Semi-Transcript: Pro-CODE hearings on CSPAN-2
Bill Stewart
stewarts at ix.netcom.com
Fri Jun 14 06:36:46 PDT 1996
I caught part of the Burns S.1726 Pro-CODE hearings on CSPAN-2 tonight.
Various speakers got about 5 minutes each; most had their full testimony
in the printed record in addition to informal speaking.
Then the Senators got to grill them. I can't type like Kerouac,
so this will be pretty random and sketchy, almost all mistakes are mine...
(Punctuation, spelling, abbrevs. etc. don't count - sorry :-)
There were several rounds of ~4 panelees I caught the first couple
but it's ~2am.
Lots of people emphasized "We recognize the legitimate needs of
law enforcement, but other things are more important to national security,
and crypto is Inevitable, inevitable, inevitable, so get used to it."
Senator Burns was showing the NTT RSA chips - he had a bit of trouble
remembering which Triple-DES pieces were 56/168/1024 bits, saying
"I have a good memory but it's short :-)"
Pressler arrived late (he's also busy marking up a tax bill where big
airports want one kind of tax and little ones want another -
used this as an analogy and ducked out soon.)
He held up a copy of Applied Cryptography "I haven't read it all yet", and
commented that he could ship the book out but not the floppy.
"We've all got to take cracks at reading summaries of books like this."
"The Cold War is over" "This is government trying to catch up,
and government is 10-15 years behind." "We have to protect banking,
and protect the ability of the FBI to protect people."
Jim Barksdale of Netscape talked about how fast his company has grown;
as with other speakers like Bidzos, he talked about how if you miss
a market window, you can't catch up. His background includes military
intelligence and working for a large cell-phone company, and he had
no problem cooperating with the "legitimate needs of law enforcement"
when they had warrants - but he considers the need for encryption to
be more critical, and considers the cat to be out of the bag.
He put up a poster with a web page www.thawte.com/products/sioux,
a web server product competing directly with Netscape Server and products
from several other people at the table here today - the product's web page
emphasizes how it's not limited by US export controls. It's SSLeay based.
Zisman from Lotus and Business Software Alliance talked; I missed most of
it and part of Bidzos's.
Jim Bidzos talked about lots of things, including the NTT chips
(Burns held them up - they're small). Emphasizes NTT biggest company in
world. Cat's out of bag, crypto inevitable. Flamed escrow.
"Bill Gates called the latest escrow proposal 'No proposal'"
Inevitability of real crypto internationally.
Tim Kraus Kopf of Spyglass talked about how Mosaic is OEMed by many
companies, US and overseas, and about his frustration about not being
able to provide good service to his overseas customers - not only
short-key crypto, but can't provide source. Decided to see how much
crypto was readily available overseas, did AltaVista search for
Apache-SSL, found it all over the world - PacRim, Germany, Australia,
talked about how SSLeay is Australian-written, contains RSA,RC2/4,DES, etc.,
and is used in products like Sioux that competes with his servers and NS's.
Burns asked Barksdale about whether key escrow extends powers of gov't etc.
Barksdale "We're not against key escrow, just mandatory, but it won't work,
there isn't a compromise, there isn't some clever back door, but it
simply won't work. If we _could_ make it work, we'd have done it
a while ago so we wouldn't be taking our time today"
"We have some national security interests - well what are they -
we can't tell you - that's like talking to a guy who keeps quoting God -
NRC report last week _had_ seen all the details and said it won't work"
Bidzos - to reinvent the software infrastructure to do key escrow would
take 3-5 years, couldn't really trust third parties to do it.
Imagine Netscape and Microsoft waiting 3-5 years doing this instead
of spending their time competing.
Pressler? Banks? Bidzos: In my interest the banks don't understand yet
Kraus Kopf: Double encryption anyway - you'll find a safe in the locked room.
Burns: American Bankers' Assoc endorsed the bill. Can't a warrant let
them get information without needing escrow and wiretaps?
Bidzos: We've heard aministration say the industry wants escrow -
only if you carefully interpret what that means - companies may do
their own, don't understand what justifies radical change that
brings in third parties and mandatory escrow
Wyden: What do you folks think will happen if we don't modernize?
Zisman at Lotus - will really hold back technology - internet growth speed
absolutely levels playing field between largest players and smallest players
trmendously empowering to small business and what we're doing here
interferes with that. People used to accept 40 bits, don't any more,
though big customers don't think it's a "joke" like some customers say.
this is a lose-lose proposition.
Wyden: Bidzos - we'll hear the Admin saying foreign products aren't as good,
how will we know foreign products contain what they assert?
Bidzos - it's easy - can download source code & read it, see if it works,
and it _does_ work as well or better. 2) test interoperability,
since you can import it and verify it's identical. German and Japanese chips
very good, use US patents, high school textbooks, etc.
often overlooked cost - we'll have our lunch eaten here in the US as well,
not just overseas markets - say MNC wants secure comms, buys Japanese.
Wyden: Barksdale - concerned that overall the government has consistently
been fighting yesterday's battle - everybody was against smut but
private sector vs. smut cops, fortunately courts making good decisions
- how to catch up and be pro-active instead of behind
Barksdale - we've given fair amount of thought - dump key escrow,
dump limited key lengths, won't work, last war - it's a given.
Understand crypto only a portion of sigint, other ways start at source
or destination - subpoenas, most people who have a mind to do harm
don't use the internet, they use phones.
So what can we do that _does_ work? Look for new ways, not restricting
old ways to make things that won't work kinda work, worst approach.
John Kerry D-Mass - My state has emormous stake, and I'm former prosecutor,
trying to come to grips with choices - how do you find out what others
selling - are they living up to level of proficiency they're advertising.
Bidzos: Largest corp in world NTT just did the chips, would deny reality
to say otherwise
KrausKopf - advantage in encryption it's easy to verify because if you can
decrypt it you know it works
Bidzos - some of the foreign implementations don't measure up, and
don't doubt some US entities can exploit, but problem - process by which
deficiencies are resolved is improving rapidly, testing by import to US,
next step may be for overseas products to be incompatible with US so
if you want good security you need to buy South African instead of US,
you can buy over Internet. They're not as good as we are, improving
rapidly, larger companies _are_ as good.
Kerry - is this inevitiability curve?
Bidzos - yep. Intelligence folks are very good but their job
isn't to care about whether we lose market share.
K - if you know what we knew?
Z - NRC did know, 13/16 security cleared. Market inevitability.
too much Focus on key escrow instead of getting intelligence community
equipped to deal with it.
K - Alternatives if escrow won't work?
Z - Escrow in legal sense vs. this stuff. Impractical, and won't
catch bad guys, unacceptible to market. Voluntary key recovery
something big companies already do, and warrants can get those from
places that use them. These discussions going on for a long time,
being brought to a head, need immediate relief and action so we can
have a playing field where we can compete
K - you do accept legitimate needs
Z - sure, but reject idea that current policies affect that
K - so you think it's inevitable that won't work
Z - yeah
K - do you believe there's potential for cyberterrorism that could
impact either defense comms or financial institutions
Barksdale - sure - that's why we need tight encryption instead of
this loosey-goosey stuff we've got. Can you imagine pressure on holder
of key escrow for international circumvention to get that file?
KK - security depends on number of doors, not just lock strength.
Bidzos - intelligence worried about increased costs, idiot-proof crypto,
but that's the inevitability we have to accept. Significant loss of
jobs and revenues if don't act, NSA doesn't understand market forces,
"other than that they're doing fine" :-)
and risk backlash that could completely lose them any controls,
if we were to raise speed limit to 100 mph, you'd see us investing in
faster police cars
Burns - in Montana we don't have speed limit :-)
Burns - are y'all saying this policy puts us at more risk than without it
Everybody - yes, we've been saying this for long time,
national security is much stronger with crypto protecting
the computers we're dependent on.
Bidzos? We get asked what if terrorist brings down airliner?
Well, in this computer age, what if a 12-year-old does?
We need crypto to prevent that sort of problem.
Kerry - market share, clearly understand, trying to balance interests
Wyden - are you discussing software with intelligence community?
new partnership on software side like have with hardware
Bidzos - couldn't agree more - NSA thinks talking AT&T & Motorola is
whole industry. And without prior consultation, all we've gotten has
been Clipper Chip and key escrow
Barksdale - My CTO talking at NSA? conference Friday, happy to talk
Zisman - expertise exists, much better to invest in intelligence-gathering
techniques than implementing diversionary stuff that won't work
Kerry - if you're US attorney and get a wiretap you can't read,
what happens if can't break - are we saying law enforce needs new tools
Barks - yes sir, just like conversation on street hard to tap
K - so we just have to adjust
B - yes sir
Bidzos - 40-bit agreement between NSA and industry waS that 40-bit
level would be periodically raised - we might not be having this
confrontation if NSA'd done their part and taken us seriously
Kenneth Dam of NRC Panel next on agenda - also brought with him
Jules Katz former deputy USTR, 30 years export control,
Herb Lin, staff director, has whole report
still in printing but we can get you copies now. volume August.
executive summary and full statement available
Keeping confidential info private is very hard.
Criminals, corporate spies, crucial systems vulnerable to all sorts of
people. Crypto an important, vital tool for protecting citizens privacy
and legitimate business interests. Bad Guys can also use it.
Feds must weigh issues. NRC study asked for by Congress.
We have diverse interests, but have strong consensus,
13/16 got cleared for classified materials, unanimously conclude
that debate can be carried out reasonably on unclassified basis.
Wider use of crypto will support everyone's interest even though
will make it harder for law enforcement.
Don't believe total drop export controls, though relaxing will help.
DOmestic/Foreign version split bad at home - govt needs to make it
easier for US companies. Should be easy to export DES.
US world market leadership good for national security.
No legal limits domestically!
"National security vs. business security" is over-simplistic -
protecting civilian infrastructure stengthens national security.
Escrow promising but unproven, risky - resolving some issues
would require legislation, but there's not enough experience to
base it on anything but speculation - government should pursue
for internal use, developing policy with open public discussion.
Only way to get consensus is Congressional discussion.
Burns - we politicians will take the parts we like and throw
the rest away :-) Why are National Security folks unwilling
or reluctant to try other approaches?
Dam - Law Enf vs. National Security - N.S. folks recognize responsibility
to protect whole country's security, including infrastructure,
so they're more balanced. Law Enf has different concerns - they're
interested in surreptitious eavesdropping phone conversations and
data - also want to hold down crime, and computers are growing part of that,
LE under pressure to solve big high-profile crimes fast and pre-empt,
like blowing up World Trade Center. They have other ways to get info,
e.g. subpoena, warrants, but most people don't keep records of phone calls
that can be subpoenaed, and this is the heart of their concern.
Burns - still vulnerable to terrorism because we're open and free,
but jsut as vulnerable to industrial espionage, need real crypto to prevent.
more risk from industrial than terrorists. Thought report was very
complete on that. Wyden?
Wyden: report ought to be real wake-up call for Clinton folks in field.
Very prestigious report. Mr. Dam - you were at State in 80s, part of team
advocating strong controls, why did you change your mind?
Dam - crypto export wasn't big issue then, world changing fast,
industrial vulnerability criticial, info security in INformation Age.
Dam - wants to allow >DES export for products that make plaintext available.
For people to understand the issues, they'll have to get up to speed on
a lot of issues, but they're not classified ones.
Wyden wants Dam to lead discussions between software folks and NSA-side,
hopes some convergence and cooperation can happen.
===========================================================
Next panel - HP, EDS, etc.
Dan Buchanan - Zion's Data Svcs. in Salt Lake - Bank holding business.
Utah digital Signatures laws. Computer breakins in financial businesses -
we need strong crypto to be able to compete with foreign banks and
preserve our own assets. Our biggest asset is the trust we represent
to our customers - essential that we not be limited in use of crypto,
flexible methodologies absolutely critical as computer power increases.
EDS - we're now separate from GM, trading NYSE next monday.
We're world-wide, chasing global electronic commerce markets,
need secure, speedy, efficient communications,
restrictions reduce our competitiveness.
Pleasant calm pro-crypto speech. Good for Industry, Good for America!
HP - Richard Sevick.
HP speaker showing off his smart card, says 500 million around world,
need stronger crypto than export allows, international competitors.
HP projects 4 billion smart cards in use by Y2000, US companies can't
afford to miss it, need this export liberalization. It's also an
international problem, not just national - HP working with US and G7
to get international framework for crypto, needs legislative support
from S.1726 - Proposes Crypto engines on servers which don't work
without smartcard "flag chips" to let you use your government-approved
crypto chip to authorize different levels of encryption as needed.
[WCS comment - yukkk! I'm trying to be objective, but.....]
Can do shopping at home with security! Companies can interchange sensitive
info, level of crypto flexible as authorized by national governments.
Pilots this fall with computer vendors, banks, phone companies, expect
approval, want S.1726 to help them export its framework.
Burns - if we're going to live in a micro-chip and supercomputer industry,
why should we hang on to the old vaccuum tube?
Seen proposals for smart cards for foodstamps/welfare/wic/etc. fraud
prevention because foodstamps are sold on street.
Joel Lisker from MasterCard - MC uses crypto for PINs,
smartcards - 40-bit key way too short, computer hackers can crack in seconds,
can't export strong enough smartcards without long slow negotiations.
Held up Spanish chip-card from Europay, their counterpart in Spain -
if we gave this kind of card to US customer, not clear they could
take it with them in their wallet on trip out of US because export laws.
Burns - are your customers reluctant to do business on phone,
divulging account numbers etc. -
Lisker - younger people usually more comfortable but older
customers more concerned about compromise.
Sevcik - people trust smartcards more with PINs since they can't
be used if stolen.
Burns - some trials of smartcards for foodstamps annoyed bureaucrats
because it doesn't take as many people at the courthouse counting
food stamps.
====================================
aharon friedman digital secured networks technology
hardware crypto product company in NJ - 512-bit keys
minimum length needed is 75 bits to be close to unbreakable.
40 not enough - can buy $400 chip to break 5 hours, etc.
$300K break 0.18 seconds
Security agencies would like us to use 56 bits,
same $300K of off-the-shelf stuff 19 days to break,
but same $300K of custom chips can break in 3 hours
as described in open literature
doesn't matter if escrow, can break anyway
Also need key-exchange, public-key eg. RSA
govt doesn't allow itself <1024 bit keys
we're forced to deliver security products that
we don't believe provide security.
overseas customers aren't stupid, they won't buy it.
Job loss estimates
His company has many requests for their technology,
thinks it's one of the best, 700 foreign companies request it.
Large Japanese compnay wants to buy lots. We can't sell
and govt dragging feet even for evaluation copies. We lose.
American companies want to communicate with foreign companies -
what can they buy? They'll buy NTT or Siemens.
Showed "Applied Crypto" book source code in back,
any criminal can type it in or buy a scanner.
Ex-FBI head says "give me 5 hackers and I can bring down US"
Easier to write crypto code than make a bomb -
law-enforcement agencies know this.
Quotes NYT editorial - clearly it's time to revise policy.
robert bigony senior-vp marketing govt & space motorola in scottsdale
Moto at center of debate because of products we make.
=====================================================
..... I'm not going to transcribe the rest....
and the recorded Senator Burns wants to get to lunch :-)
Bill
# Thanks; Bill
# Bill Stewart +1-415-442-2215 stewarts at ix.netcom.com
# http://www.idiom.com/~wcs
# Dispel Authority!
More information about the cypherpunks-legacy
mailing list