Your "RIGHT" to Speak to Big Brother
Today Janet "The Bitch of Waco" Reno held a news conference announcing that, in her not-so-humble opinion, Microsoft Corporation was in violation of a consent decree by virtue of bundling Internet Explorer with Windows '95, and that she was asking for a $1 million a day fine. Ho Hum.

However, one tiny item in her news conference caught my attention. It wasn't related to IE or Windows, but to company secrets protected by non-disclosure agreements. Even though Microsoft has indicated that it does not intend for its non-disclosure agreements to be binding in a way which prevents persons from disclosing anything they like to the DOJ in a criminal investigation, the Feds apparently want the concept of non-disclosure to the government scrapped. Everyone, they claim, has a "right" to speak to the government on any subject whatsoever, which cannot be abrogated by anything as flimsy as a contract or agreement, designed to protect another's secrets. After all, the government is your friend, and is here to help you.

This was made clearer when The Bitch of Waco introduced her minion, Assistant Attorney General Joel Klein.

"We're asking the court to order Microsoft to tell everyone who has signed or who in the future will sign a non-disclosure agreement, that it doesn't apply to the government, period. We won't allow anyone to interfere with the people's right to provide information to their government."

And there you have it. The people's right to provide their neighbor's proprietary information to their government shall not be infringed. How Constitutional-Sounding.

--
Eric Michael Cordian 0+
O:.T:.O:. Mathematical Munitions Division
"Do What Thou Wilt Shall Be The Whole Of The Law"
At 8:13 PM -0700 10/20/97, Eric Cordian wrote:
This was made clearer when The Bitch of Waco introduced her minion, Assistant Attorney General Joel Klein.
"We're asking the court to order Microsoft to tell everyone who has signed or who in the future will sign a non-disclosure agreement, that it doesn't apply to the government, period. We won't allow anyone to interfere with the people's right to provide information to their government."
You left out the Really Interesting paragraph:

"We're also asking loyal Americans within companies to send us the CMR secret keys. Companies have no right to keep secrets from government. We won't allow a company to have policies which prevent loyal Americans from providing information to their government."

(He didn't say this, but he may as well have. What the Justice Department is arguing is that it wants spies within companies. It wants narcs. It wants people to funnel information to them.)

By the way, I think the notion that the government will go to great lengths to get CMR secret keys is not far-fetched. Until PGP for Business supports a richer system of snoopware keys--and my understanding is that PGP 5.5 does _not_--then the CMR secret key of, say, Microsoft, would be a prize indeed.

This is of course a security weakness of the whole CMR approach, exactly as with the key escrow database. It is a too-tempting target. Anyone within a company with access to the CMR secret key will be incentivized to sell it.

I am offering $25,000 for the CMR key for Microsoft. (As a loyal American, I plan to then send it to Janet Reno and Louis Freeh.)

Of course, Microsoft won't be using PGP for Business. Recall that they may have their own "software key escrow" program cooking, based on my discussion a few years ago with Tom Albertson (sp?) of Microsoft. Bill Gates has issued strongly anti-GAK statements, so maybe this is on hold.

--Tim May

The Feds have shown their hand: they want a ban on domestic cryptography
---------:---------:---------:---------:---------:---------:---------:----
Timothy C. May | Crypto Anarchy: encryption, digital money,
ComSec 3DES: 408-728-0152 | anonymous networks, digital pseudonyms, zero
W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets,
Higher Power: 2^2,976,221 | black markets, collapse of governments.
"National borders aren't even speed bumps on the information superhighway."
Tim May <tcmay@got.net> writes:
"We're also asking loyal Americans within companies to send us the CMR secret keys. Companies have no right to keep secrets from government. We won't allow a company to have policies which prevent loyal Americans from providing information to their government."
By the way, I think the notion that the government will go to great lengths to get CMR secret keys is not far-fetched. Until PGP for Business supports a richer system of snoopware keys--and my understanding is that PGP 5.5 does _not_--then the CMR secret key of, say, Microsoft, would be a prize indeed.
I think the CMR public key extension is not limited to one CMR extra recipient per key. Closely following discussions on ietf-open-pgp, and the notes Bill Stewart kindly posted to this list (taken from the description PGP Inc gave at a meeting in the US) it sounded to me that there is a migration path like this:

pgp5.0: accepts keys with multiple CMR key requests attached but doesn't honour CMR requests (? I hope!), and can't generate keys with CMR requests

pgp5.5: generates keys with single CMR requests, can accept and handle keys with multiple CMR requests

pgp6.x: will generate keys with multiple CMR requests (and of course honour them too)

This suggests that the yet to be released pgp6.x (or whatever version number is chosen) will be able to cater to such government demands merely by the company generating their keys with two CMR requests:

recovery@acme.com
thoughtpolice@nsa.gov

The NSA can publish their public key on http://www.nsa.gov/ tomorrow, and the law by presidential decree the day after.

This is the balanced Sword of Damocles over privacy for real now: this is the switch waiting to be flicked.

This is why I am upset with PGP Inc for using the CMR approach. It is not CMR per se as a neutral mechanism, but it is the approach of building tools which allow third party access, or "recovery" of communications traffic which has enabled all of this. This despite their stated corporate user requirement being storage recovery.
This is of course a security weakness of the whole CMR approach, exactly as with the key escrow database. It is a too-tempting target. Anyone within a company with access to the CMR secret key will be incentivized to sell it.
I agree, it is a centralised security risk. PGP Inc are talking about adding secret splitting perhaps, but still it is a security risk.

The whole technique of sending recovery information over the wire is a security risk. Recovery information if there is any should be kept on local disks and thereby be protected by the company's normal physical security in the same way that papers in filing cabinets are. This is the status quo. (Well actually no encryption at all locally is largely the status quo, but pgp5.0 (and I presume pgp5.5) is also able to encrypt files, and PGP Inc argues more reasonably that their corporate clients have a requirement of being able to recover stored encrypted files also). Regardless it is trivial to have local storage recovery without sending recovery information over the wire.

I'll be posting (web and list) a security analysis of CMR vs CDR presently; I think CMR loses badly from even a purely security oriented standpoint. (I have made my feelings about the political demerits of CMR as a storage recovery mechanism known already).
Of course, Microsoft won't be using PGP for Business. Recall that they may have their own "software key escrow" program cooking, based on my discussion a few years ago with Tom Albertson (sp?) of Microsoft. Bill Gates has issued strongly anti-GAK statements, so maybe this is on hold.
Perhaps this is what they are busy building at their top-sikrit crypto software development/research center at Cambridge, UK under the guidance of new head of research cryptographer Roger Needham.

Looks like an export embargo end-run by Bill Gates. Maybe Bill Gates is a cypherpunk after all, well we can live in hope, anyway.

Adam
--
Now officially an EAR violation...
Have *you* exported RSA today? --> http://www.dcs.ex.ac.uk/~aba/rsa/

print pack"C*",split/\D+/,`echo "16iII*o\U@{$/=$z;[(pop,pop,unpack"H*",<>
)]}\EsMsKsN0[lN*1lK[d2%Sa2/d0<X+d*lMLa^*lN%0]dsXx++lMlN/dsM0<J]dsJxp"|dc`
participants (3)
- Adam Back
- Eric Cordian
- Tim May