The remarkably hackable nature of Netscape's "weak" crypto has been marveled at here and in the press, but has no one else speculated on how this state of affairs came to be? I, for one, would like to thank the anonymous cypherpunks toiling in the bowels of Netscape. An amazing feat, achieving world-wide distribution of millions of copies of strong crypto, the Feds all unknowing. Does anyone here _not_ think this was the deliberate act of one or more cryptoanarchists?
At 07:03 AM 3/13/98 +0100, Anonymous wrote:
> The remarkably hackable nature of Netscape's "weak" crypto has been marveled at here and in the press, but has no one else speculated on how this state of affairs came to be? I, for one, would like to thank the anonymous cypherpunks toiling in the bowels of Netscape. An amazing feat, achieving world-wide distribution of millions of copies of strong crypto, the Feds all unknowing. Does anyone here _not_ think this was the deliberate act of one or more cryptoanarchists?
Not to burst your optimism, but wouldn't good software design dictate maintainable, ie, modifiable code?

------------------------------------------------------------
David Honig        Orbit Technology
honig@otc.net      Intaanetto Jigyoubu

Beat your algorithms into swords and your virtual machines into spears: let the weak say, I am strong.
Gosling deliver us from the ropes of backcompatability and mass production.
On Fri, 13 Mar 1998, David Honig wrote:
> Not to burst your optimism, but wouldn't good software design dictate maintainable, ie, modifiable code?
That depends on how you are using the term 'good.' If the purpose of the design is to make a programmer's life easy, then you may be right. On the other hand, if the software calls for a bit of security, like ns does, then I would assume otherwise.

Programmers who are serious about making crippleware don't distribute the full executable with a simple branch instruction (going to the cripple routine) to keep the user at bay: they know that it is trivial to modify the code. I would assume that the programmers at Netscape understand this. If they were serious about keeping people from using 128 bit crypto, they would have yanked it completely.

Now, I don't think that this was done out of benevolence, mind you. Rather, I think that they are a bit more concerned with producing a good browser and didn't take the time to design a weak-crypto version: they took the easy way out. Netscape wants to make money, and for this I support them. They aren't going to pay programmers to make a product like a weak-crypto browser when it doesn't make them money. They get the minimum job done to bow to ITAR, and they get to work on some new snazzy features for the next version.

They make Fortezza-based browsers too, would we call them the servants of Big Brother? Hell no. They are neither freedom fighters nor henchmen of a tyrant: they are businessmen.

Michael J. Graffam (mgraffam@mhv.net)
http://www.mhv.net/~mgraffam -- Philosophy, Religion, Computers, Crypto, etc
"Enlightenment is man's emergence from his self-incurred immaturity. Immaturity is the inability to use one's own understanding without the guidance of another. . .Sapere aude! Have the courage to use your own understanding!"
- Immanuel Kant "What is Enlightenment?"
On Fri, 13 Mar 1998, Anonymous wrote:
> toiling in the bowels of Netscape. An amazing feat, achieving world-wide distribution of millions of copies of strong crypto, the Feds all unknowing.
Netscape distributes both a domestic version and an international version:

"Note to customers from countries other than Canada and the United States: Netscape's recent agreement with the U.S. government allows you to download Netscape Communicator client software with strong encryption capabilities that can be accessed only when you connect to particular Netscape servers approved for export. This capability is now built into all Netscape Communicator client products and does NOT require you to fill out an eligibility declaration.

U.S. and Canadian citizens and permanent residents may download versions with strong encryption that is ALWAYS enabled (regardless of the 128-bit server connected to) but must still fill out an eligibility declaration before doing so.

This option allows you to talk to sites that use a strong version of cryptography to encode sensitive information - such as a credit card number - that you don't want anyone to be able to capture and read as it is transmitted over the Internet. All Netscape products include cryptographic capability. However, if you are a U.S. or Canadian citizen or a legal permanent resident of the United States, you can choose a version with the stronger encryption always enabled.

Strong encryption refers to the size of the key used to encrypt the message. Roughly speaking, messages encrypted with strong (128-bit) encryption are 309,485,009,821,345,068,724,781,056 times harder to break than those that use 40-bit encryption. However, some experts estimate that keys much shorter than 128 bits will be safe for the next two decades.

The strong U.S./Canada-only encryption version is available in French and English to U.S. and Canadian citizens and to permanent residents of the United States only. Because the U.S. government restricts export of any product using 128-bit encryption, you will be asked to fill out an Eligibility Declaration stating that you are a U.S. or Canadian citizen or a legal permanent resident of the United States before you will be allowed to download the software you've selected. The Eligibility Declaration will be stored in a database and made available to the U.S. government upon request."

-- http://home.netscape.com/download/client_options.html#enhanced

--
Andrew Fabbro [afabbro@umich.edu] [andrewf@jesuswept.com]
http://www-personal.umich.edu/~afabbro/ 313.647.2713
"We make money the old fashion way. We print it." - DigiCrime
participants (4)
- andrew fabbro
- David Honig
- mgraffam@mhv.net
- nobody@REPLAY.COM