By God, I knew there was something fishy about that latest CERT release (the one that referred to things that happened last November and didn't actually say anything new, but somehow managed to hit the *WORLD* press extensively within 24 hours)... It's stuff that's been happening *since* last November. I'm quite certain that the attacks were continuing until (at the very least) shortly before the announcement. PS The statement is also false: digital signatures would have no effect on network sniffing attacks; but it's just more FUD to strengthen the Whitehouse hand in a release that was buried in a flood of releases that day on Clipper. No, you're wrong. A challenge/response login architecture based on digital signatures would have eliminated the attack. And digital signatures -- unlike most other technologies for one-time passwords -- do not require that any secret information be kept on the host. There are practical difficulties, such as entering in 160 bits of information, but for host-to-host logins, that isn't much of a problem.