I mailed this yesterday, but it never showed up on the list. -----BEGIN PGP SIGNED MESSAGE----- V Z Nuri has actually stolen my thunder a bit here, with his post on 'crypto confrontation', but I've been working on this stuff since Friday. I have a somewhat different approach, and I'd like to see some comment. "CYPHERPUNK" considered harmful I would like to propose that we, the 'cypherpunks', are making a strategic error, which will make it far more difficult to achieve the goal we share. I realize that many will bridle at the notion that we have a common goal, but I think that most of the participants in this list will agree with the following: "Strong cryptography is a powerful new technology, of which the widespread and unfettered use should be encouraged." Our error lies in our approach to encouraging the widespread use of crypto. It is an error of hubris - overweening pride. We too often think of ourselves as an elite - smarter and better in various ways to our non-cpunk neighbours. We refer to these others as 'Joe Sixpack" and other such derogatary terms. The problem is that in doing so we are marginalizing ourselves. We call ourselves 'cypherpunks'. While this is derived from the SF term 'cyberpunk', consider the image we are creating for ourselves: A 'punk' is a marginalized young adult, one who rejects the norms of his or her society, and takes delight in irking those around him with his or her rejection. The older of us will think of James Dean in 'Rebel Without a Cause', or Brando in 'The Wild One'. Later, you get images such as Peter Fonda in 'Easy Rider', and more recently, Sid Vicious and other icons of the 'punk rock' movement. These punks are often romantic figures, but in reality they started marginalized, remained marginalized, and died marginalized. They were ineffective in changing the core values of the society in which they lived (yes, I know that most the examples I've given are fictional characters, but I'm talking about the type of people they are modeled on). We, the 'cypherpunks' have embraced this label, taking pride in our technical abilities, and acting as if we can institute 'cryptoanarchy' without getting a majority of the population to support us. This is a bad approach. The overwhelming majority of the US population is not alienated from the US government, and regards with suspicion those who are. I suggest that we drop the term 'cypherpunk' - it has the wrong connotations to get our ideas into the mainstream. I don't have a perfect replacement yet: 1. I want to get away from the strings 'crypt' and c[iy]pher- they sound too cloak-and-dagger. 2. It should imply that the labelees are level-headed, responsible citizens, not longhaired weirdos. 3. It should make itself difficult to invert - the classic example is the pro-choice/pro-life dichotomy, where each side refuses to acknowledge the other's terminology. 4. A cute and apropos acronym would help. Many on this list have been advocating cryptography primarily as a means of liberating ourselves from an intrusive and overcontrolling state. This is a goal that leaves most Americans cold - they correctly regard their country as one of the most free in the world, and are alarmed by people who want major changes in the status quo. To get crypto accepted into the mainstream, we need to make it something the average person expects and wants to use, for goals that make mainstream sense - not for some distant, idealist utopian cryptoanarchic libertarian dream. Crime is a major political hot button these days. Advocating crypto for preventing crime is probably the best approach we have to getting the meme into the mainstream's ear that "I need good crypto". - -------------------------------------------------------------- Towards this goal, I have written a short Q&A that could be used as a model when discussing cryptography with non-cypherpunks. These are UNFINISHED DRAFTS. I would welcome additions, corrections, completions, and modifications. Please do NOT repost to other locations until they are finished. I'm trying to avoid wild anti-state tirades, giving mainstream reasons for people to take pro-cryptography positions. - ------------------------------------------------------------- Q: Why should I use cryptography? A: To protect yourself against crime. Criminals have already been caught installing "sniffers" on the Internet, and capturing passwords and other data. Cryptography will protect you from this. It will also protect your company against industrial espionage, and reduce fraud by providing unforgeable and undeniable digital signatures. Cell phone companies currently pay $XXXX million every year due to cellular fraud. This vast level of crime could be reduced to near zero by cryptography, with a corrosponding reduction in cellular rates. On top of this, a great deal of crime is committed by tapping cell phone conversations - something that can be done by any teenager (or gangster) with a simple scanner. Even the British royal family have had their privacy invaded by this method. Encryption can protect your phone conversations, and make them as private as regular phones. Finally, strong encryption can make the Internet safe for commerce and trade. [We need more data on the 'sniffer' attacks which have occurred - I know there was one on BARRNET about a year ago, and I understand that there have been others]. Q: Won't criminals be able to evade wiretaps by encryption? A: In theory they could. However, the FBI has not reported a single case where cryptography has been a barrier to wiretaps [I think this is correct - any counters?]. It turns out that criminals have not been using strong cryptography. Even if they did start to do so, audio and data bugs can still be planted. Criminals *have* been tapping the unencrypted data that flows through and is stored on the Internet, and tapping cell phone transmissions to commit cellular fraud. Encrypting your data and communications will help protect you against them. Q: Aren't LEAs worried that strong encryption will make it more difficult for them to catch crooks? A: There's an old saying that's apropos here: "When you're up to your ass in alligators, it's easy to forget that you're trying to drain the swamp." The reason we have LEAs is not to catch crooks; their purpose is to prevent crime. Catching crooks is simply one method of doing so. Cryptography provides a method of preventing crime before it happens, and putting the crooks out of business. To give a couple of analogies: 1. If your house was strongly built, and no one could enter without your consent, you would not worry about burglery. If every house was similarly robust, burglers would be out of a job. 2. Similarly, if your car could not be broken into, damaged, or moved in any way without your cooperation, you would not worry about car theft, or pay for theft insurance. If all cars were similarly protected, car theft and carjacking would no longer exist as crimes. LEAs tend to focus on the small number of investigations which may be hampered by good cryptography, ignoring the vast number of crimes which would be prevented by the same technology. This is a classic example of failing to see the forest for the trees. The widespread use of cryptography would reduce crime to a point where many LEA employees could retire. Q: What's this 'key escrow' thing? A: Some government agencies have been trying to figure out methods which simultaneously permit US citizens to use strong cryptography against criminal eavesdroppers, while retaining the ease with which LEAs can currently tap your calls. The schemes generally involve something mistitled 'key escrow', in which copies of cryptographic keys would be stored at sites accessible by LEAs. Q: Why do you object to it? A: This is a bit as if your local police department ordered you to send them copies of all of your house, car, and office keys, so that they could enter whenever they felt it warranted, without your knowledge. Even assuming no keys will be leaked to criminals from such a valuable archive, it's an incredible boondoggle. The inital cost is tens of millions of dollars per year, by the most conservative government estimates. In reality, it's likely to be hundreds of millions a year, all to enable LEAs to investigate a type of crime which does not yet occur, and may never occur. Q: But isn't escrow required only for export [like I said, I haven't finished] - ------------------------------------------------------ Cute signature quotes are needed. example: I lock my house. Don't you? I lock my car. Don't you? I lock my data. Do you? Use cryptography to protect yourself against crime. - ------------------------------------------------------ Up to this point, I've been an advocate of crypto without using it for much of anything - a classical case of 'I don't have anything that needs it'. I'm going to start clearsigning my messages with PGP. My new key is <ptrei@acm.org> is included here, and has been put on the MIT server. No signatures yet (sorry I didn't get together with Perry in Danvers). Here's my key: - -----BEGIN PGP PUBLIC KEY BLOCK----- Version: 2.6.2 mQCNAzBST7QAAAEEAMs3b6h0lmwbELWbwoVwBVTInb3Gt0YWSamxbC/DJZ4YHqCh 2+aFZKGGlRfoaAeUeus/Vf0oLffwBMmXspSp86P1Nbk/jlR3TdwTqZA4BpcsylF9 68hJYQjrqQRoibXNyNc6O6/yyqm0MUkE1zcZAM3mW0dGV4d5+1QxhKXe9s8VAAUR tB1QZXRlciBHLiBUcmVpIDxwdHJlaUBhY20ub3JnPokAlQMFEDBSUEJUMYSl3vbP FQEB9Z4D/i2vJclQg4iCnHq1H02DR7az533GoRlxWIjOXd/Y1HrxSyFWcA6zTRM1 8FVFPJw4vL0qbynyCXKKTSmN4kzfSSN/Tt60UKy7i3DWZIL6J0kQIbNUxt6mMB76 4Qk3yFWebf14hg7w3e42Hngf6Nw0ZGjLdLieSlixFgg3CAFXmWVa =DsOh - -----END PGP PUBLIC KEY BLOCK----- KeyId = DEF6CF15 Key fingerprint = 07 4A 45 4E 09 F8 30 1F 78 97 AD 18 24 4E 19 E3 I'm signing this with 'pgp -sta' on a Windoze NT machine. Could someone check the sig and tell me if it computes? Thanks, Peter Trei - ------------------------------------- -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMFXLXFQxhKXe9s8VAQEhewP9GFus8GXNygG3rjQqrx1uIW6Cb2QxtMZG igKwDaSZQpp3a9Q8oQfSCbK6da6TotOOSZhI9EYG6Es31eoDhyomn2HR/Bompocl hmkQgMqasJW37Rs1/Vw4uBfdoq0o0FiC8jLkvSj7j+pDP6FB890pWzTtEJ+t+Hqd au6NALhGo14= =jTar -----END PGP SIGNATURE----- gah - pgp has munged the dashed lines for the pubkey. Here it is again: -----BEGIN PGP PUBLIC KEY BLOCK----- Version: 2.6.2 mQCNAzBST7QAAAEEAMs3b6h0lmwbELWbwoVwBVTInb3Gt0YWSamxbC/DJZ4YHqCh 2+aFZKGGlRfoaAeUeus/Vf0oLffwBMmXspSp86P1Nbk/jlR3TdwTqZA4BpcsylF9 68hJYQjrqQRoibXNyNc6O6/yyqm0MUkE1zcZAM3mW0dGV4d5+1QxhKXe9s8VAAUR tB1QZXRlciBHLiBUcmVpIDxwdHJlaUBhY20ub3JnPokAlQMFEDBSUEJUMYSl3vbP FQEB9Z4D/i2vJclQg4iCnHq1H02DR7az533GoRlxWIjOXd/Y1HrxSyFWcA6zTRM1 8FVFPJw4vL0qbynyCXKKTSmN4kzfSSN/Tt60UKy7i3DWZIL6J0kQIbNUxt6mMB76 4Qk3yFWebf14hg7w3e42Hngf6Nw0ZGjLdLieSlixFgg3CAFXmWVa =DsOh -----END PGP PUBLIC KEY BLOCK----- Peter Trei Senior Software Engineer Purveyor Development Team Process Software Corporation http://www.process.com trei@process.com