Why the White amendment is a good idea (fwd)
---------- Forwarded message ---------- Date: Wed, 24 Sep 1997 19:06:33 -0600 From: Aaron Weissman <aweissman@mocc.com> To: "'fight-censorship@vorlon.mit.edu'" <fight-censorship@vorlon.mit.edu> Subject: Why the White amendment is a good idea -----BEGIN PGP SIGNED MESSAGE----- Today, the House Commerce Committee made an important statement which will have lasting ramifications on the status of personal privacy in our nation for the foreseeable future. I know what you all are thinking -- former White staffer, praising his old boss. In the interests of total disclosure, I did work for Rep. White, and I still think he is an all-around great guy. However, solely on the merits of this amendment, I believe that it deserves the support of the Internet community (whatever *that* is). The NETCenter is a great idea. Very few of us would argue that our society has an interest defining rules and in prosecuting their transgression as crimes. Once we have agreed on that point, the issue changes to a (still very important) discussion on methods. By creating a decryption lab (and funding it with tremendous amounts of money), our society will fulfill the basic obligation to protect against the transgression of our rules. However, despite the worst intentions of some, this laboratory cannot be an indiscriminate tool. The United States Government may be a the ultimate example as an organization possessing "national means," however, it's resources are far from infinite. In addition, such a lab would require our very best and brightest mathematicians. We may be able to afford one of these labs, but more would be a large stretch. Once this NETCenter exists, the demands for it's services will soon outstrip it's resources. In addition, the massive cost involved per use would be large enough to attract public scrutiny. I have no doubt that our government could crack the very largest keys if it were to through billions of dollars at the problem. However, in an age of shrinking budgets and a commitment to a balanced budget, that much money is not spent without considerable oversight. I have no doubt that a considerable portion of the NETCenter's time will be spent in matters of foreign intelligence. (As I said, we cannot afford two massive decryption laboratories -- the NSA will have to give its decryption mandate to this new agency). In sum, this amendment gives us a powerful decryption laboratory with a great deal of sunshine on its use and limited resources on behalf of law enforcement. These factors make the NETCenter a great tool for targeted decryption, but they also guarantee that appropriate judicial supervision is acquired before the NETCenter can be used. In other words, this is a great tool for prosecutors to use *after* they have established probable cause in their most heinous cases, and a strong guarantee that the eyes of the government will not intrude into our persons, papers and effects. The passage of this amendment helps ensure that the terms of this debate remain centered on our civil liberties -- not kiddie porn. If we are going to win this argument (and the stakes are very large) we have to keep this debate framed with our criteria. Many may disagree with me on these points, and I we -----BEGIN PGP SIGNATURE----- Version: PGP for Personal Privacy 5.0 Charset: noconv iQCVAwUBNCm5F7il6vI+AAoXAQFlIgQAkvC7ABgdpCV0AzTn5eXLW/A4zsXObRIr NpOEVm0SvNsY7VWq3YoPQpetoP5sU/Z2tE4Vepl9jgxFAY3YVv9ZczrbTGdKKO1T Il3s779jI/8fGAUuOaP2B81mowOSO9NsLa462VjyaFkB7kY9gEin3LCT6Gf/cyvk Agp98YVAY4M= =ueWO -----END PGP SIGNATURE-----
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 At 9:07 AM -0700 9/25/97, Declan McCullagh wrote:
---------- Forwarded message ---------- Date: Wed, 24 Sep 1997 19:06:33 -0600 From: Aaron Weissman <aweissman@mocc.com> To: "'fight-censorship@vorlon.mit.edu'" <fight-censorship@vorlon.mit.edu> Subject: Why the White amendment is a good idea
The NETCenter is a great idea. Very few of us would argue that our society has an interest defining rules and in prosecuting their
The NETCenter is largely duplicative, though will be much less effective, than the NSA. I strongly urge Aaron and others to review the history and capabilities (and limitations) of the NSA.
transgression as crimes. Once we have agreed on that point, the issue changes to a (still very important) discussion on methods. By creating a decryption lab (and funding it with tremendous amounts of money), our society will fulfill the basic obligation to protect against the transgression of our rules.
The COMINT mission of the NSA _already_ consumes vast amounts of money, with an estimated staffing (for the NSA as a whole) of 100,000 persons. (Obviously many of them are not doing SIGINT and COMINT, but a fair fraction are. And the Agency has had five decades or more to build up this staff.) The NSA also draws on additional resources, including the Defense Language School and related facilities for translation, the DOD branches of signals intelligence (Naval Security Group, Air Force Intelligence, Army Security Agency, etc.), and has ties to CIA, DIA, NRO, etc. It is UNLIKELY IN THE EXTREME that a NETCenter could even remotely approach the NSA in decryption capabilities, so the funding of NETCenter would mostly be throwing away money for a feelgood, public "demonstration site." (The NSA sometimes assists with law enforcement. But often it does not. I grant that a purely civilian codebreaking facility might once have been needed. But for reasons I'll get to below, it's much too late to start now! And much too expensive.)
However, despite the worst intentions of some, this laboratory cannot be an indiscriminate tool. The United States Government may be a the ultimate example as an organization possessing "national means," however, it's resources are far from infinite. In addition, such a lab would require our very best and brightest mathematicians. We may be able to afford one of these labs, but more would be a large stretch.
Indeed, and those bright mathematicians who are also willing to work as GS-14s. 15s, and so on, are mostly at the NSA now. Again, look into the funding of the NSA and ask if the country would be willing to make a similar expenditure for NETCenter. (Not that it will help.)
Once this NETCenter exists, the demands for it's services will soon outstrip it's resources. In addition, the massive cost involved per use would be large enough to attract public scrutiny. I
Once the NETCenter failed to decypt the first several dozen instances of PGP or 3DES thrust before it, I rather expect enthusiasm will wane.
have no doubt that our government could crack the very largest keys if it were to through billions of dollars at the problem. However, in an age of
Aaron, you really need to get up to speed on cryptography. Even the basics of it. When you do, you'll discover that it is strongly believed (though not yet proved) that leading ciphers are "hard" to break. Conventional cryptanalysis is useless, i.e., the kind where fragments of text are used to help produce a key. Even the NSA has acknowledged that cryptanalysis of modern ciphers is essentially impossible, at least from intercepted ciphertext. (Interception of signals, a la TEMPEST, may be a different matter, and of course there are important civil liberties issues involved in setting up such surveillance operations.) As to you point that "very largest keys" could be cracked with "billions of dollars," check out some of the "work factor" (difficulty of brute forcing) estimates for modern ciphers. Schneier's "Applied Cryptography" is a good place to start. You will see that some ciphers have work factors for readily achievable keys which exceed the energy in the entire universe. (The "secure phone" I have, from Communication Security Corporation, uses 3DES. This is something like 100 bits more in key length than ordinary DES. Even if a "Wiener machine" can be built to break ordinary, 56-bit DES, at a cost of perhaps a million bucks or so for the entire machine (and then perhaps a few hundred bucks per crack, it is estimated), think of the cost of the machine to break 3DES! 2^100 times harder is about 10^30 times harder. Now that's a lot of money! The "tab" for each American taxpayer would be about $10^22. (There is a slight possibility that dramatic speedups in cracking could come from mathematical advances. DES and other ciphers are under constant scrutiny, and 22 years or more of scrutiny of DES has produced a limited speedup.) The point is this: modern ciphers are for all intents and purposes "unbreakable." Though we as technical people are usually cautious to say that "unbreakable" is a dangerous word, the fact is that it's our current best description of what a 2000-bit RSA key is, and that's all there is to it. See Schneier for more on why this is so.
I have no doubt that a considerable portion of the NETCenter's time will be spent in matters of foreign intelligence. (As I said, we cannot afford two massive decryption laboratories -- the NSA will have to give its decryption mandate to this new agency). In sum, this amendment gives
Right. I'm sure that will happen. - --Tim May The Feds have shown their hand: they want a ban on domestic cryptography - ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, ComSec 3DES: 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^1398269 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." -----BEGIN PGP SIGNATURE----- Version: PGP for Personal Privacy 5.0 Charset: noconv iQA/AwUBNCqg0FK3AvrfAt9qEQJIkQCeIp33C8UNVsM5tbE90ZEWIrVp+IcAoKvI 0giZDX5Do56vHXSURaNt2dQ4 =/s7n -----END PGP SIGNATURE-----
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 At 10:33 AM 9/25/97 -0700, Tim May wrote:
Once the NETCenter failed to decypt the first several dozen instances of PGP or 3DES thrust before it, I rather expect enthusiasm will wane.
But it doesn't have to decrypt it. It has to tell the cops: "OK, you need to send a guy in there when he's not home and look for a file called 'mykey.gkr' on his computer...it will probably be in c:\pgp. Then you need to plant a video camera to watch him type his passphrase. Then we can read his mail, no sweat." I don't know why I keep making this point, but the weak point in crypto is NOT the length of the key, it's the human factor. Go after the HUMAN USING THE CRYPTO via traditional spy/police methods, and smeg the key length. But to do that, you see, you'll need warrents, reasons for suspiscion, and, becuase of the effort involved, you'll only do it for serious crimes with a strong liklihood of conviction. *That* is the 'stauts quo' law enforcement *claims* to want. -----BEGIN PGP SIGNATURE----- Version: PGP for Personal Privacy 5.0 Charset: noconv iQA/AwUBNCqmtTKf8mIpTvjWEQKP2QCg23fm4sNAs0Uj9d2DZT/60ZRWgeIAoI37 /RgFkiiCHHo10o2/8yiBTj+i =af7a -----END PGP SIGNATURE-----
Lizard, you're missing the point. First, the NETcenter was sold to the Commerce cmte yesterday as a way to perform successful cryptanalysis on enciphered documents. The rhetoric was all about keeping codebreakers up to date with codemakers. To anyone with a glimmering of a clue about modern cryptography, this is complete bullshit. Industry lobbyists on Monday also tried to push this line at a press conference; I called them on it and they said, no, I was wrong, this center would let the FBI keep up with the times. Yeah right. Second, the NSA already performs these duties. Whether they should be allowed to or not is a different argument. Third, there's no funding appropriated for the NETcenter. It's useless without it. Again, it's bullshit. Fourth, even industry lobbyists admitted to me privately yesterday that NETcenter was a scam designed entirely to head off Oxley. -Declan On Thu, 25 Sep 1997, Lizard wrote:
At 10:33 AM 9/25/97 -0700, Tim May wrote:
Once the NETCenter failed to decypt the first several dozen instances of PGP or 3DES thrust before it, I rather expect enthusiasm will wane.
But it doesn't have to decrypt it. It has to tell the cops: "OK, you need to send a guy in there when he's not home and look for a file called 'mykey.gkr' on his computer...it will probably be in c:\pgp. Then you need to plant a video camera to watch him type his passphrase. Then we can read his mail, no sweat."
I don't know why I keep making this point, but the weak point in crypto is NOT the length of the key, it's the human factor. Go after the HUMAN USING THE CRYPTO via traditional spy/police methods, and smeg the key length.
But to do that, you see, you'll need warrents, reasons for suspiscion, and, becuase of the effort involved, you'll only do it for serious crimes with a strong liklihood of conviction. *That* is the 'stauts quo' law enforcement *claims* to want.
On Thu, 25 Sep 1997, Declan McCullagh wrote:
Lizard, you're missing the point.
First, the NETcenter was sold to the Commerce cmte yesterday as a way to perform successful cryptanalysis on enciphered documents. The rhetoric was all about keeping codebreakers up to date with codemakers. To anyone with a glimmering of a clue about modern cryptography, this is complete bullshit. Industry lobbyists on Monday also tried to push this line at a press conference; I called them on it and they said, no, I was wrong, this center would let the FBI keep up with the times. Yeah right.
I think you are among the most vocal when saying that congress has no clue. Replace GAK snake-oil with a cryptographic-moonshot snake-oil proposal (with branch offices in key districts) and it becomes clearer. Move the superconducting supercollider folks to quantum supercomputing. If they can believe myths that crime and terrorism will increase exponentially if strong crypto is made available, they should also believe that for a few billion, they will be able to crack PGP (sans GAK). When it doesn't work, they will demand a few billion more every few years instead of demanding GAK which will close down their bureaucracy. They may say they want to be the GAKers, but then you will have to replace all the number theory consultants with database consultants.
Second, the NSA already performs these duties. Whether they should be allowed to or not is a different argument.
But they don't tell the FBI everything.
Third, there's no funding appropriated for the NETcenter. It's useless without it. Again, it's bullshit.
There will be. Congress finds ways to fund useless projects.
Fourth, even industry lobbyists admitted to me privately yesterday that NETcenter was a scam designed entirely to head off Oxley.
Ssshhhh! someone hear you. --- reply to tzeruch - at - ceddec - dot - com ---
Declan McCullagh writes:
---------- Forwarded message ---------- Date: Wed, 24 Sep 1997 19:06:33 -0600 From: Aaron Weissman <aweissman@mocc.com> To: "'fight-censorship@vorlon.mit.edu'" <fight-censorship@vorlon.mit.edu> Subject: Why the White amendment is a good idea
The NETCenter is a great idea. [blah blah]
The passage of this amendment helps ensure that the terms of this debate remain centered on our civil liberties -- not kiddie porn. If we are going to win this argument (and the stakes are very large) we have to keep this debate framed with our criteria.
Follow your own advice. All this crap about NETCenter has nothing to do with our civil liberties. Whether NETCenter is a good idea or not is a completely separable issue (which I see Tim May just covered thoroughly), and is merely a fig leaf offered to spineless Congresscritters to deflect some of the "criticism" they might otherwise be subjected to on the law enforcement "issue". The fact that White offers it shows that he is just as spineless. We shouldn't have to "trick" Congress into doing the right thing, or provide cover for them either. As you say, though, let's keep this debate framed with our criteria: Do you, Congressman, support the constitutional guarantee of free speech, or not?
At 12:07 pm -0400 on 9/25/97, Aaron Weissman <aweissman@mocc.com> wrote:
The NETCenter
What an oxy-maroon. What a self-referent -- not to mention self-congratulary -- canard. C'mon, folks. Any entity which has the unmitigated presumption to have "center" and "net" in its name demonstrates nothing less than total ignorance of microcomputers and Moore's law, much less the internet it hopes to be the "center" of -- no matter how small a piece of the net it hopes to be the "center" of... Sheesh. GAK, indeed... Reality is not optional. Trying to find the "center" of any piece of the net is equivalent to the cosmological "problem" of finding the "center" of the universe. It represents the utter fallacy of hierarchy in a geodesic age. Cheers, Bob Hettinga Hettinga's Corolary to Gilmore's Law: The net will see "centers" as damage, and route around them. ----------------- Robert Hettinga (rah@shipwright.com), Philodox e$, 44 Farquhar Street, Boston, MA 02131 USA "... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire' The e$ Home Page: http://www.shipwright.com/
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 At 03:36 PM 9/25/97 -0400, Jeff Barber wrote:
We shouldn't have to "trick" Congress into doing the right thing,
I can't think of any other way. Each congressman has one concern:Getting re-elected. Thus, they frame each decision in terms of:"How will this sound in a 30 second TV commercial aimed at the clueless clods who live in my district/state?" and "Could this be exploited by my opponent in a similair commercial?" In order to convince a congresscritter to do what you want, you have to put it into those terms. Forget the rule of law, the Constitution, ideals, principles, values - - - those things are *meaningless* when discussing the making of law in this -- or any other -- nation. -----BEGIN PGP SIGNATURE----- Version: PGP for Personal Privacy 5.0 Charset: noconv iQA/AwUBNCq8CTKf8mIpTvjWEQKG3ACfVFWLfmeno5HHbrCQdstdn/QSDQQAoIf6 Fh3fqK8ST29ucr2NXsTgi1ec =OZdo -----END PGP SIGNATURE-----
participants (7)
-
Declan McCullagh -
Declan McCullagh -
Jeff Barber -
Lizard -
nospam-seesignature@ceddec.com -
Robert Hettinga -
Tim May