Re: anonymous credit
Hal Finney wrote:
Here is a simpler example of Wei's anonymous credit idea. We can call it the "borrowing cryptographers".
Hal, I have been following this thread with interest (no pun intended), and have had the foresight to not add to ideas that go beyond my own ability to follow. (I have to read your posts several times to even begin to grasp some of them.)

I am wondering what other concrete examples you might be able to add to the one in this post which might point to an actual functional implementation of the ideas you have been promulgating. Many of the CypherPunks discussions involve largely theoretical concepts which need much development to be practical, but it seems to me that in this post you are approaching a level where what you are discussing might actually be feasibly introduced in various microcosmic situations.

Being a Canadian, and therefore semi-socialist by nature, I am thinking along the lines of Credit Union applicability of your ideas. Credit Unions often take the form of small groups of individuals or companies with common aims and/or backgrounds/interests. The basic idea behind many Credit Unions is that they are more prone to lend money to individuals or institutions which are promoting ideas which can be profitable, but which the average banker or loan agency would not understand sufficiently to advance money on.

For example, having an interest in the issues you are discussing, I might be amenable to getting involved in an effort to fund the development of the 'Hal-Wei Anonymous Credit' program. The advantage of a Credit Union setup is that I know that it is run with an eye to realistic chances of success being considered, but also will take into account efforts that should be funded which may have only a marginal chance of financial success, but will further the general cause of those things I am interested in.

Truly there are a rising number of issues today which might benefit from the ability to participate anonymously in the funding of causes in which one has an interest. While AP is one of the more startling and newsworthy (?) aspects of anonymous lottery/credit systems, there are a multitude of minor causes which might benefit from the ability to engage in an anonymous credit system, as well. A simple example might be those who wish to financially back a legal challenge of their health-care system, without risking being denied benefits as a result of their participation.

I think that some of the CypherPunks' contributions to computer technology go largely unrecognized because of the fact that they aid those who do not wish to draw attention to themselves, for the most part. There isn't a week that goes by without my receiving an email from someone who thanks me for the benefit they have gained by my introducing them to encryption or anonymous remailers, yet I doubt that many of them give the same feedback to those who provide those services. Remailer operators seem to mostly receive shit and abuse for feedback, as a result of their efforts, yet I know from experience that there are many to whom their services have been a blessing.

-- Toto
"The Xenix Chainsaw Massacre" http://bureau42.base.org/public/xenix/xenbody.html
There isn't a week that goes by without my receiving an email from someone who thanks me for the benefit they have gained by my introducing them to encryption or anonymous remailers, yet I doubt that many of them
Toto hints at some issues here that I've been wondering about for a while now. What are some effective strategies for securely introducing "newbies" to the world of cryptography and anon remailers? I'm currently attending college, which means that my peers all use email very regularly -- a ripe environment for use of cryptography in email, I should think. However, nearly everyone's email accounts are on a central Unix machine, which brings up many issues about the (lack of) security of private keys on multiuser machines.

My question is this -- is it better for the crypto community in the long run to have more people using encryption, but perhaps insecurely, or to have fewer users whose communications are more cryptographically secure?

-Eric
--
Thus the time may have come to abandon the cool, measured language of technical reports -- all that talk of "perturbations" and "surprises" and "unanticipated events" -- and simply blurt out: "Holy shit! Ten thousand years! That's incredible!" -- Kai Erikson, _A_New_Species_of_Trouble_, 1994.
Eric Nystrom wrote:
There isn't a week that goes by without my receiving an email from someone who thanks me for the benefit they have gained by my introducing them to encryption or anonymous remailers, yet I doubt that many of them
Toto hints at some issues here that I've been wondering about for a while now. What are some effective strategies for securely introducing "newbies" to the world of cryptography and anon remailers? I'm currently attending college, which means that my peers all use email very regularly -- a ripe environment for use of cryptography in email, I should think. However, nearly everyone's email accounts are on a central Unix machine, which brings up many issues about the (lack of) security of private keys on multiuser machines.
My question is this -- is it better for the crypto community in the long run to have more people using encryption, but perhaps insecurely, or to have fewer users whose communications are more cryptographically secure?
Multiuser Unix Security == No Security.

Your users may have illusions, but not true security.

First thing I'd suggest is to explain to them that nothing that goes through that central unix machine is truly secure.

- Igor.
On Mon, 14 Apr 1997 ichudov@algebra.com wrote:
Multiuser Unix Security == No Security.
Your users may have illusions, but not true security.
First thing I'd suggest is to explain to them that nothing that goes through that central unix machine is truly secure.
It's absolutely true that nothing on a centralized Unix machine is truly secure. However, is abandoning all pretenses of crypto and security in favor of holding out for a utopian ideal really the best solution? Does using encryption for email on multiuser machines actually hurt the cause of the security community in the long run?

(I'm not asking rhetorical questions here -- I'm truly looking for some thoughts on this.)

-Eric
--
Thus the time may have come to abandon the cool, measured language of technical reports -- all that talk of "perturbations" and "surprises" and "unanticipated events" -- and simply blurt out: "Holy shit! Ten thousand years! That's incredible!" -- Kai Erikson, _A_New_Species_of_Trouble_, 1994.
Eric Nystrom wrote:
On Mon, 14 Apr 1997 ichudov@algebra.com wrote:
Multiuser Unix Security == No Security.
Your users may have illusions, but not true security.
First thing I'd suggest is to explain to them that nothing that goes through that central unix machine is truly secure.
It's absolutely true that nothing on a centralized Unix machine is truly secure. However, is abandoning all pretenses of crypto and security in favor of holding out for a utopian ideal really the best solution? Does using encryption for email on multiuser machines actually hurt the cause of the security community in the long run?
I would not call it truly "utopian". There is not much that's needed to achieve reasonable personal security, protecting from attacks from the Internet -- an individual (personal) computer system that offers no internet services. Could be bought for $300 or less.

- Igor.
On Tue, 15 Apr 1997 ichudov@algebra.com wrote:
I would not call it truly "utopian". There is not much that's needed to achieve reasonable personal security, protecting from attacks from the Internet -- an individual (personal) computer system that offers no internet services. Could be bought for $300 or less.
That makes a lot of sense for data security in the general sense, but I'm uncertain how useful that would be in terms of helping the user have more secure email. Is there an offline mail reader for standard Unix systems that would run on a platform like you describe?

-Eric
--
Thus the time may have come to abandon the cool, measured language of technical reports -- all that talk of "perturbations" and "surprises" and "unanticipated events" -- and simply blurt out: "Holy shit! Ten thousand years! That's incredible!" -- Kai Erikson, _A_New_Species_of_Trouble_, 1994.
Eric Nystrom wrote:
On Tue, 15 Apr 1997 ichudov@algebra.com wrote:
I would not call it truly "utopian". There is not much that's needed to achieve reasonable personal security, protecting from attacks from the Internet -- an individual (personal) computer system that offers no internet services. Could be bought for $300 or less.
That makes a lot of sense for data security in the general sense, but I'm uncertain how useful that would be in terms of helping the user have more secure email. Is there an offline mail reader for standard Unix systems that would run on a platform like you describe?
Yes, there is one.

- Igor.
On Tue, 15 Apr 1997 ichudov@algebra.com wrote:
secure email. Is there an offline mail reader for standard Unix systems that would run on a platform like you describe?
Yes, there is one.
Okay, what is it, what are the requirements, where do I find it, does it require special Unix software (and if so, what is that, and where do I find it too)?

-Eric
--
Thus the time may have come to abandon the cool, measured language of technical reports -- all that talk of "perturbations" and "surprises" and "unanticipated events" -- and simply blurt out: "Holy shit! Ten thousand years! That's incredible!" -- Kai Erikson, _A_New_Species_of_Trouble_, 1994.
It's absolutely true that nothing on a centralized Unix machine is truly secure. However, is abandoning all pretenses of crypto and security in favor of holding out for a utopian ideal really the best solution? Does using encryption for email on multiuser machines actually hurt the cause of the security community in the long run?
(I'm not asking rhetorical questions here -- I'm truly looking for some thoughts on this.)
Since security is not binary (i.e. talking of secure and insecure is nonsense. You must talk of more or less secure.), you have to look at the threats. If you are sending email from a multi-user Unix machine, encrypting it removes some threats (e.g. wiretapping) without adding any new threats. (There is still the continuing parade of UNIX holes based on the C string model.)

I would say that if users don't think they are safe, just think they are a bit safer, then encrypting on a multi-user machine is a good thing because it is more secure than not encrypting. It is still less secure than a single-user system with Tempest shielding.

-----------------------------------------------------------------
Bill Frantz          Periwinkle -- Computer Consulting
(408)356-8506        16345 Englewood Ave.
frantz@netcom.com    Los Gatos, CA 95032, USA
William S. Frantz wrote:
It's absolutely true that nothing on a centralized Unix machine is truly secure. However, is abandoning all pretenses of crypto and security in favor of holding out for a utopian ideal really the best solution? Does using encryption for email on multiuser machines actually hurt the cause of the security community in the long run?
(I'm not asking rhetorical questions here -- I'm truly looking for some thoughts on this.)
Since security is not binary (i.e. talking of secure and insecure is nonsense. You must talk of more or less secure.), you have to look at the threats. If you are sending email from a multi-user Unix machine, encrypting it removes some threats (e.g. wiretapping) without adding any new threats. (There is still the continuing parade of UNIX holes based on the C string model.)
I would say that if users don't think they are safe, just think they are a bit safer, then encrypting on a multi-user machine is a good thing because it is more secure than not encrypting. It is still less secure than a single-user system with Tempest shielding.
Right, the real problem is that users start thinking that they are really safe, and start doing dumb things.

- Igor.
Eric Nystrom wrote:
What are some effective strategies for securely introducing "newbies" to the world of cryptography and anon remailers?
I have found that rather than promoting encryption and anony remailers, that it is much more effective for me just to be aware of when someone mentions a problem they are having that can be solved by crypto/remailers. I always try to give them a short list of what is required to use various options, and what is gained by them.

The biggest thing to me is to try to point them toward a level of technology that they are capable of using, or will be capable of learning, given the level of their problem.

The following remailers are ones I recommend for totally newbie computer wrestlers who need a graphic interface and have access to a browser.
http://www.myemail.net/anonymous.htm
http://www.ozemail.com.au/~geoffk/anon/anon.html
My question is this -- is it better for the crypto community in the long run to have more people using encryption, but perhaps insecurely, or to have fewer users whose communications are more cryptographically secure?
My opinion is that the more people who use encryption with an understanding of what level of security they are getting, then the more people who will eventually graduate to higher levels of security when using crypto.

If teenagers use crypto to keep their private diary safe from little brother or sister's prying eyes, then they will begin to learn more about it at an early age. If little brother or sister is a computer whiz, and cracks their diary open, then they will get a valuable life lesson that may save them from more costly lessons in the future.

Also, if a wide range of people are using crypto, whether it is strong and secure or not, then there will be a larger group of people interested in the government or their employer not interfering with their use of it.

-- Toto
"The Xenix Chainsaw Massacre" http://bureau42.base.org/public/xenix/xenbody.html
On Mon, 14 Apr 1997, Toto wrote:
I have found that rather than promoting encryption and anony remailers, that it is much more effective for me just to be aware of when someone mentions a problem they are having that can be solved by crypto/remailers.
Do you do consulting work for a specific audience that would be inclined to need to use remailers and encryption more than the average user, or are you referring more to just "average" friends? If it is the second case, especially, I think that many of us might benefit from some specific scenarios in which you proposed encryption and remailers as solutions.
The biggest thing to me is to try to point them toward a level of technology that they are capable of using, or will be capable of learning, given the level of their problem.
What programs do you usually suggest? On my Linux box, I use pine 3.95's filter hooks to use PGP relatively seamlessly, but the multiuser system that most of my peers use email on does not have a version of pine capable of supporting filters. I've looked into Raph's premail, and have set it up successfully, but it seems a bit obtuse for a normal user. (Plus I *REALLY* don't like the idea of storing my passphrase on the multiuser system as well.)
Also, if a wide range of people are using crypto, whether it is strong and secure or not, then there will be a larger group of people interested in the government or their employer not interfering with their use of it.
This brings up an interesting point -- should we crypto users try and work with the system administrators to get PGP set up systemwide, or should we just try to do it on our own, as unobtrusively as possible? A systemwide implementation of PGP would probably be advantageous, but to ask for that certainly risks bringing attention to otherwise unobtrusive activities that the system administrators might not like.

-Eric
--
Thus the time may have come to abandon the cool, measured language of technical reports -- all that talk of "perturbations" and "surprises" and "unanticipated events" -- and simply blurt out: "Holy shit! Ten thousand years! That's incredible!" -- Kai Erikson, _A_New_Species_of_Trouble_, 1994.
participants (5)
- Eric Murray
- Eric Nystrom
- frantz@netcom.com
- ichudov@algebra.com
- Toto