You really do want to volunteer, don't you?
Item: Getting a transponder or bar-coded "EZ Pass" for your vehicle is completely voluntary....but if you don't have one of these transponders or passes, you'll have to go to the "manual" lane...Oh, and it seems that due to budget cutbacks we're short on staff and so you'll have to wait a while...maybe _quite_ a while. (Plus, while you're waiting maybe we'll just snap a photo of your license plate anyway, as you might be a terrorist or Mann Act felon trying to evade our surveillance....)

Item: The U.S. is proud to call its tax system "voluntary," in terms of what citizens report. (The voluntary term was never that participation was voluntary, only that a tax collector did not show up in person and decide what a person owed.) However, to ensure compliance with the voluntary part, citizen-units will find that their bank narcs them out to FinCEN and IRS, and that electronic intercepts of financial dealings are common, and that "compliance audits" are far more draconian than ordinary citizen-units imagine.

Item: Key recovery is purely voluntary. Unless you try to communicate with foreigners. Unless you are involved in any communications with drug dealers, money launderers, terrorists, child pornographers, or any other Horsemen. (Wouldn't you really rather play it safe and use the Government Approved Krypto?)

Item (in the Very Near Future): "But, Mr. and Mrs. Zludnick, the ChildFinder (TM) implant is painless and quick. Based on the technology used to find lost pets, ChildFinder (TM) allows authorities in public places to scan for kidnapped or lost children. Surely you'd want your daughter to have access to this technology? While completely voluntary--after all, Mr. Zludnick, we are still a democracy, aren't we?--you should be aware that the school nurse will be most unhappy if your children are not ChildFinder-compatible. Not to mention the teachers who count on using RollTaker (TM) to automatically take the roll of students.

And your children will have to take tests in special rooms, and be checked for evidence of identity spoofing. All in all, Mr. and Mrs. Zludnick, I think you can see the problems. Why, in a sense, it would be a kind of child abuse, don't you think, to make your little Johnny and Suzy such oddities in the class. I'm sure you wouldn't want Child Protective Services to make one of their "visits," would you? They're oh-so-thorough in uncovering signs of an unwholesome home environment. And then where would you be? So, can I assume you'll be volunteering?"

What we are seeing is an Orwellian abuse of the English language. Programs are introduced as "voluntary" ones, but the alternatives are either deliberately made time-consuming and annoying, or the alternatives are just dropped completely.

(I'm not talking about what private individuals or companies ask for. Alice's Restaurant is free to require patrons to wear silly hats, as it is their property. What I'm confining my comments to is the "mandatory voluntary" nature of more and more government programs.)

The airline bag confirmation system is an in-between situation. It is partly a security matter to require bags be correlated with actual flying passengers...cuts down on bombs sent in bags. But it is also a surveillance/tracking issue, and the airlines are playing the tune the government calls for. (Else why would airlines not accept passengers who a) in fact board the plane, and b) pay in cash for their tickets? It used to be this way. No more. Now they demand a True Name, regardless of how easy it is to buy phony documents. If I can buy a phony set, or can even make up my own, imagine what actual terrorists can do.)

And there's the whole issue of Social Security Cards. My card, issued in 1969, says it's not to be used for any purposes except SS and income tax matters. Tell that to the many agencies, public and corporate, demanding it.

The point? Our privacy is being "escrowed." The automobile transponders and barcoded vehicle passes are touted as voluntary, but they really are not.

Chaumian, identity-protecting technologies need to be deployed.

Frankly, I think Cypherpunks are getting off track with all the recent focus on "old" technologies (which I'll leave unspecified, as my point is not to attack certain pet projects).

The real stuff is going undone.

--Tim May

There's something wrong when I'm a felon under an increasing number of laws.
Only one response to the key grabbers is warranted: "Death to Tyrants!"
---------:---------:---------:---------:---------:---------:---------:----
Timothy C. May | Crypto Anarchy: encryption, digital money,
tcmay@got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero
W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets,
Higher Power: 2^1398269 | black markets, collapse of governments.
"National borders aren't even speed bumps on the information superhighway."
At 12:28 PM -0700 9/2/97, Ian Goldberg wrote:
The effect the crypto regs have on me is that any time I want to actually _implement_ something and publish it, I have to wait for school breaks, go home (to Canada), do all of the work there, and publish it from there before I return to Berkeley. This obviously cuts down on the rate at which I can get things done. Americans don't even have this option. If not for problems like this, S/WAN would certainly be further along than it is now.
One more question. Could you tell us which things you are talking about here, which things you returned to Canada to implement?

(And was any of the "prep" work done here in the U.S.? My understanding of the EARs is that if any of the prep work--basic research, algorithm development, trial coding, etc.--was done in the U.S., then going to Canada to finish and release a piece of code is no protection, and in fact violates the EARs. This is, at least, the explanation given by RSADSI, PGP, Netscape, etc., for why they don't simply move their crypto experts offshore.)

In any case, Ian, I think your examples would be very interesting to hear about. I think Dan Bernstein's "Snuffle" was not quite a serious piece of code. By this I mean that Snuffle was never used in a major way in any product (perhaps it could've been...I recall Schneier had some mention of it a while back in Dr. Dobbs, and I don't mean to imply it was not a good cipher, just that Bernstein's challenge was more to prove a legal point than to actually get Snuffle and whatnot available for export in real products). Ditto for Prof. Junger, whom I don't believe was actually threatened with prosecution.

In both the Bernstein and Junger cases, and this is a credit to their initiative, they filed preemptively, so to speak. They requested clarifications/permissions, and as Karn did, as Levien did (the t-shirt).

I have seen no evidence that those publishing academic work in the journals, or even producing products, are being prosecuted under the ITARs or EARs. (The issue of whether a Web release constitutes "export" is of course a separate--and important--issue. And the issue of whether Ian, as a Canadian, can legally do work or sell products while on a student visa in America, is also a separate issue.)

If you are actually going to Canada to release products, this might be even more interesting than either the Junger or Bernstein cases. Of course, if you discuss this openly, you may be inviting repercussions.
--Tim May
Tim May <tcmay@got.net> writes:
One more question. Could you tell us which things you are talking about here, which things you returned to Canada to implement?
I can't see that export controls are much of a big deal for freeware cypherpunk software ... just publish it on a US site with whatever access controls you fancy. It'll make its way out of the country in a few minutes and end up on replay.com, or one of the automated mirrors of export control sites at ftp://idea.sec.dsi.unimi.it/pub/ or wherever. It's not as if you're trying to sell it, or are a corporation worrying about stepping on toes at NSA Inc.
If you are actually going to Canada to release products, this might be even more interesting than either the Junger or Bernstein cases. Of course, if you discuss this openly, you may be inviting repercussions.
Just release it in the US. Let someone else do the export.

Adam
--
<A HREF="http://www.dcs.ex.ac.uk/~aba/rsa/print%20pack%22C*%22,split/%5cD+/,%60echo%20%2216iII*o%5cU@%7b$/=$z%3b%5b(pop,pop,unpack%22H*%22,%3c%3e)%5d%7d%5cEsMsKsN0%5blN*1lK%5bd2%25Sa2/d0%3cX+d*lMLa%5e*lN%250%5ddsXx++lMlN/dsM0%3cJ%5ddsJxp%22%7cdc%60%3b$/"> Have <I>you</I> exported RSA today?</A>
I do understand that US citizens and Permanent Residents are prohibited from giving crypto to foreigners even when they are outside of the US,
Or giving it to foreigners even when those foreigners are *in* the US.
but I'm neither of those. The BXA _could_ try the old "let's tax all foreigners living abroad" tactic, of course...
'Mericans probably don't realize that there is a distinction between Permanent Residents (PRs) and other sorts of ferriners. All of the Feds' cute extra-territoriality ploys: outlawing gold ownership in '33, outlawing unlicensed space launches in 85(?), outlawing working on anything in Cuba or on nuclear power plants in the old bad South Africa, or outlawing exporting crypto, or blocking ownership of 60% of the world's mutual funds, or levying taxes on worldwide income, etc. apply to US citizens, US permanent residents, and in some cases those present in the US. Thus US citizens and PRs were prohibited from owning gold anywhere on earth from 1933 to 1980. Same with the rest (with numerous complications). A student Visa holder is most assuredly not a PR and so would not be covered by these laws save to the extent that they cover all those present in the US.

DCF
In article <199709022216.XAA00915@server.test.net>, Adam Back <aba@dcs.ex.ac.uk> wrote:
Tim May <tcmay@got.net> writes:
One more question. Could you tell us which things you are talking about here, which things you returned to Canada to implement?
I can't see that export controls are much of a big deal for freeware cypherpunk software ... just publish it on a US site with whatever access controls you fancy. It'll make its way out of the country in a few minutes and end up on replay.com, or one of the automated mirrors of export control sites at ftp://idea.sec.dsi.unimi.it/pub/ or wherever.
It's not as if you're trying to sell it, or are a corporation worrying about stepping on toes at NSA Inc.
If you are actually going to Canada to release products, this might be even more interesting than either the Junger or Bernstein cases. Of course, if you discuss this openly, you may be inviting repercussions.
Just release it in the US. Let someone else do the export.
I'm not primarily talking about _products_, here; I'm not selling stuff. I'm just trying to publish! Part of my research (which focuses on computer security) involves (surprise) building secure systems or breaking insecure ones. Where this involves cryptography or cryptanalysis, I am prohibited from publishing these systems on the Net, from my homepage (and I don't _want_ to put access control on my homepage).

To answer Tim: for example, when I was in Canada last, I wrote Top Gun ssh (secure shell for the Pilot) from the ground up. It would be hard to understand how this could be a violation of US export regs, when nothing involved ever _entered_, let alone was _exported_ from, the US.

I do understand that US citizens and Permanent Residents are prohibited from giving crypto to foreigners even when they are outside of the US, but I'm neither of those. The BXA _could_ try the old "let's tax all foreigners living abroad" tactic, of course...

- Ian
Ian Goldberg <iang@cs.berkeley.edu> writes:
In article <199709022216.XAA00915@server.test.net>, Adam Back <aba@dcs.ex.ac.uk> wrote:
I can't see that export controls are much of a big deal for freeware cypherpunk software ... just publish it on a US site with whatever access controls you fancy. It'll make its way out of the country in a few minutes [...]
It's not as if you're trying to sell it, or are a corporation worrying about stepping on toes at NSA Inc.
Just release it in the US. Let someone else do the export.
I'm not primarily talking about _products_, here; I'm not selling stuff. I'm just trying to publish! Part of my research (which focuses on computer security) involves (surprise) building secure systems or breaking insecure ones. Where this involves cryptography or cryptanalysis, I am prohibited from publishing these systems on the Net, from my homepage (and I don't _want_ to put access control on my homepage).
Hmmm... There are lots of crypto papers on the net. Pick a US cryptographer, his home page will be bristling with papers (postscript, html whatever). If you're talking about publishing code to go with your paper, well publish the URL in your paper, and put the code at the URL. There seems to be a reasonable selection of code at the cypherpunks ftp site @ Berkeley judging from the Italian mirror of it. Some of _your_ code is on that site...

Adam
At 12:42 am -0400 on 9/2/97, Tim May wrote:
Chaumian, identity-protecting technologies need to be deployed.
Frankly, I think Cypherpunks are getting off track with all the recent focus on "old" technologies (which I'll leave unspecified, as my point is not to attack certain pet projects).
The real stuff is going undone.
So, Tim, what should we all be working on, in particular?

Cheers,
Bob Hettinga

-----------------
Robert Hettinga (rah@shipwright.com), Philodox
e$, 44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
The e$ Home Page: http://www.shipwright.com/
At 11:58 am -0400 on 9/2/97, Tim May wrote:
At 5:43 AM -0700 9/2/97, Robert Hettinga wrote:
So, Tim, what should we all be working on, in particular?
OK, you asked. This isn't a comprehensive list.
[outstanding non-comprehensive list snipped] So, Tim, does this mean that you're now willing to fund development of any of those things? Sorry to bait and switch you like that, Tim, but I had a point. That is, if it doesn't make money, it won't happen. Economic "utilitarianism", like the rest of reality, is not optional.
Also, 95% of the crap about "digital commerce" is merely a distraction. The wrong direction, the wrong technology. Just "Visa on the Net," and hence of no real use for our sorts of goals. Worse, the wrong direction.
Agreed. Book-entry transactions on the internet are the functional equivalent of an electric car with a power cord. Or trying to make a supersonic dirigible.

And, the *only* way you can have bearer certificate transactions on the net of any non-repudiable strength is with cryptography. The strongest cryptographic protocols, for very little extra cost, are those involving anonymous bearer certificates, and so, I claim, anonymous bearer certificate protocols will eventually replace "Visa on the Net", with digital bearer forms of picocash, or macrobonds, or anonymously held equity or derivatives. You certainly can't do those anywhere, much less on the net, with book-entry settlement. The net, or the machines which use them, anyway, would choke on the overhead. The internet sees audit trails as damage and routes around them, to torture poor Gilmore's quote one more time...

So, my goal is *not* to maximize privacy, because it's a natural consequence of my actual goal, which is to reduce the cost of any given transaction by 3 or so orders of magnitude. To maximize profit, in other words. The way to do that, on a ubiquitous internet, is, paradoxically, with strong cryptography. That, I am sure, is a fundamental economic fact of the universe.

Amazing, isn't it, that my goal and your goal get the same result of ubiquitous financial (and thus any other kind of) anonymity? Kind of like the neat way that some mathematics describes physical processes, or that aerodynamic flight, ostensibly orthogonal to economics, is cheaper than long distance surface travel, much less buoyant flight, for moving people around. An argument that Hume would have loved, certainly. The connection between privacy and economic return is only constant conjunction, like the sun coming up tomorrow because it came up every morning in human memory. It's going to be just as predictable, though.
So, getting back to my point, which Sameer and PGP and even RSA have proven already, and which lots of the rest of us hope to prove going forward, cryptoanarchy must pay for itself in order to be deployed. It's that simple. In other words, if you want to see it, Tim, and you can't build it yourself, hire it built, and see if it sells. It's risky, any investment is, but given your past financial success, you're demonstrably clueful enough to get a good return for any investment you make in cryptography.

Cheers,
Bob Hettinga
At 11:21 pm -0400 on 9/2/97, Tim May wrote:
Sorry I "donated" my time making up this list,
To the contrary, it's not a donation at all. I see it as a set of investment criteria, myself. How is the market going to make something for you if it doesn't know what you want? Keeping in mind what I said about privacy being economically efficient, I take what is said on this list about privacy, "gossip" or not, very seriously, especially when it comes from someone like you, Tim.
given the messages I'm seeing and the private chastisements of me for daring to suggest.
Maybe they're misinterpreting all the stuff you've said over the years about "something must be done", "cypherpunks is not a group", and "we" ought to do things, etc. Frankly, a discussion of specifications and desired results is worth much more than the wasted random effort saved when people just write code and let god sort it out. I mean, Michelson-Morley may have been a neat experimental finding, but nothing really happened with gravity until Einstein figured out space-time, right?
Apparently some of you think that only full-time C or Java programmers are qualified to make suggestions.
Of course not. See above. There are many more people who know how to write code than there are like you, Tim, who know what to do it *for*. Unfortunately, people who write code need to eat. Fortunately, people who know what to do can raise money to hire people who write code if the idea's good enough to sell twice: once to investors, and again to the market for which the code's intended. And, rarely, as in your case, Tim, some people with money already know what to do and can hire people to do it. If they can "sell" *themselves* on the idea that the market will buy it. The guy who founded Aldus did it with Pagemaker. Osborne did it, too, before he made the mistake of hiring a completely ignorant "professional" management...
And spare me the lectures on Capitalism 101.
Well, it was more for the list's benefit than yours, Tim. You're just my unsuspecting foil, here. :-). If, say, John Gilmore were here saying the same kinds of stuff you were, I'd have sprung my little rhetorical trap for him instead, by getting him to list what we should do next, and then asking him which ones he's going to invest in. He'd probably be just as pissed off. You just got lucky, is all...

Actually, if you count the money and time he's thrown at politics and lawyers, and S/WAN, and cypherpunks, and a few other things, you might say Gilmore's made an investment or two. Unfortunately, since he's not using actual investment criteria -- profits, in other words -- you might consider those investments to have been accidental. On the other hand, investing is always about personal choices, whatever they are, and so the loop closes on itself, I suppose.

The point is, all of the stuff you've listed costs money to do, Tim, or it would have been done already. Which means, unless you're doing this for a hobby, spending a very small fraction of your total income, (or an obsession, taking all of your time and income, which can easily be argued here on my own part :-),) then the money or time you invest in an activity has to perpetuate itself, or eventually you won't be able to do it anymore. Simple economics.

So, Tim, why don't you pick your favorite project on that list, hire some people to write code, and go for it? Most of the stuff on your list can't cost that much to do, and, if it did, then it's probably the wrong project for you, personally, financially, to work on. If that project makes money, you can reinvest it in something bigger anyway. Capitalism 101.

I think that Sameer in particular proves that the barriers to entry for some financial cryptography markets are still practically nonexistent from an investment perspective. Not for the stuff Sameer's doing, of course. He's raised his own barriers to entry behind him by investing in his markets already.
C2NET was completely bootstrapped, though, and hopefully, Sameer will never need outside investment. As smart as he is about business, he'd certainly be a fool to ever take VC money. However, like Bill Gates, the time may eventually come when he's got so many option holders in C2NET that the SEC will force him to go public, like they did to Microsoft, another bootstrapped company.

Anyway, especially in anonymous digital bearer settlement, which is the really important stuff in financial cryptography, there are lots of opportunities out there, and some of them are bootstrappable. Some of those which aren't should be funded by single, monomaniacal, investors like the Aldus guy did with Pagemaker, or you, Tim, should do with your favorite project on the list. Hopefully, the rest of the non-bootstrap stuff can be done with e$lab or something like it. At least that's what *I'm* hoping... ;-).

You don't even have to be incredibly active as an investor. Armand Hammer (not a good example as a human being, but certainly a good one here) got into the oil business practically by accident *after* he retired, and pretty much kept a retiree's schedule all throughout Occidental's growth into a major oil company.

Privacy, financial or otherwise, is economic efficiency. Anyone who consistently steers by the star of privacy is going to make money and thus change the world. And, Tim, there is no better navigator of those waters, anywhere in the world, than you are. None. You're the moral compass most of us in the crypto community have internalized when we think "what would Tim say" about something we're thinking about doing. (Well, you don't steer north all the time, sometimes there are rocks in the way, but you still have to know where north is, certainly, or you don't *get* anywhere. ;-))

So, Tim, again, which one of those projects do you want to do? Who are you going to hire to do them? More important, how much money do you think you'll get back by doing it?
Cheers,
Bob Hettinga
At 3:35 pm -0400 on 9/3/97, Tim May wrote:
I almost deleted these messages from Bob, but have decided to say a few words about financing companies "to help the Cypherpunks cause."
Frankly, I wish you had, we seem to get along better that way, something I keep forgetting, but here goes...
To the contrary, I never write political and socioeconomic essays with the expectation that someone out there will be "making something for me."
So, you just write them in vacuo? I doubt that. Nobody writes things so that no one will ever read them. Especially when they post them to an immediate potential audience of thousands, and their words are permanently archived for posterity in at least 10 places. :-). Even if you posted them here so no one would act on your suggestions -- the best ones out there, I might add, because you've thought about all of these things longer and harder than practically anyone in the world -- they still have value, which is why I, for one, asked for them.
But generating "VC funding requests" is most definitely not even in my Top Ten of reasons.
Of course not. However, it doesn't keep your best thinking on this from having economic value, nonetheless...
From Day One, I have not shied away from talking about interesting building blocks.
Which is why I asked for your opinion, besides to set a rhetorical trap for you, of course. :-).
I agree with this. Certainly for all of the chants about "Cypherpunks write code," and the several years worth of (apparently) several dozen folks here writing code of some sort, what are we really left with that has had a major effect?
Nothing. That's because it costs money to do, and the best people have to work for a living. Well, most of the best people do, anyway. :-).
Most of the code apparently being written either never makes it into products, or is buried deeply, or just evaporates (as code tends to do, a la bit rot). PGP, SSH, the remailer code, and a few other such achievements are what lasts.
Agreed. Just think, there would be more effort put into the exercise of writing code if people could see reward for the risk of their time and neurons. Frankly, for the best coders _qua_ coders, probably, the only reward, after the inherent satisfaction of doing good work, in my opinion, is money. Like Rhett Butler said in GWTW: "People say that money doesn't buy happiness, but it usually does, and when it can't it can buy the most interesting substitutes." I see your life, including your door-side stack of assault rifles, to be reasonable proof of interesting substitutes at the very least, myself. :-).
I don't trash such efforts. Rather, I think it means that it is vitally important that we think carefully about what code is interesting and important. This beats the hell out of people just starting in at coding for the sake of coding.
Indeed. And, I claim that the very best barometer of what works is what sells in the market.
First, this grossly oversimplifies the process of funding companies.
If *I* knew what *you* knew? Someday, when I can afford the body armor, you can give me the briefing. :-).
Methinks Bob has read about Jim Clark's decision to fund Andreessen and Company too many times. Rarely (very rarely) do the VCs hire people to write the code for some vision.
Well, frankly, I'm not after VC money, but we'll talk about that in a minute.
Second, writing code is cheap, and requires almost no capital. No factories, no chip making machines, no clean rooms, etc. Just a bunch of people with ideas doing it themselves. Nearly all successful software companies started out with almost no working capital.
Agreed. However, there is opportunity cost, measured not only in the time invested on something else, but the return on the investment of doing that other thing. "The cost of anything is the foregone alternative." As my old Mizzou econ prof liked to beat us with. Frankly, if you're doing things for the glory of the revolution, or to make the world free from nation-states, or the joy of flight, that's cool, but it don't pay the rent. It may temporarily focus your efforts more than if you're just trying to pay the rent, certainly, but it won't actually keep the wolves from the door nearly as well as a ducat or two will. In other words, it may have been the joy of flight which motivated the Wright Brothers, but it was coach fare to Cleveland which built the DC3 and got the rest of us actually in the air.
(By contrast, I've watched several "idea" companies which had the "grand vision" first and then sought to hire the hired guns to write the code. All four that I have followed failed.
Certainly a bass-ackward way to do it. Unfortunately, that's the way Disney did it, or L.B. Mayer did it, or Gates, or Edison, or Parekh did it. They had a picture in their head of the way the world worked, or should work, they did things, as cheaply as possible, which should work in that picture, and they were right. They still invested something, is my point, whether it was their money or their time, or their inspiration. Just because your friends spent so much money doing what they wanted to do, Tim, or doing the wrong thing because they didn't know how, doesn't mean that economic enterprise shouldn't exist at all. There's something to be said for heuristics, obviously, but I think your sample size is too small.
A handful of these programmers seem to be truly gifted...the rest are, well, hackers. OK for churning out code with well-defined specifications (and even then the well known Brooks' Law sorts of factors can make some of them grossly unproductive). The few who seem really gifted would be fools to work for a pittance for me--and I'm not willing to give them their easily-gotten daily consulting rates for months on end, etc.
Frankly, gifted programmers are not the people who make money, Tim. Robert Noyce may have been a gifted scientist once, but in the end it was his ability to motivate people ("...don't expect to come here and have me solve your problems. It's *your* ass.") that mattered. That and his ability to understand the opportunities in his market.
Fourth, in my years of Cypherpunks involvement, I have never seen any reasonable investment opportunities. This is not to say there have not been any, especially with the benefit of hindsight.
Probably because as one of the few people around who understood what constitutes an investment opportunity, you didn't create one?
Side note: <snip> What about C2 Net? <snip> He probably--and I haven't checked with him on this--knew that the best opportunities were funded on a shoestring, by those involved directly, by those living the dream, and that diluting his ownership with outside funding would be a mistake. And this shoestring operation was able to more nimbly move to take advantage of opportunities, e.g., dropping the original focus on being a kind of "local ISP" (which is what I perceived the original CC to be) and to instead focus on SSLeay/Stronghold stuff.
Sameer is exactly my case in point. He decided, at the outset, to make money, with as little investment as possible, from cryptography. He kept looking, no, *creating*, opportunities in cryptography until he figured out that financial cryptography was literally where the money was, and now he's riding that pony for all it's worth. Gates, Carnegie, Morgan, all those guys did the same thing.
Other companies have sought funding in a grander way. E.g., PGP, Inc. I had no desire to invest in them, for various reasons. I wish them well, of course.
I look at PGP, Inc., as the second round of funding for Phil's Pretty Good Software, Inc. They have a product, they have a market, they have (mostly) a management, they needed money to go after much larger competition, like RSA/DSI, and people with money trusted that they could do it. And, it's a good bet, after a false start, that that's the case...
Eric Hughes has a company, "Simple Access." To tell the truth, and in spite of Eric being a longtime friend of mine (since 1990 at least), I really have no idea what they do. The "www.sac.net" site is remarkably uninformative. Perhaps by design. In any case, I don't think investing money in this is what I want to do.
Rumor has it that they don't pay their bills, and have been stiffing various suppliers ever since they started up. "You should think like an illegal actor" indeed. I understand that there's enough in unpaid bills from around the country at this point to call in the Feds, of all people, onto SA, but most of the people holding the bag are politically opposed to calling the cops. Kind of works out nice for Eric and Hilby, though it makes for an interesting incentive to build one of your eternity-style deadbeat servers, now that I think about it. It might explain why, in addition to the reasons you've already outlined above, they haven't actually gotten anything off the ground. What goes around comes around, and all that.
And there's Electric Communities (www.communities.com), containing several past or present Cypherpunks. I have a lot of hope from them, for "Microcosm," but, again, this is someone else's vision. It's too soon to tell if they have a killer app on their hands. If they do, then business magazines will write sage articles on the wisdom of the VCs. If not, as the odds must say is likelier, just by Bayesian odds, then they'll be forgotten, and the VC money will have just evaporated.
Agreed. However, you have to remember that probability works both ways. The expected value of an investment, be it VC or not, has to be greater than zero, or the money won't go there. That, I believe, is why we have investors in technology, in particular cryptography. It's why I also think that the largest investment opportunities in cryptography will be in financial cryptography, which, I expect, requires all the fun things that people here want to implement, anonymity, unbreakable encryption, reputation sanction, the works, to exist in order to work well. More to the point, all of this stuff will exist because it will be the *cheapest* way to transact business on the net, probably by several orders of magnitude over the way it's done now. It's also why I think you, Tim, would be one of the best financial cryptography investors on the planet. If you decide to "create" an opportunity or two.
Fifth, what I have seen from all of these experiences is that the popular impression of VC funding, that someone has a good idea, then finds a VC angel to provide seed funding, then worker bees are hired, etc., is basically wrong. Or at least a recipe for disaster.
Pretty much agreed. Like the old Jewish shopkeeper's maxim: "First thing you do, you get the money." That means customers, not investors. However, in order to get customers, you have to have something to sell, which requires an investment of some kind. Chicken and egg, maybe. That's probably why some investors are willing to break the cycle if you can show them where the money's going to come from. Frankly, if you sell them a story instead of a market, they deserve to lose their money on you, and you deserve to not get anyone's money anymore.
The best growth opportunities come from nimble, mostly self-funded small teams that can learn in an evolutionary way, changing focus as failures occur and learning from mistakes. The worst growth opportunities come from "grand vision" situations.
Absolutely agree. Except of course, that those nimble self-funded small teams have the most coherent "grand visions" in their head of anyone in the market. They know what the world should be so well that even if nobody will invest in their idea, they can make money with it. "The first thing you do, get the money." However, coming from Intel, did you notice that Intel had investors? Admittedly, software startups don't need *that* much money, as you've said. As long as the principals see there's money to be made from their efforts in the long run. Or they want to change the world. And, frankly, I think financial cryptography is the best of both; you're getting paid to change the world.
Sixth, we often forget that "history is written by the winners." We ask the five star general what his strategies were, forgetting that he became a general because he survived the battles and triumphed. Sort of like asking the Lottery winner what her strategy was....one will get answers, but they probably won't be useful.
Post hoc, ergo, propter hoc. Certainly. Warren Buffett talked in a Forbes issue on portfolio managers a few years ago about a country of 268 million chimpanzees, where everyone is given a quarter, and every day the chimps would pair off and flip coins, winner take all. After 28 days of increasingly high-stakes "competition", a single winner would emerge, and write a book titled "How I made $68 million in a month, working just seconds a day". However, like I said before, if the expected value of a given investment is positive, then you can make money investing in enough investments just like it, Tim, as you, of all people, know. It's not a zero sum game. That's why it's called investing, and not gambling... Lots of people who just go through the mechanics of "active" portfolio management might as well invest in an index and let other people think about such things. However, Tim, my claim is that, as someone who knows more than practically anyone else about this field and what it could do, you have the, forgive me, "grand vision" thing down better than almost anyone. You invented most of it, for starters. :-). It's one of the reasons this list is what it is, vitriol and all. ;-). A selling point of the Schnelling Point, to torture the language more than a little.
Asking Jim Clarke or Bill Gates to opine on his strategies for success is not quite as pointless, but is not real useful either. Ask also Manny Fernandez about Gavilan Computer. Or ask the financiers of Ovation, Processor Technology, Mad Computers, Symbolics, Thinking Machines, Trilogy, or a hundred other examples of companies that burned through a billion dollars of hard-earned investor money.
I'm not so sure about that. Clearly, people like Clarke, or Gates, or lots of other people, for that matter, know how to make money just by investing their time and intuition into something. That skill is mostly learned, I think. Gates' parents and family taught it to him, for instance, and it's clear that somebody taught Clarke as well, or he wouldn't have been able to do Netscape after SGI. Whether Clarke, or Gates, for that matter, can continue to do so is anybody's guess, but clearly, they're making it happen, or we wouldn't be talking about them. I also believe that lots of other people who know almost what you know about cryptography could learn a little about making a business, pick up a lot of that financial cryptography that's on the floor, and make the stuff we all think should happen faster than if they just wrote code for the cause and hoped that people would use it. Money makes a good proxy for measuring success, and it buys stuff too...
Seventh, I have no doubt that if I issued a cattle call for programmers to write C code for some pet project I'd get some bites. The "burn rate" for a supported programmer is higher than the salary, of course. (Many will work for a share of the company, plus a living wage, but this of course means incorporation....not a simple matter of just offering to hire programmers.)
Yes, you have to actually spend money (in some form, even time) in order to make money. And, frankly, if you spend enough time doing something well, you'll probably make money too, in spite of your reason for doing things. PRZ is a great example of this, which actually proves my point.
Those small software companies I mentioned burned through $5 million in 3 or so years, with nothing to show for it. And they sure did have the grand vision.
Well, if you count the odds of a single company succeeding, that's about what you expect, right? However, if you looked at, say 30 of such companies, even picking them at random would probably pay for your losses from the ones which hit.
Sorry, but I have no desire in even "giving away" a million bucks, let alone several.
I don't think I said anything about giving money away. I said that you, of all people, know significantly more about cryptography, financial cryptography in particular, that you would be a person who could make real nice money investing in it. Unlike most investors who will be investing in strong crypto and privacy, you are in a very good position to create your own opportunities, instead of waiting for them to present themselves.
In 1993 I elected to help fund a small startup with an extremely promising technology. <snip> And that $65K investment necessitated my sale of $100K worth of various stocks, including Intel, due to the income tax laws being what they are. That $100K worth of stock would now be worth $600K, roughly, given that Intel has gone from $15 to $100 in that period. C'est la vie.
The cost of anything is the foregone alternative. But, like Heinlein said, "Of course the game is rigged. But, you can't win if you don't play."
But it sure makes me more cautious about funding little startups.
Amen.
And I for damned sure won't write out checks for people I only casually know from this mailing list and from occasional Cypherpunks meetings!!!)
I doubt that that's the way *you'd* invest in crypto at all. Nobody but fools would do that. However, you, not being a fool, do know what to invest in, and, more to the point, you'd be more likely to make the stuff you want to happen if you were actively engaged, i.e., invested, in the process. Given what you've done in your life so far, that is.
I could easily spend $500K (costing me an actual $700K before taxes, less some tax deductions as a business, possibly) hiring a staff of several programmers for slightly more than a year. Then it'd be gone. Would a "product" be ready? You tell me the odds.
Frankly, I think they'd be pretty good. Given what we've agreed before about what to code being the most important part of coding. I also expect that others with more money than time, would kick some in to make it happen.
And what would come out of such an effort? I've watched a certain American living in Europe burn through most (and maybe all?) of his fortune, and (some say) his family's fortune, and he had the best of pedigrees and the best set of ideas there is. Now many of us quibble with the choices he made, in licensing, etc., but this should be a cautionary tale to anyone who thinks such funding is easy.
You're talking about David Chaum, of course. And hindsight, which is always bullshit (my hindsight in particular ;-)), says that he should have worked on financial cryptography, a field he invented, and let other people try to be banks, and then software companies, and now credit card associations. Dolby is his business model, not Citibank, or VISA.
I'm not being defeatist. I know that sometimes a $500K investment could turn into tens of millions. It sometimes happens. But usually not, even for the proposals that get funded. (And VCs tend to look at 10 to 30 proposals for every one they actually fund, so the odds in the Cypherpunks pool ain't real great that even a single proposal would reach the funding stage, let alone turn into another Netscape or Yahoo.)
I think that the time has come to change the conventional wisdom on that. In my opinion, there is enough cryptography out there, particularly financial cryptography, that can be funded to see what sells. Stuff which, by your own admission on this list as far back as 3 years ago, needs more money than people can donate time for, though not as much as you thought back then.
No, I'm not a defeatist. But I worked very hard for many years, saving a large fraction of my paycheck and saving my purchased stock (including stock options, which were not as lucrative as popular myth might have it...what made them now worth so much money is that I didn't sell them when they became available, as so many of my coworkers did). I don't intend to blow through half a million or a million bucks a year funding some grand vision,
I think we're getting to the nub of things, here, and maybe a way to hone the point a bit. I'm saying, for a lot of technology, that it may not cost $500K. It might, because of the diseconomies of scale for internet software and the lack of barriers to entry for the extremely clueful technology folks out there, be possible to get a fully functional product to market for as little as $250k, if you could figure out a way to standardize most of the administrative/legal/financial cruft so that the current crop of 20-something proto-crypto-entrepreneurs could concentrate on getting stuff done quickly. That, in fact, is what a bunch of us want to do with this e$lab thing we're kicking around. However, Tim, someone like you doesn't *need* something like e$lab (if anyone does at all :-)). You already *know* how to invest in something properly. You *know* who all the good people are and where all the bodies are buried. And you clearly know how to squeeze a buck until it hollers. Hell, you can even fight off an assault of black-nomex-clad ninja bill collectors. :-). Finally, you probably could do it for significantly *less* than that $250k... Someone like you could go out there and find, or, better, build, something which is just sitting at the edge of the cliff, full of kinetic energy already, and kick it off onto the market's head. There's shitloads of that stuff out there right now, and if you thought about it, you'd know more about what to do, and how to do it, than anyone else. Anyone. And, I claim, that *that* is the only way to *deploy* any of the stuff on your list in any *useful* fashion quickly enough to stop the kinds of totalitarian statism that seems to be afoot this week. If you make something which saves people whole bunches of money and which uses strong cryptography to do it, then privacy through strong cryptography isn't just a good idea, it's a business necessity. Again, you're the person who can do this best, I think.
especially when there seem to be few grand visions that are realistic.
As the one person I know whose reality distortion field is bigger (and more coherent, I might add) than mine (I'm also modest to a fault; ask me...), I find this hard to believe. *Make* a grand vision which is realistic, if you don't like what's out there. Frankly, you already have one. Just add money and stir rapidly...
(Plenty of zealots, though.)
So it seems. ;-).
The Pagemaker team wrote it on a shoestring. No VCs until much later, when a product existed. (BTW, similar to the models for both PGP, Inc. and C2Net, where actual products are actually being sold or distributed.)
Exactly. However, in the case of Pagemaker, the shoestring was *paid* for. That's why he made out like a bandit. Because he knew exactly what he wanted, hired the programmers, told them what to write, and paid them for their work, he *owned* the code when he was done. This is exactly what I see you doing. Same thing with C2NET. My bet is that, for the moment, at least, Sameer owns it *all*, and, frankly, most of the people who work for him are just happy to get paid to do what they love to do, because nobody's investing in the market right now the way Sameer does. When people start to really invest in the market, Sameer's going to have to offer stock options, like Gates did, to keep people. But he's never going to need to get actual investment from anyone ever, if he plays his card right. Of course, like Gates, he might have to go public someday if he's got too many option holders. That's a nice problem to have, as I've said before. My point, Tim, is that you could take any of the projects on your list, or just the best one, and fund its development as cheaply as possible, on a shoestring, and do exactly what Sameer or Gates did. Though obviously not on the same scale as Gates, of course, but certainly the same mechanical process, and with more than enough return on your investment.
As it happens, I knew Adam Osborne.
Great. So you know how to do it then.
The problem with your "rhetorical traps," by your own admission, is that you just don't know what you're talking about in most cases, at least insofar as startups and funding go.
You may be right, and, frankly, at the moment, all I can do is bark at the end of my rope about it. :-). Your uncanny talent for ad hominems aside, I believe that my *analysis* of the situation is still valid, no matter my motives or credentials to make it. Frankly, there are people with more than enough credentials agreeing with me on a lot of this stuff. However, that and a nickel, etc... That analysis is that you, Tim May, the person who knows more about this class of stuff than anyone out there, would, in my (completely unworthy ;-)) opinion, be an ideal person to make the right stuff happen. You have the (if you'll pardon the aspersions on your character) "vision", you have the knowledge, -- you even have the money -- to create your own opportunities in cryptography, especially in financial cryptography, which is the lever long enough to lift the world, as it were. And it's a shame you don't just up and do it.
I recall your "hothouse" VC proposal (I may have the name wrong, but the idea was the same as one of those hothouse schemes, with offices for budding entrepreneurs, etc.).
Yup. It's called e$lab, for the time being, and it's supposed to be modeled on IdeaLab in Sacramento, and ThermoElectron, here in Massachusetts, and its purpose is to put together as many financial cryptography companies as possible. Thank you for the plug, however backhanded. Just spell my name right, or not, and I'll be happy. Any mention you can walk away from, and all that...
Maybe in another post I'll give my views on why such hothouse schemes are lousy ideas.
Wonderful. Love to hear it. Be prepared to stand in line for a little while at the microphone, though... :-).
But if yours is up and running and headed for success, I'll be happy to stand corrected.
I'd be happy to stand and correct you, someday, hopefully soon. If it works, that is. Another nice problem to have. Certainly e$lab represents my willingness to put people with money and business acumen together with people who know financial cryptography until the people who know financial cryptography have enough business acumen to teach it themselves. Whether e$lab ends up a 'hothouse' in the model we've all come to know and love remains to be seen. It doesn't mean we get to quit, though. Sameer's original idea for C2NET didn't work, or his second, either, for that matter. Microsoft isn't Traff-o-Data anymore. However, the "grand vision" is still there, and I'm just as convinced that it's right as they were of theirs...
John chooses to do the things he chooses to do. He has more interest in, or faith in, the legal process. I have more interest in, or faith in, the expository process. I write about 100 times as much as he does. To each their own.
Indeed. Maybe we're circling around another important truth here. Mark Twain made his name, and lots of money, writing. You don't need money, but you've made your name by thinking, writing, and talking, for the most part. Mark Twain spent horrendous chunks of his personal fortune on a supposedly revolutionary printing press, or maybe it was a precursor to the typewriter, something like that. His famous quote, "Put all your eggs in one basket. And watch the basket." comes from that experience. Heck, maybe all *I'm* good for is shooting my mouth off too. (That and conning people into doing fun projects, hopefully for money.) It would be nice, someday, to have done a little more than that, though. It could be that you're not temperamentally suited to invest your time, effort, and money into strong cryptography as a business, even if you did know more about where the future is and how to do it cheaper than anyone else, as I believe you do.
I won't get involved in Bob's seeming challenge to me to start matching John's investments.
I'm not challenging, per se. That's a little more effort than I'm capable of. Wheedling might be more apt, but that's an undignified appellation for my good intent, here. ;-).
It costs money, but almost certainly not VC money. Take just one example, an offshore credit reporting agency not bound by U.S. restrictions under the FCRA. There is no need for a VC to fund this...this is best done "on a shoestring" by someone who starts small and expands.
Exactly my point. I think, myself, that venture capital is probably an industrial phenomenon, caused by transfer pricing inefficiencies in a hierarchically organized, government controlled, capital market. (But, that, of course, is an indecipherable jargon-pile for another day.) I'm sure that someday -- after someone *else* makes a bunch of money bootstrapping various successful financial cryptography companies -- venture capitalists will invest in financial cryptography. Maybe, if we make something like e$lab work, somebody in the venture capital business will want to play there some day, too. Hopefully, if we need to have a second round at all, shares in e$lab would be stable -- and large -- enough to be more in line with straight up institutional investment than venture capital. Again, a nice problem to have. And maybe one we don't even need to have. e$lab may only be of a certain size. Certainly if the investment's small enough and the returns are large enough, and if every person in China gave us a nickel... :-).
(Think of how Amazon.com got started. Lots of similar examples.)
Indeed.
Personally, I would only get involved in such a thing if I lived offshore, as the government could otherwise come after me (even for funding such a thing). But the interesting pros and cons of such a project are well worth discussing. Maybe someone out there will do it.
I think that lots of what you want to do don't need to be done offshore, and, remembering that whatever you do offshore still hangs your ass here Stateside, if it can be proven, it doesn't help to be there much. People like one of the Duty Free Shops partners, and a commodity trader in Zug, Switzerland (Not to be confused with ZOG, Palestine :-)) come to mind. In addition, there are lots of foreign nationals trying to make some of this "regulatory arbitrage" stuff happen as we speak. Anyway, you yourself have said here, many times (check the archives ;-)), that technology has to be built which is jurisdiction independent, anyway. Besides, you've also said here, many times (check the arch<BIFF! Ouch!...>) that living offshore, except maybe for the nice weather in Anguilla, is not what it would be cracked up to be for someone like you, anyway...
(This space reserved for someone to chime in about Vince Cate's ISP operation in Anguilla.)
Ask not for whom the bell tolls, etc...
Why don't you knock off the "Put up or shut up" kinds of remarks? It's never a good basis for investment, to respond to "dares."
My apologies. I'm not entirely sure I was "daring" you to do anything. And, I agree that responding to a "dare" is not a rational investment strategy. However, I bet that if you put some of your considerable expertise in both investing and in cryptography, that you could figure out a way to make a lot of the stuff that we talk about here on this list real. (Maybe, if I'm not careful and I keep bugging you enough, even assassination markets. ;-))
I'll say what I want to say. Maybe even someday a good investment will appear. But from what I've seen of the folks at gatherings I meet them at, few of them would be good candidates for a VC-funded approach.
Nope. More like a hands-on, bootstrap, create your own opportunity approach, which is what I'm talking about. Something you could probably do, and probably do better than anyone else out there, by virtue of having created this "vision" we all want to see happen.
No, what it shows is the power of small entrepreneurs doing very local things, with the things that succeed being all that we remember (the losers are forgotten).
Agreed, but again, that's not the point. The point is, that for a given amount of money, time, and determination, more money is made than is invested over all. And, frankly, I do not believe that people like Sameer are "lucky" (heh...) anyway. He made his luck by not giving up on making money with privacy and cryptography. What he found was the most money can be made in financial cryptography, which is, oddly enough, the way to make the most privacy happen as well. Funny how that economics stuff works...
Yeah, well let us know when "e$lab" gets really rolling.
As Tallulah Bankhead said to Chico Marx under lewd circumstances: "And so you shall, you old fashioned boy"...
Personally, I think you undercut your own significance by the heavy reliance on cutesy names centering around "$" in place of "s," as in "e-$pam" and "e$lab." Cutesy wears thin fast.
Cutesy may be as cutesy does, but heavy reliance on it or not, it's not nearly as skinny a gambit as periodically calling for "somebody" to suitcase nuke Washington, however pleasant the prospect may be to some of us on occasion.
In the meantime, knock off with the dares.
Admittedly, I did not play fair back there. When one bangs on the cage of a 900 lb gorilla with a stick, one should expect a little shit thrown in one's face in return... I mean, not that you're a gorilla or anything, Tim. Or 900 pounds. Or even throw shit, for that matter, but, well, maybe I better quit, now...
Maybe we should just mutually ignore each other for a while.
Sounds like a good idea. I keep forgetting that when we try to engage in civil discourse, I say something that pisses you off and my throat gets ripped out...

Cheers,
Bob Hettinga

-----------------
Robert Hettinga (rah@shipwright.com), Philodox
e$, 44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
The e$ Home Page: http://www.shipwright.com/
In <v03102808b0314226079c@[207.167.93.63]>, on 09/01/97 at 09:42 PM, Tim May <tcmay@got.net> said:
The real stuff is going undone.
I must object to this. We at bomberpunks (TM) are getting the real work done. New and interesting technologies are currently being developed. Also further improvements in command and control, communications, strategic and tactical planning along with an increase of "in the field" training with numerous "freedom fighters" worldwide. Bomberpunks coming to a "soft target" near you.
"William H. Geiger III" <whgiii@amaranth.com> writes:
In <v03102808b0314226079c@[207.167.93.63]>, on 09/01/97 at 09:42 PM, Tim May <tcmay@got.net> said:
The real stuff is going undone.
I must object to this.
We at bomberpunks (TM) are getting the real work done. New and interesting technologies are currently being developed. Also further improvements in command and control, communications, strategic and tactical planning along with an increase of "in the field" training with numerous "freedom fighters" worldwide.
Bomberpunks coming to a "soft target" near you.
Cool. Please nuke Washington, DC. --- Dr.Dimitri Vulis KOTM Brighton Beach Boardwalk BBS, Forest Hills, N.Y.: +1-718-261-2013, 14.4Kbps
At 5:43 AM -0700 9/2/97, Robert Hettinga wrote:
At 12:42 am -0400 on 9/2/97, Tim May wrote:
Chaumian, identity-protecting technologies need to be deployed.
Frankly, I think Cypherpunks are getting off track with all the recent focus on "old" technologies (which I'll leave unspecified, as my point is not to attack certain pet projects).
The real stuff is going undone.
So, Tim, what should we all be working on, in particular?
OK, you asked. This isn't a comprehensive list.
1. Fully secure machine to machine connections for the Net, as in Gilmore's "SWAN" project. This makes the Net unsnoopable by the NSA and other TLAs, and makes encryption an automatic (at this level...individual users will of course still encrypt on top of this, as relying on others is never enough).
2. A usable form of Chaum's cash, a la Goldberg's or Schear's or Back's or whomever's implementation. An evolution of Magic Money, Hashcash, etc., using full strength algorithms. Backing can be decentralized. Less emphasis on deals with banks, more emphasis on guerilla deployment, a la PGP. (Initial uses may be for illegal things, which may be a good thing for deployment. Sex, for example, historically drives technologies like this. Thus, one might imagine combining blinded (no puns, please) cash with message pools to allow users to anonymously purchase JPEG images and have the resultant images placed in a pool for their later browsing. If done on a per image basis, for small amounts of digital cash, this could help users get their feet wet and gain familiarity. Integration into browsers would help.)
3. Distributed, decentralized data bases, a la Eternity, Blacknet, etc. My number one candidate: a commercial credit rating data base not bound by the U.S.' "Fair Credit Reporting Act." Let lenders and landlords find out the dirt on those who welshed on loans or who skipped out on leases, regardless of what the FCRA says. (This could technically be located today in any non-U.S. country, practically, but access by U.S. persons and corporations would have to be done circumspectly. A good use for blinded cash, of the _fully_ untraceable sort, e.g. payer- and payee-anonymous sort.) Ditto for ratings of doctors and lawyers. Some states in the U.S. are doing this, but under their strict state control. Why not laissez faire approaches, with user-inputted information? (I've written about this extensively. Cf. my Cyphernomicon, for example.)
4. Wider use of persistent pseudonyms. Most of the "anonymous" posts we see are signed in cleartext with names like "TruthMonger," "BombMonger," etc., with little use of PGP sigs to ensure persistence. Spoofing is trivial. Checking sigs is up to the *end reader*, for example, to see that "Pr0duct Cipher" really is the same nym that's in the past posted as Pr0duct Cipher, but it might be useful for us to start really making more use of this sig checking, and even to maintain our own data base of nyms and their public keys, as a kind of demonstration testbed.
5. And so on. Cf. the archives, etc. for many, many things.
What I meant by "the wrong stuff" is the recent focus on breaking simple ciphers that were known to be breakable 20 years ago...just a matter of applying the computons in the right way. All credit to Goldberg and all, but hardly accomplishing very interesting goals (helps Ian get a good job, that's certainly true). Maybe it'll cause slightly stronger crypto to be allowed for export...I don't really care too much about that.
In fact, the whole focus on _exports_ and doing things to make exports easier is a _detour_, even a _derailment_. As I've said, I'll start worrying about Netscape getting a license when they start paying me. Until then, foreigners should just bypass what Netscape provides and use drop-ins. (In fact, monkeywrenching the status quo is better than helping Netscape and Microsoft get stronger crypto. For lots of obvious reasons.)
My list above is not meant to be a "Strategic Plan." But clearly the Cypherpunks list has been slowly devolving into a gossip list, and a dumping ground for anonymous insults, drunken rambles, and a cheerleading group for predictable accomplishments and for corporate plans.
(In particular, a large fraction of the Bay Area contingent now work(s) for various companies in crypto capacities, even for crypto-focussed companies, and their edge, or at least their public utterance edge, has been dulled. One can speculate on some reasons. Too much talk about how to "help" PGP, Inc., for example, when PGP, Inc. is doing fairly ordinary crypto things and is in fact participating at some level in GAK talks. (I may get a nastygram from Phil on this, courtesy of helpful forwarders of my words to him...it's what I think.)
Also, 95% of the crap about "digital commerce" is merely a distraction. The wrong direction, the wrong technology. Just "Visa on the Net," and hence of no real use for our sorts of goals. Worse, the wrong direction.
I could rant on, but will spare you all.
--Tim May
There's something wrong when I'm a felon under an increasing number of laws.
Only one response to the key grabbers is warranted: "Death to Tyrants!"
---------:---------:---------:---------:---------:---------:---------:----
Timothy C. May              | Crypto Anarchy: encryption, digital money,
tcmay@got.net  408-728-0152 | anonymous networks, digital pseudonyms, zero
W.A.S.T.E.: Corralitos, CA  | knowledge, reputations, information markets,
Higher Power: 2^1398269     | black markets, collapse of governments.
"National borders aren't even speed bumps on the information superhighway."
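The "data base of nyms and their public keys" suggested in item 4 of the message above, sketched as an added example that is not part of the original post: a trust-on-first-use registry that pins each nym to the first key that validly signs under it and classifies every later post. Ed25519 from Node's built-in crypto stands in for PGP signatures; the `NymRegistry` class, the verdict names and the sample posts are constructed for illustration.

```javascript
// Added example (not from the original thread): persistent-pseudonym checking.
// Assumption: Ed25519 via Node's crypto module substitutes for PGP signatures.
const nodeCrypto = require('node:crypto');

// The nym is bound into the signed bytes, so a valid signature cannot be
// lifted from one post and re-attached under a different name.
function signedBytes(nym, body) {
  return Buffer.from(JSON.stringify([nym, body]), 'utf8');
}

// Short identifier for a public key: truncated SHA-256 of its DER encoding.
function fingerprint(publicKey) {
  const der = publicKey.export({ type: 'spki', format: 'der' });
  return nodeCrypto.createHash('sha256').update(der).digest('hex').slice(0, 16);
}

// Produce a signed post the way a nym holder would.
function signPost(nym, body, keyPair) {
  return {
    nym,
    body,
    keyPem: keyPair.publicKey.export({ type: 'spki', format: 'pem' }),
    sig: nodeCrypto.sign(null, signedBytes(nym, body), keyPair.privateKey).toString('base64'),
  };
}

class NymRegistry {
  constructor() {
    this.pins = new Map(); // nym -> { fp, posts }
  }

  // Classify one post against what the registry has seen before.
  check(post) {
    const pinned = this.pins.get(post.nym);
    if (!post.sig || !post.keyPem) {
      // A cleartext name only: nothing ties this post to any earlier one.
      return { verdict: 'UNSIGNED', nymIsPinned: Boolean(pinned) };
    }
    let key;
    let ok = false;
    try {
      key = nodeCrypto.createPublicKey(post.keyPem);
      ok = nodeCrypto.verify(null, signedBytes(post.nym, post.body), key,
        Buffer.from(post.sig, 'base64'));
    } catch (err) {
      ok = false; // malformed key or signature counts as a failed check
    }
    if (!ok) return { verdict: 'BAD_SIGNATURE', nymIsPinned: Boolean(pinned) };

    const fp = fingerprint(key);
    if (!pinned) {
      // First valid signature seen under this name: remember the key.
      this.pins.set(post.nym, { fp, posts: 1 });
      return { verdict: 'NEW_NYM_PINNED', fp };
    }
    if (pinned.fp !== fp) {
      // Valid signature, but by a key other than the one this nym used before.
      return { verdict: 'KEY_MISMATCH', fp, expected: pinned.fp };
    }
    pinned.posts += 1;
    return { verdict: 'SAME_NYM', fp, posts: pinned.posts };
  }
}

// Constructed sample traffic: two genuine posts, a post signed by a different
// key under the same name, a post altered after signing, and an unsigned post.
function demo() {
  const holder = nodeCrypto.generateKeyPairSync('ed25519');
  const other = nodeCrypto.generateKeyPairSync('ed25519');
  const registry = new NymRegistry();
  const first = signPost('Pr0duct Cipher', 'first post', holder);
  const second = signPost('Pr0duct Cipher', 'second post', holder);
  const otherKey = signPost('Pr0duct Cipher', 'not the same author', other);
  const altered = { ...second, body: 'second post, edited in transit' };
  const unsigned = { nym: 'Pr0duct Cipher', body: 'name typed in cleartext' };
  return [first, second, otherKey, altered, unsigned]
    .map((post) => registry.check(post).verdict);
}

console.log(demo().join('\n'));
```

The registry only establishes continuity with the first key seen; it says nothing about who is behind a nym, and a lookalike name such as "Product Cipher" is simply a different entry.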
At 6:25 PM -0700 9/2/97, Robert Hettinga wrote:
So, Tim, does this mean that you're now willing to fund development of any of those things? ... In other words, if you want to see it, Tim, and you can't build it yourself, hire it built, and see if it sells. It's risky, any investment is, but given your past financial success, you're demonstrably clueful enough to get a good return for any investment you make in cryptography.
Sorry I "donated" my time making up this list, given the messages I'm seeing and the private chastisements of me for daring to suggest. Apparently some of you think that only full-time C or Java programmers are qualified to make suggestions. And spare me the lectures on Capitalism 101. --Tim May
I almost deleted these messages from Bob, but have decided to say a few words about financing companies "to help the Cypherpunks cause." As I lack the energy right now to compose an essay from scratch, I'll take the easier way out and respond to Bob's points. At 7:23 AM -0700 9/3/97, Robert Hettinga wrote:
At 11:21 pm -0400 on 9/2/97, Tim May wrote:
Sorry I "donated" my time making up this list,
To the contrary, it's not a donation at all. I see it as a set of investment criteria, myself. How is the market going to make something for you if it doesn't know what you want? Keeping in mind what I said about
To the contrary, I never write political and socioeconomic essays with the expectation that someone out there will be "making something for me." That's just plain disconnected from reality thinking. Why I write, and what I write, has various motivations. No time to delve into a psychoanalysis of this right now--my Cyphernomicon has sections describing the confluence of technologies and opportunities I saw beginning in about 1987 or so, with comments on why I think these are such exciting issues. I write because the ideas interest me, not to make a few bucks. (And, as I explain later, the odds of losing $1-2 million in VC investments grossly outweigh the odds of making $10-20 M. Grossly.) But generating "VC funding requests" is most definitely not even in my Top Ten of reasons.
Maybe they're misinterpreting all the stuff you've said over the years about "something must be done", "cypherpunks is not a group", and "we" ought to do to things, etc.
From Day One, I have not shied away from talking about interesting building blocks. Including remailers, which I briefed the attendees at the first meeting on (having been mightily influenced by Chaum's 1981 brief paper on untraceable e-mail). And so on. This is well-covered history.
It is true that I try to avoid using the language "Here's what I want you to work on," and variants. My "things we need to work on" was my name for a list--and not the first one--of things which I think are a lot more interesting and important than working on, say, lists of "things that make Cypherpunks happy," or silk-screening new t-shirts with the slogan du jour.
Frankly, a discussion of specifications and desired results is worth much more than the wasted random effort saved when people just write code and let god sort it out. I mean, Michelson-Morley may have been a neat experimental finding, but nothing really happened with gravity until Einstein figured out space-time, right?
I agree with this. Certainly for all of the chants about "Cypherpunks write code," and the several years worth of (apparently) several dozen folks here writing code of some sort, what are we really left with that has had a major effect? Most of the code apparently being written either never makes it into products, or is buried deeply, or just evaporates (as code tends to do, a la bit rot). PGP, SSH, the remailer code, and a few other such achievements are what lasts. I don't trash such efforts. Rather, I think it means that it is vitally important that we think carefully about what code is interesting and important. This beats the hell out of people just starting in at coding for the sake of coding. Part of coding is carefully deciding what to code. This is Programming 101, or at least should be. Deciding that a simple remailer would be an interesting thing to code was the important part of getting remailers deployed....the actual coding of the first actual remailer (of the Cypherpunks "true" style, not the WizVax/Kleinpaste/Helsingius nym server style) took a weekend of Perl hacking by Eric Hughes. Knowing _what_ to program is 90% of the effort. ...
Of course not. See above. There are many more people who know how to write code than there are like you, Tim, who know what to do it *for*. Unfortunately, people who write code need to eat. Fortunately, people who know what to do can raise money to hire people who write code if the idea's good enough to sell twice: once to investors, and again to the market for
This is the crux of my essay here. Read this part even if you skip the rest.
First, this grossly oversimplifies the process of funding companies. Methinks Bob has read about Jim Clark's decision to fund Andreessen and Company too many times. Rarely (very rarely) do the VCs hire people to write the code for some vision.
Second, writing code is cheap, and requires almost no capital. No factories, no chip making machines, no clean rooms, etc. Just a bunch of people with ideas doing it themselves. Nearly all successful software companies started out with almost no working capital.
(By contrast, I've watched several "idea" companies which had the "grand vision" first and then sought to hire the hired guns to write the code. All four that I have followed failed. One burned through about $5 million, another through $2 million. And one that just finally gave up the ghost is reported (by a friend of mine, and I haven't been able to confirm it) to have absorbed more than $30 million in funding by the initial investors and then by the parent company which acquired or semi-acquired them and pumped more money in.)
Third, I've seen a lot of programmers here in the Bay Area, either because of my work at Intel on AI/Lisp sorts of stuff, or the Hackers Conference, or many years of Bay Area parties, Cypherpunks events, etc. A handful of these programmers seem to be truly gifted...the rest are, well, hackers. OK for churning out code with well-defined specifications (and even then the well known Brooks' Law sorts of factors can make some of them grossly unproductive). The few who seem really gifted would be fools to work for a pittance for me--and I'm not willing to give them their easily-gotten daily consulting rates for months on end, etc.
Fourth, in my years of Cypherpunks involvement, I have never seen any reasonable investment opportunities. This is not to say there have not been any, especially with the benefit of hindsight.
Side note: There have been several startups loosely associated, or even closely associated, with Cypherpunks. Some were started before (Cygnus, for example), and cannot really be called CP companies.
What about C2 Net? I have no idea what that company is now worth, but I know that it evolved from Sameer's Community Connexxion. While we all nodded and applauded Sameer's plan to hook up his dorm or whatever with terminals in the bathrooms (I'm not joking, by the way), I never saw this as something to put hard-earned money into. Nor did Sameer solicit "angels" to fund this vision. At least I never heard him soliciting. He probably--and I haven't checked with him on this--knew that the best opportunities were funded on a shoestring, by those involved directly, by those living the dream, and that diluting his ownership with outside funding would be a mistake. And this shoestring operation was able to more nimbly move to take advantage of opportunities, e.g., dropping the original focus on being a kind of "local ISP" (which is what I perceived the original CC to be) and to instead focus on SSLeay/Stronghold stuff.
Other companies have sought funding in a grander way. E.g., PGP, Inc. I had no desire to invest in them, for various reasons. I wish them well, of course.
Eric Hughes has a company, "Simple Access." To tell the truth, and in spite of Eric being a longtime friend of mine (since 1990 at least), I really have no idea what they do. The "www.sac.net" site is remarkably uninformative. Perhaps by design. In any case, I don't think investing money in this is what I want to do.
And there's Electric Communities (www.communities.com), containing several past or present Cypherpunks. I have a lot of hope from them, for "Microcosm," but, again, this is someone else's vision. It's too soon to tell if they have a killer app on their hands. If they do, then business magazines will write sage articles on the wisdom of the VCs.
If not, as the odds must say is likelier, just by Bayesian odds, then they'll be forgotten, and the VC money will have just evaporated.
Fifth, what I have seen from all of these experiences is that the popular impression of VC funding, that someone has a good idea, then finds a VC angel to provide seed funding, then worker bees are hired, etc., is basically wrong. Or at least a recipe for disaster. The best growth opportunities come from nimble, mostly self-funded small teams that can learn in an evolutionary way, changing focus as failures occur and learning from mistakes. The worst growth opportunities come from "grand vision" situations.
Sixth, we often forget that "history is written by the winners." We ask the five star general what his strategies were, forgetting that he became a general because he survived the battles and triumphed. Sort of like asking the Lottery winner what her strategy was....one will get answers, but they probably won't be useful. Asking Jim Clark or Bill Gates to opine on his strategies for success is not quite as pointless, but is not real useful either. Ask also Manny Fernandez about Gavilan Computer. Or ask the financiers of Ovation, Processor Technology, Mad Computers, Symbolics, Thinking Machines, Trilogy, or a hundred other examples of companies that burned through a billion dollars of hard-earned investor money.
Seventh, I have no doubt that if I issued a cattle call for programmers to write C code for some pet project I'd get some bites. The "burn rate" for a supported programmer is higher than the salary, of course. (Many will work for a share of the company, plus a living wage, but this of course means incorporation....not a simple matter of just offering to hire programmers.) Those small software companies I mentioned burned through $5 million in 3 or so years, with nothing to show for it. And they sure did have the grand vision. Sorry, but I have no desire in even "giving away" a million bucks, let alone several.
(Another sidenote: In 1993 I elected to help fund a small startup with an extremely promising technology. And the principals were, and still are, incredibly hard working people. I call them "sled dogs" for their perseverance and 80 hours a week (each) work habits. I bought a small stake in the company, for about $65K. So did several others. And some contract money came in. The entire funding was burned through in a matter of a year or two, and now they're struggling. They can't raise more without giving their remaining ownership of the company away, and potential investors would want to see a real product, which they don't have. I still wish them well, but....tick tock. And that $65K investment necessitated my sale of $100K worth of various stocks, including Intel, due to the income tax laws being what they are. That $100K worth of stock would now be worth $600K, roughly, given that Intel has gone from $15 to $100 in that period. C'est la vie. But it sure makes me more cautious about funding little startups. And I for damned sure won't write out checks for people I only casually know from this mailing list and from occasional Cypherpunks meetings!!!)
I could easily spend $500K (costing me an actual $700K before taxes, less some tax deductions as a business, possibly) hiring a staff of several programmers for slightly more than a year. Then it'd be gone. Would a "product" be ready? You tell me the odds.
And what would come out of such an effort? I've watched a certain American living in Europe burn through most (and maybe all?) of his fortune, and (some say) his family's fortune, and he had the best of pedigrees and the best set of ideas there is. Now many of us quibble with the choices he made, in licensing, etc., but this should be a cautionary tale to anyone who thinks such funding is easy.
I'm not being defeatist. I know that sometimes a $500K investment could turn into tens of millions. It sometimes happens.
But usually not, even for the proposals that get funded. (And VCs tend to look at 10 to 30 proposals for every one they actually fund, so the odds in the Cypherpunks pool ain't real great that even a single proposal would reach the funding stage, let alone turn into another Netscape or Yahoo.) No, I'm not a defeatist. But I worked very hard for many years, saving a large fraction of my paycheck and saving my purchased stock (including stock options, which were not as lucrative as popular myth might have it...what made them now worth so much money is that I didn't sell them when they became available, as so many of my coworkers did). I don't intend to blow through half a million or a million bucks a year funding some grand vision, especially when there seem to be few grand visions that are realistic. (Plenty of zealots, though.)
which the code's intended. And, rarely, as in your case, Tim, some people with money already know what to do and can hire people to do it. If they can "sell" *themselves* on the idea that the market will buy it. The guy who founded Aldus did it with Pagemaker. Osborne did it, too, before he made the mistake of hiring a completely ignorant "professional" management...
The Pagemaker team wrote it on a shoestring. No VCs until much later, when a product existed. (BTW, similar to the models for both PGP, Inc. and C2Net, where actual products are actually being sold or distributed.) As it happens, I knew Adam Osborne. (I used to go to the Homebrew Computer Club, circa 1976-78, and met many of those who later became famous. This also helped shape my skepticism about predicting success, as I would surely have funded Bob Marsh at Processor Tech before funding Woz and Jobs...and in fact I bought a Proc Tech Sol-20 in 1978 rather than an "Apple.")
Well, it was more for the list's benefit than yours, Tim. You're just my unsuspecting foil, here. :-).
If, say, John Gilmore were here saying the same kinds of stuff you were, I'd have sprung my little rhetorical trap for him instead, by getting him to list what we should do next, and then asking him which ones he's going to invest in. He'd probably be just as pissed off.
The problem with your "rhetorical traps," by your own admission, is that you just don't know what you're talking about in most cases, at least insofar as startups and funding go. I recall your "hothouse" VC proposal (I may have the name wrong, but the idea was the same as one of those hothouse schemes, with offices for budding entrepreneurs, etc.). Maybe in another post I'll give my views on why such hothouse schemes are lousy ideas. But if yours is up and running and headed for success, I'll be happy to stand corrected.
Actually, if you count the money and time he's thrown at politics and lawyers, and S/WAN, and cypherpunks, and a few other things, you might say Gilmore's made an investment or two. Unfortunately, since he's not using actual investment criteria -- profits, in other words -- you might consider those investments to have been accidental. On the other hand, investing is always about personal choices, whatever they are, and so the loop closes on itself, I suppose.
John chooses to do the things he chooses to do. He has more interest in, or faith in, the legal process. I have more interest in, or faith in, the expository process. I write about 100 times as much as he does. To each their own. I won't get involved in Bob's seeming challenge to me to start matching John's investments.
The point is, all of the stuff you've listed costs money to do, Tim, or it would have been done already. Which means, unless you're doing this for a hobby, spending a very small fraction of your total income, (or an
It costs money, but almost certainly not VC money. Take just one example, an offshore credit reporting agency not bound by U.S. restrictions under the FCRA. There is no need for a VC to fund this...this is best done "on a shoestring" by someone who starts small and expands. (Think of how Amazon.com got started. Lots of similar examples.) Personally, I would only get involved in such a thing if I lived offshore, as the government could otherwise come after me (even for funding such a thing). But the interesting pros and cons of such a project are well worth discussing. Maybe someone out there will do it. (This space reserved for someone to chime in about Vince Cate's ISP operation in Anguilla.)
So, Tim, why don't you pick your favorite project on that list, hire some people to write code, and go for it? Most of the stuff on your list can't cost that much to do, and, if it did, then it's probably the wrong project for you, personally, financially, to work on. If that project makes money, you can reinvest it in something bigger anyway. Capitalism 101.
Why don't you knock off the "Put up or shut up" kinds of remarks? It's never a good basis for investment, to respond to "dares." I'll say what I want to say. Maybe even someday a good investment will appear. But from what I've seen of the folks at gatherings I meet them at, few of them would be good candidates for a VC-funded approach.
I think that Sameer in particular proves that the barriers to entry for some financial cryptography markets are still practically nonexistent from an investment perspective. Not for the stuff Sameer's doing, of course.
No, what it shows is the power of small entrepreneurs doing very local things, with the things that succeed being all that we remember (the losers are forgotten).
Anyway, especially in anonymous digital bearer settlement, which is the really important stuff in financial cryptography, there are lots of opportunities out there, and some of them are bootstrappable. Some of those which aren't should be funded by single, monomaniacal, investors like the Aldus guy did with Pagemaker, or you, Tim, should do with your favorite project on the list. Hopefully, the rest of the non-bootstrap stuff can be done with e$lab or something like it. At least that's what *I'm* hoping... ;-).
Yeah, well let us know when "e$lab" gets really rolling. Personally, I think you undercut your own significance by the heavy reliance on cutesy names centering around "$" in place of "s," as in "e-$pam" and "e$lab." Cutesy wears thin fast.
So, Tim, again, which one of those projects do you want to do? Who are you going to hire to do them? More important, how much money do you think you'll get back by doing it?
See above for my answer. In the meantime, knock off with the dares. Maybe we should just mutually ignore each other for a while. --Tim May
In article <v0310280cb031dea9cd30@[207.167.93.63]>, Tim May <tcmay@got.net> wrote:
All credit to Goldberg and all, but hardly accomplishing very interesting goals (helps Ian get a good job, that's certainly true). Maybe it'll cause slightly stronger crypto to be allowed for export...I don't really care too much about that.
In fact, the whole focus on _exports_ and doing things to make exports easier is a _detour_, even a _derailment_. As I've said, I'll start worrying about Netscape getting a license when they start paying me. Until then, foreigners should just bypass what Netscape provides and use drop-ins.
I have to disagree here. The export issue is very important to me. For me, crypto export isn't about Netscape getting their 128-bit crypto overseas; it's about me being allowed to publish my research on the net, or give "technical assistance" to foreigners. As long as the current export regs are in place, my ability to publish, collaborate in, and by extension, perform, research in pure or applied cryptography is severely hampered. The effect the crypto regs have on me is that any time I want to actually _implement_ something and publish it, I have to wait for school breaks, go home (to Canada), do all of the work there, and publish it from there before I return to Berkeley. This obviously cuts down on the rate at which I can get things done. Americans don't even have this option. If not for problems like this, S/WAN would certainly be further along than it is now. - Ian
At 12:56 PM 9/2/97 -0700, Tim May wrote:
My understanding was that you had to do most of your work in Canada because of U.S. restrictions on those with student visas? Certainly you are just as much in violation of the EARs by going to Canada to do your crypto work as Rivest and Company would be in by crossing into Canada to develop stuff for RSADSI. Am I missing something here?
Yeah, you're missing that Ian's a Canadian, not subject to US laws when he's not in US territory, unlike Rivest (but not unlike Shamir.) Taking working papers with him might be an export problem, but taking ideas in his head isn't, and when he's at home, he can work, subject to Canadian limits on writing, publishing, and internetting crypto. If he wants to sell products based on his crypto work, there may be student visa issues involved, but there's a Canadian corporation that can take care of some of those problems for him.
# Thanks; Bill
# Bill Stewart, +1-415-442-2215 stewarts@ix.netcom.com
# You can get PGP outside the US at ftp.ox.ac.uk/pub/crypto/pgp
# (If this is a mailing list or news, please Cc: me on replies. Thanks.)
At 12:28 PM -0700 9/2/97, Ian Goldberg wrote:
In article <v0310280cb031dea9cd30@[207.167.93.63]>, Tim May <tcmay@got.net> wrote:
All credit to Goldberg and all, but hardly accomplishing very interesting goals (helps Ian get a good job, that's certainly true). Maybe it'll cause slightly stronger crypto to be allowed for export...I don't really care too much about that.
In fact, the whole focus on _exports_ and doing things to make exports easier is a _detour_, even a _derailment_. As I've said, I'll start worrying about Netscape getting a license when they start paying me. Until then, foreigners should just bypass what Netscape provides and use drop-ins.
I have to disagree here. The export issue is very important to me. For me, crypto export isn't about Netscape getting their 128-bit crypto overseas; it's about me being allowed to publish my research on the net, or give "technical assistance" to foreigners. As long as the current export regs are in place, my ability to publish, collaborate in, and by extension, perform, research in pure or applied cryptography is severely hampered.
Fair enough, and that's exactly what the focus of the Bernstein and Junger cases is on. The Washington nonsense would do essentially nothing about the issue of whether crypto is speech, and might even weaken the pending legal cases.
The effect the crypto regs have on me is that any time I want to actually _implement_ something and publish it, I have to wait for school breaks, go home (to Canada), do all of the work there, and publish it from there before I return to Berkeley. This obviously cuts down on the rate at which I can get things done. Americans don't even have this option. If not for problems like this, S/WAN would certainly be further along than it is now.
My understanding was that you had to do most of your work in Canada because of U.S. restrictions on those with student visas? Certainly you are just as much in violation of the EARs by going to Canada to do your crypto work as Rivest and Company would be in by crossing into Canada to develop stuff for RSADSI. Am I missing something here? --Tim May
At 12:12 AM -0700 9/3/97, Bill Stewart wrote:
At 12:56 PM 9/2/97 -0700, Tim May wrote:
My understanding was that you had to do most of your work in Canada because of U.S. restrictions on those with student visas? Certainly you are just as much in violation of the EARs by going to Canada to do your crypto work as Rivest and Company would be in by crossing into Canada to develop stuff for RSADSI. Am I missing something here?
Yeah, you're missing that Ian's a Canadian, not subject to US laws when he's not in US territory, unlike Rivest (but not unlike Shamir.) Taking working papers with him might be an export problem, but taking ideas in his head isn't, and when he's at home, he can work, subject to Canadian limits on writing, publishing, and internetting crypto. If he wants to sell products based on his crypto work, there may be student visa issues involved, but there's a Canadian corporation that can take care of some of those problems for him.
"Sigh" As I've answered four people in private e-mail, I'm fully aware that Ian is Canadian. This is why he presumably returns to Canada on vacations. I think he's from Toronto, if memory serves.
But I was not aware that this exempted him from the U.S. Export Administration laws, known variously as the Export Administration Regulations (the EARs), the ITARs (old name), or related to the "Munitions Act."
I admit that the EARs are a dense read (cf. glimpses at several sites, incl. http://bxa.fedworld.gov/ear.html). It's possible that a court would rule that Ian's 10 months out of the year residency in the U.S. does not make him subject to the EARs, but I think otherwise. (Is Ian also exempt from the Espionage Act?)
Now the issue is whether Ian's admitted (here, today) use of trips to Canada as a subterfuge to bypass the EARs is in fact an admission of violation of the EARs. Personally, my hunch is that nobody in D.C. much cares what Ian is now doing. Not because he's not doing good work, but because they have no interest in stopping this work.
But this is a different thing from saying that Ian is exempt from the EARs if he goes back to Canada to either finish a piece of work started in California or to codify the thinking begun in California. By any reasonable sense of the EARs, this would be as much a violation of the EARs as if Jim Bidzos went to Greece on vacation and wrote a new piece of software. (Note that Bidzos is not a citizen of the United States. He retains Greek citizenship. He is thus essentially analogous to Ian Goldberg, modulo some issues of wealth and coding ability, and age.)
I am not saying Ian will be prosecuted or hassled. I am saying I think it is poor legal advice to suggest that Ian, though he attends school in California, is miraculously exempted from the force of the U.S. EARs when he is temporarily back in Canada.
And I repeat what I understood Ian's situation to be, from what he personally told me some months back: he is forbidden by U.S. Immigration law from most kinds of normal employment while on a student visa in the U.S. (graduate student stipends being not part of this "most"), and thus must be back in Canada to act as an ordinary consultant or author. This apparently has little to do with the point of evading the EARs. Could Ian please clarify the situation? --Tim May
At 12:12 AM 9/3/97 -0700, Bill Stewart wrote:
Yeah, you're missing that Ian's a Canadian, not subject to US laws when he's not in US territory, unlike Rivest (but not unlike Shamir.)
I don't know Ian's status but those who are US permanent residents are subject to most of these sorts of laws even if they are temporarily outside of the US. Student Visa holders are not permanent residents of course.
Taking working papers with him might be an export problem, but taking ideas in his head isn't, and when he's at home, he can work, subject to Canadian limits on writing, publishing, and internetting crypto. If he wants to sell products based on his crypto work, there may be student visa issues involved, but there's a Canadian corporation that can take care of some of those problems for him.
He's probably OK there. If I am in France, or China, or Canada, I can continue to write the great American Novel or the Great American Algorithm that I'm working on without violating work permit requirements. The nice thing about those of us who only sell ideas for a living is that they haven't figured out a way to outlaw thinking yet (as much as they've tried). In any case, I take it that Ian is a graduate student which implies that he possesses a bachelor's degree from somewhere and thus can work here more or less at will for five years. Under the US-Canada FTA and NAFTA, citizens of the three signatory countries who have bachelor's degrees and genuine job offers can work in either of the other two countries without going through the whole work permit process. It's just a little paper shuffling at the border and "cannot ordinarily be denied". So Ian can work here but poor Bill Gates can't work in Canada. DCF
participants (8)
- Adam Back
- Bill Stewart
- dlv@bwalk.dm.com
- Duncan Frissell
- iang@cs.berkeley.edu
- Robert Hettinga
- Tim May
- William H. Geiger III