FT on NsCPunxsters

[John Young <jya@pipeline.com>]

   Financial Times, Sept 27, 1995

   Cracks in the code

   Peter Martin calls for an easing of US restrictions on
   the export of encryption technology


   Encryption used to be a subject of interest only to spies
   and mathematicians. But the central role that the
   electronic transmission of information is playing in
   commerce and society make it now a technology of enormous
   practical relevance. Two recent stories out of many
   exemplify this trend.

   Citibank lost $400,000, it is alleged, to a Russian hacker
   who managed to crack its clients' passwords. The solution
   to this security problem: a new generation of encrypted
   passwords that are much harder to crack.

   And Netscape Navigator, the leading "browser" program for
   the Internet's fast-growing World Wide Web, has been shown
   to have flaws in its encryption routine. In theory at
   least, these make it possible for outsiders to read
   encrypted data sent over the net -- such as credit card
   numbers. Netscape acknowledges the problems and says it
   will have fixes available by today.

   Is this crucial technology vulnerable to determined attack
   by hackers and fraudsters?

   Before considering the question, remember that the
   introduction of any new technology highlights risks
   uncomplainingly borne for years. The safety precautions
   demanded of the Channel tunnel are one example, as compared
   with those required of traditional trains or ferries.

   Similarly, it is argued, people have been unhesitatingly
   using analogue mobile phones, reading credit card details
   over the telephone, and sending off faxes into the ether
   without any of the panic that now surrounds the issue of
   Internet security.

   The comparison is an instructive one, but not entirely
   fair. What worries Internet users is not so much that a
   determined enemy might target them for eavesdropping, or
   even that chance might put their credit card details in the
   hands of a dishonest person.

   Instead, they worry about the Internet's unstructured
   nature under which messages are passed from computer to
   computer across the world until they reach their final
   destination.

   In principle, this would allow a criminal to leave a
   "sniffer" program lurking, electronically, at one of the
   nodes, recognising credit card numbers as they passed by,
   and scooping them up for subsequent exploitation. People
   also fear an attack on the computers of merchants selling
   goods over the Internet -- each containing thousands of
   credit card numbers. The fear is thus not one of random
   theft but of systematic brigandage.

   Encryption is all that stops such fears paralysing
   electronic commerce before it has properly begun. It is
   therefore in the general public interest that effective
   encryption be widely available.

   The Netscape problem illustrates how easy it is for the
   inherent mathematical strengths of a modern encryption
   scheme to be overcome by an oversight in its supporting
   plumbing. One of the faults in Netscape's encryption, for
   example, stems from too predictable a method of generating
   the random numbers needed to make the scheme work.

   It also illustrates how, once a code-breaker's task is
   simplified by such a weakness, today's powerful networks of
   cheap computers make it quick to crack even the most
   sophisticated encryption schemes. The narrower the range of
   numbers through which the cracker's computers must sift in
   order to find a meaningful answer, the greater the
   probability of breaking the code within a useful amount of
   time.

   All the more reason, then, for non-Americans to view with
   dismay a US policy which restricts the international
   distribution of the most powerful forms of encryption. For
   national security reasons, the US insists that the version
   of Netscape sold outside North America must contain a
   weaker form of encryption than that available to Americans
   and Canadians.

   The international version is restricted to a 40-digit
   "key", while the North American version uses 128 digits.
   The longer the key, the greater the time and computing
   power required for the code to be cracked. In principle,
   given enough computing power, even a message encoded by a
   very long key could be cracked in time. In practice,
   however, the task of cracking many millions of messages to
   find one that is of interest makes messages secure as long
   as the key has enough digits.

   Amateur code-crackers claim to have broken the 40-digit
   version of the Netscape encryption scheme. Their claim is
   hard to verify. But there is no doubt of the weakness in
   the random-number generation procedure; Netscape has
   verified it.

   This fault is common to both North American and export
   versions of the program, so it does not result from the US
   government restrictions on key length. The occasion reminds
   us, however, that effective encryption is essential to the
   growth of electronic commerce. And it teaches us that
   simplifying the code-breaker's task -- by error in
   Netscape's case, by deliberate diktat in the case of the
   government restriction is an easy way to make transmissions
   vulnerable.

   There was never much justification for the US determination
   to weaken exported encryption products. There is less now.

   [End]

---------

   NYT, Sept 27, 1995

   Russians Arrest 6 In Computer Thefts

   St. Petersburg, Russia, Sept 26 (AP) -- Russian police
   officers have arrested six more people in a $10 million
   computer theft from Citibank here, but the masterminds are
   said to remain at large.

   An officer in the organized crime division was quoted by
   the Itar-Tass news agency as saying that six people had
   been arrested in St. Petersburg on swindling charges
   stemming from the case involving Citibank, the chief unit
   of Citicorp. Weapons and tax-evaslon charges may also be
   filed.

   The police confiscated two computers and a number of
   computer diskettes, plus weapons and cash from the
   suspects.

   Bank and law-enforcement officials say a gang of thieves in
   St. Petersburg broke into Citlbank's electronic
   cash-management system scores ot times and transferred
   money into their own accounts.

   Several people have been arrested abroad and face charges
   in the United States, including Vladimir Levin, 28,
   reportedly the group's computer hacker.

   Citibank officials said they recovered all but $400,000 and
   upgraded the cash-management systems's electronic security
   after the theft.

   [End]

---------

   FT, Sept 21, 1995.

   Extradition in Citibank hacking case

   A British court yesterday approved the extradition to the
   US of Mr Vladimir Levin, the Russian science graduate
   accused of an attempted $10m (6.5m pounds) computer hacking
   fraud on Citibank. ...

   Mr Levin has been charged in the UK with offences under the
   Computer Misuse Act, forgery and false accounting. The US
   authorities are now drawing up similar charges to bring
   against him.

   Mr Levin is one of six people arrested over the alleged
   attempted fraud on Citibank. An FBI inquiry into the
   incident is continuing and it is believed that others are
   still being sought.

   When Mr Levin is returned to the US, he is likely to be
   closely questioned by the authorities, who are anxious to
   discover more of the technical details of the alleged
   attempted fraud.

   Mr Levin, who was arrested earlier this year travelling
   through Stansted airport in the UK, would appeal against
   the court's decision, his lawyers said. He has 14 days to
   lodge an appeal to the High Court in London. ...
   
   [End]