Slashdot Mirror


Export-level Encryption Proves Insufficient

rossjudson writes: "The Independent is running an article about the shoe bomber terrorist. The interesting bit for Slashdot readers is at the bottom -- apparently the 40-bit encryption in the export version of Windows 2000 was cracked by a set of computers using a brute force method. So let's confront the question: Should the US prohibit the export of high-encryption software? Here is a case where the default values (40 bit) clearly helped recover valuable information from a system." There's another article in New Scientist focusing on the encryption issue.

11 of 517 comments

  1. Re:well that settles it.. by ptrourke · · Score: 3, Informative

    HE WAS/IS A CITIZEN OF THE USA

    Since when? Reid is a British subject, not a US Citizen.

  2. Get with the program... by GiorgioG · · Score: 5, Informative

    128-bit Encryption Becomes the Default in Windows 2000 Service Pack 2 (SP2)

    The Windows® 2000 operating system was the first Microsoft platform with 128-bit encryption to be shipped internationally after the United States government relaxed its export restrictions for strong encryption in early 2000. Microsoft has obtained the necessary approvals to ship Windows 2000 with strong encryption to all customers worldwide except U.S. embargoed destinations.

  3. Re:It doesn't matter because: by Dog+and+Pony · · Score: 2, Informative

    Agreed. Several years ago, one of my country's "popular science" magazines ran an article about "the new encryption", which basically was about the technology that PGP and all others use.

    Looking at that article now today, and mind you it was not very technical, and it only described the math involved pretty sweeping, my biggest problem offhand from doing my own encryption would be generating big enough primes.

    That is where any "advanced math algorithms" book, or for that matter site comes in. They are not gonna put restrictions on exporting prime numbers, are they? :)

    It is stupid. A talented 15-year-old with enough determination and time on his/her hands can hack something good enough together, if it wasn't already available out there. You think huge terrorist networks with tons of cash couldn't find someone to do it for them, if they needed it?

    Don't you think that broke terrorists have at least a few among them that would do it for free?

  4. Re:Yeah by ichimunki · · Score: 3, Informative

    If I was anybody anywhere looking for encryption tools, I'd start with GnuPG. This way we can avoid patented algorithms and proprietary/closed source problems altogether from the git go.

    --
    I do not have a signature

  5. Don't you actually READ anything!?!? by Guppy06 · · Score: 2, Informative

    My God, it seems like some of you posters do nothing but cut-and-paste posts from articles five years ago!

    1.) Export restrictions aren't about making it impossible to get high encryption (that in and of itself would be impossible), but to make it more difficult. Much like the point of encryption itself. Sure, you could get PGP and the like, but could you be bothered to go out of your way like that? Obviously at least one criminal didn't, or else you wouldn't be reading this.

    2.) No, the criminals won't automatically be the most heavily-encrypted amongst us. If you actually took two seconds to read the description of the article (if not the article itself), you'd see that this is about a very big instance where a criminal DIDN'T use heavy encryption. Your argument officially doesn't hold as much water as it used to any more. Time to try something new.

    3.) This is about EXPORT restrictions. EXPORT! EXPORT! You know, where something LEAVES THE US!?!? Restricting what kind of crypto can be exported doesn't do a damned thing to the domestic market unless you're a seller trying to export your stuff or you're a foreign organization trying to buy the software on the open market. Restrictions on domestic crypto sale and use may or may not be an issue, but it doesn't have a damned thing to do with this article beyond sharing the words "crypto" and "export." If you read things more closely than your average IRC bot, you'd have noticed that.

    Go ahead, mod me down to -17 flamebait or troll or whatever. Just so long as you're spending your mod points on sending me down there instead of modding up some of the posts I've seen in here so far described as "interesting" and "insightful."

  6. Re:Yeah by Discoteck · · Score: 3, Informative

    Here is a link to the MIT distribution site for PGP freeware. I haven't tried the GNU Privacy Guard yet, but the MIT site seems to be more comprehensive in comparison. For instance they have a .exe for Windows 95/98/NT/2000! and the Macintosh and a Command Line version for UNIX. Although you need one of these flavors of UNIX:
    Sun Solaris for SPARC version 2.51 or later; AIX 4.2 or later; HPUX 10.20 or later; and of course Linux x86 Red Hat (RPM) 5.0 or later. To encrypt mail they use something being developed on sourceforge [woo hoo] called Mailcrypt. It does say on the Mailcrypt site that they now support both PGP and GnuPG. So now I am not sure of the difference between the two.

    --
    /.................../ \\ /...................../

  7. Re:It doesn't matter because: by A+coward+on+a+mouse · · Score: 1, Informative

    Your point seems to be that humans could never have developed encryption on their own. If the encryption gods handed us the algorithms on stone tablets that is a detail I never heard.

    I remember a couple of years ago an Irish high-school student developed a new encryption algorithm and it made the news all over the world. I suppose you'll say she did it with help from... aliens, perhaps?

    --
    If you mod me down, I will become more powerful than you can possibly imagine.

  8. Why bother smuggling a CD out? Books are legal. by SomethingOrOther · · Score: 3, Informative

    somehow get a 5 x 5 x 1/16" piece of plastic outside a country

    Why bother?
    Just print the code in a book (or even use the 3-line RSA algorithm on a bit of paper) and it was perfectly legal to export it from the US (freedom of the press).
    This is how the international PGP versions were legitimately exported, and then scanned in using OCR to get the code in an electronic format again.

    This was partly why the law was overturned. What is the point in banning the export of code in an electronic format, when it was perfectly legal (first amendment) to export in a written format?

    --
    Anyone quoted by a reporter knows how little they understand
    Don't believe what you read is the truth.

  9. Microsoft EFS was broken in 1999 by Anonymous Coward · · Score: 1, Informative

    Getting to the heart of the documents contained in the al-Qa'ida computer bought by chance by the Wall Street Journal's reporter in Kabul meant cracking the encryption of Microsoft's Windows 2000 operating system installed on the machine, which had been used to protect the data.

    That is not a trivial task. Microsoft will only say that if you lose the password that controls entry to a Windows 2000 system, your best option is to remember it or simply to wipe the machine and start again. And its Encrypting File System (EFS), which had been used to encode the files, is just as strong.

    Now read this paper on how to read EFS encrypted hard disks.

  10. Cracking Windows 2000 VS "getting In" by toby360 · · Score: 1, Informative

    Cracking a Windows 2000 password may very well be very difficult to do, but getting into a password protected computer is actually rather easy. I have used before a floppy I downloaded off the web which contained a simple boot to a simplified Linux OS (Red Hat, I think?) and had the lil floppy change whatever user accounts (including administrator) to a new password of my choice.

  11. Re:Yeah by questionlp · · Score: 2, Informative

    CLUE: Last time I checked, OpenBSD was distributed from Canada. I never mentioned US export laws (I am .au), my point is merely that any form of restriction is pointless.

    The OpenBSD project is based in Canada and was done so to avoid the silly crypto export restrictions that the US had and still has. If the US didn't have the crypto restrictions, then the project would have been moved to the US (as stated by this page).