January 1993 - cypherpunks-legacy

No Subject
by Juggler 23 Jan '93

23 Jan '93

COuld you sub me to the cypherpunk list? Thanks. -Juggler -------------------------------------------- | Juggler | Insert cool | | IH23(a)utep.BITNET | saying here. | | IH23(a)utepvm.ep.utexas.edu|Long live sigs!| |******************************************| | Sysop of Three Ring Circus (915)564-0026 | -------------------------------------------- My school doesn't have opinions....

1 0

Re: perl scripts for PGP
by Marc Horowitz 23 Jan '93

23 Jan '93

>> Marc, >> when you were here in DC, you mentioned some perl scripts that processed >> PGP output. Can you please send me a copy? yeah, and I'm cc'ing cypherpunks, since I think you all might be interested, too. This script has three functions. All take the output of pgp -kvv as input. 1) it "inverts" a pgp file, listing all the keys signed by a given key, as compared to giving all the keys which have signed a given key. 2) given -kvv output (and it can merge several files of input automatically, since it hashes on key id), it lists all the keys which you (or any other key) have a path of signatures to, and the length of the shortest such path. So, the specified key has a path length 0. All keys signed by that key have a path length 1, all keys signed by those keys have path length 2, etc. 3) Optionally, it will list one of these paths for each key you can reach. There may be many paths, so this is only for interest; to enumerate all paths would be painful. The most interesting use for this script is to see what your "radius" is (maximum distance to any key), and to see how big your "world" is. Needless to say, I wouldn't trust keys which have a long path length too much, if at all. There are 155 keys in my "world" (out of a keyring of about 350). My current radius is 7. Tom, if you're in Boston anytime, my radius would decrease to 5 if I signed your key. That would be cool :-) Marc #!/afs/athena/contrib/perl/perl # # $Id: pgputil.pl,v 1.7 1993/01/23 07:29:27 marc Exp $ # ## pgputil.pl. Copyright 1993, Marc Horowitz <marc(a)mit.edu> ## ## This program may be freely redistributed and used as long as the RCS ## Id, copyright, and this message are left intact. It may also be used ## as the basis for other programs, as long as this program is ## acknowledged in the code and documentation, and it is made clear that ## the new program is a derivative work, and not the original. Although ## not required, it would be nice if any modifications were sent back to ## me. $save = ""; sub next { local($ret); return() if !defined($save); while(1) { $_ = $save || <>; $save = ""; if (! $_) { undef $save; return($ret); } elsif (/^\s/) { $ret .= $_; } elsif ($ret) { $save = $_; return($ret); } else { $ret = $_; } } } sub parsekvv { local($keyid,$ring,$lastpub); while($_ = &next()) { if (/^Key ring:\s+'(.*)'$/) { $ring = $1; } elsif (m!^pub\s+\d+/([0-9A-F]+)\s+\d+/\d+/\d+\s+!) { $lastpub = $1; $publine{$lastpub} = $_; ($pubindent{$lastpub} = $_) =~ s!\d{4}/\d\d/\d\d!$& !; } elsif (/^sig\s+([0-9A-F]+)/) { $keyid = $1; $sigindent{$keyid} = $_; ($sigline{$keyid} = $_) =~ s/^(sig\s+[0-9A-F]{6})\s\s/$1/; $siglist{$keyid} .= $lastpub." " if $siglist{$keyid} !~ /$lastpub/; } } } sub findsigned { local($level,@from) = @_; local($tmp,@next); foreach $hash (@from) { next if (defined $depth{$hash}); $depth{$hash} = $level; for $nexth (split(' ',$siglist{$hash})) { push(@next,$nexth); $signedby{$nexth} = $hash if !defined $signedby{$nexth}; } } if (@next) { &findsigned($level+1,@next); } } ($zero = $0) =~ s!^.*/([^/]+)$!$1!; sub usage { die "usage: $zero signators [ file ... ]\n" ," $zero recurse [ -v ] <keyid> [ file ... ]\n"; } sub signators { &parsekvv(); print "Type bits/keyID Date User ID\n"; foreach $hash (keys %siglist) { next if ($sigline{$hash} =~ /Unknown signator/); print $sigline{$hash}; foreach $pubhash (split(' ',$siglist{$hash})) { print $pubindent{$pubhash}; } } } sub recurse { for (@ARGV) { if (/^-v/) { $verbose++; } else { push(@newargv, $_); } } @ARGV = @newargv; $keyid = shift(@ARGV); if ($keyid !~ /^[0-9A-F]{6}$/) { &usage; } &parsekvv(); $signedby{$keyid} = ""; &findsigned(0, $keyid); foreach $pubhash (keys %depth) { $out{sprintf("%02d%s",$depth{$pubhash},$pubhash)} = sprintf("%2d %s",$depth{$pubhash},$publine{$pubhash}); } foreach $k (sort keys %out) { print $out{$k}; if ($verbose) { $sig = $signedby{substr($k,2,6)}; while($sig) { ($x = $pubindent{$sig}) =~ print " ",$x; $sig = $signedby{$sig}; } } } } ## dispatch $cmd = shift(@ARGV) || &usage(); if ($cmd =~ /^s/) { &signators(); } elsif ($cmd =~ /^r/) { &recurse(); } else { &usage(); }

1 0

crypto, NSA, gnu, and cypherpunks in Boardwatch magazine
by Eric Hughes 23 Jan '93

23 Jan '93

Jack Rickard was kind enough to send me the following. A new member of the list told me he had found out about the list from this article. Eric ----------------------------------------------------------------------------- From: jack.rickard(a)boardwatch.com Date: Wed Jan 20 09:57:55 1993 Subject: CYPHERPUNKS COVERAGE The following article appeared in the February, 1993 issue of Boardwatch Magazine, a monthly publication covering electronic bulletin boards, online information services, and networking issues. Boardwatch Magazine is published monthly at an annual subscription rate of $36. Boardwatch Magazine, 7586 West Jewell Ave., Suite 200, Lakewood CO 80232; (303)973-6038 voice; (303)986-8754 fax; (303)973-4222 data. Internet: jack.rickard(a)boardwatch.com. FRONTAL ATTACK ON THE PUZZLE PALACE by Lance Rose A privately funded attack is underway against a little-known government agency that has devoted itself to the control of privacy in this country (who gets to have privacy, who doesn't, and how much privacy can anyone have?). If successful, it may begin to unravel decades of surreptitious information control so effective most of us have not been aware of its operation. The agency in question is the National Security Agency, or NSA. It was established in 1952 by President Harry Truman to monitor signal transmissions that might affect the security of the United States. Since that time, the NSA has steadily cast a pall over public use and knowledge of cryptography, and generally regulated the limits of privacy in this country. It has done so with 40,000 or more active employees, and funding not readily discernible from inspecting Congressional budget lines. Those not already familiar with the NSA might be surprised at the depth and extent of its influence. For instance, rumor has it that NSA monitors much of the digital telephone activity in this country, even though it is authorized only to monitor foreign transmissions. NSA is also in charge of regulating the export of cryptographic devices to other countries, which are officially deemed such a great security risk they are dealt with as "munitions" under the U.S. export control laws. Any device or software intended for export and using encryption techniques (which are usually included to aid in the privacy or security of personal or business communications, such as in cellular phones) must be reviewed by the State Dept., which generally passes on the review to the NSA. These review processes are so slow and nitpicking that they choke off almost all international trade in effective encryption devices from the U.S. The ultimate effect of this process, as pointed out by John Barlow of the EFF, is to inhibit development of strong encryption devices even within the U.S., since manufacturers are often reluctant to make two different versions of their goods, one for domestic use and one for export. Well-known, powerful encryption techniques subject to close NSA export control include devices based on the DES algorithm, and public key devices based on the RSA algorithm. In addition, NSA is actively involved, along with such cohorts as the FBI and the Justice Department, in ongoing legislative efforts to keep effective new cryptography and privacy techniques out of the public's hands. Last year, proposed Senate Bill 266 would have made it illegal to use a cryptographic technique unless the government had been provided a "back door" enabling it to easily extract the plain text from any message encrypted through that technique. Apparently, brute force cipher-cracking by the NSA was wasting a little too much of the taxpayers' dollars (albeit through untraceable budget lines) so we would all get a break if the government's obligatory snooping and code-cracking activities cost a lot less. Luckily, this bill was kept from enactment, in large part through the efforts of the Electronic Frontier Foundation. NSA and FBI came back this year with a new variation - a bill that would require all phone companies to set up special wiretap stations for official eavesdropping, so agents would not have to waste taxpayer dollars figuring out how to tap those nasty optical fiber lines without being detected. It's ironic that in the face of a federal statute (the Electronic Communications Privacy Act) with strong legal obstacles to discourage officials who seek to monitor private telephone activities, those same officials want to install facilities giving them the practical ability to wiretap as easily as you or I might open the faucet for a glass of water. Another NSA tactic has been massive removal of texts on cryptography from public access through classifying them as secret government documents. Again, slowing down the transmission of knowledge on cryptography in this manner has placed a drag on development of publicly useful encryption methods. The advent of the Freedom of Information Act (FOIA) threatened this regime, with its provisions for requesting declassification of government documents. However the NSA, like many other federal agencies, discovered a fairly effective antidote to FOIA requests: ignore the requests, and when it could ignore them no longer, make the requesting party drag the NSA bodily into court over and over in escalating legal procedures to compel production of the requested documents. This process was such a burden on the requesting parties that it weeded out all but the most dedicated and well-financed attempts to fetch documents on cryptography out of the black hole of NSA classification. Such conduct was also literally illegal, since it involved failure to meet statutory time limits to respond to FOIA document requests. The NSA appeared to be deliberately not meeting the time limits, and basically thumbing its nose at those who sought the documents under its control. One of those who encountered the NSA's monumental heel- dragging in releasing cryptography-related documents was John Gilmore. Gilmore runs a software house named Cygnus Support, was one of the founders of the Electronic Frontier Foundation, and is a vocal and impassioned supporter of individual privacy rights against the modern encroachments of the state. Gilmore and his attorney, Lee Tien, decided to challenge certain NSA practices head-on, specifically the practices of overclassifying documents in the area of cryptography, and the NSA's unwillingness to release cryptographic materials into the public domain regardless of whether the materials actually have strategic military value justifying their classification. In July, 1992, Gilmore requested, under the FOIA, copies of the books "Military Cryptanalysis" by Friedman, volumes 3-4 (earlier volumes were already declassified) and "Military Cryptanalytics" by Friedman and Callimahos, volume 3 onward (the exact number of volumes is not publicly known). The Friedman books dated from the 1930's, the ones with Callimahos from the 1950's - not likely state of the art stuff. To add a little irony, Friedman had been one of the founders of the NSA. To no one's surprise, the NSA did not respond to Gilmore's FOIA request for the books. Gilmore appealed the decision administratively, but again was unable to obtain the materials, forcing him to the next step of filing a suit against NSA in federal court in the Northern District of California. Here is an example of an administrative setup ripe for abuse, being played for all it's worth by the NSA. In an ordinary court action, a party who does not respond within a time limit set by statute can lose the case by default. Here, however, the NSA did not lose anything by not responding to the FOIA requests in the administrative agency setting. In fact it actually gained an advantage, forcing Gilmore to put more energy and resources first into a pointless administrative appeal, and then finally starting a federal court action from scratch. Some time after beginning the FOIA procedure, Gilmore tracked down the Friedman volumes from the '30's at a couple of public repositories in California. Amazingly, when the NSA found out he had the books, they told him the books were still classified or should be classified, and threatened him with a criminal action if he dared to show the books to anyone else. This received some press attention in the S.F. Examiner and elsewhere, to the NSA's great displeasure. Not only was the NSA getting publicity, which it shuns, but it looked like NSA was trying to bury ancient materials already fully accessible to the public, and threatening to jail someone who dared assert the public had a right to such materials. The attention had a salutary effect on the NSA's actions, however. They recently declassified the old Friedman volumes, making it perfectly legal for Gilmore to distribute them. Score one for the libertarians. They have started the NSA backpedalling. As we go to press, Gilmore's case against the NSA is still proceeding for purpose of obtaining the remaining Military Cryptanalytics volume(s), as well as a "pattern and practice" claim against the NSA. This last legal claim is particularly important. As described above, the NSA drags its heels on FOIA requests, outlasting all but the most resolute opponents. But any time a hardy soul manages to push his case close to a court decision, the NSA can turn around at the last moment and say, "here are the materials you requested." The case would then officially become moot because the request was finally honored, and no court decision stating that the NSA engages in obstructive and delaying practices would ever issue. This sorry result can be avoided by the claim that NSA engages in a "pattern and practice" of obstructing and delaying FOIA requests for cryptographic materials. It will survive any such "mooting" move by the NSA, and if Gilmore perseveres, may result in a judicial decision laying some of the NSA's practices bare on the public record. If Gilmore and his attorney Lee Tien succeed, they could end up chipping off a big piece of the NSA wall of darkness. From the look of things, they may still have some arduous going ahead. No matter the decision on the trial court level, the NSA will have many court appeals left, and doubtless ot getting to UUCICO:USERLOG:d:\tbbs\userlog.inx Those interested in cryptography issues may find a new Internet mailing list of interest. A group is physically meeting in John Gilmore's Silicon Valley facilities and has started a mailing list under moderation of Timothy C. May (tcmay(a)netcom.com) The group includes John Draper (Cap'n Crunch), Tom Jennings, and others interested in cryptography, anonymous mail forwarding techniques, encryption, the Pretty Good Privacy program, and other privacy issues. You can join this mailing list from any service allowing Internet e-mail by sending a message to CYPHERPUNKS-REQUEST(a)TOAD.COM. [<BI>Lance Rose is an attorney practicing high-tech, computer and intellectual property law in the New York City area, and is available on the Internet at elrose(a)well.sf.ca.us and on CompuServe at 72230,2044. He works with shareware publishers, software authors, system operators, technology buyers, interactive media developers, on-line database services and others in the high technology area. He is also author of the book SYSLAW, a legal guide for bulletin board system operators, available from PC Information Group (800)321-8285. - Editor<D>]

3 2

An ebank's vulnerability.
by Jay Prime Positive 23 Jan '93

23 Jan '93

From: jpp@hermix To: cypherpunks(a)toad.com Subject: An ebank's vulnerability. I think that the physical location of an ebank's value reserve (be it gold, corn, stock certificates, whatever) is really the trickyest problem. At that location the bank can be attacked by governments (or other crooks). [enter fantasy... Person with gun says "Well, if all this money is your's, then you sure owe us taxes (protection). Don't pay and you're going to jail (to the bottom of the river). If it ain't your's, then (I'll just take it for myself) you're a bank, and you're going to jail." ...leave fantasy] One solution I see is to not have any physical deposit at all. This is what most governments do isn't it? But without a physical resource for reference the question of the value, or the origin of ecreds becomes tricky (at least for my limited economic knowledge). Suppose I create a really great joke and try to sell it. Where does the buyer get the ecreds from? If I wanted to buy a taco, would the vendor take ecreds? Would they take ecreds *I* printed up? Another solution is to use the banking system of a country which *ALREADY* has anonymous value storage as a comodity for sale. Supose some enterprising Swiss citizen wanted to set up ebanking, I bet they could do it. I wouldn't mind my ecreds being denominated in Swiss francs either. But I suspect the Swiss government might drop by the bank every year to collect some taxes from the accounts. At what tax rate would this become unacceptable? Someone could always set up an ungoverned value storage location. Smuggling gold (or other valuables) into, with in, and out of governed areas shouldn't cost too much, since valuables generaly have at least the value/weight and value/volume than marijuana has. The cost of smuggling, and defending the valuables becomes the limiting factor. How much could be "lost" to smuggling and defense befor this becomes unacceptable? j'

1 0

Re: Communications Policy
by lefty＠apple.com 23 Jan '93

23 Jan '93

>I hear concern over privacy and also over erasure of White House tapes. >I pose the following question: Should an institution have the right >to private communication? Is the White House an institution? A _private_ institution should have a right to private communications. The White House is _not_ a _private_ institution. -- Lefty (lefty(a)apple.com) C:.M:.C:., D:.O:.D:.

1 0

the bill of rights hasn't been revoked. not yet, anyway.
by thug＠phantom.com 22 Jan '93

22 Jan '93

I've been thinking about this a bit, and it seems that the Constitution's Bill of Rights has all the provisions required to implement and legally use digital money, secure encryption, and anonymous communication networks. Specifically, the First, Fourth, and Fifth Ammendments can be used as one's defense in implementing any of the above. The First Ammendment can be seen as allowing encryption. Freedom of Speech does not preclude the government or anybody for that matter having to understand what I am saying. I can just as easly say "blardi blahr oof aarf bloo arrr foo barr arrh blard foobaaaaah" or "010110101101101011101.." to anyone I like and be protected by the First Amendment. Only those that can decode my speech will understand it, those that can't won't. I am free to speak to whoever I like (freedom of association / assembly). I am free to speak anonymously provided I break no law (copyright, slander/libel, etc.). Even if I do break a law, the next two paragraphs will show that I cannot be prosecuted for such a crime very easily. The Fourth Ammendment protects us from illegal search and siezure. If the government can get a warrant, they can search my place and sieze all my encrypted files. They can intercept my encrypted communications. They can have them, it won't do them any good. But it is their duty to decode it, not mine, and the Fifth Amendment basically says that.. The Fifth Ammendment is the tastiest one of all when it comes to encryption. By pleading the Fifth, you do not have to decrypt anything for the prosecution. The Fifth Ammendment gives you the right not to testify or provide evidence that would incriminate you. Providing a key to decrypt your hard disk would incriminate you, and you don't have to do it. In short the 1st & 5th ammendments + Secure Encryption can be used make even a completely legal search or wiretap warrant against one self worthless. Hence, not enough evidence for prosecution, hence no prosecution. They can't force you to decrypt any of your communcations or stored files, because you merely plead the Fifth amendment. This is assuming one encrypts everything, and has no accomplices/conspiritors who offer to testify for the prosecution. Even then, with public key encryption, the most that people who rat on you can give to the prosecutors are messages that you sent to them (the rat). And assuming all messages that you have sent out are sufficiently vague/obscure as to be non-incriminating, you are fairly safe there too. Assuming all messages from you were sent anonymously to a list, they can't even prove you sent them. Thus if they cannot force you to decrypt your hard disk, you should be relatively safe from successful prosecution for whatever, whether it be drug running or running a anonymous digital money bank / barter house. I guess now you can see why the government is so scared of encryption. Widespread use of encryption on the part of the criminal class would simultaneously obsolete all police, the FBI, CIA, Secret Service, and Department of Justice, or at the very least make their jobs several thousand orders of magnitude more difficult. For example, a child pornography ring that trades anonymously in encrypted .gifs using truly anonymous remailers would be impossible to take down by just taking down one member of the ring. Furthermore, it may be impossible to prosecute even that one member. Thug

2 1

Re: privacy vs. public servants
by Eric Fogleman 22 Jan '93

22 Jan '93

Responding to Tom DeBoni's message concerning whether or not government officials should have a right to secure communications. > I submit that the amount of (real or potential) oversight should be > somehow proportional to the potential for harm or abuse of power > available to the individual involved. Surely Ollie North or Richard > Nixon had much greater abilities to subvert the democratic process or > otherwise break the law than Professor Smith of the Chemistry Dept. of > State U. Agreed! I agree with Dave Deltorto's idea about "a body that decided on a case by case (or a class by class) basis what accounts would be subject to heavy scrutiny". Or perhaps limiting certain public servants (the chief executive, Oliver North's successor, etc) to a set of "open" computing systems and communication paths. (Similar to limiting people with security clearances to sets of closed computing systems, communication paths.) Dave says: > Unfortunately, this begins to create a overseeing body so > huge and convolute as to render the entire process unwieldly > approaching on the absurd. I read Kafka's "The Trial" and I don't > want to face that sort of Juggernaut any time soon. Unwieldy? Kafka-esque? Expensive? Possibly, but it doesn't have to be that way. As Bongo says: "The price of freedom is eternal vigilance." How much do you want to pay? Eric Fogleman

1 0

Re: the bill of rights hasn't been revoked. not yet, anyway.
by Marc.Ringuette＠GS80.SP.CS.CMU.EDU 22 Jan '93

22 Jan '93

> Agreed. I guess if you refuse [ to decrypt your files] after that > point, they can hold you in contempt of court or cite you for > obstruction of justice. Oh yeah, this reminds me of a scheme by my friend Fuzzy. Create an encryption system which compresses and encrypts two files in the space of one (more or less) using two different keys, the "real" one and the "innocent" one. When you encrypt something, you also encrypt a similar-sized hunk of innocuous text. When they ask for the key, you give them the one that spits out the fake stuff. True, it's security by obscurity. But I thought you might be interested. -- Marc Ringuette (mnr(a)cs.cmu.edu)

1 0

Re: the bill of rights hasn't been revoked. not yet, anyway.
by thug＠phantom.com 22 Jan '93

22 Jan '93

Matthew Lyle writes: > In a recent message, Murdering Thug said: > | The Fifth Ammendment is the tastiest one of all when it comes to > | encryption. By pleading the Fifth, you do not have to decrypt anything > | for the prosecution. The Fifth Ammendment gives you the right not to > | testify or provide evidence that would incriminate you. Providing a > | key to decrypt your hard disk would incriminate you, and you don't > | have to do it. > > What the government has to do in this case is to give you immunity from > prosecution. They can then order you to decrypt your hard disk. You can't > refuse based on the 5th ammendment because you have been given immunity from > prosecution. They can't use the hard drive against you, but they then can > in anybody elses prosecution. Agreed. I guess if you refuse after that point, they can hold you in contempt of court or cite you for obstruction of justice. BUT, what if they "crime" involves only you. Then they (the prosecutors) are up shit's creek, pardon the language. You're immune, and there's no one left to prosecute. Okay, let's assume the crime involves a conspiracy, and they give you immunity and force you to decrypt your hard disk. What good would this do them if all your communications between your conspirators took place anonymously and the messages from your conspirators are so vague/obscure as to be worthless as evidence. Now, they have already given you immunity, and now they can't even go after your conspirators because they may not even know who those conspirators are or even what the hell those conspirators were talking about in their vague/obscure messages to you. Even if the prosecutors know what the messages are in reference to, they still have to prove that in a court of law, beyond a reasonable doubt. Since they cannot go back on their promise of immunity to you, the prosecutors are again up shit's creek. All this will only work providing the prosecutors have no other evidence against you (ie: voice wire taps, physical evidence (notes, cancelled checks, survielance video, stashed cash, etc.)). If you conduct EVERYTHING via encrypted and anonymous communications and keep all records encrypted, they really cannot touch you. Don't you just love crypto-anarchy? I know I do. Thug

2 1

Re: the bill of rights hasn't been revoked. not yet, anyway.
by fen＠genmagic.genmagic.com 22 Jan '93

22 Jan '93

> Murdering Thug writes: > If you conduct EVERYTHING via encrypted and anonymous communications and > keep all records encrypted, they really cannot touch you. > > Don't you just love crypto-anarchy? I know I do. So do I! I get the feeling that MT is attempting to display some of the dangers of crypto-anarchy via sarcasm. (I really can't be sure, as such intonations are really difficult to convey or pick up on in ascii.) While it is true that in a free society, someone could buy a gun and kill all their neighbors and possible even get away without a trace, I would rather live in that free society than one that disallows the purchase of the gun to begin with. (The fact that I support strong gun control measures is not contradictory to this.) In the same way, I would like to encourage everyone, even the Ollie Norths, to encrypt their communications. Sure, there will be conspiracies that take their toll upon society, but I feel that one of the biggest causes of violence is the feeling of dis-empowerment caused by conventional laws. Note, for example, that the countries that are less uptight about nudity generally have less sex crimes. Laws take power away from people. Encryption affords people the capability to gain access to the information they want and disseminate it to those they want to without fear of recrimination. This empowering technology will, imho, empower the many to cause less harm to the few, and empower the few to get what they want while protecting themselves from the wrath of the many. Hope that you find some of these ideas worthwhile... Fen

1 0