From owner-freebsd-security Tue Sep 9 06:44:28 1997
Message-ID: <19970909144346.54450@pavilion.net>
Date: Tue, 9 Sep 1997 14:43:46 +0100
From: Josef Karthauser
To: security@freebsd.org
Subject: FTP compromise.

I found this today. Any comments?

BUG: wu_ftpd (all versions)

TESTED: BSDI 3.0 (all patches), FreeBSD 2.2.1

DATE: 15th Aug 1997

REPEAT BY: Log into a wu_ftp server (either anonymously or as a user)
and issue the command...

    nlist ../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/
    ../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/
    ../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/
    ../*/../*/../*/../*/../*../*../*

DESCRIPTION: You can severely compromise the ftp server's performance.
This command will create a HUGE directory listing, no matter how many
files/directories are in the current directory (this is recursive).

CONSEQUENCES: These vary. On my FreeBSD 2.2 box I was able to eat up
all memory and swap memory until the kernel spewed "out of swap space"
errors and killed a few processes. It also eats up all available CPU
space (up to 99.22% on my box). If repeated a few times you will no
longer use up swap space and the processor usage will rocket and stay
there for quite a while (hours). Since the ftpd program is still
processing the command your ftp session will not idle timeout.
However, if you do decide to kill your attacking ftp session, ftpd
will still process the command and therefore, the host's resources will
take a beating. Basically, it looks like any user can severely drain
your system's resources - a kind of Denial of Service attack.
I was able to use up all remaining processor time for two hours (would
have gone on for much longer only I got bored and killed it).

CONTACT: You can email me at ener@shell.firehouse.net if you want to
discuss this problem further (or let me know if it works on any
other ftpd).

--
Josef Karthauser
Technical Manager                  Email: joe@pavilion.net
Pavilion Internet plc.  [Tel: +44 1273 607072  Fax: +44 1273 607073]

From owner-freebsd-security Tue Sep 9 10:42:29 1997
Message-ID: <19970909194121.10288@deepo.prosa.dk>
Date: Tue, 9 Sep 1997 19:41:21 +0200
From: Philippe Regnauld
To: Josef Karthauser
Cc: security@FreeBSD.ORG
Subject: Re: FTP compromise.
References: <19970909144346.54450@pavilion.net>
In-Reply-To: <19970909144346.54450@pavilion.net>; from Josef Karthauser on Tue, Sep 09, 1997 at 02:43:46PM +0100
X-Operating-System: FreeBSD 2.2.1-RELEASE i386

Josef Karthauser writes:
> ll versions)
>
> TESTED: BSDI 3.0 (all patches), FreeBSD 2.2.1
>
> DATE: 15th Aug 1997
>
> REPEAT BY: Log into a wu_ftp server (either anonymously or as a user)
> and issue the command...
>
> nlist ../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/
> ../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/
> ../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/
> ../*/../*/../*/../*/../*../*../*

Behaves differently depending on client.

stock ftp in -current (as of 28/07) makes ftpd eat 45% cpu,
but no noticeable memory footprint increase. Killing ftp (the
client) solves the problem.

With ncftp2, I get ftpd at 10-12% cpu, in a biowait loop, and
constant seeking on the disks. Killing ftpD is the only way out.
--
 -- Phil

 -[ Philippe Regnauld / Systems Administrator / regnauld@deepo.prosa.dk ]-
 -[ Location.: +55.4N +11.3E       PGP Key: finger regnauld@hotel.prosa.dk ]-

From owner-freebsd-security Tue Sep 9 11:13:02 1997
Date: Tue, 9 Sep 1997 20:11:49 +0200 (SAT)
From: Khetan Gajjar
Reply-To: Khetan Gajjar
To: joe@pavilion.net
Cc: security@freebsd.org
Subject: Re: FTP compromise.

>Date: Tue, 9 Sep 1997 14:43:46 +0100
>From: Josef Karthauser
>To: security@FreeBSD.ORG
>Subject: FTP compromise.

>CONSEQUENCES: These vary. On my FreeBSD 2.2 box I was able to eat up
> all memory and swap memory until the kernel spewed
> "out of swap space" errors and killed a few processes.

Just tried this on my 2.2-STABLE box now; I'm running
wu-ftpd-2.4.2-beta-13, and after a minute, was nowhere near consuming
all CPU time or memory. (output from top)

17745 root      98   0   772K   432K RUN    1:32 67.57% 67.52% ftpd

Five minutes later, nothing different happened.

17745 root     105   0   772K   432K RUN    5:05 69.96% 69.96% ftpd

---
Khetan Gajjar                    | khetan@iafrica.com or khetan@os.org.za
http://chain.iafrica.com/~khetan | PGP : finger khetan@chain.iafrica.com
UUNET Internet Africa Support    | FreeBSD enthusiast-www2.za.freebsd.org
MOTD : In a world without fences who needs Gates?
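
Added example, not part of any message in this thread and not wu-ftpd's own code: the reported pattern multiplies the match count at every "../*" step, so with n sibling directories and k repetitions the server expands n^k paths. The Python below expands a pattern one component at a time and refuses it through two limits; the function names, the limit values and the temporary directory tree are assumptions constructed for the illustration.

```python
import fnmatch
import os
import shutil
import tempfile

WILDCARDS = "*?["

class GlobBudgetExceeded(Exception):
    """The pattern was refused or abandoned because it exceeded a limit."""

def bounded_glob(cwd, pattern, max_wildcards=4, max_paths=1000):
    """Expand pattern relative to cwd, one path component at a time, within limits."""
    parts = [p for p in pattern.split("/") if p]
    wild = sum(1 for p in parts if any(c in p for c in WILDCARDS))
    if wild > max_wildcards:              # cheap check, before any directory is read
        raise GlobBudgetExceeded(f"{wild} wildcard components > {max_wildcards}")
    current, visited = [cwd], 0
    for i, part in enumerate(parts):
        is_last = i == len(parts) - 1
        following = []
        for base in current:
            if any(c in part for c in WILDCARDS):
                try:
                    names = sorted(os.listdir(base))
                except OSError:           # not a directory, or unreadable
                    continue
                names = [n for n in names
                         if not n.startswith(".") and fnmatch.fnmatchcase(n, part)]
            else:
                names = [part]            # literal component, including ".."
            for name in names:
                path = os.path.join(base, name)
                if not os.path.lexists(path):
                    continue
                if not is_last and not os.path.isdir(path):
                    continue
                visited += 1
                if visited > max_paths:   # stop as soon as the work budget is spent
                    raise GlobBudgetExceeded(f"more than {max_paths} paths visited")
                following.append(path)
        current = following
    return current

def make_sample_tree(n_dirs=3):
    """Constructed sample: a temp directory holding n_dirs empty subdirectories."""
    top = tempfile.mkdtemp(prefix="globdemo-")
    for i in range(n_dirs):
        os.mkdir(os.path.join(top, f"d{i}"))
    return os.path.join(top, "d0")        # plays the role of the session's cwd

def climbing_pattern(k):
    """k repetitions of '../*', the shape of the pattern quoted in the thread."""
    return "/".join(["..", "*"] * k)

if __name__ == "__main__":
    cwd = make_sample_tree(3)
    try:
        for k in range(1, 7):             # limits lifted to show the raw growth
            n = len(bounded_glob(cwd, climbing_pattern(k),
                                 max_wildcards=99, max_paths=10**6))
            print(f"{k} repetitions -> {n} paths")
        bounded_glob(cwd, climbing_pattern(8))    # default limits apply here
    except GlobBudgetExceeded as exc:
        print("refused:", exc)
    finally:
        shutil.rmtree(os.path.dirname(cwd))
```

The wildcard-component cap rejects a request before any directory is read, and the path budget bounds the work for patterns that pass the cap.
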
From owner-freebsd-security Wed Sep 10 04:44:08 1997
Date: Wed, 10 Sep 1997 13:45:00 +0000 (GMT)
From: Wojtek Sobczuk
To: Josef Karthauser
Cc: security@FreeBSD.ORG
Subject: Re: FTP compromise.
In-Reply-To: <19970909144346.54450@pavilion.net>

the same problem shows up when you type:
ls ../*/../*/../*

consider that another good feature :)

[ bIfacEd (Wojciech Sobczuk) ]
[ sopel@hood.1lo.lublin.pl ] [ wojtek@gaja.ipan.lublin.pl ]
[ sysadmin, coder, and a lil' more.. ]

From owner-freebsd-security Wed Sep 10 16:35:21 1997
Message-Id: <199709102334.QAA06556@hub.freebsd.org>
To: freebsd-security@FreeBSD.ORG
Subject: Re: Kernel Install Permissions
Date: Thu, 11 Sep 1997 01:33:46 +0200
From: Gary Howland

> Jamil J. Weatherbee writes:
> >
> > This is just a personal opinion, and maybe it is uneducated, but is there
> > really some reason for the kernel to be installed chmod 555, wouldn't 544
> > or even maybe 444 do (I'm not too familiar with the bootloader, I would
> > guess that it doesn't execute /kernel in the same way a coff binary is
> > executed so permissions probably don't matter hunh?)
>
> Perhaps even 550 or 540 with group kmem or something.

Better still make it unmodifiable with chflags (assuming that you're
running at a suitable security level).

Gary

From owner-freebsd-security Fri Sep 12 15:52:27 1997
Message-Id: <199709122252.PAA08231@passer.osg.gov.bc.ca>
Reply-to: cschuber@uumail.gov.bc.ca
To: freebsd-security@freebsd.org, linux-security@redhat.com, bugtraq@netspae.org, best-of-security@cyber.com.au
Subject: Special Notice: News on Pending US Legislation
Date: Fri, 12 Sep 1997 15:51:39 -0700
From: Cy Schubert - ITSD Open Systems Group

The enclosed note discusses some pretty scary stuff...

Regards,                       Phone:  (250)387-8437
Cy Schubert                      Fax:  (250)387-5766
UNIX Support                   OV/VM:  BCSC02(CSCHUBER)
ITSD                          BITNET:  CSCHUBER@BCSC02.BITNET
Government of BC            Internet:  cschuber@uumail.gov.bc.ca
                                       cschuber@bcsc02.gov.bc.ca

        "Quit spooling around, JES do it."

------- Forwarded Message

Message-Id: <199709122003.PAA18028@dorsai.cs.purdue.edu>
To: coastwatch@cs.purdue.edu (COAST Mailing list)
Subject: Special Notice: News on Pending US Legislation
Reply-To: spaf@cs.purdue.edu
X-Uri: http://www.cs.purdue.edu/people/spaf
Organization: COAST, Department of Computer Sciences, Purdue Univ.
Date: Fri, 12 Sep 1997 11:58:47 -0500
From: spaf@cs.purdue.edu (Gene Spafford)

The last week has produced some incredible events in the U.S. House of
Representatives as regards cryptography. Enclosed is a story about one
such event that may soon result in U.S. law. If you do business in the
U.S. or live in the U.S. and expect to use computer systems and
networks, this issue should be of major concern to you.

Most mainstream media seems to be avoiding this issue, perhaps because
it is difficult to present to the lay reader. Thus, you may not have
heard about this. We think you should. The implications are huge for
our security and privacy, and for the ability to conduct unhindered
research and education on information security issues in the U.S.

I will not editorialize on this issue here. However, I urge you to
seek out information on what is happening and convey your opinions,
whatever they may be, to your elected representatives (if you are in
the US). You should act soon, as there may be little time before a
final bill is crafted to go to the floor of the House.

>---------- Forwarded message ----------
>Date: Thu, 11 Sep 1997 23:37:39 -0700 (PDT)
>From: Declan McCullagh
>To: fight-censorship-announce@vorlon.mit.edu
>Subject: House panel votes behind closed doors to build in Big Brother
>
>Software that protects your privacy is a controlled substance that may no
>longer be sold, a Congressional committee decided today.
>
>Meeting behind closed doors this morning, the House Intelligence committee
>voted to replace a generally pro-encryption bill with an entirely
>rewritten draft that builds in Big Brother into all future encryption
>products.
>(The Senate appears to be moving in a similar direction.)
>
>The new SAFE bill -- titled in a wonderfully Orwellian manner the
>"Security and Freedom through Encryption" act even though it provides
>neither -- includes these provisions:
>
>SELLING CRYPTO: Selling unapproved encryption products (that do not
>include "immediate access to plaintext") becomes a federal crime,
>immediately after this bill becomes law. Five years in jail plus
>fines. Distributing, importing, or manufacturing such products
>after January 31, 2000 is another crime.
>
>NETWORK PROVIDERS: Anyone offering scrambled "network service"
>including encrypted web servers or even "ssh" would be required to
>build in a backdoor for the government by January 31, 2000. This
>backdoor must provide for "immediate decryption or access to
>plaintext of the data."
>
>TECHNICAL STANDARDS: The Attorney General will publish technical
>requirements for such backdoors in network service and encryption
>products, within five months after the president signs this bill.
>
>LEGAL TO USE CRYPTO: "After January 31, 2000, it shall not be
>unlawful to use any encryption product purchased or in use prior to
>such date."
>
>GOVERNMENT POWERS: If prosecutors think you may be selling,
>importing, or distributing non-backdoor'd crypto or are "about" to
>do so, they can sue. "Upon the filing of the complaint seeking
>injunctive relief by the Attorney General, the court shall
>automatically issue a temporary restraining order against the party
>being sued." Also, there are provisions for holding secret
>hearings, and "public disclosure of the proceedings shall be
>treated as contempt of court." You can request an advisory opinion
>from the government to see if the program you're about to publish
>violates the law.
>
>ACCESS TO PLAINTEXT: Courts can issue orders, ex parte, granting
>police access to your encrypted data.
>But all the government has to
>do to get one is to provide "a factual basis establishing the
>relevance of the plaintext" to an investigation. They don't have to
>demonstrate probable cause, which is currently required for a
>search warrant. More interestingly, this explicitly gives the FISA
>court jurisdiction (yes, the secret court that has never denied a
>request for a wiretap). If they decode your messages, they'll tell
>you within 90 days.
>
>GOVERNMENT PURCHASING: Federal government computer purchases must
>use a key escrow "immediate decryption" backdoor after 1998. Same
>with networks "purchased directly with Federal funds to provide the
>security service of data confidentially." Such products can be
>labeled "authorized for sale to U.S. government"
>
>ENCRYPTION EXPORTS: The Defense & Commerce departments will control
>exports of crypto. Software "without regard to strength" can be
>exported if it includes a key escrow backdoor and is first
>submitted to the government. Export decisions aren't subject to
>judicial review, and the "president may by executive order waive
>any provision of this act" if he thinks it's a threat to national
>security. Within 15 days, he must send a classified briefing to
>Congress.
>
>ADVISORY PANEL: Creates the Encryption Industry and Information
>Security Board, with seven members from Justice, State, FBI, CIA,
>White House, and six from the industry.
>
>INTERNATIONAL: The president can negotiate international agreements
>and perhaps punish noncompliant governments. Can you say "trade
>sanction?"
>
>(Other provisions barring the use of crypto in a crime and
>some forms of cryptanalysis are also in the bill.)
>
>Next the Commerce Committee will vote on SAFE, and a former FBI
>agent-turned-Congressman is vowing to ensure that similar language to this
>is included. (The committees are voting on the bill in parallel, and a
>four-person team of Congressmen is working to forge a compromise before
>Commerce votes.)
>Then the heads of the five committees that have rewritten
>the legislation will sit down and work out another compromise. If it's
>acceptable to the House Rules committee -- and if the FBI/NSA get what
>they want it will be -- the bill can move to the floor for a vote.
>
>That's why the encryption outlook in Congress is abysmal. Crypto-advocates
>have lost, and lost miserably. A month ago, the debate was about export
>controls. Now the battle is over how strict the //domestic// controls will
>be. It's sad, really, that so many millions of lobbyist-dollars were not
>only wasted, but used to advance legislation that has been morphed into a
>truly awful proposal.
>
>I wrote more about this at:
>
> http://cgi.pathfinder.com/netly/opinion/0,1042,1385,00.html
>
>-Declan
>

------- End of Forwarded Message