San Francisco Chronicle Wed., 20 Sept, 1995, pp B1,B2

The Cypherpunks Who Cracked Netscape

They wanted to see if it was safe for them to use

By Michelle Quinn
Chronicle Staff Writer

"There he is," shouted Ian Goldberg, one of the two UC Berkeley students who cracked Netscape Communication Corp.'s Internet security code, spotting his partner, David Wagner.

"Where the f- have You been?" demanded Goldberg.

"Exterminating roaches," said Wagner.

While fumigating his apartment, Wagner hadn't bothered to answer his phone or his electronic mail. He was oblivious to the commotion he and Goldberg caused after announcing Sunday night they had cracked Netscape's security code for Internet communications.

The security breach forced the Mountain View-based company, one of the hottest initial public offerings this year, to provide a temporary security fix a set off alarm bells about the integrity of Internet-based commerce.

Goldberg and Wagner are a breed of self-appointed vigilantes, dubbed cypherpunks (a play on the pejorative cyberpunks), who say they are not motivated by pranksterism or nefarious intent. Rather they have an anarchistic vision that communications on the Internet should be so secure that no one, not crooks, competitors, employers, government spies, police or even the Internal Revenue Service would be able to intercept digital money or eavesdrop on electronic messages.

Netscape had stated that its software for browsing the graphical portion of the Internet was secure. The company steadfastly would not release information about what went into its security formula. But Goldberg and Wagner were unclear whether Netscape's product did what the company advertised.

"I wanted to see if this would be good enough encryption for me to use," said Goldberg.

The two cypherpunks, Goldberg, 22, and Wagner, 21, met just three weeks ago when they entered Berkeley's computer science doctorate program and had independently "taken a glance" at Netscape's security. Both say "something about it did not seem right."

For several days, they tinkered with the program in their office at Soda Hall on the Berkeley campus. They tried to figure out a quicker way to crack the Netscape code than what had been applied several weeks earlier by a computer user in France. With several high-powered computers, the European hacker performed the electronic equivalent of trying a trillion keys before finding the right one to break a single electronic mail message.

Netscape dismissed that security breach, saying that the international version of their product has weaker security because the U.S. government doesn't let them sell the suped-up version abroad.

But the two Berkeley students saw the initial code-breaking success pointing to a larger problem with the program. Goldberg and Wagner say they discovered that Netscape uses a formula based on date, time and other known information to generate a random code each time a message travels using Netscape's product. They posted their findings on an Internet mailing list for cypherpunks.

There is no reason to trust Netscape and other companies that do not reveal the codes behind their encryption policy, Goldberg and Wagner say. Although it may seem ridiculous to ask a company to offer such a thing, the duo say it is possible to look at how the electronic locks and keys are made, without weakening the program.

"Netscape is trying to promote security through obscurity," Goldberg said.

Responding to the charge, Netscape announced yesterday it would share parts of its code with experts at RSA Data Security, the Massachusetts Institute of Technology and other security experts. The company also said it would most likely share parts of the code on the Internet. Goldberg and Wagner said they hadn't been offered the code from Netscape, but they did receive many job offers and new T-shirts that read "I hacked Netscape."