
Re: Crippled Notes export encryption



Alan Pugh wrote:
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> 
> - -- [ From: Alan Pugh * EMC.Ver #2.3 ] --
> 
> Since this is definitely on-list, and I haven't seen
> anything on it here yet, I'm posting the whole thing.
> Apologies for duplication.
> 
> Date: Wednesday, 17-Jan-96 04:23 PM
> 
> Subject: infoMCI FLASH - Lotus-Security - Lotus Announces C
> 
> [infoMCI FLASH]
>                                 i n f o M C I  F L A S H
> 
> infoMCI (sm)
> Lotus-Security - Lotus Announces Compromise for Export of Strong
> Encryption
> 
> By ELIZABETH WEISE
> AP Cyberspace Writer
> 
> SAN FRANCISCO (AP) _ Lotus Development Corp. announced a
> compromise with the federal government Wednesday that will allow it
> to put better security features into the international version of
> its Notes program.
> 
> While the arrangement assures the government it can access data
> under extreme circumstances, it represents an advance in the
> strength of security allowed in software exported from the United
> States.
> 
> Federal law prohibits the export of certain high-level
> encryption programs, which are defined as a munition under a Cold
> War-era arms control act.
> 
> Encryption programs take ordinary data and put it in secret form
> that cannot be accessed without the proper data ``key.'' The
> government's arbitrary standard for cracking encryption programs
> when needed is at a technical level described as ``40-bit.''
> 
> Some software programs sold in the United States, including
> Lotus Notes, now use stronger 64-bit encryption. Lotus has been
> under pressure to bring such security to Notes users overseas.
> 
> Although 40-bit encryption is quite strong, highly-sophisticated
> attacks using several computers have been able to break it
> recently.
> 
> ``Our customers have basically lost confidence in 40-bit
> cryptography,'' said Ray Ozzie, president of Iris Associates, the
> unit of Lotus that developed Notes.
> 
> ``That left us in a bind. We are the vendor that's supposedly
> selling a secure system to them and they are saying it's no good,''
> Ozzie told a standing room audience at the RSA Data Security
> conference.
> 
> Changes in the general export laws seemed unlikely so Lotus
> negotiated an interim solution.
> 
> The export version of Lotus Notes 4.0, which went on sale last
> week, includes 64-bit encryption but the company has given the U.S.
> government a special code that unlocks the final 24 bits.
> 
> For companies that use the international version of Notes, it's
> as if Lotus put two strong locks on a door and gave a key for one
> to the U.S. government. Thieves have to break through two
> locks, the government only one.
> 
> ``This protects corporate information from malicious crackers
> but permits the government to retain their current access,'' Ozzie
> said. He acknowledged the solution was only a compromise and said
> Lotus wants to see better data security methods developed
> worldwide.
> 
> However, many participants at the conference saw the move as a
> cosmetic answer to the tension between corporate desires for the
> best security and government's interest to access data when
> necessary.
> 
> ``It's a useful stopgap measure that has no value in the long
> run,'' said Donn Parker, a senior security consultant with SRI
> International, a computer research company in Menlo Park, Calif.
> 
> Simson Garfinkel, author and computer security expert, said he's
> not sure international buyers of Notes will like the solution.
> 
> ``Foreign companies don't want the U.S. government to spy on
> their data any more than the U.S. government wants foreign
> companies to be able to spy on theirs,'' Garfinkel said.
> 
> International Business Machines Corp. bought Lotus in July,
> citing the success of Notes, a sophisticated communications and
> database program.
> 
> AP-DS-01-17-96 1619EST
> 
>   (66413)
> 
> *** End of story ***
> 
> - ---
> [This message has been signed by an auto-signing service.  A valid signature
> means only that it has been received at the address corresponding to the
> signature and forwarded.]
> 
> -----BEGIN PGP SIGNATURE-----
> Version: 2.6.2
> Comment: Gratis auto-signing service
> 
> iQBFAwUBMP2KdioZzwIn1bdtAQGdegF9GVCEfL50vWd7e5XX/mKEnzGy5YGvW0iD
> rNPCmz3Xxf3h9wOVJMLrCeDGwe4/m84g
> =6jpa
> -----END PGP SIGNATURE-----

-- 
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
|Vincent S. Gunville     
|Robbins-Gioia		 
|209 Madison St                       Email  [email protected]
|Alexandria, Va 22309    
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-