The network is the story: News on the latest Internet standards and struggles
The act was introduced this week by U.S. Senators John McCain (Republican-Arizona), Bob Kerrey (Democrat-Nebraska), and Ernest Hollings (Democrat-South Carolina). It is pitched as a compromise on the controversial encryption export issue, one that balances individuals' needs to use -- and vendors' desires to export -- strong encryption, with law enforcement concerns about encryption falling into the wrong hands. But opponents say the act all but compels Internet users to participate in key recovery -- a system that would give government officials access to "keys" needed to decipher encrypted data, and which opponents see as an invasion of privacy and a threat to security.
"[The bill] would for the first time impose domestic controls on the ability of American citizens to protect their privacy and security on the 'net," said Jonah Seiger, communications director at the Center for Democracy and Technology in Washington, D.C.
The Secure Public Networks Act is expected to move on to the Senate judiciary committee next week, Seiger said. But it is only one of several encryption-related bills pending in the U.S. Congress, and privacy rights and software industry representatives say the battle is not over yet.
"We've got a couple of options still open," said Kim Willard, a spokeswoman with the Business Software Alliance (BSA), a computer industry group based in Washington, D.C. "[Today's vote] is a pretty big disappointment and a step backwards ... but it's not a step off the cliff either."
One Senate bill, called the Pro-CODE (Promotion of Commerce On-Line in the Digital Era) bill, would liberalize encryption exports and prohibit mandatory key escrow. The bill's backer, U.S. Senator Conrad Burns (Republican-Montana), tried unsuccessfully today to add a Pro-CODE-like amendment to the Secure Public Networks Act. In the U.S. House of Representatives, however, the Security and Freedom Through Encryption Act (SAFE) has already passed the House's judiciary committee and has the backing of 125 representatives, Willard said. SAFE would also prohibit mandatory key escrow and liberalize exports.
The Secure Public Networks Act, similar to draft encryption legislation proposed by the Clinton administration earlier this year, links key recovery systems with the establishment of government-licensed certificate authorities, Seiger said.
Certificate authorities, which certify the identities of participants in an electronic transaction, are essential for the development of e-commerce, he said. The bill would create incentives for becoming a government-licensed certificate authority, such as limiting liability. But government-licensed authorities would only be able to issue certificates to people who agree to participate in key recovery.
"It makes using key recovery a prerequisite for participating in the information society," Seiger said.
The bill would also codify the current administration's encryption export policy, which requires vendors to set up a key recovery system if they want to export 56-bit or stronger encryption.
One amendment to the bill today, by Kerrey, calls for creating an Encryption Export Advisory Board to study whether there is an export market for non-key recovery products that offer stronger than 56-bit encryption. That did not sit well with the BSA, however, even though the board would be made up of representatives from government law enforcement and the computer industry.
"It doesn't really give us much of a chance to keep up with the competition," Willard said. "There's a very short window of opportunity in terms of research and development and production."
A team of graduate students has also already shown that it can break 56-bit DES encryption, even though it had to spend several months and string together several computers to do it, Seiger said. (see below) "The point is, 56-bit DES is not a long-term solution," Seiger said.
--Sari Kalin, IDG News Service, Boston Bureau
A group of programmers acting in concert over the Internet broke the Data Encryption Standard (DES) code, which was developed in 1977 by IBM with the rumored assistance of the ultra-secret U.S. National Security Agency.
Breaking the code meant finding the one numerical combination, or "key," out of 72 quadrillion possibilities (72,057,594,037,927,936) which could unlock the encrypted message.
Using software developed and made available over the Internet by Rocke Verser, a contract programmer based in Loveland, Colorado, programmers threw sets of millions of keys at the encrypted message. A server hosted by Verser doled out the sets and kept track of which keys had been tried so that no work was duplicated.
The code was broken by a programmer from iNetz Corp. of Salt Lake City, Utah, after approximately 25 percent of the possible combinations had been tried. The message was "Strong cryptography makes the world a safer place."
Verser said that approximately 78,000 copies of his software had been downloaded from the Internet, with around 14,000 computers running the software against his server on any given day. "I wrote specialized software to do the key testing [so that] a Pentium 200 was able to test a million keys per second," Verser said.
The software runs on many platforms, including Intel-, Macintosh- and Unix-based machines, but the machine which unscrambled the message was a Pentium 90 with 16M bytes of RAM, Verser said.
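The coordinated search described above, reconstructed as an added Python example (not Verser's software or any code from the article): a server hands out disjoint blocks of keys and records which blocks have been finished so that no work is duplicated, and workers test every key in their block against a known plaintext and its ciphertext. DES itself is replaced by a constructed keyed digest and the key space is shrunk to 20 bits so the search finishes in seconds; `seconds_to_exhaust` then scales the same work to the article's figures (2^56 keys, 14,000 machines at a million keys per second), under the simplifying assumption that every participating machine matched the Pentium 200 rate quoted above.

```python
import hashlib
import struct

# Constructed stand-in for the challenge message (the one the article quotes).
PLAINTEXT = b"Strong cryptography makes the world a safer place."
KEY_BITS = 20          # toy key space of 2**20 keys; DES has 2**56
BLOCK_SIZE = 2 ** 12   # keys handed out per work unit


def toy_encrypt(key: int, plaintext: bytes) -> bytes:
    """Stand-in for DES (constructed for this demo, NOT a real cipher):
    a deterministic keyed digest, so a known plaintext/ciphertext pair
    identifies exactly one key out of the key space."""
    return hashlib.sha256(struct.pack(">Q", key) + plaintext).digest()


class KeyServer:
    """Plays the role of Verser's server: doles out disjoint key blocks and
    tracks which blocks have been reported finished, so no key is tested twice."""

    def __init__(self, key_bits: int, block_size: int):
        self.total_keys = 2 ** key_bits
        self.block_size = block_size
        self.next_start = 0       # first key not yet handed out
        self.tried = set()        # block starts reported finished
        self.outstanding = {}     # block start -> worker currently searching it
        self.found = None         # recovered key, once a worker reports it

    def assign(self, worker: str):
        """Hand the next untried block [start, end) to a worker, or None if done."""
        if self.found is not None or self.next_start >= self.total_keys:
            return None
        start = self.next_start
        self.next_start += self.block_size
        self.outstanding[start] = worker
        return (start, min(start + self.block_size, self.total_keys))

    def report(self, start: int, result):
        """Record a finished block; `result` is the key if the worker found it."""
        self.outstanding.pop(start, None)
        self.tried.add(start)
        if result is not None:
            self.found = result

    def fraction_searched(self) -> float:
        """Share of the key space covered by finished blocks."""
        return len(self.tried) * self.block_size / self.total_keys


def search_block(block, target: bytes, plaintext: bytes):
    """Worker: test each key in [start, end); return the matching key or None."""
    start, end = block
    for key in range(start, end):
        if toy_encrypt(key, plaintext) == target:
            return key
    return None


def distributed_search(target: bytes, plaintext: bytes, key_bits: int = KEY_BITS, workers: int = 4):
    """Round-robin simulation of several workers pulling blocks from one server.
    Returns (recovered key or None, fraction of key space searched)."""
    server = KeyServer(key_bits, BLOCK_SIZE)
    names = [f"worker-{i}" for i in range(workers)]
    while server.found is None:
        idle = True
        for name in names:
            block = server.assign(name)
            if block is None:
                continue
            idle = False
            server.report(block[0], search_block(block, target, plaintext))
            if server.found is not None:
                break
        if idle:   # key space exhausted without a match
            break
    return server.found, server.fraction_searched()


def seconds_to_exhaust(key_bits: int, keys_per_second: float, fraction: float = 1.0) -> float:
    """Wall-clock seconds to test `fraction` of a key_bits-bit key space
    at an aggregate rate of keys_per_second."""
    return (2 ** key_bits) * fraction / keys_per_second


if __name__ == "__main__":
    secret = 0xABCD                                   # constructed secret key
    target = toy_encrypt(secret, PLAINTEXT)
    key, covered = distributed_search(target, PLAINTEXT)
    print(f"recovered key {key:#x} after searching {covered:.1%} of the key space")
    # The article's figures: 14,000 machines at ~1e6 keys/s each (assumption:
    # every machine at the Pentium 200 rate), and the key found at ~25% coverage.
    rate = 14_000 * 1e6
    print(f"56-bit, 25% of key space at {rate:.1e} keys/s: {seconds_to_exhaust(56, rate, 0.25) / 86400:.1f} days")
    print(f"40-bit, full key space at the same rate: {seconds_to_exhaust(40, rate) / 60:.1f} minutes")
```

The server never hands the same block out twice, which is the property that lets thousands of uncoordinated volunteers add up to one exhaustive search; `seconds_to_exhaust` is the same arithmetic the article applies to 56-bit keys, and running it for 40 bits shows why the export-grade limit Schnell describes below offers so little margin.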
The comparatively modest technical capabilities of the winning machine underscore the inadequacy of 56-bit encryption, according to an official at RSA Data Security Inc., a Redwood City, California-based encryption company which in January offered a US$10,000 reward to the first person to crack DES.
"It's ironic that the computer that finally found the key was a pretty garden-variety computer," said Scott Schnell, vice president of marketing at RSA.
RSA is a vocal critic of the U.S. government's position that 56-bit encryption is adequate for users yet, at the same time, too potent to be included in exports of U.S. commercial software without governmental controls.
Currently, U.S. vendors are allowed to ship software containing encryption of up to 40 bits -- which Schnell called "high-school computer science level" in terms of its difficulty to crack -- overseas without restriction. Software containing 56-bit encryption may be shipped overseas as long as the U.S. government is provided with the keys to unlock it, an ability the government maintains it needs to ensure national security.
But many U.S. vendors, including RSA, argue that this restriction on the export of 56-bit encryption prevents them from competing in the worldwide marketplace. "What Belgian citizen wants to have his keys in the hands of the U.S. government?" Schnell said.
Instead of buying U.S. products, users are making their selections from a broad range of products which pack a greater encryption punch and do not ship with restrictions, Schnell said.
In fact, U.S. restrictions on encryption meant that Verser's software, which programmers used to coordinate their efforts, could not itself be exported outside of the U.S., or rather fell into such a grey area that Verser declined to invest in lawyers' fees to determine its status. The rest of the world participated in RSA's challenge by using software developed in Sweden and made available worldwide, Verser said.
Neither Verser nor Schnell suggested that banks and companies using DES have become suddenly vulnerable. "The only thing that's different today than yesterday is today we've proved [DES could be cracked] and yesterday there were only academic papers that said it could be done," Verser said. "I don't think we need to panic ... but we need to start building another encryption standard to replace the aging DES standard."
That process is underway. The National Institute of Standards and Technology (NIST), the part of the U.S. Department of Commerce which originally certified the DES algorithm, is currently soliciting submissions of other, more powerful algorithms to supersede DES, according to Schnell, whose company RSA has submitted its own algorithm, known as RC5.
But is the nature of the encryption beast such that people will forever lament the inadequacy of each encryption standard as computers get more and more powerful?
Verser said no, because there simply isn't enough matter in the universe to support an ever-increasing ability to break codes. As a very conservative example, he said that even if every atom, rather than a computer, could test one key per picosecond, the key length doesn't have to move much higher than 168 bits to make cracking the code impossible. "Once we get to around 168-bit keys, then all the time and matter in the universe put together can't break it," Verser said.
--Rebecca Sykes, IDG News Service, Boston Bureau
Under the Platform for Privacy Preferences (P3) project, the W3C hopes to develop a system that will let a Web site tell users about its data collection practices -- and a user tell a Web site about their privacy preferences -- before the user enters the Web site. A user could, for example, configure their browser with their privacy preferences. The browser could then notify the user if a site collects more information than they want to reveal.
"Other proposals have to do with putting icons on a site that a user is expected to notice, but our proposal really focuses on doing this in an automated way," said Ralph Swick, P3 project manager.
The W3C also wants to develop a specification that is flexible enough to meet privacy requirements around the world, since some countries have much stricter privacy laws than the U.S., Swick said.
P3 was unveiled at the U.S. Federal Trade Commission's workshop on consumer online privacy today in Washington D.C. The FTC is holding the workshop to determine whether the U.S. needs to pass laws to protect consumers' privacy online, or whether industry is doing enough on its own to safeguard consumers' privacy.
The industry, in general, has shied away from government intervention. But the W3C is not opposed to legislation outright, Swick said. It just wants to make sure that when any legislative action is taken, it is done "with the knowledge of what pieces of the problem technology might be able to address."
Legislation could, for example, make sure that a Web site's professed data handling practices could be enforced as a contract between the site and the user, Swick said.
P3 could wind up being an extension of PICS (Platform for Internet Content Selection), the W3C's content labeling specification, Swick said. Privacy labeling may require a degree of back and forth negotiations between the browser and server that PICS was not initially designed to handle, he said.
Netscape Communications Corp., Microsoft Corp., and Firefly Network Inc. have submitted their Open Profiling Standard to the W3C, and it will be considered as the P3 specifications are developed, according to Swick. The Open Profiling Standard, announced two weeks ago, seeks to let users control how much personal information they want to disclose on the Web and offer them a standard way to do so.
Preliminary P3 specifications may be available before the end of this year, Swick said, but no timetable has been set.
--Sari Kalin, IDG News Service, Boston Bureau
"Until that day Apple wasn't saying much, just taking the lumps for mistakes that had been made," Tevanian said yesterday at Internet World Berlin. At the San Jose conference, Apple spelled out a shift in the company's strategy for securing a future for the Macintosh platform.
Tevanian made the comments in a roundtable discussion with journalists after his keynote speech in which he explained the development strategy for Rhapsody, the operating system for the next generation of Macintosh computers, and its Yellow Box component.
Tevanian also reiterated Apple's standard remarks about its future and the Internet. "The Internet and Java are going to be our savior," Tevanian said. "We are going to be a winner when it comes to the Internet."
One of Apple's advantages is the large number of creative Internet content developers who remain loyal to Apple, Tevanian said. Sixty-four percent of companies doing professional Web authoring use Macintoshes, he said, adding that 25 percent of all Web browsers now in use are running on Macs and 15 percent of all Web servers are Macs.
Responding to a question about speculation that Apple might give up hardware production after Rhapsody comes out next year, Tevanian said there were no plans to do so.
Asked about concerns that Apple might be bought or even go bankrupt, Tevanian said he was not personally worried, but he was worried about customers thinking Apple will not make it. He also said he thinks it is a good sign that other companies, such as Oracle Corp., have expressed interest in buying Apple.
Tevanian admitted the company hasn't been nearly as good as Microsoft Corp. in articulating its products and strategy, but he said efforts were being made to beef up Apple's marketing department. He agreed with one reporter's suggestion that Apple needs clever people in its marketing department, a statement that drew applause from the mostly German journalists present.
Tevanian told journalists the company's immediate, top goal is to become profitable, and despite a corporate restructuring announced in February and layoffs announced in March, the company still has enough employees to reach that goal and expand into new territory.
--Margret Johnston, IDG News Service, Munich Bureau