How to post or email without fear of reprisal

greenspun.com : LUSENET : TimeBomb 2000 (Y2000) : One Thread

If it has been posted here once, it has been posted a thousand times, that no one wants to give company data or part numbers due to fear of reprisal. Here is the way to post your exact data, chapter and verse, name names and all the rest, without fear of being traced.

Go to this site.

http://www.anonymizer.com/3.0/services/index.shtml

Post through them. Read all the references and such on their site if you don't understand the concept of an anonymous service. You can't be traced, and anonymous services don't keep records of who went where.

All you need after that, is a handle. Just make sure you post data that is known to a number of people - it is not possible for a company to go to court and say - we know one of them did it - execute them all. By the same token - they can't pursue reprisals against dozens of people - they do want to keep SOMEONE to do the work.

But please do post company names and/or serial numbers of parts that won't work. Maybe the moderators will even create a new category for this type of information.

-- Paul Davis (davisp1953@yahoo.com), July 01, 1999

Answers

Paul, if you pollys are so interested in protecting whistleblowers, then why is it that your beloved Debunking Y2K forum does not allow inputs from the anonymizer?

-- a (a@a.a), July 01, 1999.

Well, I did not know that. And it is a bit of a stretch to call Debunkers 'beloved' by me - I have started very few threads over there and really haven't posted much since the first couple of weeks. I have 9 posts out of what looks like about 250 total on the active page right now - the most I have had in several weeks.

So post at BFI - there is nothing I know of over there to keep you from being anonymous. Or here for that matter.

-- Paul Davis (davisp1953@yahoo.com), July 01, 1999.


Paul,

I think you've got a great idea here.

Furthermore, I don't just want to hear about problems with parts, etc. I'd love to hear from people in y2k remediation who can divulge that their projects are completed and compliant.

Contrary to popular polly assumption, I'm on a mission to find GOOD news.

Mike

PS. My boss lets me spend way too much time researching y2k! I do? Yep, you do? Naw...I don't. Yeah...you do...get some work done! Hey, guess you're right! (Tough sometimes being self-employed : )

-- Michael Taylor (mtdesign3@aol.com), July 01, 1999.


Inside The Web disallows the use of anonymizer.com to ANY of their discussion threads.

-- (abc@defg.hij), July 01, 1999.

Sorry Paul - I have to disagree with you on this one. If I am in a position where I am either the only person or one of just a very few who *HAVE* this type of information about ABC-Widgets, then posting anonymously with a bogus handle / ID would have little to no effect at all.

I would be identified and sued in rather short order.

The reason that I say this is because I am currently in such a position and it hit home pretty swiftly. The Corporation that I am currently under contract with is, btw, in very good shape and are Y2K Ready.

Yours in COBOL... Dino!

-- (COBOL_Dinosaur@yahoo.com), July 01, 1999.



On the issue of security, U.S. browser support for export supports only 40-bit keys. The domestic versions support 128-bit keys. 40-bits can be broken in minutes.

Even if you are in the U.S., you may still only have 40-bit. Either get the "stronger" version -- (and go through the "your papers, please"), or get a patch from

http://www.fortify.net

You can download from Fortify a patch that upgrades your browser from 40-bit to 128-bit, regardless of whether you're in the U.S. or not, without the "your papers, please" bit.

Note that this is available for Netscape only, not Microsucks Internet Explorer (IE) (no big loss).

If this post doesn't mean anything to you, go to the Fortify site and read the material. This affects e-mail, on-line buying, etc.

-- A (A@AisA.com), July 01, 1999.


It isn't quite THAT easy to break 40 bit encryption A, the cracker has to catch quite a bit of the handshaking and initial key exchange as well as the critical message to pull it off in minutes.

128 bit is certainly better all the way around, though I don't doubt someone will eventually find a way to break it. Anyone who solves the factoring of large numbers problem will screw up encryption for the next decade or two.

-- Paul Davis (davisp1953@yahoo.com), July 01, 1999.


Anyone who solves the factoring of large numbers problem will screw up encryption for the next decade or two.

Paul Erdős could have done it (if he took an interest in it) but he's gone away.

-- Tom Carey (tomcarey@mindspring.com), July 01, 1999.


Dino, I will admit there are some situations like yours where a company might have just a few people who actually know of a problem. I meant the type of company often discussed here, large enough that a problem would be known across several sites, and details discussed in fair sized meetings. In such a case, an anonymous poster who named names and told all, would only have to be moderately careful to be pretty well bulletproof.

-- Paul Davis (davisp1953@yahoo.com), July 02, 1999.

From the Fortify (http://www.fortify.com) site:

How strong is a 40 bit secret key anyway?

It is feeble.

Netscape Communications peg the computation effort to exhaustively search a 40 bit key at approximately 64 MIPS-years (MIPS = millions of instructions per second). This means that it would take a 1 MIPS computer 64 years to find a 40 bit key value. A 64 MIPS computer would take one year to do the same task. Two such computers would need 6 months of computation. And so on.

Digital Equipment Corporation announced in July 1996 a version of its 64-bit Alpha 21164 RISC chip that is capable of 2000 MIPS. Hook together, say, four CPUs of this power, and you have a machine that can exhaustively search a 40-bit key space in (64 * 365) / (2000 * 4) = 2.92 days. On average, a key search will reach its goal in half the maximum search time, i.e. 1.46 days. This is a crude example. The inescapable conclusion is that large corporations, governments, and intelligence agencies already have the ability to break 40-bit keys in real-time. The encryption is transparent - like using glass windows against a peeping tom.

Similar deficiencies can be seen in the 56-bit DES algorithm. DES is roughly twenty years old. At the time it was designed and published it was regarded as being sufficiently strong, given the computing power that was available in the 1970s. Since then the algorithm has remained unchanged, and our technology has made quantum leaps several times over. You can draw your own conclusions...

In a recent article "Minimal Key Lengths for Symmetric Ciphers to Provide Adequate Commercial Security", several of the world's leading cryptographers "strongly recommend a minimum key-length of 90 bits for symmetric cryptosystems (unquote)". [Ref: here ]. 90-bit keys would appear to be acceptably strong in 1997. 128-bit keys are therefore what the world should be using.

Has anyone ever "broken" one of these keys?

Yes. Several times. One of the first public attacks on a 40-bit key was carried out in August 1995, as part of Hal's Challenge. The challenge was ultimately solved independently by two parties. The first party to find the key was David Byers and Eric Young, using approx 50 PCs, 15 workstations and a MasPar MP-1 for the search. The second person to find the key was Damien Doligez (France), who used approx 20 workstations and two supercomputers for 8 days to conduct the search.

A group known as the Cypherpunks have banded together to co-operatively conduct exhaustive key searches in record times using run-of-the-mill computing resources. Their fastest time for a 40-bit key search currently stands at 31 hours 47 minutes, which was the time taken to break Hal's Second Challenge, also in Aug 1995.

In January and February of 1997, two more cryptography challenges were broken. The first was a 40-bit cipher key that was broken in a mere 3.5 hours by Mr. Ian Goldberg at the University of California, Berkeley, using a network of approx 250 PCs and workstations. The second was a 48-bit cipher key that was broken in approx 13 days by a collaborative group of approx 5000 computers operating across the Internet.

56-bit DES has also been "broken", on at least four separate occasions. The Deschall group, headed by Mr. Rocke Verser, announced the winning key to the RSA's first DES challenge in June 1997. Deschall was, once again, an Internet-based collaborative effort. The group used the spare CPU cycles from "tens of thousands" of standard computers, over a period of roughly four months, to perform the key search.

The second DES challenge was completed in February 1998, by a collaborative group known as distributed.net in 39 days - one third of the time taken to solve the first DES challenge.

The Electronic Frontier Foundation has accomplished at least two separate 56-bit DES "cracks" in June and July, 1998. The most widely publicized result was a solution to the RSA DES II challenge. The solution was achieved in 56 hours - substantially faster than the previous record. These results once again demonstrate the fact that export grade ciphers, including DES, are largely ineffective, and their usefulness degrades rapidly over time.

These and other challenges were published by RSA Inc. on Jan 28th, 1997 as part of a research exercise into the security of export grade ciphers. The exercise is on-going.

Why should I bother with Fortify? Who cares!

Let's keep the politics to a minimum, ok? Suffice it to say that privacy is a right, and that the U.S. government's cryptographic export restrictions are helping no-one (with the possible exception of itself). If you use a web browser for anything that is even slightly personal, valuable or sensitive - and sooner or later you will - then you need strong encryption.

Strong encryption exists right now. It is proven, it is practical, it is reliable and it is cheap. It is by far the best possible solution to a worldwide need. Anything less is a sham.

Say "No" to key escrow.
Say "No" to Clipper chips.
Say "No" to key recovery systems.
Say "No" to diluted key lengths.
Say "No" to cryptography that comes with "strings attached".

[snip]

Is this legal?

Fortify for Netscape was developed in Australia, using all Australian resources, with no assistance from Netscape Communications. As such, it is beyond the ambit of the U.S. Government's export controls.

Australian export regulations do not currently restrict export of cryptographic software by electronic means, such as FTP or e-mail.

You may have the misfortune of being subject to laws in your home country that restrict or prohibit the possession of strong cryptography. In such situations you may find that you cannot legally use Fortify for Netscape together with a Netscape browser.

Fortify for Netscape is not a Netscape product. Furthermore, the U.S. export laws prevent Netscape U.S. from providing any official endorsement or support for Fortify. You must weigh up this fact against the acceptability of export-grade cryptography. Support and assistance relating to Fortify for Netscape is available via the feedback form on the Fortify web site.

-- A (A@AisA.com), July 02, 1999.
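
The key-search arithmetic in the FAQ text quoted above, carried through to the other key lengths it mentions (48, 56, 90 and 128 bits). This is an added example, not part of the thread or of Fortify's material. It assumes the quoted 64 MIPS-years figure for 40 bits, that the work doubles with every extra key bit, and that general-purpose CPUs scale linearly; the function names are hypothetical.

```python
# Added example: scale the FAQ's 40-bit estimate to other key lengths.
BASE_BITS = 40
BASE_MIPS_YEARS = 64.0  # estimate quoted in the FAQ for a full 40-bit search
DAYS_PER_YEAR = 365     # the FAQ's own arithmetic uses 365 days


def full_search_days(bits, mips_per_cpu, cpus=1):
    """Worst case: days to try every key. Work doubles per extra key bit."""
    mips_years = BASE_MIPS_YEARS * 2.0 ** (bits - BASE_BITS)
    return mips_years * DAYS_PER_YEAR / (mips_per_cpu * cpus)


def expected_search_days(bits, mips_per_cpu, cpus=1):
    """Average case: the key turns up after half the key space."""
    return full_search_days(bits, mips_per_cpu, cpus) / 2


def min_safe_bits(required_days, mips_per_cpu, cpus=1):
    """Smallest key length whose expected search time is >= required_days."""
    bits = 1
    while expected_search_days(bits, mips_per_cpu, cpus) < required_days:
        bits += 1
    return bits


def report(mips_per_cpu=2000, cpus=4):
    """Expected search time on the FAQ's four-CPU, 2000-MIPS machine."""
    return [(bits, expected_search_days(bits, mips_per_cpu, cpus))
            for bits in (40, 48, 56, 90, 128)]


if __name__ == "__main__":
    for bits, days in report():
        years = days / DAYS_PER_YEAR
        print(f"{bits:3d}-bit key: {days:.3g} days ({years:.3g} years) expected")
    # Key length that holds this one machine off for 20 years on average.
    print("bits for a 20-year margin:", min_safe_bits(20 * DAYS_PER_YEAR, 2000, 4))
```

The model covers one fixed general-purpose machine only; the distributed and special-purpose efforts listed in the FAQ finished 56-bit searches far faster than it predicts, which is why a margin has to be measured against the attacker's hardware rather than a single workstation.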



Note that the Fortify for Netscape home page is at www.fortify.net, not www.fortify.com.

-- - (-@-.-), July 02, 1999.

Yes, sorry about that:
http://www.fortify.net


-- A (A@AisA.com), July 02, 1999.
