May 25, 2005

The Crypto Wars are On/Off/On/Off...

The Brits have let out a cheer and declared the Crypto Wars over. And "we won" they say in a press release from the Foundation for Information Policy Research, according to a post on politech:

The Crypto Wars Are Over!

The "crypto wars" are finally over - and we've won!

On 25th May 2005, Part I of the Electronic Communications Act 2000 will be torn out of the statute book and shredded, finally removing the risk of the UK Government taking powers to seize encryption keys.

I don't think that's an accurate assessment. In fact, I think it's dead wrong. Read on for today's news.

Over in the US there are worrying signs of more regulations coming to re-criminalise mathematics. Already, there are moves that foreign students will have to be "licensed to operate" any sensitive equipment. ISPs can now be served with spy&gag orders, sans court approval, and nobody's ever debunked the conflicts of interest that now bedevil the certificate authorities in positions of root power.

Today's news, from CACert, is that mere possession of PGP is to be taken as intent to commit a crime. "What has to be a huge blow for anyone with PGP or virtually any other encryption program on their computer (in fact most computers these days come with cryptographic programs pre-installed): a man found guilty on child pornography related charges was also found to have PGP software on his system, and a court ruled that this was admissible as intent to commit and/or hide crimes in his case. This has huge ramifications if you are found guilty of a crime and they then find any cryptography software installed on your computer."

I hope that's wrong. Nope, it's true. And it was the Appeals Court that said it!

The general message is clear: if you think the war's over, that's because you're fighting the last war. Turn around and meet your new enemy.


PS: Then comes this new twist from Jim:

Now hackers can hold your files hostage...

By Ted Bridis

Washington - Computer users already anxious about viruses and identity
theft have a new reason to worry: hackers have found a way to lock up the
electronic documents on your computer and then demand $200 (about R1 200)
over the Internet to get them back.

Security researchers at the San Diego-based Websense uncovered the unusual
extortion plot when a corporate customer they would not identify fell
victim to the infection, which encrypted files that included documents,
photographs and spreadsheets.

A ransom note left behind included an e-mail address, and the attacker
using the address later demanded $200 for the digital keys to unlock the
files.

"This is equivalent to someone coming into your home, putting your
valuables in a safe and not telling you the combination," said Oliver
Friedrichs, a security manager for Symantec Corporation.

....


Here's the FIPR press release, at least most of the copy I received.


Press release - Foundation for Information Policy Research

Release time: 00.01, 25th May 2005


The Crypto Wars Are Over!


The "crypto wars" are finally over - and we've won!

On 25th May 2005, Part I of the Electronic Communications Act 2000
will be torn out of the statute book and shredded, finally removing
the risk of the UK Government taking powers to seize encryption keys.

The crypto wars started in the 1970s when the US government started
treating cryptographic algorithms and software as munitions and
interfering with university research in cryptography. In the early
1990s, the Clinton administration tried to get industry to adopt the
Clipper chip - an encryption chip for which the government had a
back-door key. When this failed, they tried to introduce key escrow -
a policy that all encryption systems should leave a spare key with a
`trusted third party' that would hand the key over to the FBI on
demand. They tried to crack down on encryption products that did not
contain key escrow. When software developer Phil Zimmermann developed
PGP, a free mass-market encryption product for emails and files, the
US government even started to prosecute him, because someone had
exported his software from the USA without government permission.

In its dying days, John Major's Conservative Government proposed
draconian controls in the UK too. Any provider of encryption services
would have to be licensed and encryption keys would have to be placed
in escrow just in case the Government wanted to read your email. New
Labour opposed crypto controls in opposition, which got them a lot of
support from the IT and civil liberties communities. They changed
their minds, though, after they came to power in May 1997 and the US
government lobbied them.

However, encryption was rapidly becoming an important technology for
commercial use of the Internet - and the new industry was deeply
opposed to any bureaucracy which prevented them from innovating and
imposed unnecessary costs. So was the banking industry, which worried
about threats to payment systems from corrupt officials. In 1998, the
Foundation for Information Policy Research was established by
cryptographers, lawyers, academics and civil liberty groups, with
industry support, and helped campaign for digital freedoms.

In the autumn of 1999, Tony Blair finally conceded that controls would
be counterproductive. But the intelligence agencies remained nervous
about his decision, and in the May 2000 Electronic Communications Act
the Home Office left in a vestigial power to create a registration
regime for encryption services. That power was subject to a five year
"sunset clause", whose clock finally runs out on 25th May 2005.

Ross Anderson, chair of the Foundation for Information Policy Research
(FIPR) and a key campaigner against government control of encryption
commented, "We told government at the time that there was no real
conflict between privacy and security. On the encryption issue, time
has proved us right. The same applies to many other issues too - so
long as lawmakers take the trouble to understand a technology before
they regulate it."

Phil Zimmermann, a FIPR Advisory Council member and the man whose role
in developing PGP was crucial to winning the crypto wars in the USA
commented, "It's nice to see the last remnant of the crypto wars
in Great Britain finally laid to rest, and I feel good about our win.
Now we must focus on the other erosions of privacy in the post-9/11
world."

Notes to Editors:

1. The Foundation for Information Policy Research
is an independent body that studies the
interaction between information technology and society. Its goal is to
identify technical developments with significant social impact,
commission and undertake research into public policy alternatives, and
promote public understanding and dialogue between technologists and
policy-makers in the UK and Europe.

2. The late Professor Roger Needham, who was a founder and trustee of
FIPR, as well as being Pro-Vice-Chancellor of Cambridge University, a
lifelong Labour party member and, for the last five years of his life,
Managing Director of Microsoft Research Europe, once said: `Our enemy
is not the government of the day - our enemy is ignorance. If
ignorance and government happen to be co-located, then we'd better do
something about it.'

3. The Electronic Communications Act 2000 received Royal Assent on
the 25th May 2000. Part I provides for the Secretary of State to create
a Register of Cryptography Support Services. s16(4) reads: "If no order
for bringing Part I of this Act into force has been made under
subsection (2) by the end of the period of five years beginning with the
day on which this Act is passed, that Part shall, by virtue of this
subsection, be repealed at the end of that period."

4. The crypto wars ended in the USA when Al Gore, the most outspoken
advocate of key escrow, was found by the US Supreme Court to have lost
the presidential election of 2000.

5. The last battle in the crypto wars to be fought on UK soil was
in the House of Lords over the Export Control Act 2002. In this bill,
Tony Blair's government took powers to license the export of intangibles
such as software, where previously the law had only enabled them to
criminalise the unlicensed export of physical goods such as guns. This
caused resistance from the IT industry, and also raised the prospect
that scientific communications would become subject to licensing. FIPR
organised a coalition of Conservative, Liberal and crossbench peers to
insert a research exemption (section 8) into the Act, and an Open
General Export License was created for developers of crypto software.

6. Phil Zimmermann is arriving in London on the 25th May to take par
...

Posted by iang at May 25, 2005 01:37 PM
Comments

200 DOLLARS RANSOM

PGPCoder.A will kidnap computer archives and demand a ransom for them.

SERVIMEDIA, MADRID. - The inventiveness in creating viruses and committing crimes with them seems to have no limits, as demonstrated by the recent appearance of a new trojan that encrypts files on the infected computer and then demands a ransom of 200 dollars for their release. According to PandaLabs, the malicious code Trj.PGPCoder.A is a trojan, since it has no capacity to propagate on its own, although its "modus operandi" represents a new strategy, little used to date, that already has the FBI on alert. Once installed on the computer, the code creates two keys in the registry: one to ensure it is run at each system startup, and a second to take control of processes on the infected computer, counting the number of files the trojan has analysed. Once executed, the virus proceeds with its mission, which is to encrypt with a digital key all the files it finds on the computer's drives that have one of the extensions registered in its code, among them 'DOC', 'HTML', 'JPG', 'XLS', 'ZIP' and 'RAR', all of them very common formats. To carry out the blackmail, the trojan deposits a text file in each directory, indicating the action that has been carried out and providing an e-mail address at which to request the "rescue" of the documents, upon payment of a sum of money: 200 dollars.

http://www.el-mundo.es/navegante/2005/05/25/seguridad/1117026740.html
http://www.google.es/search?hl=es&q=PGPCoder&btnG=B%C3%BAsqueda&meta=

Posted by: Hasan at May 25, 2005 11:10 AM
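As an added example (not from the post or the comment above), a defender-side check in Python for the two signs the article describes: targeted files whose headers are gone and whose bytes look like ciphertext, and a text note naming an e-mail address dropped in the same directory. The extensions are those the article lists; the magic bytes, the entropy threshold, the note heuristic and the sample directory tree are my own assumptions, constructed here so the check runs offline.

```python
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Extensions the quoted article says Trj.PGPCoder.A targets.
TARGET_EXTS = {".doc", ".html", ".jpg", ".xls", ".zip", ".rar"}
# Leading bytes an intact file of these types carries (assumed; HTML has no fixed header).
MAGIC = {".doc": b"\xd0\xcf\x11\xe0", ".xls": b"\xd0\xcf\x11\xe0",
         ".jpg": b"\xff\xd8\xff", ".zip": b"PK\x03\x04", ".rar": b"Rar!\x1a\x07"}

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: ciphertext sits near 8.0, documents far lower."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def looks_encrypted(path: Path) -> bool:
    """True when a targeted file has lost its header and its bytes look random."""
    head = path.read_bytes()[:4096]
    magic = MAGIC.get(path.suffix.lower())
    if magic and head.startswith(magic):
        return False
    return entropy(head) > 7.0          # threshold is an assumption, tuned for 4 KiB samples

def scan_tree(root: Path) -> dict:
    """Per directory: flag only when encrypted-looking targets and a note coincide."""
    findings = {}
    for dirpath, _, names in os.walk(root):
        d = Path(dirpath)
        hits = sorted(n for n in names if Path(n).suffix.lower() in TARGET_EXTS
                      and looks_encrypted(d / n))
        # The dropped note is a text file that names a contact e-mail address.
        notes = sorted(n for n in names if n.lower().endswith(".txt")
                       and b"@" in (d / n).read_bytes())
        if hits and notes:
            findings[d.relative_to(root).as_posix()] = {"encrypted": hits, "notes": notes}
    return findings

def build_sample_tree() -> Path:
    """Constructed sample data: one untouched folder, one hit by the trojan."""
    root = Path(tempfile.mkdtemp())
    clean, hit = root / "clean", root / "hit"
    clean.mkdir(); hit.mkdir()
    (clean / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0" + bytes(200))
    (clean / "page.html").write_text("<html><body>hello</body></html>\n")
    (hit / "report.doc").write_bytes(os.urandom(4096))   # stands in for ciphertext
    (hit / "backup.zip").write_bytes(os.urandom(4096))
    (hit / "page.html").write_text("<html><body>untouched</body></html>\n")
    (hit / "Attention.txt").write_text("Your files are encrypted. Write to ransom@example.com\n")
    return root
```

Running `scan_tree(build_sample_tree())` reports only the `hit` directory, with the two random-byte files and the note; the untouched HTML file in that directory is not counted.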

There is nothing new about a computer virus which encrypts your hard disk using strong encryption. How about this 1993 vintage one?

KOH (King of Hearts / Potassium Hydroxide)

http://securitydigest.org/virus/mirror/www.phreak.org-virus_l/1993/vlnl06.115

The source code was published by Dr. Mark Ludwig in "The Giant Black Book of Computer Viruses"

http://www.ameaglepubs.com/store/gbb.html

Posted by: Watching Them, Watching Us at May 25, 2005 01:53 PM