June 1993 - cypherpunks-legacy

PGP speech coding on SoundBlaster
by L. Detweiler 30 Jun '93

30 Jun '93

This person is very serious about developing a scrambler based on PGP and Soundblaster, topics that get banged around here alot (``...with great sound and fury, told by an idiot, signifying nothing.'') There is room for suggestions on approaches or (more importantly) volunteers in coding. He does not subscribe to the list because of volume. ------- Forwarded Message From: dorsey(a)lila.com (Bill Dorsey) Subject: PGP Mailing List Date: Tue, 29 Jun 1993 02:12:54 -0700 (PDT) - --- BEGIN SUMMARY --- Voice-PGP is a software package that will allow PC owners to have secure communications over insecure phone lines. It will require only that the users possess a modem capable of 9600 baud or greater and own a SoundBlaster compatible sound card. Later versions may support other sound cards. As the project stands now, I have developed a large number of speech coders of varying complexity based on coders discussed in the literature from the early 70's to the present. Although the sound quality is generally poor among the simple coders at these bit rates, they do allow computers not blessed with fast CPUs to make use of the software. The more complex coders produce sound quality equal to or better than local two-way radio communications and operate on contemporary (486 and fast 386-based) PCs. In addition to the coders, I have developed a simple user-interface and an expandable packet-based communications protocol. What remains to be done includes writing driver modules for the modem (I'll assume they are Hayes compatible) and SoundBlaster card in addition to coding up a set of functions to implement the communications protocol and hooks for encryption. Finally, I'll need to integrate all of the above together and test it out. Initial code development is being done on a Sun Sparcstation and a 486-based PC running Linux. As my DOS experience is severely limited, it is my hope that someone will come forward and volunteer to port the software to DOS. Since the code is being written with portability in mind, this should require little more than re-writing the driver modules. - --- END SUMMARY --- I hope this isn't too long. Feel free to edit/condense as you feel is appropriate. - -- Bill Dorsey "Give me your tired, your poor, I'll piss on 'em dorsey(a)lila.com That's what the Statue of Bigotry says." PGP 2.x public -- Lou Reed key on request ------- End of Forwarded Message

1 0

Kleinpaste's Charcoal anonymous server
by L. Detweiler 30 Jun '93

30 Jun '93

One person asked about the Charcoal remailer. I try to stay on top of this area of anonymity servers and have corresponded with the owner Karl Kleinpaste extensively in the past. First, I would like to encourage *everyone* who wants to create and run an anonymous server, which is time-consuming, thankless, and even painful at times, and don't want any of my comments to be construed otherwise. I think something disparaging could probably be said about any remailer operator. However, I also think that remailer policies vary and that we should keep track of the practices and reputed integrity of operators as much as possible. Under that vein I'll just make a few *candid* comments to cypherpunks on Mr. Kleinpaste. Please *do not* forward these notes anywhere. Kleinpaste started his server early this year mostly in response to alt.personals, with the death of another server, I believe. In a *very* scorching-hot incident, an estranged boyfriend posted nude pictures of his old girlfriend to alt.binaries.pictures or some other newsgroup. It is not clear to me that he used an anonymous server to do so--I believe he did not based on some testimony of others. Anyway, this caused a huge eruption as these things inevitably do, and legal action was in motion against the person in his hometown. The guy apparently *later* used Kleinpaste's anonymous server to send mail to another anonymous person who he thought worked with the girlfriend's mother. I guess there was some extortion or `threats' in the letters. Anyway, Kleinpaste gave all the persons mail to the `authorities' (despite marginal relevance to the original picture-posting) and got very emotional and wrapped up in the whole case. In fact, he acted, in my view, very paternalistic in the way a father would protect his daughter. (At one point he made the comment that the young girl had moved to a new town and `was making new friends' -- something that sounds like something one's parent's would say, eh?) BTW--the estranged boyfriend was never prosecuted apparently due to gray legal areas and prosecution cost. Kleinpaste also revealed how a person was suicidal and was posting through his server. It's not clear to me what he did but I think he said he tried to contact the person's home institution. Here is where the ethical quandaries of anonymous servers are rather intense! What should an operator do if a person, who is using the system in *trust* of their anonymity, is suicidal? Is about to commit a crime? Involved in a conspiracy? Well, I'm not advocating anything, but the stance of `unhindered carrier' is certainly the least problematic from the operator point of view. Anyway, through all this it seemed to be clear to me that Kleinpaste may be regularly reading some of the mail that is going through his server, and in any case probably keeping fairly thorough logs. Look at his policies! Essentially they are: if you don't post anything offensive, I'm behind you. If you do, I will restrict your access temporarily, permantently, or even expose you. Kleinpaste soured very seriously on the whole idea of the anonymous server and killed it. Then in the big flame wars J. Palmer started up his server and Kleinpaste appeared to want some attention that Julf & others were getting. I found it highly incongruous in the least and hypocritical at worst given some of his statements on `bastards who abuse the service' that he restarted his own -- he's one of the most strong-mouthed people on that subject. Anyway, charcoal.com seems to have been humming along for a few months now and Kleinpaste does not appear to be ready to shut it down anytime soon. It posts to a limited number of groups. He tells me that he has refused requests to `out' a particular individual in alt.personals by another prominent individual. So, I'd say that if you have his endorsement for your use of anonymity, it's a safe server. But if you're on morally gray areas in your use, by *his* definitions, then Caveat Emptor. p.s. one reference on all this is rtfm.mit.edu:/pub/usenet/news.answers/net-anonymity. I would document further these really volatile incidents (esp. the `nude picture posting') but don't have enough eye-witness accounts to do so (in particular, not my own).

1 0

Wired tidbit about NSA
by Timothy L. Nali 30 Jun '93

30 Jun '93

Here's a little something about the NSA from the latest issue of Wired: pg 25, in the middle type Clipper Purposely Clipped? Sources cloas to those in the know on Captial Hill claim that NSA deliberately sabatoged the poorly considered Clipper encryption chip (rolled out to the Net.public's dismay by the White House early this spring). The NSA, our sources say, would like nothing more than to see the the Clipper chip fail, resulting in the outlawing of encryption altogether ("Gee, we tried..."). The Electronic Frontier Foundation's response to the Clipper plan, which has been in the works for four years and was formulated by the NSA: "We should not rely on the government as the sole source for Clipper or any other chip. Rather, independent chip manufacturers should be able to produce chip sets based on open standards." ----------------------------------------------------------------- While I wouldn't take this as absolute truth yet, it is certainly food for thought. --Phelix /----- P h e l i x ' s P s y c h o t i c P h i l o s o p h i e s -----\ ***************************************************************************** Perfect Paranoia is Perfect Awareness \---------------------------------------------------------------------------/ _____________________________________________________________________________ Tim Nali \ "We are the music makers, and we are the dreamers of tn0s(a)andrew.cmu.edu \ the dreams" -Willy Wonka and the Chocolate Factory

1 0

mailers not liking + in the address
by TO1SITTLER＠APSICC.APS.EDU 30 Jun '93

30 Jun '93

There is, of course, a way around this if you have telnet... telnet to port 25 on charcoal.com, or to somewhere else if you can't reach there, and enter your message as per RFC-821, SMTP. Directions for the lazy: once you get an acknowledgement from the remote computer, type helo apsicc.aps.edu (or whatever your computer is called) It should greet you or hang up. So if it didn't hang up, type mail from: <your name here> DON'T FORGET THE ANGLE BRACKETS! Then, type rcpt to: <anonymus+info(a)charcoal.com> if you connected to charcoal directly, or rcpt to: <@somecomputer.com:anonymus+info@charcoal.com> where somecomputer.com is where you are connected to. (It is possible this is wrong and @somecomputer.com either: a) is not necessary or b) should appear in the mail from: line. Try it.) Then, type data and type in the From:, To: Subject:, Date:, Message-ID:, and so on fields. Send yourself a message to find out how it should look. Make the Message-ID something that will not be replicated by the computer you are on. Follow this with a blank line, and type the body of your message. Double any periods appearing alone on lines. End your message with a period alone on a line. Then type quit to close the connection. (BTW: this provides a certain amount of anonymity without need for a remailer, but it is then possible to detect which computer you are mailing from. I sent the anonymous message about people not doing something if you make it hard enough by this method, as a demo, but I kind of botched it. The message arrived, but it did not look right.) Kragen, SMTP wizard (NOT!) hee hee

1 0

Remailer Test
by nobody＠mead.u.washington.edu 30 Jun '93

30 Jun '93

This is a remailer test. Please forgive the waste of time/space.

1 0

REMAIL: problems
by Karl Barrus 30 Jun '93

30 Jun '93

There must be some correlation between my weekend trips and other events. Last time I went out of town was "Cliper weekend" :-) I've tested the remailers with unencrypted requests, and have received these replies (within seconds, I might add): soda.berkeley.edu cicada.berkeley.edu pmantis.berkeley.edu bsu-cs.bsu.edu alumni.caltech.edu rosebud.ee.uh.edu mead.u.washington.edu shell.portal.com tamsun.tamu.edu tamaix.tamu.edu <-- note, 'Return-Path: remail(a)tamaix.tamu.edu' 'From: remail(a)tamsun.tamu.edu' just in case you see the from line and think tamaix isn't working So I'll wait for the others (rebma, extropia, utter, uclink, jarthur) and then try them all with encrypted requests. A while ago I had a script test all the remailers once a week - I wasn't able to have a cron entry, but I used the 'at' command to schedule the mailing of prepared messages and itself every week. Maybe I'll start that up again since it would help isolate problems if a remailer doesn't respond, especially if twice in a row. /-----------------------------------\ | Karl L. Barrus | | elee9sf(a)menudo.uh.edu | <- preferred address | barrus(a)tree.egr.uh.edu (NeXTMail) | \-----------------------------------/

5 4

SEARCH ME
by Sandy 30 Jun '93

30 Jun '93

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SANDY SANDFORT Reply to: ssandfort(a)attmail.com . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Cypherpunks, Duncan Frissell's experience with the "drain police" reminded me of a similar experience I had some years ago. I found out that the "building police" in Kansas City would be inspecting homes in my neighborhood looking for "code violations." I had put in some electrical plugs without benefit of an electrician. Also, I was still in law school, so naturally I felt like raising some (legal) hell with the Powers That Be. When the inspector showed up, I said "no thank you" when he asked if he could inspect my house. If I had poll-axed him, he couldn't have looked more surprised. Apparently, nobody had *ever* said "no." After he recovered, he asked me why not. I mentioned the Fourth Amendment and the -See- and -Camara- decisions in the Supreme Court. He never came back. I won't go into the embarrassing story of the one time I did cooperate with the police. Suffice it to say, I regretted it. Both events, however, have made it clear to me that it is almost always stupid to cooperate with the cops. To be truthful, I strongly considered leaving out the word *almost* in the previous sentence. I'm afraid some of you will outsmart yourself by thinking you can control a law enforcement situation with "clever" cooperation. Dream on. If you aren't a lawyer, it is very likely you will fuck yourself. But shouldn't you cooperate for the little things, especially when you know you are clean? No, no, no, for two reasons. First, I are you sure you are clean in the officials eyes? The one time I cooperated, the fact that I had 3-4 $100 bills on my dresser made it into the cops report (though he did add, "no other signs of drug dealing"). Are you *sure* you're clean? Second, it's great practice. You have a right to require a valid warrant. These guys (nominally) work for you. Enjoy yourself; make them jump through some hoops for you. Rights are like muscles, if you don't exercise them, they atrophy. Use it, or loose it! S a n d y >>>>>> Please send e-mail to: ssandfort(a)attmail.com <<<<<< ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

1 0

LPF statement on PKP-DSS patent
by L. Detweiler 30 Jun '93

30 Jun '93

I especially like the part where they concisely summarize it all as `the worst of both worlds'... ------- Forwarded Message

1 0

Charcoal remailer
by M..Stirner＠f28.n125.z1.FIDONET.ORG 30 Jun '93

30 Jun '93

Has anyone here had any experience with the "charcoal remailer," a Penet-ish looking system that I saw in another newgroup footer? The footer says to contact "anonymus+info(a)charcoal.com" for information, but this isn't a good address. The misspelling of anonymous is suggestive, but that's how it read... ___ Blue Wave/QWK v2.12 -- M. Stirner - via FidoNet node 1:125/1 UUCP: ...!uunet!kumr!shelter!28!M..Stirner INTERNET: M..Stirner(a)f28.n125.z1.FIDONET.ORG

2 1

PC Week Clipper article
by fergp＠sytex.com 30 Jun '93

30 Jun '93

I just got back from the first day of PC Expo at Javits Center here in New Yawk. (God, how I love these shows. Trinkets, trinkets and more trinkets.) To make a long story short, I picked up a copy (and renewed my subscription) of the latest PC Week. The following article shows (at least) that the Clipper/Capstone debate has not subsided, but rather, is just becoming public knowledge thanks to coverage in trade publications and popular press. This particular article is included amongst several others in a "Special Report" section in the June 28 issue of PC Week relating to Privacy in the Workplace, "Privacy issue comes of age in the networked world." Other articles in this issue include "Encryption, monitoring and E-mail spur the privacy debate," "Some companies spell it right out: We will be watching you," "Privacy Act would force firms to inform their employees about E-mail monitoring, "Electronic monitoring raises legal and societal questions, "Encryption technology is on the rise in the private sector," "UPS toes the line with its package-tracking technologies" and two side-bar articles entitled " Cellular phones: Some like'em and some don't" and "From A too Z: Privacy policies run the gamut." Cheers from Times Square, Manhattan. 8<------- Article follows --------------- PC Week Special Report "Workplace Privacy" "News Analysis" PC Week June 28, 1993 pages 207, 211 Crypto policy and business privacy The White House wants businesses to protect data but leave doors open to law-enforcement agencies by Winn Schwartau Following the Clinton administration's April 16 endorsement of the Clipper chip, law-enforcement and privacy advocates are staking out positions that will likely test the bounds of the Constitution. The Clipper chip, manufactured by Mykotronx Inc., of Torrance, Calif., and officially designated the MYK-78, contains a sophisticated encryption algorithm that protects a company's communications by scrambling the data. Announced as a joint technical effort between the NSA (National Security Agency) and NIST (National Institute for Standards and Technology), the chip is supposed to balance the needs of law enforcement with businesses' need for data privacy. The Clinton administration is encouraging American businesses to adopt Clipper to ensure their own privacy, yet still permit "lawful government electronic surveillance," according to a statement released by the White House. Third-party products that contain the Clipper chip are expected to be announced by fall. The keys to decrypting Clipper communications will be held by two independent parties, such as the Federal Reserve Board and a private company. Attorney General Janet Reno had expected to announce the holders of the keys in early May, but has delayed the announcement until midsummer, according to a spokesman at the Attorney General's office. The Clipper endeavor stems from Bush-era intelligence-agency attempts at adding legislative riders to congressional bills that would have forced telecommunications and networking companies to build in back doors for encrypted transmissions. The EFF (Electronic Frontier Foundation) and CPSR (Computer Professionals for Social Responsibility), citizen groups based in Washington, are generally credited with having such riders removed from the bills. Deep concern drives the anti-Clipper privacy advocates, many of whom focus on the integrity of the encryption key-escrow agents who will ultimately hold the keys to the U.S. digital kingdom if the proposed program is successful. Said Kevin Murray, president of Murray & Assoc., a security-consulting firm in Clinton, N.J., "I don't like Clipper at all. If you're going to offer privacy, then offer it. I've seen too many cases where secrets easily leaked out." Few, if any, businesses appear willing to sign on with the government's plan. Spearheaded by the EFF and the ACLU (American Civil Liberties Union), 31 companies sent a letter last month to the White House and Congress stating "... We believe that there are fundamental privacy and other constitutional rights that must be taken into account when any domestic surveillance is proposed." Among the companies signing the letter were AT&T, Apple Computer Inc., Digital Equipment Corp., IBM, Hewlett-Packard Co., Lotus Development Corp., MCI Communications Corp., Microsoft Corp., RSA Data Security Inc. and Sun Microsystems Inc. One area of concern among the companies is that the government intends to keep all technical information about the Clipper encryption algorithm secret. Conventional cryptological wisdom says that only after wide-spread public analysis and comment can an encryption technique be trusted. CPSR last month filed a lawsuit against the National Security Council seeking information about the Clipper chip. "The Clipper plan was developed behind a veil of secrecy," said Marc Rotenberg, director of CPSR's Washington office. "We need to know why the standard was developed, what alternatives were considered and what the impact will be on privacy. "As the proposal currently stands, Clipper looks a lot like desktop surveillance," Rotenberg said. Said Mitch Kapor, founder of Lotus and chairman of the EFF, "An [encryption] system based upon classified, secret technology will not and should not gain the confidence of the American public." On the other hand, Clipper chip supporters such as Dorothy Denning, chairman of the Computer Science Dept. at Georgetown University in Washington and a noted expert in the field of cryptography, say the key-escrow system is more than adequate to protect legitimate American interests. Padgett Peterson, information-security specialist at defense contractor Martin Marietta Corp., in Orlando, Fla., said, "I believe Clipper's going to work. The government has more to lose than we do." The Justice Department has already placed large orders with AT&T for telephones fitted with Clipper encryption chips. Said Peterson,"Soon enough, everyone will be using Clipper: doctors, lawyers and CPAs." However, the chip's use in other governmental agencies is not assured. Neither the Federal Reserve Board nor the Department of the Treasury has indicated that they will adopt Clipper. Many business executives believe the government's encouragement of voluntary adoption is only the first step in a plan drawn by the intelligence community years ago that will eventually mandate Clipper encryption for private businesses and outlaw all other forms of encryption. The ACLU, EFF, CPSR and other watchdog groups aim to ensure that the government never goes that far. American businesses that adopt Clipper encryption in their networks and communications systems will have to accept some far-reaching assumptions, according to its skeptics: - that the Clipper algorithm is robust enough to secure their corporate information assets domestically and internationally. The international security community already believes American data to be less secure than it should be and worries about leaving doors open to the United States; - that the government does not have its own back door to read encrypted communications; - that the key-escrow agents, once named, can be trusted; - that the key-escrow repository, a vault that contains the Clipper chip serial numbers and encrypting and decrypting keys, will be secure enough to withstand a dedicated attack. The Attorney General's office also plans to announce this summer what form the repository will take -- electronic or otherwise -- and how it will be secured; - that by its very use, the company is not unintentionally giving up its right to privacy or other constitutional rights; and - that purchasing machines that include the hardware-based Clipper chip is better than using currently available and field-tested software encryption techniques such as DES and RSA. The response to Clipper has been negative despite pleas from the administration that "while [other forms of] encryption technology can help Americans protect business secrets and the unauthorized release of personal information, [they] also can be used by terrorists, drug dealers and other criminals." Martin Marietta's Peterson still believes Clipper is "good enough" for business, but he is in the minority. The majority opinion holds that Clipper may be what the government wants, but it shouldn't even think about making any laws mandating its use. ------ Winn Schwartau is the executive director of INTERPACT, a Seminole, Fla., consultancy, publisher of the Security Insider Report and author of "Terminal Compromise" and "Information Warfare: How To Wage It, How To Win It." Paul Ferguson | "Confidence is the feeling you get Network Integrator | just before you fully understand Centreville, Virginia USA | the problem." fergp(a)sytex.com | - Murphy's 7th Law of Computing Quis Custodiet Ipsos Custodes?

2 1