December 2003 - cypherpunks-legacy

Re: Oregon License Plate Site in the News Tonight!
by Duncan Frissell 17 Dec '03

17 Dec '03

At 11:28 PM 8/9/96 -0500, David E. Smith wrote: >In Missouri, that's all they wanted (a PO Box). That's >perfectly copacetic by them. If you want to register for >voting - since we have Motor Voter - they of course need >a real address. And the post office's requirements for >getting a PO Box are nearly nonexistent. Using a Mail Receiving Service (MRS) address will usually work. Many bureau-rats have yet to compile or use a list of Mail Receiving Services. There *are* commercial firms that do compile such lists but they have to be used to be any good. In those rare cases where they turn you down for a registration or drivers license because they happen to notice that you are using a MRS, you can find a real person to accept your mail for you. I solved the problem once by advertizing on Usenet newsgroups for an address and cut a deal. Another possibility is to use the "homeless defense." I'm homeless, this is the only address I have. Auto insurance companies are more likely to give you trouble than government if you use an accommodation address since they have actual money to lose. There are still 10 or so states that do not require auto insurance so by forum shopping, one can dodge this problem and save money at the same time. Most states are not so fussy, and one can usually just use MRS addresses. Litigation to force you to list a "real" address is exceedingly rare (it's not worth the government's time). This is particularly so since it is trivial to switch cities, counties, states, and countries (if in the US use Canada) for official address purposes. You control your address. Move into a hotel/motel that rents by the week, list the address, and then leave. Even in the Nazi strongholds of Mitteleuropa with their address registration laws, one can crash with friends or sublet apartments and avoid the process. Holiday cottages let a month at a time is another technique. Plenty of Germans are living unregistered lives even today. Residence=Domicile Domicile requires "actual physical presence plus intent to make it your home." *Your* actions establish intent not any actions by the government. DCF "Last year, the Government of the United States collected more taxes from the American people than any unit of government has ever collected before in the history of mankind -- and still it's not enough."

1 0

FCC_ups
by jya＠pipeline.com 17 Dec '03

17 Dec '03

8-10-96. WaPo: "Phone Service Via the Internet May Slash Rates." Labs of Advanced Technology has developed a way for people to make long-distance calls over the Internet using only their telephones, at about half the price of ordinary toll calls. Customers would merely call a central number, then dial their long-distance numbers. The call is carried on the Internet, then put back onto the local phone system at its destination. The company plans to charge 5 to 8 cents per minute for all domestic U.S. calls, which represents a 50 to 75 percent discount off most domestic long-distance rates. International rates would depend on arrangements made with foreign phone companies. "Twenty years from now, and probably sooner, I don't see the giants of the telecommunications industry existing anymore," said the company's president. The giants hoot, "FCC, PACs, whack him." "PCs and the Postal Service Challenge the Mailroom Reign of Pitney Bowes" New technology has made it possible for IBM, Bell Atlantic and National Semiconductor to start prowling around postage meters, which account for $20 billion a year in postage. With a telephone line to the post office and some fancy computer software, a "stamp" could spin out of the printer at the same time the envelope is being addressed. Computer-generated envelopes will not only have addresses and stamps, but also a bar code that can quickly be read by a computer to hasten delivery. Distinctive stamps called indicia carry a specially encrypted numerical code that Pitney Bowes believes the Postal Service should adopt to prevent counterfeiting. ----- http://jya.com/fccups.txt (22 kb) via: www.anonymizer.com FCC_ups

4 3

re: National Socio-Economic Security Need for Encryption Technology
by Bart Croughs 17 Dec '03

17 Dec '03

Duncan Frissell wrote: The first axiom of economics is "Wants are unlimited." I'm glad that they're "shipping all those jobs overseas." The more people we have working the more goodies are produced. If the labor of US workers is freed up, then they can go about producing something else valuable that they didn't have time to produce before because those "third worlders" weren't doing their fair share back when they were trapped in feudalism or fabian socialism. You can't get more stuff (wealth) unless everyone is out there working to capacity (consistent with their desired work/leisure tradeoff). I agree that 'shipping all those jobs overseas' will not cause the US workers to lose jobs. There is other work they can do. But there is another axiom of economics which the nationalist/socialist can use for his case against the free movement of capital. This axiom states that the wages of workers depend on the amount of capital invested. The more capital invested, the higher the wages are. If American companies are moving capital to Third World countries because of the low wages in these countries, then the workers in the Third World will of course be better off. But in the US, the amount of capital will be lowered. So the American workers will be able to get other jobs, but these jobs will pay less, because of the diminished amount of capital in the US. Of course there are advantages also for the US (shareholders will get higher returns, trade will increase), but how can you proof that these advantages will offset the disadvantage of the lowered amount of capital in the US? Anyone? Bart Croughs

3 3

Re: US Power Outages
by Dave Farber 17 Dec '03

17 Dec '03

As someone who was married in NYC during the 65 blackout *happened at 1716 -- the blackout , the wedding at 1705, I have watched with interest the attempt to explain that blackout and how to prevent such. We have not progressed very far. The avalanche behavior of power systems is still not well understood and techniques to prevent such failures are not obvious. Same can be said of telephone and computer networks at different levels. Dave

1 0

e$: I Never Meta-Certification...
by Robert Hettinga 17 Dec '03

17 Dec '03

-----BEGIN PGP SIGNED MESSAGE-----BY SAFEMAIL 1.0----- e$: I Never Meta-Certification... Verisign, NRC-CRISIS, Crypto vs. Encryption, "Half-Way" Measures, Meta-Certification, Reputation Rental, FLAs, Groucho Marx, and a Proto-Call for IFCA Founders. August 11th, 1996 About a month ago, after the July DCSB meeting, I had a drink with Jon Matonis, who's in charge of Financial Products for Verisign. We talked about a lot of stuff, but, since he was buying, :-), we talked a lot about certification authorities (CAs), specifically, financial certification authorities. Verisign financial certification authorities, to be completely precise. I have to admit up front that until then, I didn't follow the CA world all that much. I've been a Web-of-Trust guy, and I still think the world will go to more geodesic trust models sooner or later. The only "certificates" I care much about are the "digital bearer" kind. In a financial sense, I see certificate authorities as a way to extend book-entry accounting to the internet, and I'm more interested in edgier stuff: what I claim will be the re-emergence of cash-settled bearer certificates in the financial markets, this time in digital form, on public networks. CAs and link-level encryption are just a way, as someone from MIT said to me at MacWorld this week, to move the old private networks out onto the net, which, to my mind, are the same thing to digital commerce that derigibles were to aviation. Yes, they look like ships, which we know all about, and they *can* fly, but... Anyway, it's clear we're moving from a world of insecure transactions on private secure networks to one of secure transactions on insecure public networks. CAs, SSL, and the whole enterprise of encrypting links between accounting databases seem to be halfway measures to me. They're a way to create, like our friend from MIT says, a temporary private secure network, so you can send properly authorized, but still unsecure, book-entry down it. For that "proper authorization", you need the biometric identity a CA provides, so you can hunt down and jail miscreants who change the wrong book entry. I've even made biometric-identity CA jokes about "X.BlaBla" and "Numbers of the Beast", and all that. Which reminds me of something Steve Kent said at the NRC CRISIS report roadshow this week. He likes to make the distinction between cryptography and encryption. That is, governments tolerate cryptographic signatures because they can still read your mail, while they don't tolerate encryption, because, well, they can't read your mail. Frankly, I see that as a false dichotomy, and I think most crypto people do, too, but, since the major selling point for cryptography to business is that need to keep their book-entries clean, this gives governments a lot of breathing room. As long as most other businesses (call criminal enterprise a business for the time being) can't read the encrypted link, businesses are happy, and will accept watered-down *cryptography*, not just encryption. The problem, of course, is that *governments* will have the ability to read those messages, and even forge those signatures, and businesses aren't to the point where they're sensitive about this. Given the ubiquity of the invasiveness of modern industrial government in the affairs of business, not only with respect to regulation, but also with the ability to audit for taxes and other reasons, it may take a while for business to wake up to their own need for privacy through strong cryptography. But they will. Governments are made of people, of course, and when it's possible to create enormous financial advantage for yourself by reading financial transaction data, some of those people will do so, and, given the ubiquity of networks, they'll be able to get away with it. When you outlaw crypto, only outlaws have crypto, and all that. However, the *business* knows they've been robbed, and, since government employees are the only ones with the power to break the link and forge signatures, either through computational horesepower or key escrow, who are going to be the, heh, usual suspects? A bad place for a nation-state to be in, it seems to me. Cleptocracy may work in *some* places, but in general they're bad for business. Finally, there's a red herring in all of this, and that's the so-called exemptions for "financial activity" from much proposed cryptography controls. So, how do you know what's financial activity and what isn't if a message is encrypted? This doesn't even take into account the fact that, if bearer certificate technology takes off, from micropayments like Micromint and Millicent, through ecash and on to digital bearer certificates for foriegn exchange (a $3 trillion daily business), the sheer volume of encryption on the net, of the strongest possible form, is going to explode. Don't get me wrong, I like the CRISIS report, because they are, to use a beloved scatalogical expression, inside the tent and er, pointing, out. But, to beat a few more metaphors like dead horses :-), the CRISIS report is trying to "decompress" government into a world where they can't really wiretap anymore. To do that, they want to start the bar at, say, 56-bit DES and 1048-bit RSA, and move it up as technology, er, improves. In this, they remind me more of someone trying to shovel uphill against an avalanche. If you can't sign a mortgage with a signature long enough to withstand 30 years of Moore's law, or encrypt something you don't want others to read for that long, then why do it at all? A little bit of encryption is like being a little bit pregnant --. OK, OK, I'll give the metaphors a break now... :-). So, we're back in the hotel bar, and Jon was buying, and I'm listening. (Besides, Jon's an original e$pam subscriber, and he's *still* one, so I had *better* listen.) He has a point when he says that most of the stuff I'm interested in is out *there* somewhere, and the way you make money is here and *now*, where the "halfway measures" live. Jon says that as far as he's is concerned, of all the different kinds of businesses you can use certification authorities for, banks and financial institutions the low hanging fruit, and he and his bunch are out there shaking the trees for all they're worth. Go, Jon, go. So, why *doesn't* Verisign rule the world of financial CAs already? After all, they have the patents, "modulo" the debate on the legal strength and longevity thereof. From the standpoint of mobilized resources, they're literally the only game in town, and, even if they aren't, with a tip of the black cryptographer's hat to Redmond, a lack of uniqueness hasn't kept other first movers from software hegemony before, anyway. Well, first of all, let's assume the market's already there for book-entry transactions on the internet (like credit and debit cards, and counter-cash like Mondex). Yeah, I know, "assume a frictionless surface". But, everyone else around here does, so we'll fiat the issue for the time being. Last Sunday's "Shoe" cartoon, about the wizard spending $300 in webware upgrades while ostensibly learning to get rich doing web commerce, to the contrary. Second, we can assume that banks need certification, for all the reasons I outlined above: In order to move book-entries around the net, you need *functionally* encrypted links (for the time being, what technology and governments let us have) and the digital authority to change those book-entries. Operationally, they may not need strict biometric identity just to map a signature to an account full of money, but we'll deal with that some other time. Now, let's look at what I presume is Verisign's business strategy for financial markets. They're trying to build a superheirarchy of all those bank heirarchies, so that those banks can clear trades with each other, on the net, without using a proprietary network to do it. This is, of course admirable, if not necessary, if banks want to do internet commerce efficiently with their customers. It will be necessary when electronic checks come on line, say, next year, because even though ACH is out there on the other side of those internet-ACH gateways, there might come a time where banks will want to clear checks against each other directly. Having a CA's CA, CA^2, if you will, will make that possible. To make this happen, Verisign doesn't want you to be you unless Verisign says you're you, to paraphrase the old underwear comercial, and that, I believe, is the problem. Verisign is not paying attention to what it really is: a software vendor. It is not a financial intermediary, which is what this CA's CA would be, by definition. A financial intermediary, especially one on the net, is in effect "renting" its reputation to a trade until it clears. It is saying, first and foremost, that the trade will be safe, effectively risk-free, or at least risk-calculable, to both parties of the trade. What it does to control that risk is almost immaterial as long as it works, but, in this case, it is to use RSA as the technical means of identifying the parties of the trade, with a link to a "biometric" identity of either party. If you can call it "biometric" for a financial institution. The financial institution then, of course vouches for the contents of the particular account being offset, the book-entries swap, and the trade is over. Like flying an airliner, of course, this is the easy part. If the trade is broken, what does Verisign do? Of course, it can refuse to do trades with the offending party. It can even call the law. The former is much more powerful, however, and, frankly, it's the only enforcement mechanism which we'll be able to use someday anyway. Physical force costs a lot to use, even if you can buy it wholesale, at the government rate. Fortunately, this kind of "club", as Eric Hughes calls it, is the predominant way of renting reputation in the financial community. Think of NYSE, or NASD, or CBOT, or NIDS, or SIAC, or any other FLA. ;-). (Yes, there's DTC, and CUSIP, and Other-Letter-Acronyms too.) They're pretty easy to set up. Verisign itself is *not* how to do it, however. They would to *sell* to this reputation-rental entity. Every one of the above entities is an association (not-necessarily-non-profit), or, more usually, a member-owned corporation. So, with that in mind, internet financial institutions like banks could create an association or member-owned corporation, which would "rent" reputation and function as a financial intermediary between members. Obviously we shouldn't restrict membership in this organization to just depositories like banks, because non-depositories will be significantly involved in internet commerce. See Phil Webre's CBO study on electronic retail payments for more on that. Here is one way that could be done. A bunch of banks -- and non-depository financial intermediaries, like digital cash underwriters / trustees, payment gateway companies, (someday maybe Millicent brokers and MicroMint issuers) - -- could get together, purchase shares for startup money, and form a certification authority for themselves. Revenue could come from processing and membership fees. They could then contract with Verisign to build their system. Of course, they could contract with someone else, too, but I expect that Verisign is in the best position to do this at the moment. In addition, Verisign would probably be the technology of choice for the subordinate certification heirarchies those financial intermediaries use with their customers. Pretty lucrative, but it is also tempered by whatever patent lifetimes Verisign has hanging over its head. Here's what that gets us. We get the ability for any member to clear any trade of any agreed-upon financial instrument (subject to legal restrictions, of course) with any other member, no matter where they are in the world, using the internet as the transport mechanism. Very powerful stuff indeed. In fact, this *organization* can be located anywhere, which gets really interesting, but we'll save that for some other discussion. Notice that I'm not saying that this would be a monopoly. Just like several countries have multiple stock and commodity exchanges, there will probably be multiple financial certification associations like this one. In fact, that's the core of a good prima facie name. The Internet Financial Certification Association. Nice ring to it. Four-Letter Acronym, too. I also expect that these kinds of "heirarchies" will probably devolve into a geodesic, too, but they'll probably survive the change, because there'll always be a market for, er, inter-mediary intermediation. I feel vaguely like Frege, or Russell, or Goedel here. Maybe (Groucho) Marx? So. Like most internet enterprise ideas, all it takes is a mailgroup, and, later, a meeting (I can think of this *nice* time and place in Anguilla ;-)), to set this up. Obviously, the membership/shareholders of the proposed IFCA should be companies, and the management of this enterprise should come from the membership, or at least hired by them. Any individuals (like myself, for instance) who participate at this stage are just kibbitzers along for the ride, unless they're planning to be an internet financial institution, of course. :-). As a sort of test of the idea, I've gone and set up yet another mail-group on thumper (<mailto://majordomo@thumper.vmeng.com>, with " subscribe ifca " in the body of the message) to discuss it. We'll move it someplace else later, if necessary. If there's enough interest from the right people, expect a call for founders sometime soon. If there isn't, it'll sink without a trace, as it should. So, if you, or anyone you know, is part of a financial institution involved, or wishing to get involved, in financial transactions on the internet, pass this rant along to them. Well, maybe not the *whole* rant, it might scare them. :-). But enough necessary to give them the idea, anyway. I expect that the places I put this rant will probably be enough to get critical mass for the mailgroup, at least, and we'll take it from there. Cheers, Bob Hettinga -----BEGIN PGP SIGNATURE-----BY SAFEMAIL 1.0----- Version: 2.6.i iQCVAwUBMg5FQvgyLN8bw6ZVAQF2GQP/fPHzQmgLy2ZOO8qTQIZoBgyiOUxXxkDA hoWJOc0BO5IoeK+JETLTiH5BNxbVqnWQiCO0N13RWXEDFyaBHAmRoujG1hgzs2e0 zYIS37jab3nPH7bkznswQJXOgOYBu9qRtZqrP5VonWXQxz2Zw5izFqdOIiOgoANv 0xMO8UayXEY= =MTk+ -----END PGP SIGNATURE----- ----------------- Robert Hettinga (rah(a)shipwright.com) e$, 44 Farquhar Street, Boston, MA 02131 USA "'Bart Bucks' are not legal tender." -- Punishment, 100 times on a chalkboard, for Bart Simpson The e$ Home Page: http://www.vmeng.com/rah/

1 0

Re: photographed license plates
by David Rosoff 17 Dec '03

17 Dec '03

-----BEGIN PGP SIGNED MESSAGE----- At 08.23 AM 8/9/96 -0700, i am not a number! wrote: >>How? Their license plates have been photographed. >>... and the cheery "news" anchorwoman sweetly moved on to the next >>story..... [...] >O, and I think they're talking more about putting up cameras at some >troubling intersections to take pictures of cars running red-lights. > >And cameras on transit vehicles (buses primarily). > >Gee, I am starting to feel so warm and safe! Typical prole. Doesn't know what's good for him. =============================================================================== David Rosoff (nihongo ga sukoshi dekiru) ---------------> drosoff(a)arc.unm.edu PGP public key 0xD37692F9 -----> finger drosoff(a)acoma.arc.unm.edu or keyservers 0xD37692F9 Key fingerprint = 25 7D AA 01 85 41 43 89 50 5A 33 76 F1 F1 99 67 Do you know who's reading your email? ---> http://www.arc.unm.edu/~drosoff/pgp/ Is it a forgery? --- I have PGP signed all email and news posts since May 1996. =============================================================================== "Your Honor, I have been following this person's movements for quite some time, and I can prove that he is in possession of secret government underwear." -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMg5oqxguzHDTdpL5AQGdOAQAmAjdOJzLTavjv2wsMwiJKKYc2vI2t9pk CK4lzP163lEwIbvaQsDg9sLm4CmV+6JYV4+YbeLcSLLW5xNoCHV+Eh8XkDFC+fpP XF4wjYdQyux+WF/vYeNBcnKdtMb+VKD/+P9nkSmYexuRiGMmsMDHvX2znHKWOIa0 ko8Vul1tkuQ= =o/Ge -----END PGP SIGNATURE-----

4 4

Re: Oregon License Plate Site in the News Tonight!
by Bill Stewart 17 Dec '03

17 Dec '03

>This brings up an interesting point. Is it poosible to obtain the list of >all the individuals/corporations that have purchaced the list of DMV >information and post *THAT* information to the net. I think that people >would be surprised just who uses that information and for what... Many states have open records laws, and Oregon seems like the type that would. You might try asking your Legislator's (or their staff) first before going to the DMV, since Legislators are more likely to say "Yes, we're helpful and friendly and like interacting with the public", while DMV bureaucrats say things like "No" and "Go stand in line, peon". # Thanks; Bill # Bill Stewart, +1-415-442-2215 stewarts(a)ix.netcom.com # <A HREF="http://idiom.com/~wcs"> Defuse Authority!

1 0

Re: e$: I Never Meta-Certification...
by shamrock＠netcom.com 17 Dec '03

17 Dec '03

At 18:30 8/11/96, Robert Hettinga wrote: >Anyway, it's clear we're moving from a world of insecure transactions on >private secure networks to one of secure transactions on insecure public >networks. CAs, SSL, and the whole enterprise of encrypting links between >accounting databases seem to be halfway measures to me. They're a way to >create, like our friend from MIT says, a temporary private secure network, >so you can send properly authorized, but still unsecure, book-entry down it. >For that "proper authorization", you need the biometric identity a CA >provides, so you can hunt down and jail miscreants who change the wrong book >entry. I've even made biometric-identity CA jokes about "X.BlaBla" and >"Numbers of the Beast", and all that. Beware of biometrics. They can give a false sense of security. Case in point: the other day, I picked up my girlfriend at an international airport that uses hand shape scanners to control access to restricted areas. I had her put her hand into the scanner, entered a random four digit code -- and the scanner displayed "Access granted"... We quickly walked away. -- Lucky Green <mailto:shamrock@netcom.com> PGP encrypted mail preferred. Defeat the Demopublican Unity Party. Vote no on Clinton/Dole in November. Vote Harry Browne for President.

1 0

re: US Power Outages
by bugs＠netcom.com 17 Dec '03

17 Dec '03

> > I wonder if someone's probing power-system vulnerabilities and defense > strategies. > > Just coincidental that there's been all this noise about power grid > vulnerability and two vast regional outages this summer? > The week before twa800 Clinton signed that executive order creating the "infrastructure protection task force". Now we are having massiv power outages "caused by trees". Sounds like they are trying to make swamp gas fly again. Later Mark Hittinger Netcom/Dallas bugs(a)netcom.com

1 0

re: National Socio-Economic Security Need for Encryption Technology
by tcmay＠got.net 17 Dec '03

17 Dec '03

At 10:31 PM 8/11/96, Bart Croughs wrote: > But there is another axiom of economics which the >nationalist/socialist can use for his case against the free movement of >capital. This axiom states that the wages of workers depend on the amount >of capital invested. The more capital invested, the higher the wages are. >If American I agree strongly. In my Econ 101 class, lo those many years ago, I was constantly reminded to "Remember the Croughs Axiom!" It is why MacDonald's workers, who work at a company which has invested truly vast sums of money in the capital of its outlets, pays its workers so much more than do the legal firms, advertising firms, etc., which have invested almost nothing in the capital of their facilities. This is why so many lawyers choose to move into hamburger flipping. In fact, the lawyer who won the "hot coffee" lawsuit is now a Milkshake Trainee at the East Outback, Wisconsin MacDonalds. "Would you like fries with that?" --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay(a)got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Licensed Ontologist | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway."

2 1