RSA HTML Reference
The BXA were quoted by Peter Junger, in a written reply to his
questions to them about what he can "export" in teaching his
law class about export controls:
> "While the use of html links by a person might, in some
> applications, involve an export . . . we reiterate that the activity
> described by your submission is not an export activity that is subject
> to the EAR and would also not constitute conduct prohibited by Section
> 744.9 of the EAR."
Antonomasia speculated on cypherpunks thusly:
> I think a mere pointer is not an export, no matter what it points to,
> but a link with prohibited smuggled _content_ might be:
>
> <A HREF="http://www.cypherspace.org/~adam/print pack"C*",split/\D+/,echo.....
>
> although the quoting would probably take a lot of thought.
>
> Perhaps that's the kind of thing they mean ?
So the challenge is set, can we create an html HREF to a link where the
link's name is a non-exportable program, and can we simulatneously persuade
a unix shell to create a series of funny named directories, and file which
is a non exportable program, and will the web server and web browser be
willing to serve/request this file.
Lets find out...
Creating the file
My prompt is aba:cwd/ where cwd is the current working
directory, my prompt is shown below in bold typewriter
font, comments are in italics, commands and computer output are
in normal typewriter font. I use tcsh, which means I was
pressing the TAB key rather than constructing all those quoted symbols
manually.
aba:~/ cd ~/public_html/rsa/
aba:~/public_html/rsa/ mkdir -p 'print pack"C*",split/\D+/,`echo "16iII*o\U@{$//=$z;[(pop,pop,unpack"H*",<>)]}\EsMsKsN0[lN*1lK[d2%Sa2/d0<X+d*lMLa^*lN%0]dsXx++lMlN/dsM0<J]dsJxp"|dc`;$'
Wow worked right off, now try changing into those directories:
aba:~/public_html/rsa/ cd print\ pack\"C\*\",split/
aba:~/public_html/rsa/print pack"C*",split/ cd \\D+/
cd: No match.
hmmm tcsh is getting confused here, lets try pwd
aba:~/public_html/rsa/print pack"C*",split/ pwd
/home/aba/public_html/rsa/print pack"C*",split/\D+
ahh yep, it's actually working just tcsh is confused
aba:~/public_html/rsa/print pack"C*",split/ cd ,\`echo\ \"16iII\*o\\U@\{\$/
Unmatched `.
more confusion, it's still working see:
aba:~/public_html/rsa/print pack"C*",split/ pwd
/home/aba/public_html/rsa/print pack"C*",split/\D+/,`echo "16iII*o\U@{$
aba:~/public_html/rsa/print pack"C*",split/ cd =\$z\;\[\(pop,pop,unpack\"H\*\",\<\>\)]}\\EsMsKsN0\[lN\*1lK\[d2%Sa2/
Unmatched `.
more tcsh confusion
aba:~/public_html/rsa/print pack"C*",split/ cd d0\<X+d\*lMLa^\*lN%0]dsXx++lMlN/
Unmatched `.
and again
aba:~/public_html/rsa/print pack"C*",split/ cd dsM0\<J]dsJxp\"\|dc\`/
Illegal variable name.
cd: No match.
one very confused tcsh!
aba:~/public_html/rsa/print pack"C*",split/ ln -s ~/public_html/rsa/link.html index.html
link to this web document self referentially
aba:~/public_html/rsa/print pack"C*",split/ cd ~/public_html/rsa
aba:~/public_html/rsa/ cat print\ pack\"C\*\",split/\\D+/,\`echo\ \"16iII\*o\\U@\{\$/=\$z\;\[\(pop,pop,unpack\"H\*\",\<\>\)]}\\EsMsKsN0\[lN\*1lK\[d2%Sa2/d0\<X+d\*lMLa^\*lN%0]dsXx++lMlN/dsM0\<J]dsJxp\"\|dc\`/index.html
<HTML>
<HEAD>
<TITLE>RSA HTML Reference</TITLE>
</HEAD>
...
Creating the HREF
Rather than work out manually how to quote all those characters, move the
file into a new directory without an index.html file. As there is no index
file, I let the browser do the rest for me by then viewing the directories
by clicking on the funny named directories in the browser, till I got to the
file. Then I cut and pasted the full quoted URL from the URL box in
netscape.
Here's the URL:
Have you exported RSA today?
The HTML code you'll need looks like this:
<![CDATA[
<A HREF="http://www.cypherspace.org/~adam/rsa/print%20pack%22C*%22,split/%5cD+/,%60echo%20%2216iII*o%5cU@%7b$/=$z%3b%5b(pop,pop,unpack%22H*%22,%3c%3e)%5d%7d%5cEsMsKsN0%5blN*1lK%5bd2%25Sa2/d0%3cX+d*lMLa%5e*lN%250%5ddsXx++lMlN/dsM0%3cJ%5ddsJxp%22%7cdc%60%3b$/">
Have <EM>you</EM> exported RSA today?</A>
]]>
The Saga Continues
Chyden.Net <cko@chyden.net>
complained thusly following up to my post showing off the non exportable
link above:
> mmm...
>
> If one tried to run the above string, would it run? There is a
> difference between " and %22, no? If I am correct, the above code is not
> executable, and thus exportable.
I protested:
> It's not directly executable, agreed. What you have to do is save it
> in a file, and convert %xx into the ascii character for that hex number.
>
> Here do this, cut and paste:
>
> % perl -pe 's/%(..)/pack H2,$1/eg' > rsa.pl
> print%20pack%22C*%22,split/%5cD+/,%60echo%20%2216iII*o%5cU@%7b$/=$z%3b%5b(pop,pop,unpack%22H*%22,%3c%3e)%5d%7d%5cEsMsKsN0%5blN*1lK%5bd2%25Sa2/d0%3cX+d*lMLa%5e*lN%250%5ddsXx++lMlN/dsM0%3cJ%5ddsJxp%22%7cdc%60
> ^D
> %
>
> Then you're ready to rock:
>
> % perl rsa.pl 13 99D61071378EE2C0C8C9C4B7786B203DEDF2D6E526F24F7E83F3E0F960FB66B9CB81C04E89D70689A4866F21AD1BB5BA6AEE51469E5B59B121BA6F3F8D776B627253BA5DC9FCA8155A565B9893F695D83A0496EB977EE4659EE20E0F2EB49B2593C11487B377CC5D767C79FB985B464D4AE94A5F45E42E3B29C8B89D556A4A67 < national_sikrits | mail -s "rsa mail"
> %
And then relented:
> However... I do take your point that the code contains some naughty
> characters which mean that you need to use %xx to allow it to be a
> valid URL.
>
> Challenge #2 then is can we change the code so that it no longer has
> any naughty characters and hence works without quoting, in such a way
> that it still works as perl! Hmm...
So the next challenge then is to create a link which doesn't have any
characters which the URL spec requires to be quoted, had to break this
up with /s because otherwise we were going over the limit on
filenames on SunOS4.x (which is what the webserver at dcs is running).
Have you exported RSA today?
The HTML code for that one is:
<![CDATA[
<A HREF="http://www.cypherspace.org/~adam/rsa/eval(pack(q(H*),q/7072696e74207061636b22432a222c73706c69742f5c442b2f2c606563686f202231366949492a6f5c55407b242f3d24/.q(7a3b5b28706f702c706f702c756e7061636b22482a222c3c3e295d7d5c45734d734b734e305b6c4e2a316c4b5b6432255361322f64303c582b642a6c4d4c615e2a6c4e25305d647358782b2b6c4d6c4e2f64734d303c4a5d64734a7870227c646360))),$/">
Have <EM>you</EM> exported RSA today?</A>
]]>
However, it's not nearly so readable. And it's longer. I really don't
think I can do it readable as well. (The approach above being to
hexadecimal encode the program, and make the new program unhex decode that,
and eval it, which means it will decode and run transparently each time you
use it).
(The trailing ,$ is needed to make the code still executable
in the presence of the trailing /. This means it's safe even
if people use a trailing / after the directory name. We want
to create a directory so that we can put an index.html in it, and have
a browser recognize it as html, otherwise it wouldn't end in .html,
and you would get to view the HTML source).
Comments, html bugs to me
(Adam Back) at
<adam@cypherspace.org>