotely be considered to fall within its provisions. And if anyone doubts the UK government's desire to hide its actions in Wassenaar from the public eye, just look at the recent paper on 'Encryption and Law Enforcement' issued by the PIU. Here export controls on cryptography are ***not even mentioned*** even though it is very clear that they fall at the heart of the study remit as a major consideration in the relationship between encryption and e-commerce. But worse than simply not covering export controls, this paper actually ***LIES*** about government actions by saying: "However, apart from the OECD Guidelines on Cryptography Policy, there has been remarkably little co-ordination of policy on encryption matters." when almost everyone on this list knows very well that the government has had a long standing role in a host of international efforts designed to restrict the spread of cryptography. I am amazed (maybe I shouldn't be) that the government would tell such deliberate and shameful lies in a document with a preface signed by the Prime Minister. 
In fact I have been so taken aback by this that I have been at a loss about how best to react to it - it is hard to know where UK citizens can turn when there is such deliberate dishonesty and lack of ethics right at the heart of government. It will be interesting to find out whether the Prime Minister and the Head of the PIU are aware of the fact that a document put out in their name contains such deliberate distortions of the truth. I hope that journalists on the ukcrypto list will do what they can to discover the level within government at which this attempt to mislead the UK public has been orchestrated. Brian Gladman From nigelhickson@compuserve.com Sun, 6 Jun 1999 16:36:31 -0400 Date: Sun, 6 Jun 1999 16:36:31 -0400 From: Nigel Hickson nigelhickson@compuserve.com Subject: Germany Frees Crypto Brian Just seen; the PIU document was talking about coordination on encryption policy; not on export controls. Why should we lie about Wassenaar? We were simply trying to make point (something I thought you wd be in favour of) that there has been little coordination on broad encryption policies in the round. Nigel Hickson From georgefoot@oxted.demon.co.uk Sun, 6 Jun 1999 22:29:46 +0100 Date: Sun, 6 Jun 1999 22:29:46 +0100 From: George Foot georgefoot@oxted.demon.co.uk Subject: Germany Frees Crypto To Nigel Hickson: I am baffled by the expression "broad encryption policies in the round". An explanation would be appreciated. Many thanks. George In message <199906061636_MC2-7869-8A8F@compuserve.com>, Nigel Hickson writes >Brian > >Just seen; the PIU document was talking about coordination on encryption >policy; not on export controls. Why should we lie about Wassenaar? We were >simply trying to make point (something I thought you wd be in favour of) >that there has been little coordination on broad encryption policies in the >round. 
>
>Nigel Hickson
>

--
George Foot georgefoot@oxted.demon.co.uk http://www.oxted.demon.co.uk

From paul@hedonism.demon.co.uk 06 Jun 1999 22:33:46 +0100
Date: 06 Jun 1999 22:33:46 +0100
From: Paul Crowley paul@hedonism.demon.co.uk
Subject: More on fortifying Lotus Notes

lists@notatla.demon.co.uk writes:
> The session-key leakage is 24 bits (2^24=16777216). If the same bogus
> public key gets into wide circulation among L-Fortify users then the
> NSA only has to compute 2^24 encryptions with that key and they are in
> a position about as good as they already have. This is a lookup table
> that can be stored on a single disk even if it is stored in full which
> should not be necessary.

Happily, those 24 bits are padded with random data before encryption to prevent just such an attack. The padding is sent encrypted so the WRF can be checked on receipt.

I don't have the skills for poring through binaries reversing tests. Crackers who strip copy-protection mechanisms get very good at this sort of thing, though programmers are also getting good at making the cracker's job harder with some obfuscation tricks. If there's code for checking the integrity of the public key, I'm going to be straight out of my depth.

Can anyone think of a way of confirming a guess at which bit of the binary might be the public key more efficient than changing it and seeing what breaks? Notes is so full of bugs that it would be hard to tell whether a particular change had introduced one. Where might I find documentation of the Notes encrypted message format such that I can see whether a given change affects the WRF?

--
  __
\/ o\ paul@hedonism.demon.co.uk http://www.hedonism.demon.co.uk/paul/ \ /
/\__/ Paul Crowley Upgrade your legacy NT machines to Linux /~\

From fmz1@juno.com Sun, 6 Jun 1999 16:03:41 PDT
Date: Sun, 6 Jun 1999 16:03:41 PDT
From: F. Michael Zimmerman fmz1@juno.com
Subject: PERSONAL HORROR STORIES WANTED

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I would like to solicit horror stories from people regarding bad experiences they have had online due to compromises in their privacy. My public key block follows this message.

I intend to use these anecdotes to illustrate the importance of encryption and security, but I shall not name names without the express permission of respondents. I am not interested in urban legends. I want incidents which have happened TO the respondents. If the incidents occurred on a local BBS, that is fine but please note the fact.

F. Michael Zimmerman * PGP public keys available on request!
29BE 0D90 88FA 9DCD 22A5 DDC0 1751 677A 1B01 CE34 [DSS ]3072/1024
3A46 5DB1 E892 CBEC AD1A 18F2 AA98 6AB9 [RSA 2048]
B82F 5F41 4C28 BB8D DA0B 88BA C39E 9883 [RSA 1024]

On Sun, 6 Jun 1999 15:12:33 +0200 Jan Bruners writes:
>
>Sorry, I posted an opinion similar to Brian's again. But I cannot think about an effective way to reach computer newbies other than bundling the quick start manual with new computers (which would imply cooperating with...hm... not quite trustable companies) or setting up banners on web portals (which would imply cooperating, too, or cost money).
>
>Maybe (only maybe) the strategy of a well-known online bookstore would help: They pay people for putting the company's banner on their homepage. If we could get a lot of people in academic institutions and non-profit-organisations to host the quick start manual (which could be a rather small PDF-file) along with an interesting little banner, the problem would reach at least a lot of students. The talk-show crowd would be the next (and more difficult) step.
>Personally, I would like to start now writing a comprehensive PGP for dummies, or rather translate it to German, and then publish it on as many sites as possible. Much work for me, a small step for PGP.
>Michael Zimmermann seems to have some talent in writing colourful examples for the importance of cryptography. So, would you agree to write the kind of foreword you proposed? I could extract a more formal second chapter from the PGP manual, if no one else does.
>
>>Perhaps what I have in mind is something which would be more effective in demonstrating to the average Internet newbie the value of encryption. Stories of political repression do little good here. Most of the people of whom I speak do not think they have anything to hide, so they are not interested. Horror stories drawn from everyday experiences would be far more effective. This might be more accurately termed publicity than documentation, but the two need not be mutually exclusive. The publicity aspect would come if and when these stories find their way to the places where these ordinary users conduct their activities. The stories should grab them and make them think, "MY GOSH THAT COULD HAVE BEEN ME!" Then they will be looking for solutions.
>>

-----BEGIN PGP SIGNATURE-----
Version: 5.5.3a
Comment: Why not lie to the government? It lies to you.

iQA/AwUBN1r9+BdRZ3obAc40EQJSswCgvv8OSpJyCnpFKy/zc/WLPUp1mYkAoJB/
GvEqOoO7oZTRGGX5Lnj4RJdU
=39bl
-----END PGP SIGNATURE-----
From dparkins@alien.bt.co.uk Mon, 07 Jun 1999 08:41:05 +0100
Date: Mon, 07 Jun 1999 08:41:05 +0100
From: David Parkinson dparkins@alien.bt.co.uk
Subject: More on fortifying Lotus Notes

At 16:50 06/06/99 +0100, Ben Laurie wrote:
>That's a general requirement for export. Until recently, that is. 1024
>bit keys are now permitted. As are 56 bit symmetric keys.

According to my print out of the Dual-Use List, category 5, Part 2:

[...controlled items include...]

A "symmetric algorithm" employing a key length in excess of 56-bits;

An "Asymmetric algorithm" where the security of the algorithm is based on.....Factorisation of Integers in excess of 512 bits (eg RSA).

i.e. 56-bit symmetric ok, 1024 RSA still a no-no.

However if we look at Note 3 (The Cryptography Note), we find there is no mention of "asymmetric algorithms", just symmetric. Could be read as "mass-market" products (such as Lotus Notes(?), Netscape, IE5, Exchange) can employ 64-bit symmetric keys with RSA >512 bits?

David

From gladman@seven77.demon.co.uk Mon, 7 Jun 1999 09:07:24 +0100
Date: Mon, 7 Jun 1999 09:07:24 +0100
From: Brian Gladman gladman@seven77.demon.co.uk
Subject: Germany Frees Crypto

Hi Nigel,

>From: Nigel Hickson
>To:
>Sent: 06 June 1999 21:36
>Subject: Re: Germany Frees Crypto
>
>Brian
>
>Just seen; the PIU document was talking about coordination on encryption
>policy; not on export controls. Why should we lie about Wassenaar? We were
>simply trying to make point (something I thought you wd be in favour of)
>that there has been little coordination on broad encryption policies in the
>round.
>
>Nigel Hickson
>

Thank you for your quick reaction to my flame.
The remit given to the PIU was:

* to study the needs of law enforcement agencies and of business;
* to examine the merits of the current encryption policy (and in particular key escrow, which is explained in chapter 5); and, if necessary,
* to identify proposals that would satisfy both the need to promote encryption for electronic commerce and the Government's duty to ensure that public safety is not jeopardised.

Although there is clearly an emphasis on key escrow, it says 'current encryption policy' and here it is not sensible to omit coverage of export controls when many of us have been saying for years that these are impeding the development of e-commerce. I am also very confident that one of the arguments used in promoting Wassenaar crypto controls has been law enforcement requirements so this again shows the relevance of Wassenaar within the remit of the PIU study. I hence maintain my surprise that the document makes ***no mention*** of the crypto export control issue, something that is quite amazing given the study remit.

In terms of international co-ordination of encryption policy, various arms of the UK government machine, especially GCHQ, have a long standing set of international relationships within which policies on encryption are discussed. Moreover within Europe, the Senior Officials Group on Information Security and the EU Cryptography Working Group are attended by the UK. The UK has been heavily involved in continuing discussions with the US (Aaron et al) on the topic of encryption controls. And the GCHQ/NSA axis continues to discuss in detail the issues involved in trying to limit the spread of cryptography. Moreover a number of nations co-operate 'behind the scenes' in such bodies as ETSI to limit the strength of the encryption technologies deployed within telecommunications systems.

But despite this extensive international coordination of encryption policy the PIU document claims that there is "remarkably little international co-ordination"!
I don't often accuse the government of barefaced lies but on this occasion there is no other word to describe what the PIU document has said. I would certainly support a statement that said "there has been remarkably little ***open and publicly accountable *** international co-ordination of encryption policies" and this might be what was meant but this is NOT what the PIU report says.

Most often I believe that these situations are the result of mistakes rather than conspiracies but on this occasion I find it ***VERY*** hard to see this as anything but a deliberate attempt to divert attention from one of the key issues in the development of e-commerce.

When someone is stamping on your toes (crypto export controls) and beating you over the head with a sledge hammer (key escrow), it is a relief when they give up the sledge hammer but it is important not to forget that they are still stamping on your toes! Key escrow can be seen as an excellent way of diverting attention from the export control issue and the PIU study provides a clear insight into this intention. Those of us who want these controls removed should not allow our attention to be diverted in this way.

Perhaps you or David can explain why you consider encryption export controls to be outside the remit of this PIU study?

Brian

From ben@algroup.co.uk Mon, 07 Jun 1999 10:41:14 +0100
Date: Mon, 07 Jun 1999 10:41:14 +0100
From: Ben Laurie ben@algroup.co.uk
Subject: More on fortifying Lotus Notes

Nicholas Bohm wrote:
>
> At 07:08 PM 6/4/1999 +0100, Paul Crowley wrote:
> >Ian BROWN writes:
> >> Paul Crowley wrote:
> >> >Is that because Lotus has been engineered such that it's harder to
> >> >reverse-engineer or modify? Because presumably if we could find
> >> >where the NSA's public key is stored in the