Re: password-cracking by journalists...
> 17 USC 1204 (a) In General. - Any person who violates section 1201 or 1202 willfully and for purposes of commercial advantage or private financial gain -(1) shall be fined not more than $500,000 or imprisoned for not more than 5 years, or both, for the first offense...
>
> Does this mean that if you are a private researcher, and reverse-engineered something for fun or the challenge, you escape the clutches of this law?

You may be able to escape the *criminal* clutches of this law. But you might still be sued under 17 USC 1203, which provides for seriously frightening statutory damages (as well as actual damages).

-matt

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: password-cracking by journalists...
In message v0421010cb86ca9bc4254@[192.168.0.2], Arnold G. Reinhold writes:

> At 9:15 AM -0500 1/16/02, Steve Bellovin wrote:
>
>> A couple of months ago, a Wall Street Journal reporter bought two abandoned al Qaeda computers from a looter in Kabul. Some of the files on those machines were encrypted. But they're dealing with that problem:
>>
>> The unsigned report, protected by a complex password, was created on Aug. 19, according to the Kabul computer's internal record. The Wall Street Journal commissioned an array of high-speed computers programmed to crack passwords. They took five days to access the file.
>>
>> Does anyone have any technical details on this? (I assume that it's a standard password-guessing approach, but it would be nice to know for certain. If nothing else, are Arabic passwords easier or harder to guess than, say, English ones?)
>
> Outside of the good possibility that they might be quotations from Islamic religious texts, why would you think Arabic passwords are any easier to guess?

I didn't say that they would be easier; I asked...

As for why I asked -- while I don't know much about Arabic, I do know some Hebrew, and the languages are related. Some aspects of Hebrew would certainly impact a guessing program. For one thing, in Hebrew (and, I think, Arabic) vowels are not normally written. Hebrew vowels look like dots or lines surrounding the letters, which are all consonants; printed Hebrew material aimed at Israeli adults omits the vowels. Also, there are a few Hebrew letters which have different forms when they're the final letter in a word -- my understanding is that there are more Arabic letters that have a different final form, and that some have up to four forms: one initial, two middle, and one final. Finally, Hebrew (and, as someone else mentioned, Arabic) verbs have a three-letter root form; many nouns are derived from this root. Do these matter? I think so, though I suspect they'd make the problem harder.

But I don't know, and I'd like to learn from someone who has paid more attention to the problem of password-cracking in other languages and alphabets.

		--Steve Bellovin, http://www.research.att.com/~smb
		Full text of "Firewalls" book now at http://www.wilyhacker.com
@Stake's Wysopal on Bill's Bull (was re: [ISN] Security gurus welcome Microsoft's goal)
--- begin forwarded text

Status: U
Date: Fri, 18 Jan 2002 01:18:29 -0600 (CST)
From: InfoSec News [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: [ISN] Security gurus welcome Microsoft's goal
Sender: [EMAIL PROTECTED]
Reply-To: InfoSec News [EMAIL PROTECTED]

http://news.com.com/2100-1001-817849.html

By Robert Lemos
Staff Writer, CNET News.com
January 17, 2002, 3:45 PM PT

Security experts hope that this time Microsoft really, really means it.

A memo from Chairman Bill Gates, leaked Wednesday, exhorted Microsoft employees to make the company's products more secure and stated that a new initiative, which Gates called "Trustworthy Computing," is now the software giant's top priority.

The initiative, Gates wrote, aims to make computing and the Internet "as available, reliable and secure as electricity, water services and telephony."

While security experts gave Gates' message high marks, they withheld judgment on whether Microsoft--which has been pasted by a series of high-profile security blunders over the past year--can deliver.

"This gives me more hope," said Chris Wysopal, director of research and development for security company @Stake. "Nothing is a cure-all solution, but when you say we have an organization focused on getting security into different product groups, that's got to help."

Gates' message comes as Microsoft is betting its future on its .Net effort, an attempt to give consumers secure, easy and round-the-clock access to businesses via the Internet. Without better security, the software titan will have a hard time convincing developers, businesses and Web users to start using the new services, Wysopal said.

"Because of other (incidents) in the past, they have to make their software more secure if .Net is going to make it," Wysopal said.

Recent problems with Passport, the Microsoft Network and the company's Windows Update service--all considered embryonic versions of future .Net services--have angered consumers and caused security experts to wince.

And past initiatives have not delivered spectacular results, either. Despite Microsoft's Secure Windows Initiative and its Strategic Technology Protection Program, the company fell afoul of a major problem with its flagship Windows XP software. Microsoft has touted XP as its most secure operating system ever and intends to push it as the gateway to .Net.

While the company's new focus is welcome, some in the security community remain cautious. Microsoft--a company found to have abused its monopoly power--isn't exactly the poster child for trustworthiness, and some are wary of the new initiative.

"This comes from the same vendor that tried to settle an antitrust suit by finding a market segment they couldn't penetrate and giving their product away for free in that market," said David Dittrich, senior security engineer at the University of Washington, referring to recent wrangling over the company's proposed schools settlement.

In that instance, the company pitched its proposal as a charitable solution that would provide free software to needy schools. But competitors characterized the move as an effort to monopolize the education market.

Similarly, some wonder whether the new security initiative can be taken at face value. And even if it can, some are concerned it could wind up having a downside.

Dittrich points to the company's initiatives to hush up the disclosure of certain information about vulnerabilities in its products and says that, arguably, such an attitude can aid hackers and run counter to interests of security.

Security experts and hackers who find bugs in software usually release the information to the public after notifying the program's creator of the flaws. However, the security community has long argued about how much information should be given, since malicious hackers could use details to write tools to help them break into computers using the flaw.

In November, Microsoft and five security companies announced they had formed a group to create a policy for ethical disclosure of such information.

"They should want their employees to know as much about a vulnerability as possible," Dittrich said.

Such apprehensions aside, though, security experts said it's a welcome signal that Microsoft is now taking security seriously enough to give it priority over new features.

"It's about time," said Mark Maiffret, chief hacking officer for network protection company eEye Digital Security. "This is something that Microsoft and other companies have needed to say for a while: Security needs to come before features."

eEye discovered the major hole in Microsoft's Web server software that online vandals used to spread the virulent Code Red worms and a serious hole in Windows XP that could have been exploited by Internet attackers to gain control of any person's PC.

"Finally," Maiffret said, "there is a wake-up call out there that security needs to come first."

-
ISN is currently hosted by Attrition.org
To unsubscribe email [EMAIL PROTECTED]
Re: password-cracking by journalists...
Arnold writes:

> Another interesting question is whether the reporters and the Wall Street Journal have violated the DMCA's criminal provisions. The al Qaeda data was copyrighted (assuming Afghanistan signed one of the copyright conventions--they may not have), the encryption is arguably a technological protection measure and the breaking was done for financial gain. That, I think, is an unintended consequence of the law, but I bet there's a lawyer somewhere who'd take a crack at it.

More important is the origin of the info. itself: were it peacetime you'd have a pretty clear case of receiving stolen property. Add to that certain trade-secret laws in various of the 50 United States, and you could do a long time in the slammer over this...

Will Rodger
Re: password-cracking by journalists...
At 9:41 AM -0500 1/18/02, Will Rodger wrote:

> Arnold writes:
>
>> Another interesting question is whether the reporters and the Wall Street Journal have violated the DMCA's criminal provisions. The al Qaeda data was copyrighted (assuming Afghanistan signed one of the copyright conventions--they may not have), the encryption is arguably a technological protection measure and the breaking was done for financial gain. That, I think, is an unintended consequence of the law, but I bet there's a lawyer somewhere who'd take a crack at it.
>
> More important is the origin of the info. itself: were it peacetime you'd have a pretty clear case of receiving stolen property. Add to that certain trade-secret laws in various of the 50 United States, and you could do a long time in the slammer over this...
>
> Will Rodger

This law has LOTS of unintended consequences. That is why many people find it so disturbing. For example, as I read it, and I am *not* a lawyer, someone who offered file decryption services for hire to people who have a right to the data, e.g. the owner lost the password, or a disgruntled employee left with the password, or a parent wants to see what was stored on their child's hard drive, could still be charged with committing a felony.

As for the legal situation before the DMCA, the Supreme Court issued a ruling last year in a case, Bartnicki v. Vopper, of a journalist who broadcast a tape he received of an illegally intercepted cell phone conversation between two labor organizers. The court ruled that the broadcast was permissible. So the stolen property argument you give might not hold.

The change wrought by the DMCA is that it makes trafficking in the tools needed to get at encrypted data, regardless of whether one has a right to it (there is an exemption for law enforcement), unlawful.

Arnold Reinhold
Re: Horseman Number 3: Osama Used 40 bits
Trei, Peter wrote:

[Moderator's note: It wasn't a direct quote, and I generally assume reporters misquote people anyway. Also, note that the general confusion because the UK uses "thousand million" for the US "billion" makes the whole thing even less clearly the expert and not the reporter. --Perry]

Actually, to my perpetual dismay, we are now supposed to use a billion in the US sense (it used to mean a million million). As a result, I don't use the word at all, since it predictably has become ambiguous in the UK.

Cheers,

Ben.

--
http://www.apache-ssl.org/ben.html       http://www.thebunker.net/

"There is no limit to what a man can do or how far he can go if he doesn't mind who gets the credit." - Robert Woodruff