( cryptography@c2.net removed from the distribution list, as I am not a subscriber to that list, and Perry has admonished me when I have accidentally left his list on the cc: to my messages) Reuter (Washington, Friday), Security experts reported today that the nation's encryption standard, "DES," has been proved to be secure. "It took more than 1000 computers working for 3 months before a single "toy example" was finally found, " reported Murray Bowdark, Director of the Computer Security Association, Ft. Meade, Maryland. "This shows that even a concerted effort by thousands of hackers will take months," said Bowdark. "And since hacking like this is outlawed by new legislation just passed by Congress, this makes "cracking DES" about as improbable as proving that the CIA imported drugs." (OK, I confess. Not a real press release. But, as ET notes below in his article, the spin doctors are already drawing the conclusion that many of us expected they would draw: by using the crack to prove that this means DES is resistant against thousands of computers running for months. And to tell the truth, were I less aware of some of the issues surrounding hardware-based DES-crackers, I admit that this report would tend to leave me with this impression. I can imagine most of our parents would look up from the CNN report on this and say, if they said anything, "OK, so my bank account is pretty secure.") At 5:05 PM -0700 6/20/97, ET wrote:

I caught the Headline News mention of the DES crack and it unfortunately put the wrong spin on things.

I can't remember it word for word, but it went like this: "If you're going to decrypt financial transactions you'd better be prepared to get 1000 computers and spend 3 months on the project."

The report was delivered with a hint of a smile, as if to suggest that the time and resources might have been better spent.

*Sigh*

There's something wrong when I'm a felon under an increasing number of laws. Only one response to the key grabbers is warranted: "Death to Tyrants!" ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay@got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^1398269 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway."

C Matthew Curtin wrote:

The crack of the DES Challenge Key is important. Presenting an accurate description of what happened is just as important. There is no need to cause widespread panic, yet. This is a shot across the proverbial bow.

Screw presenting an accurate description. The test mode of the software indicates my machine will check about 80,000 keys/sec. In actuality, since I am running other programs as I use it, it checks about 5,000 keys/sec. Using my machine as an example of the average efficiency of all the 1,000 machines, one could thus estimate that the crack could have succeeded in about 90 days using one machine. So why not put out a press report making this claim? Headline News would probably snap it up! The problem is that most people working to fight censorship and oppression have this thing about wearing white hats and honesty and all of that crap. Meanwhile, those working to censor and oppress others to enhance their own power and finances are content to twist the facts to fit their desires. And since they do have money and power, their voice gets heard quite easily by the major media. Thus the people in Waco died because of a "mistake" and the people in OKC died because of a "monster." Thus the Netscape problem was a "bug" that needs fixing instead of a wake-up call that if the government is allowed to require programmers to build surveillance capabilities into our software, then unknown others are going to take advantage of those built-in capabilities. And thus those who uncover the compromising of our privacy will be called "blackmailers" and "terrorists" by the very people who intentionally wrote their software to support the Clipper chip, or GAK, or the Next Step in fascism. Thus the DES crack was a monumental effort by a plethora of computer gurus using a massive amount of computers, instead of a mostly disorganized effort by a variety of people doing it as an exercise in their spare time, and using the scraps from the CPU tables of those participating. "Everybody knows that the boat is sinking. Everybody knows that the captain lied." - Lou Reed In the end, the media gets away with feeding us lies because that is what we want to hear. Everyone who wants to believe that they might wake up in the morning with 800 law enforcement agents surrounding them because of their religious beliefs, raise your hand. Everyone who wants to believe that if they blindly go along with all manner of injustice and justify it as "the way the system works" that they need to fear personal reprisal, raise your hand. Everyone who wants to believe that every time you use your computer over a phone line others can access your files, raise your hand. Everyone who wants to believe that the government is perfectly willing to compromise the security and privacy of your financial transactions in order to stifle crypto development that won't allow them fascist control over all information, raise your hand. "Everybody knows that the war is over. Everybody knows that the good guys lost." - Lou Reed I truly believe this, but it does not mean I won't continue to work on the RC5 crack and continue to take small, halting steps against the wind of middle-class fascism sweeping the country. I will continue to do so because I also believe that the end of any war is the beginning of the next revolution. When Timothy McCypherpunk hacks a government hospital because of weak security and because of weak encryption is able to destroy their files, then I am sure that lives will be lost. Even children's lives, perhaps. I am equally certain that he/she will be called a "blackmailer" and a "terrorist" and a "monster." Why? Because the word "revolutionary" is too scary. We can only have so many Waco's, just like we could only have so many Kent State's, before people begin backing the "terrorists" instead of the government. Louis Riel, a Canadian Metis (French-Indian) was hung as a terroist murderer, and now there are statues honoring him and government buildings bearing his name. We can hang Timothy McVeigh and Jim Bell and the Netscape "blackmailer" but we can't guarantee that there won't be a statue of them in the town square fifty years from now. When the information counter-revolution comes, remember that I started writing about it before Tim May began posting to the hallowed cypherpunk archives. (a cheap shot, but a *good* one, eh?) http://bureau42.base.org/public/xenix http://bureau42.base.org/public/webworld RC5CrackHead

...

...

...

...

"Rick" == Rick Smith <smith@securecomputing.com> writes:

...

I can't remember it word for word, but it went like this: "If you're going to decrypt financial transactions you'd better be prepared to get 1000 computers and spend 3 months on the project."

Rick> At least Harry Houdini made it look easy when *he* cracked state Rick> of the art security technology... I was on the Talk America radio network very briefly Monday morning (about 6:30-6:40 EDT). The host read something like that, and observed that it "must be pretty secure" to take three months. I asked him how long it would be before his credit cards expired. He got the point. -- Matt Curtin Chief Scientist Megasoft Online cmcurtin@research.megasoft.com http://www.research.megasoft.com/people/cmcurtin/ I speak only for myself Pull AGIS.NET's plug! DES has fallen! http://www.frii.com/~rcv/deschall.htm