Dialogue on Web Security

Brush-Stroke Global WebSec Topography


Epilogue

Topics n Stuff

EEC and UN perspectives on the U.S. encryption policy

MicroSquish a.k.a Teledesic: reach out and photog my scrotum

at&t & the clipper chip

national opsec programs

privacy keys

DOE e-intrusions ( tscm email )

Hacked Pages: Before & After Shots

uniform financial transaction protocols initiative

opsec e-sec service list

list of web sites for pc intruder-stoppers/informants
X-Ray Vision: Multi-Intruder Monitor
PGP Encryption

Cookie Stoppers:
Complete Cleanup
Cookie Crusher v1.5
Cookie Chomper v1.02
Cookie Web Kit v2
Cookie Pal v1.1b
Cookie Cutter v2.23

these programs allow you to (1) refuse cookies before they are set (when using netscape) and (2) find and erase cookies on your hard disk if they've already gotten through.

some of you who surf heavily won't BELIEVE how many cookies are already set on your hd. there are many sites which sell or give the cookie probes of your pc straight to advertisers and a myriad acronym-outfits which will eventually figure out a clipper-chip-related purpose for this data. particularly the alphabet soup outfits which are more than happy to continue to press in the U.S. for elimination of any private e-encryption.

the use of cookies allows, among other things, the transmitting server to document where you surf, when you surf, from where you are surfing, and how long you stay there... url by url.

this correctly suggests that, while the cookie is active and while you are on site at the url from which the cookie originates, your pc and the server in question are COMMUNICATING both ways, though you don't "see" it happening.
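To make the round trip described above concrete, here is an added simulation (constructed for this page, not code from the original page or from any of the cookie-stopper tools listed). A server issues a visitor-id cookie on the first request and logs every later request that carries it; a browser either stores and returns the cookie, refuses it outright (the "refuse before it is set" function), or erases it later (the "find and erase" function). The hostname `ads.example`, the cookie name `vid` and the client address are all made-up values.

```python
"""Constructed simulation of the cookie round trip: server sets a cookie,
browser sends it back on every later request to that host, server builds a
url-by-url trail with arrival times and dwell times."""
from collections import defaultdict
from http.cookies import SimpleCookie
import itertools


class TrackingServer:
    """Issues an id cookie and records every request that carries one."""

    def __init__(self, host):
        self.host = host
        self._ids = itertools.count(1)
        self.log = defaultdict(list)  # visitor id -> [(url, time, client_addr)]

    def handle(self, url, headers, client_addr, now):
        cookie = SimpleCookie(headers.get("Cookie", ""))
        response = {}
        if "vid" in cookie:
            vid = cookie["vid"].value        # returning visitor: reuse the id
        else:
            vid = f"v{next(self._ids)}"      # first contact: mint a new id
            fresh = SimpleCookie()
            fresh["vid"] = vid
            fresh["vid"]["path"] = "/"
            response["Set-Cookie"] = fresh["vid"].OutputString()  # "vid=v1; Path=/"
        self.log[vid].append((url, now, client_addr))
        return response


class Browser:
    """Keeps a per-host cookie jar and sends cookies back only to the host that set them."""

    def __init__(self, refuse_cookies=False):
        self.refuse_cookies = refuse_cookies
        self.jar = defaultdict(dict)      # host -> {cookie name: value}
        self.addr = "198.51.100.7"        # constructed client address

    def get(self, server, url, now):
        headers = {}
        stored = self.jar[server.host]
        if stored:
            headers["Cookie"] = "; ".join(f"{k}={v}" for k, v in stored.items())
        response = server.handle(url, headers, self.addr, now)
        if "Set-Cookie" in response and not self.refuse_cookies:
            for name, morsel in SimpleCookie(response["Set-Cookie"]).items():
                self.jar[server.host][name] = morsel.value
        return response

    def cookies_on_disk(self):
        """What a cookie finder would report: only hosts that actually set something."""
        return {host: dict(c) for host, c in self.jar.items() if c}

    def erase_cookies(self):
        """Delete every stored cookie; returns how many were removed."""
        count = sum(len(c) for c in self.jar.values())
        self.jar.clear()
        return count


def trail(log, vid):
    """What the server learns for one visitor: (url, arrival time, client addr, seconds
    spent before the next url; None for the last page seen)."""
    visits = sorted(log[vid], key=lambda entry: entry[1])
    out = []
    for (url, t, addr), nxt in zip(visits, visits[1:] + [None]):
        dwell = (nxt[1] - t) if nxt else None
        out.append((url, t, addr, dwell))
    return out


def simulate(refuse_cookies=False):
    """One browser visits three pages on one host, one page every 30 seconds."""
    server = TrackingServer("ads.example")   # constructed hostname
    browser = Browser(refuse_cookies=refuse_cookies)
    for step, url in enumerate(["/index.html", "/products.html", "/checkout.html"]):
        browser.get(server, url, now=step * 30)
    return server, browser


if __name__ == "__main__":
    server, browser = simulate()
    print("cookies accepted:", dict(server.log))      # one id, three urls in order
    print("trail:", trail(server.log, "v1"))
    print("on disk:", browser.cookies_on_disk())
    server, browser = simulate(refuse_cookies=True)
    print("cookies refused:", dict(server.log))       # three ids, one url each
```

With cookies accepted the server's log holds a single id whose trail lists the three urls in order with a 30-second dwell on each, which is exactly the "where, when, from where and how long" record the paragraph describes. With cookies refused, every request looks like a new visitor and the log cannot be stitched back into one trail (the client address is still visible, so refusing cookies limits correlation rather than eliminating it).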

Article I: EC vs US

here's what the EC thinks of US encryption policy... their motives (and the US') are likely multi-motivated.

Citing privacy concerns and a wish to foster the growth of high-tech industries and electronic commerce, the European Commission said in a report released today that it would not support a US plan to allow law enforcement access to encrypted communications.

"If citizens and companies have to fear that their communications and transactions are monitored with the help of key access, or similar schemes unduly enlarging the general surveillance possibility of government agencies, they may prefer remaining in the anonymous offline world, and electronic commerce will just not happen," the report said.

The report concludes, among other findings, that:

- Restricting encryption use could "prevent law-abiding companies and citizens from protecting themselves against criminal attacks. It would not, however, totally prevent criminals from using these technologies." Citing a crime and crypto study released in July by Georgetown University computer scientist Dorothy Denning and William Baugh Jr. of Science Applications International Corp., the report said that restricting public access to strong encryption would do little to keep such technology out of lawbreakers' hands.

- With strong encryption being produced by more than 840 companies, many with annual growth rates of more than 100 percent, stifling industry would shut out the "economic and social benefits" of an information society.

- Key escrow systems could open the door to attacks by hackers and crackers. The possibility of insider abuse, targeted attacks, and the cost of such a system make it an unwise course.

"Restrictions imposed by national licensing schemes, particularly those of a mandatory nature, could lead to internal market obstacles and reduce the competitiveness of the European industry," the report said.

- Widespread use of encryption can limit the billions of dollars in economic damage from industrial espionage, credit-card fraud, cellular-phone fraud, and pay-TV piracy.

As to how to let police see scrambled data during investigations, the commission said that access to plaintext - but not to keys - would be the most desirable option. The commission said that "existing regulation on traditional forms of lawful access to data and communication could be explored," such as court orders requiring suspects to hand over keys to encrypted data.

The United States recently has been lobbying European countries to persuade them that law enforcement must have access to scrambled communications traveling over networks and stored on hard drives. However, European commissioners have gotten mixed messages from the Clinton administration. Ira Magaziner, senior policy adviser and principal architect of the White House framework on electronic commerce, recently told leaders that US crypto policy remains undecided.

William Reinsch, Commerce undersecretary for export administration, said today that in ongoing negotiations with the European Commission the United States will try to underscore what it sees as its flexibility on encryption policy.

"In those discussions, we will continue to make clear that our policy is designed to accommodate a variety of technologies and is not focused on third-party key escrow solutions," Reinsch said in a statement. "I'm surprised that the European Commission study objected to recovery technology without providing an alternative that balances privacy and electronic commerce with law enforcement and national security."

The European Commission plans to hold a hearing on encryption and digital signatures in early 1998.

Article II: Panel Warns Against Cyber Terrorism

A U.S. presidential commission says cyber terrorism could be today's worst threat to national security. Attacks on the infrastructure -- including telecommunications networks, electric power grids, transportation, water lines, and emergency services -- would cripple the U.S. economically and militarily, the panel concluded. One of the most worrisome trends is an increase in system-cracking tools. Here's where you come in: The panel's solution is to convince the private sector to work with government to protect key infrastructure components. Independent security consultant Ira Winkler suggests if private companies would properly administer their networks, 95% of the problems would be eliminated.

Information warfare is now a recognized reality.

In a report submitted to President Clinton on Monday, October 20, the Presidential Commission on Critical Infrastructure Protection named cyber terrorism as potentially today's worst threat to public and national security.

While the report is classified, many of the commission's conclusions were discussed at the National Information Systems Security Conference earlier this month.

"We are approaching a new age of new threats," said Robert T. Marsh, a retired general and the chairman of the PCCIP, during a keynote at the conference. "It's going to require a new way of thinking about our vulnerabilities."

Marsh pointed to America's military superiority as the main force driving malicious network attacks. "They cannot win on the battlefield, so they seek 'asymmetric' means, like information warfare," he said during the keynote.

The commission studies the risks to the nation's infrastructure, including telecommunications networks, electric power grids, transportation, water lines, and emergency services. Attacks on these networks would cripple the U.S. economically and militarily.

Unfortunately, the networks are interdependent with the Internet, giving potential attackers the access, tools and opportunity to stage an assault.

In an interview on National Public Radio, Marsh said, "Every day there are hundreds of unauthorized intrusions into all manner of systems; through the Internet to the power distribution systems, or into defense plants where data is stolen, for example." Marsh was not available for comment at press time.

Yet the solution is not to eliminate vulnerabilities. "Basically, there will always be vulnerabilities. That is not the issue," said Ira Winkler, independent security consultant and author of the book Corporate Espionage. "The issue is, to what extent do mistakes hurt you? Someone is always going to be able to find out information about your system, but by plugging the holes in a network you can protect it from most incursions."


The solution is to convince the private sector to protect its own systems, which make up an important part of various infrastructures. This requires better communications between the government and corporations. Yet most companies find it in their best interests to keep quiet about any breaches.

"[We need to] protect vulnerability information so the businesses can share information without fear of compromising their competitive position," said Marsh in his keynote. By knowing the threats, companies and services can be better aware of trends in break-ins.

Take the telephone network, for example. "Essentially the telephone system is one large computer system," said Winkler. "Computer errors have caused the power system to crash, and hackers have been behind many of those."

Marsh and his commission identified the increase in system-cracking tools -- those used to exploit unfixed bugs in a system -- as one of the most dangerous trends.

"If companies would properly administer their networks," stressed Winkler, "more than 95 percent of the problems would be eliminated." Most companies don't do routine updates, nor do they enable the security features on their systems, and that is dangerous. "All it takes now for someone to do serious harm to [the nation] is for them to be organized and have the intent [to act]," concluded Marsh.


  • C:/ Dialogue Prompt: Gaping Chasms in Web Perspectives
  • Brass Tacks: Credit Card Transactions
  • The A-morphous A-moral To The Story
  • The Truth Is Out There: Just Ignore It If You Dare
  • Brass Tacks II: Houston, We Have A Problem...
  • Global Web Sec Topography

    Web Sec Dialogue Index