Mailing list software losing posts
The list software seems to be having problems again. I sent the below post to the list three times, and it never got sent out. But since another post from me just showed up, maybe it's working now... (Let me know if you got more than one copy, because I sure didn't.)
-----
To: cypherpunks@toad.com
Subject: Re: lists of U.S. cypherpunks and Tentacles.
CC: Matthew J Ghio <mg5n+@andrew.cmu.edu>
In-Reply-To: <9402260131.AA08270@toad.com>
References: <9402260131.AA08270@toad.com>
Date: Sat, 26 Feb 1994 11:34:54 -0500 (EST)
From: Matthew J Ghio <mg5n+@andrew.cmu.edu>
mg5n+eaibiubkxb58z84cy2iaf9r61u26ra5x26mc0h@andrew.cmu.edu wrote:
Please add me to your list. As you can see, I clearly have a US-based email address. :)
hehe... This didn't come from my site tho. It looks like a clever port 25 hack. However, the return address is valid. I suppose this points out another problem with the US export laws: How can you know where a message came from? As the above example shows, there is really no way to know where the person you're communicating with is. In other words, you can't not break the US export laws. All you have is someone's word that they are in the US or not, but you really can't know for sure. Something to mention in your letters to Rep. Cantwell.
-Ibiu
Cute... using part of your encrypted address as a handle? I never thought of doing that... hmm...
Why bother with something as obvious and complex as an encrypted address with a + in the middle. If I were Joe Foreign_Guy I would simply get an account somewhere in the USA, there are plenty of public access unix systems that allow you a free month or so, do the request for the crypto software, and immediately put a .forward file in my directory. I do this because I can no longer support the high price of calling the USA, and thus want my mail sent to a machine on the net that is sitting on my desk here in sunny (insert_foreign_country). This way, the author has not broken the law by sending the software to anysite.com, and I haven't either because all I did was to tell the unix box to forward my mail out of the country. Such a setting isn't illegal, neither is sending crypto software via email to a USA site. Legally who is to blame? Neither "I" nor the sender broke the law although the software has been sent. If I move from the USA to another country and arrange a deal with my post office to send me ALL my mail to wherever I am and pay them in advance for the service plus agree to pay for whatever forwarding costs, who is to be blamed if Joey_CryptoAuthor sends me a disk with a ton of crypto software in an unlabeled box, and the Post Office does not check its contents, but exports it? Neither I nor Joey_CryptoAuthor broke ITAR. Not really. Not intentionally. But who gets blamed?
The situation:
-- non-USA person retains a USA-based email service
-- this person forwards mail to non-USA machine
-- this person requests crypto software be sent to the USA email address
-- another person sends software to the USA address
-- the forwarding works and the software is shipped outside the USA
This way, the author has not broken the law by sending the software to anysite.com,
This is correct, since the sender of the crypto was told that the address was a US place. If, however, the sender of the crypto knows that it will be automatically forwarded outside of the country, then they become liable because they have prior knowledge of the consequences of their actions.
and I haven't either because all I did was to tell the unix box to forward my mail out of the country.
Such a direction is not improper _per se_, but the combination with a request to have crypto software sent to that address means that the requester has prior knowledge that the request will cause crypto software to be exported across US boundaries. And that prior knowledge creates liability.
Neither I nor Joey_CryptoAuthor broke ITAR. Not really. Not intentionally.
Incorrect. The person who sets up forwarding with the intention of moving crypto software automatically outside of the country is in violation.
But since I am not a lawyer I feel compelled to point out that the cost of extradition of random people to the USA for trial under USA laws is expensive and difficult, the most recent high-profile example being Noriega. In addition, detection of such an action will be difficult at best, and near impossible to prove if encryption is used.
Proof that software was exported in encrypted mail would require at least the following:
-- a copy of a particular piece of mail claimed to contain encryption software
-- evidence that this particular piece of encrypted mail did in fact contain encryption software
-- evidence that a particular piece of encrypted mail was sent outside of the country at a particular time and between two given machines
So, someone has to supply the authorities with a copy of the mail, with a decryption of the mail, and with mailer logs evidencing a transmission across USA borders.
Mailer logs are typically purged after a week or two. So if the intermediate machine has purged logs and the .forward file is gone, there will be precious little direct evidence left of an actual transmission.
If the encryption is addressed to only the receiver, and if the sender did not keep a record of the session key, only the receiver can provide the session key. The session key is necessary to show that a given piece of encrypted mail is an encrypted copy of a particular piece of software.
And unless the NSA or the intermediate machine or the sender provides a copy of the particular piece of mail, there's no fact in evidence that any software was actually sent.
Of course, if the sender is out to sting you and the intermediary provides logging information, one might get screwed. But then again, all intermediaries would have to cooperate, were there more than one.
And finally, I have written so much only to point out that legality and enforceability are two very different things.
Eric
<<And finally, I have written so much only to point out that legality and enforceability are two very different things.>>
Another scenario. Suppose Person A has a unix account they don't use very often. Say once every few months. Suppose person X is a hacker and breaks into Person A's account. Person X then sets up a small program that acts as a remailer, *BUT* in a very specific way. This remailer looks for a particular message, specifically the requested cryptographic software sent from person B who is a crypto author.
Person X is outside of the USA and has grabbed many many accounts and has installed similar programs on each machine, which strip out all headers of forwarded mail, and encrypt/stego all traffic through them. Person X wants to get his hands on a new, but very strong cypher or interesting program that he doesn't have. So through his captured accounts whose profiles match person A's, he manages to set up the transaction and receive the software.
The remailer programs have a very specific code in them that when triggered will remove all trace of their existence within the captured accounts. (ie: the program rm's itself and overwrites the original .login file to the one person X has hacked.) In other words, he gets his hands on the software, sends the kill code to one mailer which sends it on to the next and kills itself, all mailers die. The resulting trail is a long, but quickly disappearing one.
Nevermind that the odds are that Person X will be caught before he manages to set up his "network" and all that. Cliff Stoll is/was an exceptional sniffer with a lot of time on his hands talking to deaf ears until he talked through a megaphone and was taken seriously. The law in theory has been broken. In practice, Person C, F, and N, are pretty much out of luck, unless they get some other breaks leading to person X. :-)
Now suppose that Person A = Person X.
Would you say that person A has an alibi that his account had been hacked in and he wasn't aware of it until a few months later his password mysteriously appeared in 2600 or Phrack or elsewhere and a few people told him of the "breach" of security? :-) Okay, that's it, time for me to get some sleep. Too many theoretical, useless schemes. A true sign of sleep deprivation.
participants (3): hughes@ah.com, Matthew J Ghio, rarachel@prism.poly.edu