[2704] in cryptography@c2.net mail archive


RE: Secure Office

daemon@ATHENA.MIT.EDU (Frank O'Dwyer)
Thu May 14 19:04:58 1998

Date: Thu, 14 May 1998 23:48:37 +0100
To: tkellar@fsp.fsp.com (Thomas Kellar), cryptography@c2.net
From: "Frank O'Dwyer" <fod@brd.ie>
Cc: cryptography@c2.net
In-Reply-To: <199805142044.UAA24858@fsp.fsp.com>

Thomas Kellar wrote:
>Okay, says the mouse. I put it on http://www.fsp.com

Criminy.  

I don't know if the following helps, but:

* I remember some time ago receiving a beta of Windows 
NT 4 via Microsoft Developer Network, that had an RSA key 
management program. The program generated 1024-bit keys
(at least it claimed to).  As far as I know, this was a 
'domestic' key length at the time, even for digital 
signatures. (I am an Irish citizen. Microsoft mailed 
the CD to my home in Ireland. You do the math.) From 
memory, this was NT 4.0 beta 2, if any non-US MSDN 
folk care to check it out. I think they pared it down 
to 512 bits in the next beta, which is what makes
me feel that this was an MS goof.

(I'd filed the CD away in anticipation of the day
MS sued me over some patent or pie-throwing attack, 
but this seems like an appropriate time to mention it:-)

* What about that guy last year with the add-in
for netscape that took it to 128-bit. This was
a 'foreign' national, but he chose a US ISP
to host his website (doh!). I don't remember
reading about the US asking for extradition 
proceedings.

* I know of one other major US software firm 
which posted a software kit with full-blown crypto, 
realised their mistake, then withdrew it from 
their (heavily trafficked, US-hosted) web site.  
Unfortunately I received this information under 
NDA, and am not at liberty to disclose the name 
of the firm in question. This was just before
last Christmas, if the timing matters.

* It occurs to me that it would be trivial
for non-U.S. citizens to telnet or dial into 
a US ISP, and from there move anything on an "export 
controlled FTP site" (one that checks for a US 
IP address) to a large number of publicly 
accessible U.S. sites. This can be done without 
entering the states, and without having the crypto 
leave the states, making it impossible to argue that
anything has been exported.  If this were done 
via various trial ISP accounts, or from public 
access points, then I think "they" would have 
great difficulty working out who to prosecute,
never mind what to prosecute them for.

I'm sure that a demonstration of the last point 
could be arranged, if that would be helpful.

(Not that we "foreigners" haven't got triple-DES 
already...can you say "cryptozilla"...Sheesh.)

Cheers,
Frank.

>
>> >At 19:20 12/05/98 -0400, you wrote:
>> >>No, a better method of civil disobedience would be to get it on as many
>> >>foreign servers as possible.
>> >For this to work wouldn't you have to show that the 'foreign' hosts
>> >didn't just download it from the original site?
>> >Still it could be a good publicity stunt - especially if many U.S.
>> >sites linked to these servers, and it showed up as a hot item
>> >in altavista or whatever.
>> All this talk sounds like a dare to me.  I'm going ahead and putting the
>> damn thing up on my site.
>> http://www.tux.org/~protozoa
>> -K
>
>-- 
>Thomas Kellar   w8twk     Tkellar@fsp.com      http://www.fsp.com
>    How can I wear the harness of toil, and sweat at the daily round,
>     While in my soul forever The drums of Pictdom sound? - REHoward
>
>

