From clark at metal.psu.edu Thu Jul 1 01:29:14 1993 From: clark at metal.psu.edu (Clark Reynard) Date: Thu, 1 Jul 93 01:29:14 PDT Subject: LEB corruption in Clipper phones--the backdoor? Message-ID: <9307010903.AA03572@metal.psu.edu> ""L. Detweiler"" quotes: >farber at central.cis.upenn.edu (David Farber) writes: >>2. Re chip health. I heard the same story plus yield was very low. >>I also understand that there is substantial redesign going on because >>the story about defaulting to an all-0 key if the LEB were corrupted >>was apparently true. I had heard this story, but discounted it as a 'cyberspace legend.' If this is true, there's the damn backdoor, obvious as the ass on a baboon. As others have noted, simply using the old crummy alligator clip method of wiretapping, sending a spike down the line at the moment of connection, and perhaps even a simple non-IC device like a cable descrambler could tap it, as easily as a normal phone. At the very least, you could record for later decryption, and it would require no more field work than currently necessary. Even with the corruption of analog media such as audio tapes, wouldn't an all-0 key make error-correction for line noise trivial? Corrupt the LEB, and any idiot could decrypt. Even _I_ could do that, with patience and at most a few thousand plaintext/ciphertext pairs (available to any fool with a Clipper chip). Am I wrong here, or is this, in fact, an idiotically simple flaw, so elementary that even the NSA could not have committed such a whopping, cretinous blunder in "good faith"? ---- Robert W. F. Clark rclark at nyx.cs.du.edu clark at metal.psu.edu From karn at qualcomm.com Thu Jul 1 01:45:05 1993 From: karn at qualcomm.com (Phil Karn) Date: Thu, 1 Jul 93 01:45:05 PDT Subject: LEB corruption in Clipper phones--the backdoor? Message-ID: <9307010844.AA24024@servo> Why are we pointing out these flaws publicly? You should let them pass, so that the flawed Clipper chips get widely deployed. THEN you go in front of Malarkey's subcommittee and demonstrate to the whole world how to intercept any Clipper-encrypted conversation without the escrowed keys. Then just stand back and watch the fun begin. 1/2 :-) Phil From nowhere at bsu-cs.bsu.edu Thu Jul 1 06:20:18 1993 From: nowhere at bsu-cs.bsu.edu (Anonymous) Date: Thu, 1 Jul 93 06:20:18 PDT Subject: No Subject Message-ID: <9307011323.AA25759@bsu-cs.bsu.edu> -----BEGIN PGP SIGNED MESSAGE----- Just a few updates: Eric Hollander told me he is working on updating the uclink remailer to only remail encrypted messages (like extropia) so that explains why it seems to be down... for now I moved it to the other remailers which don't support encrypted requests, and alphabetized the list by host. -----BEGIN PGP SIGNATURE----- Version: 2.3 iQCVAgUBLDLkCIOA7OpLWtYzAQFU+gQApPtko5koIevDJmBNo7YPkD3h6ZOybFW8 d7pzJaY6aYAN3DQUS9EHxzMiMrqNllwERvxV1+Ztr9Fgig1Ur7t/OL76WxJryV35 m+F6fOYdq5VP9j37AUr6LUXV4rg4SKcIVCip85eY6UBCLuwcio38wUSAbMbm8fP7 glUzWuSlmtI= =G7/a -----END PGP SIGNATURE----- From elee9sf at Menudo.UH.EDU Thu Jul 1 06:55:19 1993 From: elee9sf at Menudo.UH.EDU (Karl Barrus) Date: Thu, 1 Jul 93 06:55:19 PDT Subject: ANON: free speech Message-ID: <199307011355.AA09915@Menudo.UH.EDU> Wow, Here's an unfortunate case of somebody who could have used anonymous methods to protect his speech and speak without fear: Gregory Steshenko was fired from Microsoft because users on a elist he was on complained. Check out the USENET post (I saw it in alt.comp.acad-freedom.talk) but it was crossposted to zillions of groups. /-----------------------------------\ | Karl L. Barrus | | elee9sf at menudo.uh.edu | <- preferred address | barrus at tree.egr.uh.edu (NeXTMail) | \-----------------------------------/ From nobody at mead.u.washington.edu Thu Jul 1 07:49:06 1993 From: nobody at mead.u.washington.edu (nobody at mead.u.washington.edu) Date: Thu, 1 Jul 93 07:49:06 PDT Subject: REMAIL: list 7/1/93 Message-ID: <9307011448.AA57122@mead.u.washington.edu> -----BEGIN PGP SIGNED MESSAGE----- Q1: What cypherpunk remailers exist? A1: 1: nowhere at bsu-cs.bsu.edu 2: hh at cicada.berkeley.edu 3: hh at pmantis.berkeley.edu 4: hh at soda.berkeley.edu 5: 00x at uclink.berkeley.edu 6: hal at alumni.caltech.edu 7: ebrandt at jarthur.claremont.edu 8: phantom at mead.u.washington.edu 9: remailer at rebma.mn.org 10: elee7h5 at rosebud.ee.uh.edu 11: hfinney at shell.portal.com 12: remail at tamsun.tamu.edu 13: remail at tamaix.tamu.edu 14: remailer at utter.dis.org 15: remail at extropia.wimsey.com NOTES: #1-#5 no encryption of remailing requests #6-#14 support encrypted remailing requests #15 special - header and message must be encrypted together #9,#14,#15 introduce larger than average delay (not direct connect) #9,#14,#15 running on privately owned machines ====================================================================== Q2: What help is available? A2: Check out the pub/cypherpunks directory at soda.berkeley.edu (128.32.149.19). Instructions on how to use the remailers are in the remailer directory, along with some unix scripts and dos batch files. The public keys for the remailers which support encrypted remailing requests is also available in the same directory. Mail to me (elee9sf at menudo.uh.edu) for further help and/or questions. -----BEGIN PGP SIGNATURE----- Version: 2.3 iQCVAgUBLDLfl4OA7OpLWtYzAQHb8wQApHOt2pmOHoRJn7VZqUtZh3b+DLcSDI3i ReClJ//VYO2p30e5ZGlP6zhdfB0N6lbR3nK1d1u6a8hfIKM67Y9KorAgYRrIZr/n 7z/yj8mhX4FG606naDVIy0eXbwX/R5+XiYA00WQNRfhfzYdSxBibmpbdX7mFH/V+ xlkiNkCs+0E= =urKR -----END PGP SIGNATURE----- From nobody at eli-remailer Thu Jul 1 07:57:26 1993 From: nobody at eli-remailer (nobody at eli-remailer) Date: Thu, 1 Jul 93 07:57:26 PDT Subject: REMAIL: list of remailers 7/1/93 Message-ID: <9307011457.AA15378@toad.com> -----BEGIN PGP SIGNED MESSAGE----- Q1: What cypherpunk remailers exist? A1: 1: nowhere at bsu-cs.bsu.edu 2: hh at cicada.berkeley.edu 3: hh at pmantis.berkeley.edu 4: hh at soda.berkeley.edu 5: 00x at uclink.berkeley.edu 6: hal at alumni.caltech.edu 7: ebrandt at jarthur.claremont.edu 8: phantom at mead.u.washington.edu 9: remailer at rebma.mn.org 10: elee7h5 at rosebud.ee.uh.edu 11: hfinney at shell.portal.com 12: remail at tamsun.tamu.edu 13: remail at tamaix.tamu.edu 14: remailer at utter.dis.org 15: remail at extropia.wimsey.com NOTES: #1-#5 no encryption of remailing requests #6-#14 support encrypted remailing requests #15 special - header and message must be encrypted together #9,#14,#15 introduce larger than average delay (not direct connect) #9,#14,#15 running on privately owned machines ====================================================================== Q2: What help is available? A2: Check out the pub/cypherpunks directory at soda.berkeley.edu (128.32.149.19). Instructions on how to use the remailers are in the remailer directory, along with some unix scripts and dos batch files. The public keys for the remailers which support encrypted remailing requests is also available in the same directory. Mail to me (elee9sf at menudo.uh.edu) for further help and/or questions. -----BEGIN PGP SIGNATURE----- Version: 2.3 iQCVAgUBLDLfl4OA7OpLWtYzAQHb8wQApHOt2pmOHoRJn7VZqUtZh3b+DLcSDI3i ReClJ//VYO2p30e5ZGlP6zhdfB0N6lbR3nK1d1u6a8hfIKM67Y9KorAgYRrIZr/n 7z/yj8mhX4FG606naDVIy0eXbwX/R5+XiYA00WQNRfhfzYdSxBibmpbdX7mFH/V+ xlkiNkCs+0E= =urKR -----END PGP SIGNATURE----- From miron at extropia.wimsey.com Thu Jul 1 10:51:18 1993 From: miron at extropia.wimsey.com (Miron Cuperman) Date: Thu, 1 Jul 93 10:51:18 PDT Subject: REMAIL: Error reporting implemented Message-ID: <1993Jul1.172952.10775@extropia.wimsey.com> -----BEGIN PGP SIGNED MESSAGE----- I've implemented error reporting on remail at extropia. The errors are forwarded to errors at extropia.wimsey.com. This is an anon pool (=mailing list). Errors are concise, explaining what went wrong. The incoming Subject: line is used as the (sole) identifier. To subscribe to the error list, send 'subscribe' on the subject line to errors-request at extropia.wimsey.com. For help, send 'help'. - -- Miron Cuperman | NeXTmail/Mime ok Unix/C++/DSP, consulting/contracting | Public key avail AMIX: MCuperman | Laissez faire, laissez passer. Le monde va de lui meme. -----BEGIN PGP SIGNATURE----- Version: 2.2x iQCVAgUBLDMe6pNxvvA36ONDAQHgzwP+J3ra5Z/c8WpNgMlnlfnyAbvLbi8SHgsD HkWHzWr1et+3CP8mt+F/esDIQLmJZuHp+ulZsMowunVdNvfQQy/UU1jeMsepijkJ 2fqIJTjddAgdxs6cIPeZbEHjwFUbfGers5swH7aVe/NM2/W+38zGn3XzdOKHJMly 9llSzJ9K+CA= =V+9b -----END PGP SIGNATURE----- From jet at nas.nasa.gov Thu Jul 1 11:41:53 1993 From: jet at nas.nasa.gov (J. Eric Townsend) Date: Thu, 1 Jul 93 11:41:53 PDT Subject: ANON: free speech In-Reply-To: <199307011355.AA09915@Menudo.UH.EDU> Message-ID: <9307011841.AA01966@boxer.nas.nasa.gov> This is not an official NASA document, nor does it in any way reflect any of NASA's opinions, actions or views. Karl Barrus writes: > Gregory Steshenko was fired from Microsoft because users on a elist > he was on complained. Check out the USENET post (I saw it in > alt.comp.acad-freedom.talk) but it was crossposted to zillions of > groups. This sort of thing happens all the time, actually. A close friend of mine was put on an 'employee improvement plan' (the first step to being fired, actually) because she read/posted to rec.pets.cats. Upon closer examination by her grandboss and subsequent review of her actions before, during and after the plan, it was determined that the action was taken for political reasons. (ie: her boss was looking for a reason to get rid of her because they had a personal conflict). In other words, if they want to fire you, they'll look for a reason. I could be fired for sending this message, if someone wanted to push the issue and my bosses didn't like me. As it is, they do like me, and I do a very good job, so the worst that would happen (first iteration) is an official direction to stop contributing to the cypherpunks list from my work machine. (non-work related use of my government machine.) From fnerd at smds.com Thu Jul 1 13:29:19 1993 From: fnerd at smds.com (FutureNerd Steve Witham) Date: Thu, 1 Jul 93 13:29:19 PDT Subject: Boston cpunx mtg Jul 10? Message-ID: <9307012015.AA22920@smds.com> A good time for the Next Boston area Cypherpunks meeting would be the second saturday of July--july 10, at 6 PM EDT. At least that would be good for me, and easy to remember since it's the canonical time... -fnerd quote me From ftgcorp!dan at uunet.UU.NET Thu Jul 1 13:47:17 1993 From: ftgcorp!dan at uunet.UU.NET (Dan Veeneman) Date: Thu, 1 Jul 93 13:47:17 PDT Subject: Clipper article (and an OCR check) Message-ID: Cypherpunks, This may be old news to most of you, but I just got my HP ScanJet IIc working with Caere's OmniPage Pro 2.1, and thought I'd scan this in to give it a try. Note to D.C. Cypherpunks (or anyone else, for that matter): I'll be happy to scan any documents or newsclippings you send my way. I'm located in Columbia, Maryland. I'm reachable by UUCP e-mail at uunet!anagld!ftgcorp!dan. >From Network World, issue date May 31, 1993. OPINIONS SECURITY PERSPECTIVES BY MICHEL KABAY Vigilance is needed to keep Clipper Chip in check Last month, the federal government endorsed a new encryption technology based on the Clipper Chip. The Clipper Chip will give federal agencies a key to unlock users' encrypted voice and data communications. Network users can live with this situation, but only if they're vigilant about preventing any attempt to make the Clipper Chip the only legal encryption mechanism available in the U.S. The Clipper Chip will serve some legitimate needs. As the U.S. builds its National Information Infrastructure, increasing amounts of data will flow electronically throughout the nation. Users will need encryption to protect their sensitive data. In a multivendor world, having a common encryption standard, such as the Clipper Chip, will simplify protection so users won't even notice their communications being encrypted. However, users have many questions and concerns about the Clipper Chip, as well. Internet users are curious about how the chip was developed: specifically, what companies and individuals were consulted and how the initial manufacturer, Mykotronx, Inc. of Torrance, Calif., was selected. This information might cast light on the quality of the chip and the price to be charged. Internet users also wonder why the algorithm is being kept secret. Without free access to the algorithm, many argue, the scientific community will not be sure that the algorithm actually functions as claimed. Defenders of the plan point to a proposed examination by selected experts, but any closed process leaves open the question of whether there is a back door to decryption. A major user concern involves key escrow, which is at the heart of the administration's proposal. Government agencies would hold pairs of incomplete decryption keys for every Clipper Chip installed in the U.S. To decrypt private communications, a government agency would need to get a warrant to obtain the two parts of the decryption key. INSET: Clipper Chip will give federal agencies a key to users' encrypted communications Anyone who discovers the key pairs for a specific Clipper Chip could decode all encrypted communications initiated by that device, even after the warrant expires. Therefore, the trustworthiness of the key escrow agencies is crucial to avoid abuses of the decryption keys. The partial keys might be stored in databases or generated by black-box decryption devices. Any party involved in creating these databases or devices would be a vulnerable point in the control over decryption. It would be valuable to know whether the federal government has studied the risks and estimated the costs of providing adequate protection. If so, many users would want to evaluate such studies independently. Key escrow for foreign purchasers of the Clipper Chip and for foreign manufacturers will also cause problems. If other countries use the technology and have all the keys in escrow, U.S. users may find their own security compromised by legal systems beyond their control. But the biggest concern regarding this technology is that it could lead to a ban on all unauthorized encryption technology in the U.S. A few years from now, anyone using a non-Clipper Chip encryption method could be assumed to be engaging in crime. Political pressure to ban all non-Clipper Chip encryption could become intense. Making non-Clipper Chip encryption illegal would lead to enforcement problems. Applying the technology only to voice transmissions would raise the popularity of data transmission -- that is, digitally encoded voice file transfers. So it would have to be applied to data, too. But failure to produce clear text using the Clipper Chip decryption could be construed as evidence of illegal encryption, even if the original data stream was not, in fact, interpretable. The prospect of astronomers being arrested because law enforcement officials couldn't make sense of their data on elemental composition of supernovas is pretty funny--if you like that kind of joke. I urge all users to fight any attempt to make the Clipper Chip the only legal encryption mechanism in the U.S. For further developments in the ongoing debate, users should follow the dialogues on the Internet in the Risks forum, the Privacy forum and the new alt.privacy.clipper news group. END Kabay is director of education with the National Computer Security Association in Carlisle, Pa. He can be reached at (717) 258-1816 or on the Internet at 75300.3232 at compuserve.com. -- dan at ftgcorp.UUCP (Dan Veeneman) Fountainhead Title Group From warlord at MIT.EDU Thu Jul 1 13:52:48 1993 From: warlord at MIT.EDU (Derek Atkins) Date: Thu, 1 Jul 93 13:52:48 PDT Subject: Boston cpunx mtg Jul 10? In-Reply-To: <9307012015.AA22920@smds.com> Message-ID: <9307012052.AA09872@toxicwaste.MEDIA.MIT.EDU> I'm probably going to be out of town that weekend, so I can't organize things.. If someone else wants to organize, feel free. Otherwise, I can probably work on organizing the weekend after for this month, assuming people have things they want to talk about and can generate a meeting agenda. I havent had an agenda, which is why I havent called a meeting since the last one in April. Also, I've been busy on my Thesis. ;-) -derek From pbreton at cs.umb.edu Thu Jul 1 14:19:28 1993 From: pbreton at cs.umb.edu (Peter Breton) Date: Thu, 1 Jul 93 14:19:28 PDT Subject: Boston cpunx mtg Jul 10? In-Reply-To: <9307012052.AA09872@toxicwaste.MEDIA.MIT.EDU> Message-ID: The weekend after the 10th (the 17th) would also be better for me. Has Derek or anybody else still got the email addresses of the people who attended last time? ------------------------------------------------------------------------- Peter Breton pbreton at cs.umb.edu PGP key by finger ====================== ================================================== From marc at GZA.COM Thu Jul 1 14:32:44 1993 From: marc at GZA.COM (Marc Horowitz) Date: Thu, 1 Jul 93 14:32:44 PDT Subject: Boston cpunx mtg Jul 10? In-Reply-To: <9307012015.AA22920@smds.com> Message-ID: <9307012132.AA09157@dun-dun-noodles.aktis.com> >> A good time for the Next Boston area Cypherpunks meeting would be >> the second saturday of July--july 10, at 6 PM EDT. >> >> At least that would be good for me, and easy to remember since it's >> the canonical time... I'll be out of town for IETF. Since I'll be attending a DigiCash technical presentation (by David Chaum) and a new "Internet Mercantile Protocols" BOF session, I think I'll have something to offer the group :-) I return on the 18th. But my mother's birthday is the next weekend. Damn. I hate scheduling. Maybe we should just have an August meeting, too :-) Is anybody else here going to IETF? I'd like to meet up with anyone who is. Marc From ejf at world.std.com Thu Jul 1 14:39:35 1993 From: ejf at world.std.com (Eric J Fogleman) Date: Thu, 1 Jul 93 14:39:35 PDT Subject: Boston cpunx mtg Jul 10? In-Reply-To: <9307012015.AA22920@smds.com> Message-ID: On Thu, 1 Jul 1993, FutureNerd Steve Witham wrote: > > A good time for the Next Boston area Cypherpunks meeting would be > the second saturday of July--july 10, at 6 PM EDT. > > At least that would be good for me, and easy to remember since it's > the canonical time... > > -fnerd > quote me Not a good time for me -- I'll be out of town... Any Saturday from 7/24 on is ok w/ me. Eric ===================================================================== ejf at world.std.com 1 Concord Sq #4, Boston, MA 02118 From 72114.1712 at CompuServe.COM Thu Jul 1 18:06:47 1993 From: 72114.1712 at CompuServe.COM (Sandy) Date: Thu, 1 Jul 93 18:06:47 PDT Subject: CLIPPER IN SCIENCE NEWS Message-ID: <930702010048_72114.1712_FHF46-1@CompuServe.COM> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SANDY SANDFORT Reply to: ssandfort at attmail.com . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Punksters, I have missed some messages because of a computer problem. Perhaps someone has already mentioned or reprinted an article by Ivars Peterson ("Encryption Controversy -- A Fierce Debate Erupts over Cryptography and privacy") about the Clipper, Capstone, et al. in June 19 issue of SCIENCE NEWS. If not, I would be willing to transcribe the article into ASCII and upload it to the list if enough folks are interested. S a n d y >>>>>> Please send e-mail to: ssandfort at attmail.com <<<<<< ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From mdiehl at triton.unm.edu Thu Jul 1 21:53:25 1993 From: mdiehl at triton.unm.edu (J. Michael Diehl) Date: Thu, 1 Jul 93 21:53:25 PDT Subject: PGP and offline-readers In-Reply-To: <2C31A670@kailua.colorado.edu> Message-ID: <9307020453.AA23579@triton.unm.edu> According to James Still: > > >> I am getting involved in networking some local BBS' and > >> message bases. > > The unique feature about CryptoBBS is it's "Post Office." The > P.O. allows callers to set up a p.o. box from which they can > up/download any file (pgp encrypted files for instance) to any > other user on the board without the sysop's approval/knowledge. > It encourages and nurtures an anonymous "mail drop" community > while protecting the caller's privacy. Be carefull! Remember that you may be held accountable for ANYTHING found on your BBS. If someone uses your board to trade credit card numbers..... See ya! > The question is, should I throw away the virtues of a lean 'n mean > app at 80K by adding a dolphin or pgp to it that automatically > encrypts the message base, uploaded messages, etc? Should > we give the BBS caller a little credit and assume he knows to > encrypt at his own machine before uploading the text? Or is > the temptation to make everyone *lick and seal their message > envelopes* too invasive? Typically, you want to assume that user knows NOTHING! You design your user- interface accordingly..... I know it sounds insulting but if this attitude makes your stuff easier to use....what do you care? +-----------------------+-----------------------------+---------+ | J. Michael Diehl ;-) | I thought I was wrong once. | PGP KEY | | mdiehl at triton.unm.edu | But, I was mistaken. |available| | mike.diehl at fido.org | | Ask Me! | | (505) 299-2282 +-----------------------------+---------+ | | +------"I'm just looking for the opportunity to be -------------+ | Politically Incorrect!" | +-----If codes are outlawed, only criminals wil have codes.-----+ +----Is Big Brother in your phone? If you don't know, ask me---+ From zane at genesis.mcs.com Thu Jul 1 22:36:40 1993 From: zane at genesis.mcs.com (Sameer) Date: Thu, 1 Jul 93 22:36:40 PDT Subject: Junk email/encrypted return-path-blocks Message-ID: I've been recently working at the direct-mail place putting rubber bands around mass mailings of junk mail (ah, the wonders of being a poor soon-to-be college student), which got me thinking about electronic junk mail and how such a thing can be avoided. In rl, you can go to the store, buy a product with cash, and you're not put on their mailing list. Buying via mail order, using check/credit-card, etc., requires that they get your address so they can put you on their mailing list, compile statistics about who you are, etc., as we all know. Now, over the net, suppose I wanted to buy an email product. I'd pay for it with digital cash, communicating with the vendor through the anonymous remailers. Now I see a problem in how the vendor will deliver the product. Obviously I can give the vendor my email address encrypted with the remailer's public keys, so the vendor still doesn't know who I am. But the vendor can still keep a database of address-blocks and which address blocks go with which purchases. Then the vendor can compile her mailing list of address blocks, and even *sell* this list to others, with product purchase history. Even though the junk-mailers don't know who I am, they can still flood my box with email. I thought of two possible solutions. The first solution I thought of requires a great deal of bandwidth. The vendor could simply post publicly (to usenet or something) the product I wanted, encrypted with my public key. (Rather, a public key I created just for this venture with a psuedonym so that none could see that it was I who was buying from the vendor.) The bandwidth for this thing would be incredible. The second solution I thought of seems like it would work. When I create the return-address block, it can be given some sort of ID-code (again, like with my other idea posted, similar to the ID-code on peices of Digicash in Chaum's scheme) so when the vendor delivers the product, she sends to encrypted block to the remailer, and the remailer forwards the product to me, and stores the ID-code in its database (doing the proper one-way transformation for untraceability) so that further attempts to use the exact same address-block will be noticed and not delivered. I also thought of creating a digicash like entity, a currency to pay for remailer transactions, so that sending junk mail through a remailer would be prohibitively expensive. It will probably happen anyway once we near the goal of full crypto-anarchy that most remailers will not operate without a fee, while the scheme I present above seems like it would work with both free remailers and those which charge for usage. (And a charge on a remailer which agrees with the market probably won't be high enough to stop a really rich junk mailer from spending the cash on junk mailings.) -- | Sameer Parekh-zane at genesis.MCS.COM-PFA related mail to pfa at genesis.MCS.COM | | Apprentice Philosopher, Writer, Physicist, Healer, Programmer, Lover, more | | "Symbiosis is Good" - Me_"Specialization is for Insects" - R. A. Heinlein_/ \_______________________/ \______________________________________________/ From fergp at sytex.com Fri Jul 2 00:13:18 1993 From: fergp at sytex.com (Paul Ferguson) Date: Fri, 2 Jul 93 00:13:18 PDT Subject: The last word? (forwarded article) Message-ID: <6XL26B1w165w@sytex.com> I took a few minutes (quite a few) and commited this to bidgets. I hope you folks take this as seriously as I do. Cheers. BoardWatch Magazine July 1993 pages 43 - 46 Steve Jackson Games v. US Secret Service by Peter D. Kennedy On March 12, 1993, a federal judge in Austin, Texas decided that the US Secret Service broke the law when it searched Steve Jackson Games Inc., and seized its bulletin board system and other computer equipment. The decision in this case has been long-awaited in the computer world, and most observers have hailed it as a significant victory for computer user's freedom and privacy. I had the fortune to be one of the lawyers representing Steve Jackson and his co-plaintiffs. During the course of the lawsuit, I met many people passionately interested in the issues the case raised. I watched and listened to the discussions and arguments about the case. I've been impressed by the intelligence of the on-line world, and the interest that computer enthusiasts show -- especially computer communications enthusiasts -- in the law. I've also been impressed and distressed at how the Net can spontaneously generate misinformation. Steve Jackson has spent untold hours correcting errors about him, his company, and the case on both the Net and more traditional news media. The decision in the Steve Jackson Games case is clearly a significant victory for computer users, especially BBS operators and subscribers. I hope to give a simple and clear explanation for the intelligent non-lawyer of the legal issues raised by the case, and the significance and limitations of the court's decision. The facts. By now, most people interested in the case are familiar with the basic facts: On March 1, 1990, the Secret Service, in an early-morning raid, searched the offices of Steve Jackson Games. The agents kept the employees out of the offices until the afternoon, and took the company's BBS -- called "Illuminati" -- along with an employee's work computer, other computer equipment, and hundreds and hundreds of floppy disks. They took all the recent versions of a soon-to-be-published game book, "GURPS Cyberpunk," including big parts of the draft which were publicly available on Illuminati. On March 2, Steve Jackson tried to get copies of the seized files back from the Secret Service. He was treated badly, and given only a handful of files from one office computer. He was not allowed to touch the Illuminati computer, or copy any of its files. Steve Jackson Games took a nosedive, and barely avoided going out of business. According to Jackson, eight employees lost their jobs on account of the Secret Service raid, and the company lost many thousands of dollars in sales. It is again a busy enterprise, no thanks to the Secret Service (although they tried to take credit, pointing to the supposedly wonderful publicity their raid produced.) After months of pestering, including pressure by lawyers and Senator Lloyd Bentson (now, as Treasury Secretary, the Secret Service's boss) the Secret Service returned most of the equipment taken, some of it much the worse for wear. By then, Steve Jackson had restarted Illuminati on a different computer. When the old Illuminati computer was finally given back, Jackson turned it one -- and saw that all the electronic mail which had been on the board on March 1 was gone! Wayne Bell, WWIV developer and guru, was called in. He gave us invaluable (and free) help evaluating the condition of the files. He concluded, and testified firmly at trial, that during the week of March 20, 1990, when the Secret Service still had Illuminati, the BBS was run, and every piece of e-mail was individually accessed and deleted. The Illuminati files the Secret Service had returned to Steve Jackson left irrefutable electronic traces of what had been done -- even I could understand how the condition and dates of the e-mail files showed what had happened, and when. The lawsuit. Suing the federal government and its agents is never a simple thing. The United States can only be sued when it consents. Lawsuits against individual agents face big legal hurdles erected to protect government officials from fear off a tidal wave of lawsuits. Amazing as it may sound, you cannot sue the United States (or any federal agency) for money damages for violating your constitutional rights. You can sue individual federal agents, though. If you do, you have to get past a defense called "qualified immunity" which basically means you have to show that the officials violated "clearly established" constitutional law. For reasons I can't explain briefly, "qualified immunity" often creates a vicious circle in civil rights litigation, where the substance of constitutional law is never established because the court never has determine the Constitution's scope, only whether the law was "clearly established" at the time of the violation. The strongest remedies for federal over-stepping are often statutes which allow direct suit against the United States or federal agencies (although these are less dramatic than the Constitution). Fortunately, these statutes were available to Steve Jackson and the three Illuminati users who joined him in his suit against the Secret Service. The legal claims. The Steve Jackson Games case was a lot of things to a lot of people. I saw the case as having two basic goals: (1) to redress the suppression of the public expression embodied in Steve Jackson's publications (including his publication via BBS) and thereby compensate the company for the damage unnecessarily done by the raid, and (2) to redress the violation of the privacy of the BBS users, and the less tangible harm they suffered. The individual government agents involved in the raid were sued for constitutional violations -- the First and Fourth Amendments. The Secret Service was sued under two important laws which embody the same principles as the First and Fourth Amendments -- the Privacy Protection Act of 1980 and provisions of the Electronic Communications Privacy Act of 1986. There were other claims, but these were the core. After the case was pending a year and a half and all discovery completed, the government moved to have thee claims dismissed, claiming qualified immunity. This motion (usually brought early in a case) guaranteed that the trail would be delayed by over a year, because even if the government lost its motion, the individuals could immediately appeal. In December, 1992, the tactical decision was made to drop those claims, rather than suffer the delay, and proceed promptly to trail on the claims against the Secret Service itself. The Privacy Protection Act of 1980. In the late 1970's the Stanford Daily was subjected to a fishing expedition by police officers in the Stanford Daily's newsroom. The police were looking for notes and photos of a demonstration the newspaper had covered for a story, hoping the newspaper's files would identify suspects. The Supreme Court held in 1979 that the newspaper had no separate First Amendment right protecting it from searches and seizures of its reporters notes and photographs if they were "evidence" of a crime the paper had covered -- even when the newspaper was not under any suspicion itself. Congress responded in 1980 with the Privacy Protection Act, which, until Steve jackson came along, was distinguished mostly by its lack of interpretation by courts. The Act's wording is rather obtuse, but basically it enacts a "subpoena only" rule for publishers -- law enforcement officials are not allowed to search for evidence of crimes in publisher's offices, or more accurately, they may not "search for or seize" publishers' "work product" or "documentary materials", essentially draft of publications, writer's notes, and such. To get such material, the police must subpoena them, not with the much more disruptive search warrant. Every BBS sysop should read this act, located at 42 U.S.C. 2000aa in the law books, because I can't fully explain it here. The Act is quite broad, protecting from searches and seizures the work product and commentary materials of anyone who has "a purpose to disseminate to the public a newspaper, book, broadcast, or other similar form of public communication..." It also has a big exception -- if the publisher is the person suspected in the criminal investigation. The Electronic Communications Privacy Act. Two provisions of the Electronic Communications Privacy Act (or ECPA) were paramount in the suit. The plaintiffs claimed the Secret Service violated two provisions -- one prohibiting unjustified "disclosure and use" of e-mail (18 U.S.C. 2703; the other prohibiting "interception" of e-mail (18 U.S.C. 22511(1)). The parties' positions were fairly simple, and laid out well before trail. As for the Privacy Protection Act, Steve Jackson claimed that his company's publication, both in book form and on Illuminati, were obviously "work product" protected by the Act, and the government had no right to seize them, and therefore owed him money for the damages the raid caused his business. The government replied claiming that (1) Steve Jackson Games' products are not the type of publications protected by the PPA; and anyway, (2) the Secret Service didn't know that Steve Jackson Games was a publisher when it raided its offices; and even then, (3) the Secret Service didn't mean to take the books, the books just came along when the computers and disks were taken. As for the e-mail, Steve Jackson and the other BBS users claimed that the seizure, disclosure, and deletion of the e-mail was both an unlawful "disclosure and use," and an "interception" of electronic communications in violation of the ECPA. The Secret Service replied that (1) there was no "interception" because the e-mail was just sitting there on the hard drive, not moving; and (2) the Secret Service didn't read the mail, but if it did, it was acting on good faith, because it had a search warrant authorizing it so seize Steve Jackson Games' "computers" and read their contents. The trial. When the individual defendants were dropped, the case quickly went to trail. The plaintiffs opened their case on January 29, 1993. The trail took the better part of four days; the witnesses included now-familiar names: Timothy Foley and Barbara Golden of the Secret Service, William Cook, formerly of the U.S. Attorney's office in Chicago, Henry Kluepfel of Bellcore, Steve Jackson and the BBS users Elizabeth McCoy, Walter Milliken and Steffan O'Sullivan, and WWIV master Wayne Bell. At trail, Judge Sparks was introduced to the labyrinthine E911 investigation. We also set up and ran Illuminati as it looked on March 1, 1990, and Steve Jackson walked Judge Sparks through his BBS, lingering on discussion areas such as "GURPS Old West" to give the Judge a taste of the scope and breadth of BBS publication and communications which the Secret Service had shut down. The judge had appeared upset by the callous and suspicious manner in which the Secret Service had treated Steve Jackson, and with the Service's apparent disregard for the effects the raid might have on the company. The decision. Judge Sparks decided the case in February, 1993, in a long written opinion. The full text of the opinion is available on the Internet at ftp.eff.org, and on Illuminati itself (512-447-7866). I recommend all sysops and BBS users to read it, as it is one of the very few legal rulings specifically addressing bulletin boards and electronic mail. First, the bad news: Judge Sparks accepted the government's argument that the seizure of the BBS was not an "interception" of the e-mail, even mail that had not yet been read. Essentially, he decided that the definition of "interception" implicitly means "contemporaneously with the transmission"; that is, for there to be an interception, the government must position itself in the data stream. like a conventional wiretap. Since the e-mail was temporarily stored on the BBS hard drive, he held there was no contemporaneous interception. Ruling that there was no interception means two things. First, the plaintiffs did not receive the $10,000 minimum damages a violation of the "interception" law provides, even though the judge found the Secret Service had not acted in good faith. More importantly, it lowers the standard for seizing BBS e-mail -- and threatens to lower the standard for the seizure of all electronic communications which reside long enough in computer memory to be seized (which is most all computer communications, as far as I understand it). To "intercept" wire communications you need a court order, not just a routine search warrant. This ruling (which technically only applies in Western District of Texas) means law enforcement is not limited in its seizure of BBSs by the higher standards required of wire-tapping. Now, the good news: the plaintiffs won the "disclosure and use" argument under the ECPA, getting back most of what was lost in the "interception" decision. First, Judge Sparks found the obvious: that while the Secret Service had Illuminati they or their agents read and deleted all the e-mail on Illuminati, including the plaintiffs' mail -- persons the Secret Service admittedly having no reason at all to suspect of any illegal activity. Next, he rejected the Secret Service's argument that its agents were acting in "good faith." While he didn't list all the reasons, quite a few are supported by the evidence: the Secret Service's investigation was "sloppy", he said, and there was no attempt to find out what Steve Jackson Games did as a business; the Secret Service was told the day of the raid that the company was a "publisher," and refused to make copies or return files for months after they were done reviewing them; and the Secret Service apparently allowed the private mail of dozens of entirely innocent and unsuspecting people to be read and trashed. The judge ruled that Steve Jackson, his company, and the three Illuminati users who joined Jackson in the suit were each entitled to an $1,000 award from the government, as provided by the ECPA. The Privacy Protection Act was pretty much a clean sweep. While the judge and Steve Jackson still differ over how much money the raid cost the company, the court's ruling was squarely in Jackson's favor on the law. Although unconventional, the court found that Steve Jackson Games' publications were clearly covered by the Act, should not have been seized, and should have been promptly returned. At trail, the Secret Service agents had freely admitted they knew nothing about the Act. Former U.S. Attorney William Cook claimed he knew about it before the raid, but decided (without any investigation) that Steve Jackson Games wasn't covered. The Privacy Protection Act (unlike the ECPA) allows no "good faith" excuses, anyway, and since the Secret Service was repeatedly told on March 1 and afterwards that the company was a publishing business there was no defense for the seizure of "GURPS Cyberpunk" or the other book drafts. Most of the over $50,000 awarded in damages was due to the violation of the Privacy Protection Act. Steve Jackson Games publishes traditional books and magazines, with printed paper pages. Is the BBS operator who publishes only on-line articles protected, too? It's a question Judge Sparks did not need to address directly, but his opinion can and should be read to include the on-line publisher. The court's opinion includes the BBS files as material improperly seized, and the Act specifically includes work product in electronic form. Publishing via BBSs has become just like publishing a "newspaper, book, or other form of publication..." -- the only source of news many people get. If the Privacy Protection Act is broadly understood to encompass electronic publishing (as it should) it should provide meaningful protection to innocent sysops whose boards may be used by some for illegal purposes. It should prevent the "preventative detention" of BBSs -- where boards are seized in investigations and held indefinitely -- which seems to be one crude means used to attack suspected criminal activity without bothering to actually prosecute a case. It should also force law enforcement to consider who the actual suspect is -- for instance, in the recent spate of seizures of BBSs for suspected copyright violations. The Privacy Protection Act should prevent law enforcement from seizing a sysop's board who is not suspect in engaging or condoning illegal activity. Those of you who have followed this case will note how little significance I've given to the "Phrack" investigation and the overvaluation of the E911 document. Of course the Secret Service misunderstood or exaggerated the importance of the purloined E911 document, and were chasing imaginary goblins. The real significance of the Steve Jackson Games case, however, was not knocking holes in that one investigation (the Neidorf trail effectively did that), but taking a solid step to set firm, discernible limits for criminal investigations involving computer communication. To focus on the specific foibles of the E911 investigation is to miss the importance of what the Secret Service really did wrong. Out of ignorance or callousness, they ignored the legal rights of people not even suspected of crimes; people who simple shared common electronic space. There are and will continue to be legitimate computer-crime investigations. The closeness that people live in Cyberspace, though, means the government must learn ways to conduct investigations without violating the rights of all the innocent members of the on-line community. In March 1990, the Privacy Protection Act said that Steve Jackson could write and publish his books without having them seized; the Secret Service didn't know that. In 1990, the Illuminati users had the right not to have their e-mail seized and read without at least being suspected of a crime; the Secret Service apparently didn't know that, either. Now they do, and hopefully the word will spread to other government agencies, too. (As of this writing, there is still no decision whether the Secret Service (or Steve Jackson, for that matter) will appeal Judge Spark's decision.) [Peter D. Kennedy is an associate with the Austin, Texas law firm of George, Donaldson & Ford, specializing in civil litigation. George, Donaldson & Ford represents national media, technology and other corporate and individual clients in a variety of civil litigation, including libel and invasion of privacy defense, constitutional law, intellectual property, commercial and employment litigation. George, Donaldson & Ford, 114 W. 7th Street, Suite 100, Austin, Texas 787001; (512) 495-1400 voice; (512) 499-0094 fax; E-mail: gdf.well.sf.ca.us] Paul Ferguson | "Confidence is the feeling you get Network Integrator | just before you fully understand Centreville, Virginia USA | the problem." fergp at sytex.com | - Murphy's 7th Law of Computing Quis Custodiet Ipsos Custodes? From newsham at wiliki.eng.hawaii.edu Fri Jul 2 11:24:10 1993 From: newsham at wiliki.eng.hawaii.edu (Timothy Newsham) Date: Fri, 2 Jul 93 11:24:10 PDT Subject: PGP and offline-readers In-Reply-To: <9307020453.AA23579@triton.unm.edu> Message-ID: <9307021824.AA00266@toad.com> I think a good idea for offline readers would be to build ontop of currently implemented protocols. One protocol worth mentioning is IMAP2. Right now IMAP2 usually runs over TCP but there is no reason why it couldn't run over a serial channel instead (SIMAP :) It allows for remote access to mailboxes from a mail server, and also remote access to builitin-board messages (ie. USENET). There are several packages in development or already in use that use IMAP. PINE for unix's and soon to be available for DOS machines supports IMAP access. PINE also supports MIME and could be extended nicely to handle automatic PGP encryption/decryption of mail (or en/de- cryption with other crypto-systems). Macintosh already has a mailer supporting IMAP, the name eludes me at the moment. The mailers in existence are written for TCP and would have to be modified for use over the serial line, perhaps with a pseudo-packet driver in the dos case. I think this type of solution would be much cheaper and much more feature filled than starting from scratch. Tim N. From 72114.1712 at CompuServe.COM Fri Jul 2 12:15:00 1993 From: 72114.1712 at CompuServe.COM (Sandy) Date: Fri, 2 Jul 93 12:15:00 PDT Subject: CLIPPER IN SCIENCE NEWS Message-ID: <930702190909_72114.1712_FHF95-1@CompuServe.COM> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SANDY SANDFORT Reply to: ssandfort at attmail.com . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . As requested by some of you, here is the encryption article that appeared in the 19 June issue of SCIENCE NEWS. It's copied without permission, for personal use of list members only, blah, blah, blah. S a n d y * * * * * * * ENCRYPTION CONTROVERSY A fierce debate erupts over cryptography and privacy by Ivers Peterson With a little encryption to hide their words, Prince Charles and Princess Diana might never have suffered the embarrassing spectacle of having transcripts of their private telephone conversations splashed across the front pages of newspapers around the world. The royal couple has not been alone in learning the painful lesson that modern technology has made eavesdropping -- whether officially sanctioned, inadvertent, or illegal -- remarkably easy. Today, cellular and cordless telephones transmit conversations via radio waves that can be readily intercepted. Electronic-mail messages pass openly from one computer to another across a network accessible to innumerable people. "We take for granted that by sealing the envelope or closing the door, we can achieve privacy in our communications," says Whitfield Diffie of Sun Microsystems in Mountain View, Calif. "The challenge of modern security technology is to transplant these familiar mechanisms from the traditional world of face-to-face meetings and pen-and-ink communications to a world in which digital electronic communications are the norm and the luxury of personal encounters or handwritten messages [is] the exception." Modern technology has provided a solution in the form of sophisticated schemes for encrypting digitized sounds and text. Only a recipient with the proper key for unlocking the secret code can hear or read the otherwise unintelligible, encrypted string of digits. Nonetheless, few telephones and computers used by the general public come equipped with either software or micro-electronic circuitry for encrypting speech or text. Indeed, some critics charge that the U.S. government has actively discouraged wide dissemination of cryptographic technology. "Conflicting signals from a succession of administrations have led many to be very confused as to what U.S. citizens have a right to expect from cryptographic technologies and what capabilities the U.S. government would prefer its citizens have available," says Stephen T. Walker, president of Trusted Information Systems, Inc., in Glenwood, Md. . . . In April, the Clinton administration added a new ingredient that set the cryptographic-policy pot boiling. The White House proposal called for the adoption of a novel encryption scheme as a federal standard. It would incorporate a "front door" through which properly authorized government officials could readily decrypt intercepted messages for reasons of law enforcement or national security. the proposal ignited a firestorm of protest from large segments of the computer community. Since then, angry debate over this issue and the more general question of privacy in an electronic age has dominated discourse on many electronic bulletin boards, where individuals can post their queries and opinions on a smorgasbord of concerns. "Not everybody is saying this is terrible, terrible, terrible, but nobody is happy about it," Walker says. The list of dissatisfied parties ranges from major computer manufacturers and telephone companies to privacy activists belonging to organizations such as the Electronic Frontier Foundation and Computer Professionals for Social Responsibility. The administration's scheme has also attracted congressional scrutiny and focused attention on the need to formulate a coherent national cryptographic policy. Many see the resolution of privacy issues as one of the key elements in developing a national information infrastructure, which would allow anyone using a networked computer unprecedented access to libraries, data repositories, and other information sources throughout the United States. "Recent years have seen a succession of technological developments that diminish the privacy available to the individual," Diffie stated last month in testimony before the House science subcommittee. "Cryptography is perhaps alone in its promise to give us more privacy rather than less. But here we are told that we should forgo this technical benefit and accept a solution in which the government will retain the power to intercept our ever more valuable and intimate communications." . . . For many decades, cryptography remained largely a government matter -- an arcane discipline of interest to military organizations and to the secretive National Security Agency (NSA), which routinely monitors foreign communications. But the subject also captured the attention of a few enthusiasts outside government. In the 1970s, the development of electronic communication via the first national computer networks spurred these people to look for ways to protect information in this new, wide-open environment. In 1975, Diffie, working with computer scientist Martin E. Hellman of Stanford University, invented a novel, revolutionary cryptographic technique now know as public-key cryptography. Developed entirely outside of government, it offered a high level of security and privacy to any individual using the system. In conventional cryptographic schemes, the user typically has a "key" that changes all the digits of a message into an unintelligible string. The recipient then uses the same key to unscramble the code and read the message. In a public-key system, the user has one key -- kept secret -- encrypting the message and the recipient has a different but mathematically related key to decrypt the message. There's no need to keep the second key secret because, in principle, there should be no way to figure out the private key from knowledge of the public key. This, everyone has a private key and a public key, which they can then use to encrypt or decrypt messages. Almost simultaneously, the U.S. government offered an alternative, single-key method known as the Data Encryption Standard (DES), for coding information. Although experts outside of government initially harbored suspicions that the NSA had deliberately weakened the scheme to make code-breaking easier, 15 years of concerted effort to find flaws have failed to turn up any serious problems. Many banks and other institutions now routinely use this technique to maintain the confidentiality and integrity of communications involving financial transactions and other matters. . . . One of the first hints of something new in the works came early this year. Last fall, Walker heard about a new AT&T telephone equipped with a lightweight electronic device, basd on DES, for turning a telephone signal into a digital stream of encrypted information. He ordered five of these secure telephones for his business. In January, AT&T representatives told Walker they could only loan him the telephones he wanted; something better would become available in April, they said. Walker noticed they no longer mentioned DES as the encryption scheme. "So I knew there was something coming," Walker says. "But I didn't know what the details were." When the White House announcement finally came, the details caught just about everyone in the computer community by surprise. In essence, the proposed "key-escrow" technology takes the form of two specially fabricated, tamper-resistant integrated-circuit chips -- one, known as Clipper, for encrypting digital telephone signals and another, known as Capstone, for encrypting the output of computers. Information from any telephone or computer would pass through the chip to be encrypted, and a corresponding chip attached to the recipient's telephone or computer would decipher the message. However, the scheme is designed to include another key, divided into two parts, that when reconstituted will also unlock the message. The administration's plan is to deposit these pieces -- unique to each chip -- in two separate, secure databases. The two pieces of a particular key would be released only to officials at such agencies as the Federal Bureau of Investigation who are authorized to tap a particular telephone line. This technology improves "the security and privacy of telephone communications while meeting the legitimate needs of law enforcement," the White House stated in announcing the Clipper chip. "The effect," says Diffie, "is very much like that of the little keyhole in the back of the combination locks used on the lockers of schoolchildren. The children open the locks with the combination, which is supposed to keep the other children out, but the teachers can always look in the lockers by using the key." "Because the key-escrow chip enables lawful interceptions, the government for the first time in history is in a position to promote encryption without putting public safety at risk," says Dorothy E. Denning, a cryptography expert at Georgetown University in Washington, D.C. "As a result of the government's efforts, I expect to see greater use of encryption and, consequently, greater protection of sensitive communications." Administration officials insist the Clipper-Capstone scheme is voluntary. Initially, only certain departments and agencies of the government will be required to use it. But clearly, the administration hopes that various companies will start incorporating this technology into commercial products, at first to supply the government market and then to meet the security needs of businesses and private individuals. This approach puzzles many observers. "If you're not going to force it on people, then it's going to be largely irrelevant for the computer community," says Walker. "DES and RSA [a public-key cryptosystem] are already so widely used in software versions that most users will not even consider converting to Clipper or Capstone, simply because of the additional hardware expense." "Anyone who is seriously seeking to protect sensitive information will use alternative methods, either instead of or in addition to the Clipper-Capstone chips," he adds. That leaves the possibility that the government may eventually ban the use of certain types of cryptography, though officials presently deny any such intent. "Encryption is a technology that could be constrained legally in the same way that other technologies are constrained," Denning argues. "Congress should consider legislation that would impose such constraints." . . . Debating the technical merits of the administration's proposal has proved tricky. Many of the details of the scheme's implementation remain fuzzy, and the government has insisted on keeping secret the actual mathematical recipe, or algorithm, for generating the required keys. "It's very hard to assess something when you don't know what you're assessing," notes Lance J. Hoffman, a computer scientist at George Washington University in Washington, D.C. In contrast, the government made public the DES algorithm, giving cryptography experts a chance to examine and test the scheme thoroughly t vouch for its security. Developed secretly at the NSA, the new algorithm use for the Clipper and Capstone chips will receive no such scrutiny. The government's reluctance to release the algorithm stems from the possibility that some people might then use the algorithm without its accompanying key-escrow provision to create a formidable encryption scheme. "Tis is a powerful algorithm," says NSA's Clint Brooks. "You need some kind of control mechanism . . . to ensure the law-enforcement capability is preserved." The Clipper and Capstone chips also represent only one possible approach to achieving a reasonable balance between unconstrained privacy and the needs of law enforcement and national security. Silvio Micali of the Massachusetts Institute of Technology has proposed an alternative scheme -- developed well before the Clipper chip announcement -- that eschews complicated chips and special hardware in favor of a considerably more flexible, inexpensive software solution. Like the administration, Micali favors an approach that includes a cryptographic escape hatch in case of dire emergency. "Scientists ought to be socially responsible," he argues. "We have to ask ourselves what would be the social impact of widespread cryptography." Micali has demonstrated that it's possible with his technique to transform any public-key cryptosystem into one that includes a provision for third-party access to encrypted information, if a court deems such access essential for reasons of law enforcement or national security. He calls the transformed version a "fair" public-key cryptosystem. "The transformed systems preserve the security and efficiency of the original ones," Micali says. "Thus, one can still use whatever system [he or she] believes to be more secure and enjoy the additional property of fairness." . . . But to many others, the real debate is not about the technical merits of the Clipper and Capstone proposals. "The fundamental issue that people are talking about is the question of whether people have a right to have privacy in a conversation . . . something that cryptography can provide," says Ronald L. Rivest, a computer scientist at MIT. Denning contends that it would be irresponsible for either government or industry to promote the widespread use of strong encryption. "I do not believe our laws grant an `absolute right' to a private conversation," she says. But Rivest and others reject the notion that the pubic should have access only to cryptography that the U.S. government can decipher. They feel shut out of the government decision-making process that brought forth the Clipper chip. "I don't know anyone inside the government who is fighting for the average citizen's protection here," Walker says. "It's the national security and law enforcement guys that are running the show, and the administration has bought in to their side." "I don't think we have a fair situation at all," he adds. "That's why I keep insisting we've got to have a national review involving . . . private citizens and private organizations." The administration already has an internal review of cryptographic policy under way. This task force is supposed to have its final report ready by the end of the summer. In addition, earlier this month, the Computer System Security and Privacy Advisory Board, which advises the administration on matters of security and privacy, held a three-day meeting to hear public comments on a variety of cryptographic issues. Many people question the sudden rush to implement Clipper-Capstone, given the major ethical and constitutional questions at issue. "There hasn't been a serious public discussion," Hoffman says. "Nobody has been given enough time." Faced with such criticisms, the government now shows signs of slowing implementation of its key-escrow plan until the scheme's ramifications have been studied further. At the same time, computer users already have access to chips and software incorporating DES or the RSA public-key cryptosystem. "For the first time in history, we have a situation in which individuals can use cryptography good enough that even governments can't read [the encrypted messages]," Hoffman says. "That is a big change. The administration is ultimately going to have to address the issue of whether people can use their own cryptography and keep the keys secret themselves." * * * * * * * >>>>>> Please send e-mail to: ssandfort at attmail.com <<<<<< ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From crunch at netcom.com Fri Jul 2 12:29:21 1993 From: crunch at netcom.com (John Draper) Date: Fri, 2 Jul 93 12:29:21 PDT Subject: Cypherpunks brocures needed - Feedback welcome Message-ID: <9307021929.AA27787@netcom4.netcom.com> I am setting up some info tables at various upcoming events and partys. I want to make up a flier for those attending, and would like for someone in cypherpunks to please draft up what the flier should say. It should basically say what the goals of the Cypherpunks are, what they do, and stress the issues at stake, IE: Clipper ship proposal, promoting private data encryption, and the like. The flier will be an 8 1/2 by 11 paper, and I plan on making about 50 of them initially. I would like someone here to help me with the wording. It should be brief, and give just enough information to help our cause. Last call for Laptops. I have someone who has PC-DOS laptop, and we need someone with a Mac laptop, and we then have all bases covered. Thanx From banisar at washofc.cpsr.org Fri Jul 2 14:33:14 1993 From: banisar at washofc.cpsr.org (Dave Banisar) Date: Fri, 2 Jul 93 14:33:14 PDT Subject: CPSR Workplace Privacy Test Message-ID: <00541.2824473766.4122@washofc.cpsr.org> CPSR Workplace Privacy Testimony ===================================================== Prepared Testimony and Statement for the Record of Marc Rotenberg, Director, CPSR Washington office, Adjunct Professor, Georgetown University Law Center on H.R. 1900, The Privacy for Consumers and Workers Act Before The Subcommittee on Labor-Management Relations, Committee on Education and Labor, U.S. House of Representatives June 30, 1993 Mr. Chairman, members of the Subcommittee, thank for the opportunity to testify today on H.R. 1900, the Privacy for Consumers and Workers Act. My name is Marc Rotenberg and I am the director of the CPSR Washington office and an adjunct professor at Georgetown University Law Center where I teach a course on information privacy law. Speaking on behalf of CPSR, we strongly endorse the Privacy for Consumers and Workers Act. The measure will establish important safeguards for workers and consumers in the United States. We believe that H.R. 1900 is particularly important as our country becomes more dependent on computerized information systems and the risk of privacy abuse increases. CPSR has a special interest in workplace privacy. For almost a decade we have advocated for the design of computer systems that better serve the needs of employees in the workplace. We do not view this particular goal as a trade-off between labor and management. It is our belief that computer systems and information policies that are designed so as to value employees will lead to a more productive work environment and ultimately more successful companies and organizations. As Charles Hecksher of the Harvard Business School has said good managers have no use for secret monitoring. Equally important is the need to ensure that certain fundamental rights of employees are safeguarded. The protection of personal privacy in the information age may be as crucial for American workers as the protection of safety was in the age of machines. Organizations that fail to develop appropriate workplace privacy policies leave employees at risk of abuse, embarrassment, and harassment. The concern about workplace privacy is widely felt in the computer profession. This month MacWorld magazine, a leading publication in the computer industry, released a special report on workplace privacy. The report, based on a survey of 301 companies in the United States and authored by noted science writer Charles Piller, made clear the need for a strong federal policy. Among the key findings of the MacWorld survey: > More than 21 percent of those polled said that they had "engaged in searches of employee computer files, voice mail, electronic mail, or other networking communications." > "Monitoring work flow" is the most frequently cited reason for electronic searches. > In two out of three cases, employees are not warned about electronic searches. > Only one third of the companies surveyed have a written policy on privacy What is also interesting about the MacWorld survey is the high level of concern expressed by top corporate managers about electronic monitoring. More than a half of those polled said that electronic monitoring was either "never acceptable" or "usually or always counterproductive." Less than five percent believed that electronic monitoring was a good tool to routinely verify honesty. These numbers suggest that managers would support a sensible privacy law. Indeed, they are consistent with other privacy polls conducted by Professor Alan Westin for the Lou Harris organization which show that managers are well aware of privacy concerns and may, with a little prodding, agree to sensible policies. What would such a policy look like? The MacWorld report also includes a model privacy policy that is based on several U.S. and international privacy codes. Here are the key elements: > Employees should know what electronic surveillance tools are used, and how management will use the data gathered. > Management should minimize electronic monitoring as much as possible. Continuous monitoring should not be permitted. > Data should only be used for clearly defined, work-related purposes. > Management should not engage in secret monitoring unless there is credible evidence of criminal activity or serious wrongdoing. > Data gathered through monitoring should not be the sole factor in employee evaluations. > Personal information gathered by employers should not be disclosed to any third parties, except to comply with legal requirements. > Employees or prospective employees should not be asked to waive privacy rights. > Managers who violate these privacy principles should be subject to discipline or termination. Many of these provisions are contained in H.R. 1900, the Privacy for Consumers and Workers Act. Clearly, the policies and the bill itself are not intended to prohibit monitoring, nor to prevent employers from protecting their business interests. What the bill will do is help establish a clear framework that ensures employees are properly notified of monitoring practices, that personal information is not misused, and that monitoring capability is not abused. It is a straightforward, sensible approach that does not so much balance rights as it clarifies interests and ensures that both employers and employees will respect appropriate limitations on monitoring capability. The need to move quickly to establish a framework for workplace privacy protection is clear. Privacy problems will become more acute in the years ahead as new monitoring schemes are developed and new forms of personal data are collected. As Professor Gary Marx has made clear, there is little that can be imagined in the monitoring realm that can not be achieved. Already, some members of the computer profession are wearing "active badges" that provide full-time geographical monitoring. Properly used, these devices help employees use new tools in the hi-tech workplace. Improperly used, such devices could track the physical movements of an employee throughout the day, almost like a blip on a radar screen. Computers are certainly powerful tools. We believe that they can be used to improve productivity and increase job satisfaction. But this requires that appropriate policies be developed to address employee concerns and that laws be passed, when necessary, to ensure that computer abuse does not occur. This concludes my testimony. I would be pleased to answer your questions. ===================================================== From fergp at sytex.com Fri Jul 2 14:44:23 1993 From: fergp at sytex.com (Paul Ferguson) Date: Fri, 2 Jul 93 14:44:23 PDT Subject: Science News article request Message-ID: <3Fg36B1w165w@sytex.com> On 01 Jul 93 21:00:49 EDT, Sandy Sandfort wrote - > I have missed some messages because of a computer problem. > Perhaps someone has already mentioned or reprinted an article > by Ivars Peterson ("Encryption Controversy -- A Fierce Debate > Erupts over Cryptography and privacy") about the Clipper, > Capstone, et al. in June 19 issue of SCIENCE NEWS. If not, I > would be willing to transcribe the article into ASCII and upload > it to the list if enough folks are interested. Please do. I'm interested in seeing any article relative to the subject at hand... Cheers. Paul Ferguson | "Confidence is the feeling you get Network Integrator | just before you fully understand Centreville, Virginia USA | the problem." fergp at sytex.com | - Murphy's 7th Law of Computing Quis Custodiet Ipsos Custodes? From mdiehl at triton.unm.edu Fri Jul 2 18:16:43 1993 From: mdiehl at triton.unm.edu (J. Michael Diehl) Date: Fri, 2 Jul 93 18:16:43 PDT Subject: PGP and offline-readers In-Reply-To: <9307021824.AA00266@toad.com> Message-ID: <9307030116.AA17473@triton.unm.edu> According to Timothy Newsham: > I think a good idea for offline readers would be to build ontop of > currently implemented protocols. One protocol worth mentioning is This is fine if you are using a *nix machine. But if you are trying to enforce your privacy over CI$ or genie or a bbs, well, you can't rely on one common protocol. This is why I advocate communications program scripts. +-----------------------+-----------------------------+---------+ | J. Michael Diehl ;-) | I thought I was wrong once. | PGP KEY | | mdiehl at triton.unm.edu | But, I was mistaken. |available| | mike.diehl at fido.org | | Ask Me! | | (505) 299-2282 +-----------------------------+---------+ | | +------"I'm just looking for the opportunity to be -------------+ | Politically Incorrect!" | +-----If codes are outlawed, only criminals wil have codes.-----+ +----Is Big Brother in your phone? If you don't know, ask me---+ From newsham at wiliki.eng.hawaii.edu Fri Jul 2 20:06:43 1993 From: newsham at wiliki.eng.hawaii.edu (Timothy Newsham) Date: Fri, 2 Jul 93 20:06:43 PDT Subject: PGP and offline-readers In-Reply-To: <9307030116.AA17473@triton.unm.edu> Message-ID: <9307030306.AA14108@toad.com> > > According to Timothy Newsham: > > I think a good idea for offline readers would be to build ontop of > > currently implemented protocols. One protocol worth mentioning is > > This is fine if you are using a *nix machine. But if you are trying > to enforce > your privacy over CI$ or genie or a bbs, well, you can't rely on one common > protocol. This is why I advocate communications program scripts. We need to get people to use common protocols! CI$ will respond to what its users want. If we got alot of BBS's to use IMAP then the users would want CI$ to use the same. If we made IMAP easy to use and helped BBS authors get IMAP code running in their systems then BBS users would use it PINE is very easy to use. It will be available soon for personal computers to use. That part of the solution is almost there. How do we get BBS's to use IMAP? they could support IMAP in a similar way that they support Zmodem. What needs to be done is to write some code that does IMAPD functions that could easily be incorporated into a BBS program, and figure out a way for end users to run PINE from their favorite bbs program. (and get PINE people to allow for a serial-line connection *or* write a false-packet driver that just strips off TCP/IP headers sends the data over the line and sends back ACK's to the TCP/IP process). Tim From s.summers1 at genie.geis.com Sat Jul 3 00:15:22 1993 From: s.summers1 at genie.geis.com (s.summers1 at genie.geis.com) Date: Sat, 3 Jul 93 00:15:22 PDT Subject: Junk mail/return encrypted-blo Message-ID: <9307030715.AA22317@relay2.geis.com> >From zane at genesis.mcs.com (Sameer) >The second solution I thought of seems like it would work. When I >create the return-address block, it can be given some sort of ID-code >(again, like with my other idea posted, similar to the ID-code on peices >of Digicash in Chaum's scheme) so when the vendor delivers the product, >she sends to encrypted block to the remailer, and the remailer forwards >the product to me, and stores the ID-code in its database (doing the >proper one-way transformation for untraceability) so that further >attempts to use the exact same address-block will be noticed and not >delivered. Why not just include an Expire: header in the encrypted block, after which the remailer would just junk any mail sent with that return address? From mccoy at ccwf.cc.utexas.edu Sat Jul 3 00:23:27 1993 From: mccoy at ccwf.cc.utexas.edu (Jim McCoy) Date: Sat, 3 Jul 93 00:23:27 PDT Subject: PGP and offline-readers In-Reply-To: <9307030306.AA14108@toad.com> Message-ID: <199307030723.AA19543@tramp.cc.utexas.edu> > PINE is very easy to use. It will be available soon for personal > computers to use. That part of the solution is almost there. That part of the solution is already done. There are already several very good POP/IMAP clients for Macs and PCs (Eudora, NuPOP, etc). Why the fixation on a particular mail agent? There is no way that you are going to get people to agree on a single MUA, therefore it seems that the comm channel is the beastie that one should focus on for encryption. > How do we get BBS's to use IMAP? they could support IMAP in > a similar way that they support Zmodem. What needs to be done > is to write some code that does IMAPD functions that could easily > be incorporated into a BBS program, and figure out a way for > end users to run PINE from their favorite bbs program. I hate to break it to you, but there already exists a protocol for off-line reading of mail and news over serial connections: QWK. While a noble effort, I sincerely doubt that the BBSers and CI$ users are going to jump over to a completely new protocol for transport of information for off-line reading unless it offers them something that they do not already have, and IMAP/POP just doesn't do that. If one were to be able to offer encrypted TCP/IP connectivity though, then you would be offering people the additional functionality of this comm channel (telnet, ftp, gopher/www, etc) to entice them to switch over. > (and get PINE people to allow for a serial-line connection *or* > write a false-packet driver that just strips off TCP/IP headers > sends the data over the line and sends back ACK's to the TCP/IP > process). Why not just get them to support IP? Probably easier... All they need is a slip/ppp driver on the host, then you can do the encryption over comm channel and avoid wasting time encrypting something that doesn't need to be encrypted. Many BBS systems are beginning to wade through the shallow water of the Internet, if we had the ability to offer them modifications to provide encryption to thier IP connectivity while they are still new to the game it would be much easier to get them accostomed to the idea that such traffic should offer encryption; not that I think this will happen, but in an ideal world... jim From newsham at wiliki.eng.hawaii.edu Sat Jul 3 01:42:07 1993 From: newsham at wiliki.eng.hawaii.edu (Timothy Newsham) Date: Sat, 3 Jul 93 01:42:07 PDT Subject: PGP and offline-readers In-Reply-To: <199307030723.AA19543@tramp.cc.utexas.edu> Message-ID: <9307030842.AA23089@toad.com> > > > PINE is very easy to use. It will be available soon for personal > > computers to use. That part of the solution is almost there. > > That part of the solution is already done. There are already several very > good POP/IMAP clients for Macs and PCs (Eudora, NuPOP, etc). Why the > fixation on a particular mail agent? There is no way that you are going to > get people to agree on a single MUA, therefore it seems that the comm > channel is the beastie that one should focus on for encryption. No fixation. Just that IMAP is the best protocol for remote mail reading and pine is already available and supporting IMAP. And as a bonus it supports MIME. This *is* something that BBS'ers dont already have.. multi-media mail. > > I hate to break it to you, but there already exists a protocol for off-line > reading of mail and news over serial connections: QWK. While a noble > effort, I sincerely doubt that the BBSers and CI$ users are going to jump > over to a completely new protocol for transport of information for off-line > reading unless it offers them something that they do not already have, and > IMAP/POP just doesn't do that. If one were to be able to offer encrypted > TCP/IP connectivity though, then you would be offering people the additional > functionality of this comm channel (telnet, ftp, gopher/www, etc) to entice > them to switch over. You dont need encrypted TCP/IP! A good mail reader supporting MIME could handle encryption packages automatically! MIME also supports many other things that "they do not already have". > > > (and get PINE people to allow for a serial-line connection *or* > > write a false-packet driver that just strips off TCP/IP headers > > sends the data over the line and sends back ACK's to the TCP/IP > > process). > > Why not just get them to support IP? Probably easier... All they need is > a slip/ppp driver on the host, then you can do the encryption over comm > channel and avoid wasting time encrypting something that doesn't need to be > encrypted. Many BBS systems are beginning to wade through the shallow > water of the Internet, if we had the ability to offer them modifications to > provide encryption to thier IP connectivity while they are still new to the > game it would be much easier to get them accostomed to the idea that such > traffic should offer encryption; not that I think this will happen, but in > an ideal world... I dont think its easier. I think something like SLIMAP (serial line imap) would be the easist thing to implement. IMAP runs over a network stream and there is no reason it couldnt run over a serial line stream. The code written for imapd already runs on stdin/stdout... It wouldnt be hard to port to run on a serial line connection. > jim I dont think offering IP to the masses is the right solution right now. Its not appropriate for the BBS world. Getting people to use remote mail clients is something that the masses could take to alot easier. I think this would be the prefered way to read mail since the user interface could be made more friendly, sorta the 'prodigy thang'. I dont think it matters what protocol is used in the end but I think its something that should happen, and something that we as cypherpunks have an interest in seeing happen. From tcmay at netcom.com Sat Jul 3 02:41:39 1993 From: tcmay at netcom.com (Timothy C. May) Date: Sat, 3 Jul 93 02:41:39 PDT Subject: (fwd) GIFs--Now it can be told Message-ID: <9307030942.AA03729@netcom3.netcom.com> Cypherpatriots, Here's a little experiment I've been conducting. A week ago I posted an ecrypted GIF to a bizarre new newsgroup that showed up on NETCOM, "alt.binaries.pictures.erotica.children." Quite a controversial group, pushing several buttons. My posting generated some real heat, though there was absolutely no evidence it was anything more than just a file. Apparently the mere fact of it existing was a kind of "thoughtcrime" in these politically correct times. Anyway, I let it brew for one week, then wrote this explanation and posted it. Several Cypherpunk list readers were slightly involved, some to criticize me, some to say "Not so fast." You know who you are. :-} All in all, a pleasant little experiment. Here's the posting I sent out: Newsgroups: alt.binaries.pictures.erotica.children,alt.config,netcom.netnews From: tcmay at netcom.com (Timothy C. May) Subject: GIFs--Now it can be told Message-ID: Date: Sat, 3 Jul 1993 09:28:29 GMT One week ago tonight a new group appeared at my site, "alt.binaries.pictures.erotica.children," a group certain to provoke controversy, to bring out the Net Cops, and to induce a certain kind of "Stockholm Syndrome," wherein some folks scramble to initiate censorship prior even to the Feds doing it. (Their battle cry is "Eeek! If we don't nip this in the bud, _right now_, think of what might happen!) My experience has been that these Net.Censors are usually too quick to claim something has clearly gone beyond the bounds of decency and acceptability. Thankfully, they usually fail in their efforts. Anyway, seeing this strange new group appear on my system, I decided to conduct an experiment. I posted an "encrypted GIF," not further identified, and waited for the reaction. The file was as follows (only part of it shown): -----BEGIN PGP MESSAGE----- Version: 2.2 b2cCrVJKUYUZf7UBA/i1tSSz66dOx4+cJKzNkm1JBhGigMdRvxM8Slm3TyC7kgWW L8J3w/On10thisi487rU/Gl7xOMajxCQedHrb6k0+wYDGjxmVcu9xwLWAWpkgq+5 fUiNKBnF/SUA/JisFrWvn63rt44n+DqROwx8CXuSvL1mUdqLRTS0t/timjHnhIwC VmLN1FTnSD8BBACFa38SqiwByarfcVhFg/fuKWc4AgKtYqSt5oWW6sYLckC3nEen ZcHV+DNFo36Exg7r0trapoBXpjoe9ENCsCbFJ7i/M7FwFYvK1QAcxQ6zGt+3HICM 9Hsxg1d5Goqp4+nmpW+9Y/UVY16+WVl9moY3c7Iv04Cp0ipu2B5qfIxPZoSMAlKv ..... Not to my surprise, about 20 people have (so far) requested the key to this file. (The whole encryption rationale is covered later.) I didn't reply to them...some of them asked for the key a second time! What surprised me is that nobody carefully looked at the file. Here it is again, with some places marked: -----BEGIN PGP MESSAGE----- Version: 2.2 b2cCrVJKUYUZf7UBA/i1tSSz66dOx4+cJKzNkm1JBhGigMdRvxM8Slm3TyC7kgWW L8J3w/On10thisi487rU/Gl7xOMajxCQedHrb6k0+wYDGjxmVcu9xwLWAWpkgq+5 ^^^^ fUiNKBnF/SUA/JisFrWvn63rt44n+DqROwx8CXuSvL1mUdqLRTS0t/timjHnhIwC ^^ VmLN1FTnSD8BBACFa38SqiwByarfcVhFg/fuKWc4AgKtYqSt5oWW6sYLckC3nEen ^ ZcHV+DNFo36Exg7r0trapoBXpjoe9ENCsCbFJ7i/M7FwFYvK1QAcxQ6zGt+3HICM ^^^^ 9Hsxg1d5Goqp4+nmpW+9Y/UVY16+WVl9moY3c7Iv04Cp0ipu2B5qfIxPZoSMAlKv ....... I put a couple of other "subliminal messages" in, which I suppose could provoke the Religious Right into squawking that "Satanic messages" are being hidden in computer files *that children could possibly read*. Gasp! Needless to say, such ASCII surgery performed on a PGP file (which, by the way, was just some random message someone had sent me a while back, utterly unreadable by anyone other than the two of us--and not even that after I mutated various characters) makes it completely unreadable. Even if someone had the other half of the PGP key pair--which never existed--the file would not even checksum as a legal PGP file! (Putting plaintext into the file was both a message I hoped astute readers would eventually notice--though it *is* pretty hard to see--and an ironclad proof that the file could not be a real PGP message, let alone a GIF, let alone kiddie porn.) There are some quasi-legitimate issues surrounding the area of child erotica. Was the child coerced? Was consent meaningful? Etc. But the posting of mere bits qua bits causing such anger and flamage indicates a serious overreaction. Are mere thoughts the crime? Orwell covered this, didn't he? * What if such images merely "look like" children (and just what is the age of consent? 18? 16? "Children" of 15 can get married in most countries of the world.)...are such "fakes" illegal? * What if they are computer-generated images, of children that never existed outside of a computer? Which children were exploited? We're back to thoughtcrime again. (Don't laugh, a leading interpretation is that even computer-generated child porn would be illegal, not because of crimes committed against children, but because of the "atmosphere" and "climate" it might produce. That is, thoughtcrime.) * What if the images were morphs? Not wholly computer-generated, but the morph of an adult image into that of a child? * What if one 15-year old child took photos of a another 15-year old child? What if one child "exploited" another? What if a child took pictures of herself, self-portraits? * What if the images, if they were ever to be posted, originated someplace where they are legal? Perhaps Amsterdam, someone suggested. If the U.S government tries to stop the Net (which is already a market anarchy, thankfully) from distributing this material, mightn't all the various countries that have different laws than ours do the same thing? There goes alt.fan.salman.rushdie. And there goes soc.motss and all the "normal" alt.binaries.pictures.* groups. Of course it won't likely happen, nor will alt.binaries.pictures.erotica.children go away,either. Get used to it. (Again, I don't care for it, but wailing and moaning won't make it go away.) * What if someone scanned-in images from the widely available books by David Hamilton, or Robert Mapplethorpe? Certainly many of these photos are of nude children...would the imminent death of Usenet finally happen if someone went down to B. Dalton Books, bought a David Hamilton collection, and posted some of the photos in a.b.p.e.c.? So, I would encourage folks to lighten up. In a week on the Net, not a single kiddie porn picture has been posted. And if it does happen, try to just ignore it. The kid whose picture was taken is probably grown up by now (I'm guessing that many such images are from old magazines, etc.). In any case, the occasional picture is hardly going to create a new slave trade in children. The issue of how the media may react is a more serious one. Part of the reason I'm explaining my little experiment now is to make sure my posting, at least, is not used by some nitwit reporter as the basis of a story. (If it's being used, then he'll soon have egg on his face.) That's the story. I hope you enjoyed the ride. P.S. I said I'd say something about why I used encryption. Aside from not being a real PGP-readable file, the idea was to make it look like one. This is the likeliest way for such material to get posted, along with anonymous remailers. The "look for the key in the 'usual places'" bit was to resonate with the "binary nerve gas" idea, where the dangerous pieces are stored separately and only combined at the last minute. I don't know if such techniques are already in use, but I expect them soon. The mutant condors that one reader (who claimed to be a Pope in the Church of the Subgenius, but who humorlessly missed the joke--but I forgive him, for he knew not what he saw) wanted to feed me to, can now stop circling my house. -Tim May -- .......................................................................... Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at netcom.com | anonymous networks, digital pseudonyms, zero 408-688-5409 | knowledge, reputations, information markets, W.A.S.T.E.: Aptos, CA | black markets, collapse of governments. Higher Power: 2^756839 | Public Key: PGP and MailSafe available. Note: I put time and money into writing this posting. I hope you enjoy it. -- From mross at antigone.com Sat Jul 3 06:57:52 1993 From: mross at antigone.com (Michael Ross) Date: Sat, 3 Jul 93 06:57:52 PDT Subject: (fwd) GIFs--Now it can be told Message-ID: <9307031355.AA00356@antigone.com> Tim, That was very manipulative, and did not achieve much. It has also very little to do with the subject of this mailing list. If anything, you discouraged at least one person I know who became genuinely interested in encryption and PGP as a result of your post. If you had posted an actual David Hamilton photo, even encrypted, you would have put yourself forward, perhaps even bravely, as a test case. You then would really have had a point to argue, having taken a stand. As it turns out, you hid behind a pretty lame scheme, the only object of which seems to have been to make a fool out of as many people as possible. This is not how you accomplish constructive change, Tim. People resent being made to feel stupid, and they certainly will _not_ listen to what you have to say if you are belittling them. I happen to agree with those points you deigned to make in a straightforward manner. But you hid them so well behind trickery that they will go unnoticed. Learn to deal with people, and you'll see they are willing to listen to reasonable arguments. If your parents didn't give you enough attention as a child, don't take it out on the world by trying to get some here... Learn to work _with_ people, not _against_ people, lest within ten years you'll be walking into office buildings with automatic weapons strapped to your body and shooting lawyers... ;) Michael From pfarrell at cs.gmu.edu Sat Jul 3 07:04:27 1993 From: pfarrell at cs.gmu.edu (Pat Farrell) Date: Sat, 3 Jul 93 07:04:27 PDT Subject: Ad Hominum attacks (was Re: PC Week Clipper article Message-ID: <36251.pfarrell@cs.gmu.edu> I'm more than a little concerned about the vicious personal attacks that this list makes on folks that have strongly held beliefs that disagree with some (or all) of the beliefs of hot headed posters to cypherpunks. I thought this was a technical mailing list, that dabbled in politics only as necessary. I see no justification for the personal attacks, especially on 3rd parties that do not read this list. These uncalled for attacks will not convince anyone on the list, and do not become the poster. In Message Tue, 29 Jun 1993 , (someone who should know better) writes: >Dorothy Denning is a fucking idiot. I strongly object to this posting. D.E.Denning is neither an idiot nor a "wicked witch of the East." She just happens to support a view that she strongly believes in. The fact that I think her side is dead wrong does not make her an idiot. Name calling accomplishes nothing but does hurt the signal to noise ratio of this list. Even more annoying are the attacks on Jim Bidzos. He is trying to make a buck, which was legal last time I looked. And on many issues, he is far more in our camp than against us. He at least likes strong cryptography, and his disputable patents expire in a relatively short time. He has agreed to allow a PGP-compatible program to use RSA without cost, providing the legal version that many U.S. users would like to see. I thought cypherpunks wrote code. I think that personal attacks on folks that are not on the list is a waste of bandwidth. (If you want to attack me here, fine, at least I get to respond firsthand) Pat Pat Farrell Grad Student pfarrell at cs.gmu.edu Department of Computer Science George Mason University, Fairfax, VA Public key availble via finger #include From tcmay at netcom.com Sat Jul 3 12:48:06 1993 From: tcmay at netcom.com (Timothy C. May) Date: Sat, 3 Jul 93 12:48:06 PDT Subject: "Wired" has more than one cover--why? Message-ID: <9307031948.AA04165@netcom.netcom.com> I noticed that some copies of the latest "Wired" have Peter Gabriel on the cover and others have Mitch Kapor on the cover. What gives? Some sort of experiment? A novel way to gauge reader reaction to the covers? A lawsuit that forced a change in the covers? Esthetics? (My issue, with Peter Gabriel on the cover, is much artier, though harder to figure out, than the relatively mundane image of Kapor.) (Peter Gabriel, being a musician, may be said to be doing "a cover of a piece by Mitch Kapor.") Is Crunch on another set of covers? Did the issue with some of us Cypherpunks on the cover merely represent one of _several_ versions of the cover? (I envision the "Crypto Rebels" covers going to the Bay Area, the "Dish-Wallahs" covers going overseas, and the "Brenda Laurel" covers going directly to "Mondo 2000" headquarters in Berkeley.) -Tim May P.S. The issue of "Wired" is superb, as always. -- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at netcom.com | anonymous networks, digital pseudonyms, zero 408-688-5409 | knowledge, reputations, information markets, W.A.S.T.E.: Aptos, CA | black markets, collapse of governments. Higher Power: 2^756839 | Public Key: by arrangement Note: I put time and money into writing this posting. I hope you enjoy it. From tcmay at netcom.com Sat Jul 3 13:39:04 1993 From: tcmay at netcom.com (Timothy C. May) Date: Sat, 3 Jul 93 13:39:04 PDT Subject: Ad Hominum attacks (was Re: PC Week Clipper article Message-ID: <9307032039.AA07619@netcom.netcom.com> I largely agree with Pat Farrell's comments about the vicious attacks on various crypto folks. I was the one who jokingly used the term "wicked witch of the East" in reference to D.D., though I am almost 100% certain it was only to this mailing list, and not to sci.crypt in general. Perhaps I let my enthusiasm for my wit take precedence over judgment. And in other places, such as sci.crypt, I have in fact defended Denning against ignorant comments along the lines of "Who is this Dorothy Denning person? I can't find her name anywhere in "The Codebreakers." She must not know anything about crypto." Whatever we may think of her position on Clipper, criticizing her personally and imputing motives to her that cannot possibly be known to outsiders, is foolish. What really bothers me is the type of criticism, which I also tend to call "ad hominem" (but which rhetoriticians may have a special name for), in which people impute _motives_ to others. Thus, we see seemingly endless comments about the motives of Denning, of Bidzos, of Sternlight, and of others. (When I posted on the topic of possible cooperation with Bidzos and RSA, I was hit with a barrage of highly critical rebuttals. The substantive ones were fine, and expected, but the ones speculating on my motives and imputing evilness to me were uncalled for. I wrote them off as typical Net zeal, and am still on good terms even with those who foamed at the mouth the most.) "Demonizing" our opponents, or making them look like dunces (as with the many "I've never heard of Dorothy Denning before" posts), does not help our cause. In fact, it probably weakens our cause, for two reasons. First, it cuts off dialog with those we disagree with. Second, we tend to underestimate people we have written off as stooges or dunces. While I think Dorothy Denning is, for various reasons, hopelessly in the camp of the NSA and FBI, I see nothing to be gained by demonizing her. Or imputing evil qua evil motives. Personally, I think being close to the FBI, Justice Dept., NIST, NSA, etc., and socializing with them, having lunch with them, doing contract work for them (nothing evil about that, per se...it's how academic departments fund their research), and generally being in "the Washington scene" has polarized her somewhat, just as we Cypherpunks are polarized by the support we get from our peer group, from the "cognitive dissonance" of seeing mostly the evidence that supports our existing point of view. When you spend your time in a milieu, work with people on their problems, you begin to adopt their world view. Understand, of course, that I am not addressing the underlying issues of who is right and who is wrong...I've already made my beliefs on this clear. I'm just agreeing with Pat Farrell that we all need to be careful not to demonize folks like Denning, Bidzos, or even Sternlight. We don't have to be solicitous (overly polite) toward them, and we can knock down their arguments, but we ought not to use cheap shots and cheap rhetorical tricks (one I hate especially is the "sound effect" jab, the "" sort of comment inserted into postings, sometimes even into the direct quotes of those being attacked!). Pat writes: >Even more annoying are the attacks on Jim Bidzos. He is trying to make a >buck, which was legal last time I looked. And on many issues, he is far more >in our camp than against us. He at least likes strong cryptography, and his >disputable patents expire in a relatively short time. He has agreed to allow >a PGP-compatible program to use RSA without cost, providing the legal >version that many U.S. users would like to see. I agree, though of course he and RSADSI did not fight as hard as they might have, in my opinion, on the subject of the cross-licensing with the DSS and Clipper/Skipjack products. I don't pretend to understand all of the issues involved, though I certainly can imagine he felt a lot more pressure (legal, export, classification) from the Feds than he felt from a loose organization of crypto privacy advocates. We're not where the money is, at least not yet. (In fact, Cypherpunks are generally not even customers of RSADSI, so why should Bidzos really care about our views? The industry security group that has denounced Clipper is undoubtedly much more influential.) Meanwhile, I have no real interest, personally, in the whole RSA v. PGP issue...let those directly involved work it all out. I will applaud loudly if Phil Z. and the other PGP folks do in fact reach an agreement with RSADSI, if only because it will remove one possible avenue of attack on private encryption. -Tim May -- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at netcom.com | anonymous networks, digital pseudonyms, zero 408-688-5409 | knowledge, reputations, information markets, W.A.S.T.E.: Aptos, CA | black markets, collapse of governments. Higher Power: 2^756839 | Public Key: by arrangement Note: I put time and money into writing this posting. I hope you enjoy it. From tcmay at netcom.com Sat Jul 3 14:07:37 1993 From: tcmay at netcom.com (Timothy C. May) Date: Sat, 3 Jul 93 14:07:37 PDT Subject: (fwd) GIFs--Now it can be told Message-ID: <9307032107.AA09849@netcom.netcom.com> (I'll only make a few comments.) Ed Carp writes: >> There are some quasi-legitimate issues surrounding the area of child >> erotica. Was the child coerced? Was consent meaningful? Etc. > >There are no quasi-legitimate issues surrounding child pornography in the >United States. It doesn't matter, legally whether consent was obtained or >not, etc. Child pornography is not legal. To make, sell, possess, distribute, >or conspire to do any of the above is a crime. I meant "quasi-legitimate" in the sense of being at least a real criminal issue. By contrast, merely discussing the issues cannot possibly be a crime, nor can, IMHO, the creation of such a group absent actual evidence of criminality. Sort of like shutting down "alt.drugs" on the grounds that illegal drugs are often discussed. (We can all think of several dozen newsgroups that touch on subjects illegal in many states of the U.S., in many countries of the world, etc.) >In the US, it doesn't matter what their actual ages are - if they are >depicted as being under the age of consent, they are illegal. Ah, but what if no mention is made of the age? If I happen to have a collection of pictures of 19-year-olds-who-look-15, because of my own esthetic standards, is this illegal? It sounds totally legal to me, and I think a court opinion will ultimately be rendered that so long as the models actually are over 18, no matter how young they look, no crime as ocurred. (Actually, the various "cheerleader porn" films cater to this fantasy and are not classed as child porn, so long as the actresses are 18 or older.) On purely computer-generated images: >Not at all. It's not an issue of exploitation in that case, nor is it an >issue of "thoughtcrime", since the thought has produced an actual image >that can be viewed by others. I strongly disagree. A computer image that never involved an actual child, cannot reasonably be viewed as child porn. Can a computer-generated "snuff" film be viewed as murder? (I see acted-out murders every day on t.v.) >Nothing in this email should be construed as a personal attack against you, >Tim. I'm just trying to relate the laws and the facts as they are. I don't take it as a personal attack. Ed's comments were thoughtful, even if I disagreed with some of them. By the way, I agree with some comments I've received that this subject is somewhat far afield from the "Cypherpunks charter," such as it is, but I'm finding the hundreds of highly repetitive and arcane postings about the same old remailer issues, and the internals of obscure mail programs, not all that close to the charter either. (I'm not saying they shouldn't be posted, and some have been well-written summaries, but I am saying they're highly-detailed nuts-and-bolts issues which probably are meaninful to only a few readers.) Part of the Cypherpunks approach is to "monkey wrench" the "Surveillance State" by flooding the comm lines with encrypted junk, with suspicious-looking files that will soak up surveillance time, and with various other subversive things that will push the boundaries. -Tim May -- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at netcom.com | anonymous networks, digital pseudonyms, zero 408-688-5409 | knowledge, reputations, information markets, W.A.S.T.E.: Aptos, CA | black markets, collapse of governments. Higher Power: 2^756839 | Public Key: by arrangement Note: I put time and money into writing this posting. I hope you enjoy it. From anton at hydra.unm.edu Sat Jul 3 17:42:05 1993 From: anton at hydra.unm.edu (Stanton McCandlish) Date: Sat, 3 Jul 93 17:42:05 PDT Subject: test Message-ID: <9307040041.AA13428@hydra.unm.edu> Hmm no mail in weeks from this list...I ass-u-me the problem is on my end, so here be a test message. Blah blah blah. -- Stanton McCandlish * Space Migration * Networking * ChaOrder * NO GOV'T. * anton at hydra.unm.edu * Intelligence Increase * Nano * Crypto * NO RELIGION * FidoNet: 1:301/2 * Life Extension * Ethics * VR * Now! * NO MORE LIES! * Noise in the Void BBS * +1-505-246-8515 (24hr, 1200-14400, v32bis, N-8-1) * From wet!naga Sat Jul 3 17:48:36 1993 From: wet!naga (Peter Davidson) Date: Sat, 3 Jul 93 17:48:36 PDT Subject: Reply to Michael's criticism of Tim Message-ID: I think Michael's reaction to Tim's experiment re alt.binaries.pictures.erotica.children deserves comment. >Date: Sat, 3 Jul 93 06:55:56 -0700 >From: Michael Ross >Subject: Re: (fwd) GIFs--Now it can be told > >Tim, > >That was very manipulative, and did not achieve much. Who was manipulated? Those who reacted did so freely. As Tim said, it was an experiment, not an attempt to achieve anything. The point was to see what would happen. >It has also very little to do with the subject of this mailing list. This mailing list is about encryption and other matters. The use of PGP to distribute erotica is thus a relevant topic. >If anything, you discouraged at least one person I know who became >genuinely interested in encryption and PGP as a result of your post. Tough. >As it turns out, you hid behind a pretty lame scheme, the only object >of which seems to have been to make a fool out of as many people as >possible. I think Michael has missed the point. >This is not how you accomplish constructive change, Tim. >People resent being made to feel stupid, and they certainly will >_not_ listen to what you have to say if you are belittling them. I don't recall Tim's belittling anyone - except perhaps the Net.Censors - who certainy deserve it. I don't think we need be too concerned about hurting their feelings. After all, they plan on doing worse to us. >I happen to agree with those points you deigned to make in a >straightforward manner. But you hid them so well behind trickery that >they will go unnoticed. On the contrary, were it not for the trickery some folks wouldn't bother reading Tim's comments on this subject. >Learn to deal with people, and you'll see >they are willing to listen to reasonable arguments. Ha! Chortle! Where you been all your life, Michael? People listen to reasonable arguments only when it suits them to. >If your parents didn't give you enough attention as a child, don't >take it out on the world by trying to get some here... Learn to work >_with_ people, not _against_ people, lest within ten years ... Garbage. If we are to go into spurious psychoanalysis then I think Michael's post reveals that he is still fixated on pleasing his parents by being a good little boy and not giving anyone any trouble. Fact is, there are people in the world who want to restrict our freedom and make us behave in ways they think best. Fuck 'em all! From khijol!erc at apple.com Sat Jul 3 18:34:58 1993 From: khijol!erc at apple.com (Ed Carp) Date: Sat, 3 Jul 93 18:34:58 PDT Subject: Ad Hominum attacks (was Re: PC Week Clipper article In-Reply-To: <9307032039.AA07619@netcom.netcom.com> Message-ID: > I was the one who jokingly used the term "wicked witch of the East" in > reference to D.D., though I am almost 100% certain it was only to this > mailing list, and not to sci.crypt in general. Perhaps I let my enthusiasm > for my wit take precedence over judgment. And in other places, such as > sci.crypt, I have in fact defended Denning against ignorant comments along > the lines of "Who is this Dorothy Denning person? I can't find her name > anywhere in "The Codebreakers." She must not know anything about crypto." > Whatever we may think of her position on Clipper, criticizing her > personally and imputing motives to her that cannot possibly be known to > outsiders, is foolish. I was the one who called Denning a "fucking idiot". Perhaps I should have said "fucking naive idiot" and been more specific, because while it might make sense for her to be "in bed with" the intelligence community to *her*, it makes no sense to anyone else I've talked to. In my view, she's either being criminally naive in being a mouthpiece for the NSA, being bought off by them, being threatened by them, has a personal/financial interest in the whole Clipper fiasco, or sees a political advantage in aligning herself with them. As has been discussed (to death, probably) in sci.crypt, alt.security*, etc., Clipper has several apparent flaws, none of which I'll go into here. Why would someone who is supposed to be some sort of "expert" be endorsing such a scheme is beyond me, unless she is being motivated by one of the above. In any case, the endorsement of such a scheme is naive in the extreme and almost criminally irresponsible of her, given the nature of Clipper/Capstone and the history of the intelligence community using such technology to spy on its own citizens in illegal operations. *That's* what I meant by my "fucking idiot" remark. > comments about the motives of Denning, of Bidzos, of Sternlight, and of Bidzos is just trying to make a buck. Sternlight seems to be anally retentive in the extreme, and believes his own bullshit. > "Demonizing" our opponents, or making them look like dunces (as with the > many "I've never heard of Dorothy Denning before" posts), does not help our > cause. In fact, it probably weakens our cause, for two reasons. First, it > cuts off dialog with those we disagree with. Second, we tend to > underestimate people we have written off as stooges or dunces. The first rule of most martial arts, as the first rule of combat, is "never underestimate your opponent". However irresponsible I may think Dorothy Denning, Jim Bidzos, or David Sternlight are, I don't underestimate them. If any one of those three (or anyone else, for that matter) has something to say, I will listen and judge it on its own merits. -- Ed Carp erc at apple.com, erc at saturn.upl.com 510/659-9560 For anonymous mailers --> anonymus+5300 at charcoal.com "I've met many thinkers and many cats, but the wisdom of cats is infinitely superior." -- Hippolyte Taine (1828-1893) From mkapor at kei.com Sat Jul 3 18:41:34 1993 From: mkapor at kei.com (Mitchell Kapor) Date: Sat, 3 Jul 93 18:41:34 PDT Subject: "Wired" has more than one cover--why? (fwd) Message-ID: <199307040140.AA26801@kei.com> They decided that West Coast covers should feature Peter Gabriel and the East Coast covers Mitch Kapor. Something about rock and roll playing better on newsstands than policy everywhere but the Northeasteast corridor. All subscribers got the Gabriel cover. As the Wired editor told me this split cover was a last minute decision and a first-time experiment. The Cypherpunks were on the cover all of copies of issue #2. ------------------------------------------------------------------------------ Mitchell Kapor, Electronic Frontier Foundation Note permanent new email address for all correspondence as of 6/1/93 mkapor at kei.com From mdiehl at triton.unm.edu Sat Jul 3 20:46:48 1993 From: mdiehl at triton.unm.edu (J. Michael Diehl) Date: Sat, 3 Jul 93 20:46:48 PDT Subject: Ad Hominum attacks (was Re: PC Week Clipper article In-Reply-To: Message-ID: <9307040345.AA27592@triton.unm.edu> According to Ed Carp: > > I was the one who called Denning a "fucking idiot". Perhaps I should have > said "fucking naive idiot" and been more specific, because while it might Well, I read the post, too, and I thought it was funny! Obviously not meant to be informative. I feel that people such as DD and LEA-mongers are @#$%ing idiots. And in a free forum, I should be able to say so. This is kinda what Cypherpunks stand for, IMHO. > The first rule of most martial arts, as the first rule of combat, is "never > underestimate your opponent". However irresponsible I may think Dorothy > Denning, Jim Bidzos, or David Sternlight are, I don't underestimate them. > If any one of those three (or anyone else, for that matter) has something to > say, I will listen and judge it on its own merits. And the second rule of most martial arts is, "Never get hit." In light of all of the LEA's trying to "hit" us, this is something to think about. Just my $.02. Laters. +-----------------------+-----------------------------+---------+ | J. Michael Diehl ;-) | I thought I was wrong once. | PGP KEY | | mdiehl at triton.unm.edu | But, I was mistaken. |available| | mike.diehl at fido.org | | Ask Me! | | (505) 299-2282 +-----------------------------+---------+ | | +------"I'm just looking for the opportunity to be -------------+ | Politically Incorrect!" | +-----If codes are outlawed, only criminals wil have codes.-----+ +----Is Big Brother in your phone? If you don't know, ask me---+ > -- > Ed Carp erc at apple.com, erc at saturn.upl.com 510/659-9560 > For anonymous mailers --> anonymus+5300 at charcoal.com > "I've met many thinkers and many cats, but the wisdom of cats is infinitely > superior." -- Hippolyte Taine (1828-1893) > From mimir at u.washington.edu Sat Jul 3 23:28:33 1993 From: mimir at u.washington.edu (Al Billings) Date: Sat, 3 Jul 93 23:28:33 PDT Subject: "Wired" has more than one cover--why? In-Reply-To: <9307031948.AA04165@netcom.netcom.com> Message-ID: On Sat, 3 Jul 1993, Timothy C. May wrote: > I noticed that some copies of the latest "Wired" have Peter Gabriel on the > cover and others have Mitch Kapor on the cover. What gives? I don't know if this is related to it or not but I work in a magazine store and when we received the latest issue, I noticed that our invoice said something like "West Coast Edition" or something similar. Perhaps the different editions have different covers? From shade at Ice.CC.McGill.CA Sun Jul 4 07:20:42 1993 From: shade at Ice.CC.McGill.CA (Leslie Regan Shade) Date: Sun, 4 Jul 93 07:20:42 PDT Subject: "Wired" has more than one cover--why? In-Reply-To: Message-ID: > > On Sat, 3 Jul 1993, Timothy C. May wrote: > > > I noticed that some copies of the latest "Wired" have Peter Gabriel on the > > cover and others have Mitch Kapor on the cover. What gives? > Well, here in Montreal we got Peter Gabriel and we're certainly not on the west coast! Leslie Shade From parrinel at ux1.cso.uiuc.edu Mon Jul 5 11:35:57 1993 From: parrinel at ux1.cso.uiuc.edu (Chris Parrinello) Date: Mon, 5 Jul 93 11:35:57 PDT Subject: Non-cypherpunk question. Message-ID: <199307051835.AA21072@ux1.cso.uiuc.edu> Hi, I just started reading this mailing list and I've run into a few problems reading some of the messages because they include MIME information which my copy of MH chokes on for some reason. It doesn't like the x-text and text/x-pgp content-types. Would anybody on this list have a fix for that so I can continue to read this list with MH? Any help would be appreciated. Thanks in advance! Chris From marc at Athena.MIT.EDU Mon Jul 5 13:33:37 1993 From: marc at Athena.MIT.EDU (marc at Athena.MIT.EDU) Date: Mon, 5 Jul 93 13:33:37 PDT Subject: [daemon@ATHENA.MIT.EDU : On-Line Congressional Hearing] Message-ID: <9307052033.AA17212@steve-dallas.MIT.EDU> ------- Forwarded transaction [6484] daemon at ATHENA.MIT.EDU (hearing-info at trystero.malamud.com) Commercialization & Privatization of the Internet 07/05/93 14:27 (70 lines) Subject: On-Line Congressional Hearing Date: Mon, 5 Jul 93 14:28:25 -0400 To: com-priv at psi.com From: hearing-info at trystero.malamud.com Reply-To: hearing-info at trystero.malamud.com Station: Internet Multicasting Service Channel: Internet Town Hall Program: On-Line Congressional Hearing Release: July 5, 1993 Content: First Announcement/On-Line Congressional Hearing On July 26 at 9:30AM EDT, the Subcommittee on Telecommunications and Finance of the U.S. House of Representatives will hold the first Congressional Hearing ever held over a computer network. The oversight hearing on "The Role of Government in Cyberspace" will take place in the Grand Ballroom of the National Press Club at 14th and F Streets, N.W., Washington, D.C. The hearing is open to the public. An open house will be held from 3-5PM on the same day in the same location and is also open to the public. Chairman Markey has asked that this historic occasion demonstrate the potential and diversity of the global Internet. Thirty Sparcstations will be in the hearing room, allowing members of Congress, staff, and their guests to read e-mail, use Gopher menus, read testimony in WAIS databases, browse the World Wide Web, and otherwise use the resources of the global Internet as part of the hearing. Some witnesses for the hearing will testify remotely, sending audio and video over the Internet. Audio and video of the hearing will also be multicast over the Multicast Backbone (MBONE). We are hoping that C-SPAN and other traditional media will also carry the event. *MORE DETAILS ON MBONE AND OTHER WAYS TO WATCH THE HEARINGS REMOTELY WILL BE FORTHCOMING SHORTLY.* One of the primary points that we are hoping to demonstrate is the diversity and size of the Internet. We have therefore established an electronic mail address by which people on the Internet can communicate with the Subcommittee before and during the hearing: congress at town.hall.org We encourage you to send your comments on what the role of government should be in the information age to this address. Your comments to this address will be made part of the public record of the hearing. Feel free to carry on a dialogue with others on a mailing list, cc'ing the e-mail address. Your cards and letters to congress at town.hall.org will help demonstrate that there are people who use the Internet as part of their personal and professional lives. We encourage you to send comments on the role of government in cyberspace, on what role cyberspace should play in government (e.g., whether government data be made available on the Internet), on how the Internet should be built and financed, on how you use the Internet, and on any other topic you feel is appropriate. This is your chance to show the U.S. Congress that there is a constituency that cares about this global infrastructure. If you would like to communicate with a human being about the hearing, you may send your comments and questions to: hearing-info at town.hall.org Support for the Internet Town Hall is provided by Sun Microsystems and O'Reilly & Associates. Additional support for the July 26 on-line congressional hearing is being provided by ARPA, BBN Communications, the National Press Club, Xerox PARC, and many other organizations. Network connectivity for the Internet Town Hall is provided by UUNET Technologies. --[6484]-- ------- End forwarded transaction From mark at coombs.anu.edu.au Mon Jul 5 14:55:59 1993 From: mark at coombs.anu.edu.au (Mark) Date: Mon, 5 Jul 93 14:55:59 PDT Subject: Non-cypherpunk question. Message-ID: <9307052155.AA00294@toad.com> >I just started reading this mailing list and I've run into a few problems >reading some of the messages because they include MIME information >which my copy of MH chokes on for some reason. It doesn't like the x-text >and text/x-pgp content-types. Would anybody on this list have a fix for >that so I can continue to read this list with MH? Any help would be appreciated. I use elm to read the list and it barfs on metamail messages as metamail hasnt been installed. What i did was to get cat.c and remove the arg checks so it didnt try to interpret the metamail switches elm piped to it and to not report missing files. Then it just catted it's arguements so /tmp/mail-aa0127 is catted and piped through less so i am able to read metamail (which are just nomal messages with a different Content-Type: line int he header anyway). Bit of a kludge but it works. Mark mark at coombs.anu.edu.au From miron at extropia.wimsey.com Mon Jul 5 18:05:36 1993 From: miron at extropia.wimsey.com (Miron Cuperman) Date: Mon, 5 Jul 93 18:05:36 PDT Subject: More on remail error reporting Message-ID: <1993Jul5.184526.7226@extropia.wimsey.com> I've created a digest list for error reporting. The digest list is errors-d at extropia.wimsey.com. Send a message to errors-d-request to subscribe. Following this is an example of a digest. Notice that the subjects (which include the ID of the messages in question) are the the top for quick browsing. Currently, the digest is transmitted every 12 hours. I'm also handling bounces now, not only remail errors. --- cut here --- Date: Mon, 5 Jul 1993 09:30:29 -0700 From: errors-d-request at extropia.wimsey.com Reply-To: errors at extropia.wimsey.com Subject: errors-d Digest V1993 #2 X-Loop: errors-d at extropia.wimsey.com Precedence: list To: errors-d at extropia.wimsey.com errors-d Digest Volume 1993 : Issue 2 Today's Topics: Remailing error, ID = (No subject supplied) Remailing bounce, ID = "Horror That Scares" ---------------------------------------------------------------------- Date: Sat, 3 Jul 1993 13:44:36 -0700 From: anonymous at extropia.wimsey.com To: errors at extropia.wimsey.com Subject: Remailing error, ID = (No subject supplied) Message-Id: <199307032044.AA26014 at xtropia> No receipient could be ascertained. Note: No encrypted contents was found (encryption is required). No subject was included. Please supply a subject in the future for reporting. It will be stripped-off before remailing. ------------------------------ Date: Mon, 5 Jul 1993 09:30:04 -0700 From: anonymous at extropia.wimsey.com To: errors at extropia.wimsey.com Subject: Remailing bounce, ID = "Horror That Scares" Message-Id: <199307051630.AA05344 at xtropia> Bounced mail: > From: Mail Delivery Subsystem Subject of 'Returned mail: User unknown'. ------------------------------ End of errors-d Digest V1993 Issue #2 ************************************* From hfinney at shell.portal.com Mon Jul 5 20:17:13 1993 From: hfinney at shell.portal.com (Hal Finney) Date: Mon, 5 Jul 93 20:17:13 PDT Subject: Encrypted cypherpunks list Message-ID: <9307060222.AA18201@jobe.shell.portal.com> As Eric Hughes suggested, I put together a little perl script to remail cypherpunks mail, PGP encrypted, to all names on a list. If you'd like to receive your cypherpunks messages encrypted, send me your address and your PGP key and I'll add you to the list. Then you can unsubscribe from the regular list. I'll upload the script once I test it a little more. Initial subscribers should consider themselves alpha testers and feel free to complain. Hal Finney hfinney at shell.portal.com From ld231782 at longs.lance.colostate.edu Mon Jul 5 21:47:13 1993 From: ld231782 at longs.lance.colostate.edu ( L. Detweiler ) Date: Mon, 5 Jul 93 21:47:13 PDT Subject: (fwd) GIFs--Now it can be told In-Reply-To: <9307030942.AA03729@netcom3.netcom.com> Message-ID: <9307060447.AA08750@longs.lance.colostate.edu> >Their battle cry is "Eeek! If >we don't nip this in the bud, _right now_, think of what might >happen! or `if we don't police ourselves, then somebody else will do it for us, and we don't want that'. >The mutant condors that one reader (who claimed to be a Pope in the >Church of the Subgenius, but who humorlessly missed the joke--but I >forgive him, for he knew not what he saw) wanted to feed me to, can >now stop circling my house. boy, all I can say is that you sure have a lot of chutzpah doing something like this, but it does definitely make a fascinating Gedanken. I especially appreciate your cogent description & analysis of the grey areas without which the whole thing would have been pointless, but with it make superb social commentary. ltr. From pmetzger at lehman.com Tue Jul 6 07:43:03 1993 From: pmetzger at lehman.com (Perry E. Metzger) Date: Tue, 6 Jul 93 07:43:03 PDT Subject: (fwd) GIFs--Now it can be told In-Reply-To: <9307031355.AA00356@antigone.com> Message-ID: <9307061442.AA10023@snark.shearson.com> Michael Ross says: > Tim, > > That was very manipulative, and did not achieve much. I wholely disagree. Tim's post to alt.binaries.pictures.erotica.children was a valuable exercise even given its limitations. Perry From nobody at rosebud.ee.uh.edu Tue Jul 6 07:54:35 1993 From: nobody at rosebud.ee.uh.edu (nobody at rosebud.ee.uh.edu) Date: Tue, 6 Jul 93 07:54:35 PDT Subject: REMAIL: list 7/6/93 Message-ID: <9307061454.AA13165@toad.com> NOTE: new remailer @entropy.linet.org! -----BEGIN PGP SIGNED MESSAGE----- Last update: 07/02/93 Q1: What cypherpunk remailers exist? A1: 1: nowhere at bsu-cs.bsu.edu 2: hh at cicada.berkeley.edu 3: hh at pmantis.berkeley.edu 4: hh at soda.berkeley.edu 5: 00x at uclink.berkeley.edu 6: hal at alumni.caltech.edu 7: ebrandt at jarthur.claremont.edu 8: phantom at mead.u.washington.edu 9: remailer at rebma.mn.org 10: elee7h5 at rosebud.ee.uh.edu 11: hfinney at shell.portal.com 12: remail at tamsun.tamu.edu 13: remail at tamaix.tamu.edu 14: remailer at utter.dis.org 15: remailer at entropy.linet.org 16: remail at extropia.wimsey.com NOTES: #1-#5 no encryption of remailing requests #6-#15 support encrypted remailing requests #16 special - header and message must be encrypted together #9,#14,#15,#16 introduce larger than average delay (not direct connect) #9,#14,#15 running on privately owned machines ====================================================================== Q2: What help is available? A2: Check out the pub/cypherpunks directory at soda.berkeley.edu (128.32.149.19). Instructions on how to use the remailers are in the remailer directory, along with some unix scripts and dos batch files. The public keys for the remailers which support encrypted remailing requests is also available in the same directory. Mail to me (elee9sf at menudo.uh.edu) for further help and/or questions. -----BEGIN PGP SIGNATURE----- Version: 2.3 iQCVAgUBLDRKRYOA7OpLWtYzAQEoQgP+MS4qW2ITP5UCSACcG/ngSid3/o/I1fic guGXQ5Ay6QWu9CVdc6YlbmkxxL6ekbLhtFSmMyXC356yixJ8Nvxcs7MYypHLlo3W oG7C6HDPmAq6JgVUdD4YCUXOS7haBt3HJ3K/utXFe3G6ybbEfG0TSUvwqgIVADql LSKB4yfpsk8= =04Iy -----END PGP SIGNATURE----- From dmandl at lehman.com Tue Jul 6 08:34:07 1993 From: dmandl at lehman.com (David Mandl) Date: Tue, 6 Jul 93 08:34:07 PDT Subject: PC Week hops on the bandwagon Message-ID: <9307061533.AA11664@disvnm2.shearson.com> Sorry if this has been mentioned already, but the new issue of PC Week contains a big special report entitled "Privacy in the Workplace." It's got about five or six separate pieces on electronic eavesdropping in the workplace, encryption, Clipper, etc., etc. I've only had a chance to scan it quickly (I mean with my eyes), but it seems that there's no mention of PGP at all, even in the piece on public-key encryption. Shocking. And the piece on Clipper, while it of course mentions all the opposition to the proposal, seemed just a bit wimpy to me. Anyway, it's the June 28 issue. Worth checking out, I guess. --Dave. From 76630.3577 at CompuServe.COM Tue Jul 6 11:15:43 1993 From: 76630.3577 at CompuServe.COM (Duncan Frissell) Date: Tue, 6 Jul 93 11:15:43 PDT Subject: Thoughtcrime Message-ID: <930706181141_76630.3577_EHK32-2@CompuServe.COM> (Ed Carp?) >There are no quasi-legitimate issues surrounding child pornography in the >United States. It doesn't matter, legally whether consent was obtained or >not, etc. Child pornography is not legal. To make, sell, possess, distribute, >or conspire to do any of the above is a crime. Not quite. The 9th Circuit Court of Appeals recently threw out the sell, possess, and distribute parts of the Child Pornography act on the traditional 1st Amendment grounds that retailers can't be punished for failure to examine (and get the model's age certificates) for every page or every film frame of every item in their inventory. Such blanket coverage is vague and overbroad. Who knows what the Supremes or other Circuits not located in San Francisco will do but the state of the law is still fluid. The question of morphing or animated kiddie porn is an interesting one. I haven't read the law so I don't know if they would be arguably covered. Pure *text* kiddieporn is legal of course. Remember all the battles over text pornography? Isn't it great that the video/graphics revolution has eliminated most censorship issues concerning pure text. ******************************************************************** * DUNCAN FRISSELL Attorney at Law, Writer, and Privacy * * CIS 76630,3577 Consultant since the Nixon * * Internet: Administration * * 76630.3577 at compuserve.com * * or frissell at panix.com * * Easylink 62853962 * * Attmail !dfrissell * * TLX: 402231 FRISSELL NYK * * * * Privacy Checkup still only $29.95. Buy today before price * * controls force me to raise my prices. * * * * Would you like a debit VISA card from your secret offshore * * bank account. Let me show you how. * * * ******************************************************************** From tcmay at netcom.com Tue Jul 6 12:04:22 1993 From: tcmay at netcom.com (Timothy C. May) Date: Tue, 6 Jul 93 12:04:22 PDT Subject: We are Becoming Politically Correct Sheep Message-ID: <9307061904.AA12415@netcom.netcom.com> Perry Metzger writes, about the reaction to the "junk bits" file I posted in a controversial new group, "alt.binaries.pictures.erotica.children": >Michael Ross says: >> Tim, >> >> That was very manipulative, and did not achieve much. > >I wholely disagree. Tim's post to alt.binaries.pictures.erotica.children >was a valuable exercise even given its limitations. > Of course I agree with Perry, though I also respect the others who have posted disagreements (sometimes strong!) here on this List or in the various newsgroups...that's what free speech is all about. Bear in mind that most of the "Cypherpunks agenda," to the extent we can identify it, is likely to provoke ordinary citizens into _outrage_. Talk of anonymous mail, digital money, money laundering, information markets, data havens, undermining authority, transnationalism, and all the rest (insert your favorite idea) is not exactly mainstream. While I don't personally care for the "kiddie porn" I've seen (the David Hamilton photos of young girls and the occasional Mapplethorpe photos in news reports), the issues raised in this area are of great importance. (I don't plan to argue for or against these images in this forum, though.) If we back down every time a censor screams "Illegal!," then very few of our agenda items will ever see the light of day. So long as physical violence or coercion is not involved, I see no reason to restrict the activities of others. I completely reject the concept of "class-based crimes," such as: - conventional erotica and pornography should be banned because it is degrading to women, objectifies them, etc. (ironically, unless of course it is "made by and for wimmin," a loophole added by Andrea Dworkin and her supporters after they discovered their anti-porn crusade in Canada and elsewhere would put an end to Lesbian porn mags like "Yellow Silk"!). - I put "child porn" in this category because only the actual coercion of children--if it is happening--should be stopped. (And even this is confusing, as coercion of children happens all the time--we call it "parenting.") A mere image carries no proof that this coercion has happened, for the many reasons I have cited and others have cited (e.g., the child may have willingly participated, the "child" may be 18 and merely look 15, the images may have come from other countries where the customs and laws are different, the image may have been computer-generated or morphed, and so on). - "racist jokes" are being targeted for elimination in many of the Usenet groups, by halting the carrying of "offensive" newsgroups. Legal purists will of course note that this is not "censorship" in the legal/government sense. IMHO, the English language needs a new term for something between the one extreme of government censorship and the other extreme of personal choice, perhaps something like "institutional censorship." Being a free market sort of person, I have no problems with, say, Apple Computer deciding not to carry "alt.binaries.pictures.erotica.children" or "rec.humor.funny.cripples," but it still a _form_ of "institutional censorship." [especially when they are acting so as to head off legal action, as I describe below] - read the "academic freedom" group (I forget the exact title...search for "acad-free" in your newsreader) and you'll see that more and more universities are using the "sexual harassment" laws/codes to stop certain newsgroups, to halt the distribution of sexually oriented images, and to take disciplinary action against students (mostly male) who have put GIFs on their computers or workstations (apparently female students who walk past an office in which female models are used as startup screens have decided they are being "sexually assaulted" or "harassed"). [An important point to make here is that many of these institutions are taking actions largely because they fear that if they don't, the plaintiffs will take their case to the _government_ legal system, perhaps by suing the university for "condoning an atmosphere hostile to womym and other people of color." If there was no threat of ultimate legal action, much of this "institutional censorship" would vanish, and people could just concentrate on doing their jobs, with or without calendars of "Miss Usenet" gracing their walls.] - discussion of ways to undermine the State, via crypto anarchy and strong crypography, are likely to be targets of future crackdowns. Sedition laws, conspiracy laws, RICO, etc. How long before speaking on these matters earns a warning letter from your university or your company? [Again, I think it's the "big stick" of ultimate government action that spurs these univeristy and company policies. Apple fears being shut down for having "involvement" with a terrorist plot, Emory University fears being sued for millions of dollars for "conspiring" to degrade wimmin of color, etc.) - how long before "rec.guns" is no longer carried at many sites, as they fear having their universities or companies linked to discussions of "assault weapons" and "cop-killer bullets"? [Prediction: Many companies and universities, under pressure from the Feds, will block groups in which encrypted files are posted. After all, if one encrypts, one must have something to hide, and that could expose the university to legal action from some group that feels aggrieved.] So, free speech is under assault across the country. The tort system is being abused to stifle dissentinting views (and lest you think I am only a capitalist, only a free marketeer, the use of "SLAPP suits"--"Strategic Lawsuits Against Public Participation"--by corporations or real estate developers to threaten those who dare to publicly speak against their projects is a travesty, a travesty that the courts have only recently begun to correct). We are becoming a nation of sheep, fearing the midnight raid, the knock on the door. We fear that if we tell a joke, someone will glare at us and threaten to sue us _and_ our company! And so companies are adopting "speech codes" and other such baggage of the Orwell's totalitarian state. Political correctness is extending its tendrils into nearly every aspect of life in America. Time to fight back. -Tim May -- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at netcom.com | anonymous networks, digital pseudonyms, zero 408-688-5409 | knowledge, reputations, information markets, W.A.S.T.E.: Aptos, CA | black markets, collapse of governments. Higher Power: 2^756839 | Public Key: by arrangement Note: I put time and money into writing this posting. I hope you enjoy it. From jet at netcom.com Tue Jul 6 12:46:36 1993 From: jet at netcom.com (J. Eric Townsend) Date: Tue, 6 Jul 93 12:46:36 PDT Subject: Complete ignorance of any sort of reality on May's part (was We are Message-ID: <9307061947.AA17712@netcom.netcom.com> Timothy C. May writes: > degrading to women, objectifies them, etc. (ironically, unless of course it > is "made by and for wimmin," a loophole added by Andrea Dworkin and her > supporters after they discovered their anti-porn crusade in Canada and > elsewhere would put an end to Lesbian porn mags like "Yellow Silk"!). This is complete and utter nonsense. Tim May has no clue as to what he talks about. What's worse, it smells of homophobia. In no particular order: - Dworkin has never called for the banning of porn. I've read most of her books, and she even goes out of her way to say she's not calling for any sort of censorship. She *does* push for 'victim compenstation'-style legislation. (How this sort of legislation interacts with constitutional rights is beyond my keen, save a few decisions I've read about 19th century property rights in Louisiana. :-) - I've heard Dworkin come down just has hard on lesbigay porn, if not harder than, as she does on het porn. Her old housemate John Stoltenberg (sp?) is as noxious as she is on this point. - "Yellow Silk" is not a lesbian porn mag. It's a very lame het softcore mag. If you'd like to see *real* lesbian porn (some of which pisses off a fair portition of the feminist and lesbian communities) find "On Our Backs" (started by Susie Bright), "Venus Infers" (started by Pat Califia, women-only SM), or "Girljock" (sort of a preppie/athelete/lesbian (not dyke :-) porn mag). - Last I heard, there was no need to capitalize 'lesbian'. None of the dykes/lesbians I know capitalize it, unless it starts a sentence. Residents of Lesbos (the true 'Lesbians') might disagree, however. Tired of white het male computer geeks talking nonsense about anyone who threatens their place in the power structure, -- jet at netcom.com -- J. Eric Townsend -- '92 R100R: "CLACKER" "Either what you've said is so vague that it's meaningless or I disagreee with you completely." -- Tom Maddox From pmetzger at lehman.com Tue Jul 6 13:01:37 1993 From: pmetzger at lehman.com (Perry E. Metzger) Date: Tue, 6 Jul 93 13:01:37 PDT Subject: Complete ignorance of any sort of reality on May's part (was We are In-Reply-To: <9307061947.AA17712@netcom.netcom.com> Message-ID: <9307062001.AA10698@snark.shearson.com> J. Eric Townsend says: > - Dworkin has never called for the banning of porn. I've read most of > her books, and she even goes out of her way to say she's not calling > for any sort of censorship. She *does* push for 'victim > compenstation'-style legislation. This is silly. Its like saying "I'm not in favor of banning guns -- but I want victims to be able to sue the gun manufacturers for negligence". Dworkin is a fascist in feminist clothing -- for all intents and purposes she believes that any act of heterosexual sex is on some level rape. She's nuts. > Tired of white het male computer geeks talking nonsense about anyone > who threatens their place in the power structure, This white male het computer geek marches in the Gay Pride Parade every year. (Well, not this year -- I was sick. Mea culpa.) He also thinks that Andrea Dworkin is about as anti-censorship as Rev. Wildmon. I don't give a shit about the power structure -- I just think that anyone telling me what I can and cannot see, what I can and cannot write, and what I can and cannot sell, is my enemy. Perry From gnu Tue Jul 6 13:19:19 1993 From: gnu (John Gilmore) Date: Tue, 6 Jul 93 13:19:19 PDT Subject: Looking for biblio re commercialization of encryption Message-ID: <9307062019.AA15820@toad.com> ------- Start of forwarded message ------- From: Kibbee=Streetman%ACIS.1037%DSRD.K25 at VINES.ORNL.GOV To: eff at eff.org Subject: References for Crypto Study Date: Wed, 23 Jun 93 15:27:26 EDT Dear Sir -- I am working on a project for NIST to develop an annotated bibliography on issues in the commercialization of encryption technology. Can you provide me with any references to EFF publications dealing with export, Clipper/Capstone, privacy, etc. ? I already have copies of the material presented at the CSS&PAB meeting at NIST but would like to have anything else that might be available. Thank you for your help! Kibbee D. Streetman (kds at ornl.gov) 1099 Commerce Park Oak Ridge, TN 37830 (615)574-9952 ------- End of Forwarded Message From ejo at world.std.com Tue Jul 6 13:19:44 1993 From: ejo at world.std.com (Edward J OConnell) Date: Tue, 6 Jul 93 13:19:44 PDT Subject: Complete ignorance of any sort of reality on May's part (was We are In-Reply-To: <9307061947.AA17712@netcom.netcom.com> Message-ID: Yeah, I heard that she had to do some gymnastics to explain how gay male porn degrades women, too. ;-) Is this true, or am I also a homophobe? ;-) I hate Dworkins arguments. There are plenty of pro porn lesbians/feminists. At least, I've read stuff by several, (bright/Annie sprinkle, etc) and I've read some stuff by various porn stars that call themselves feminists... Identifying feminism with censorship annoys me...I wish I had some data on how many women who call themselves feminists are pro censorship... if its the majority, I guess I'd have to allow it... ;-) The problem for intellectuals is how to protect 'erotica' and somehow squash 'pornography.' The difference is amusing to me. One mans erotica is another womans porn... All right thinking people would agree that the only thing that could be wrong in the sex trade is coercion, be it of women or children or horses or hamsters... I have some problem with the idea of the coerciveness of the 'free market' though, as does Dworkin, so I guess we do have some things in common... I'd like to know that no one is in the trade to pay for a drug habit...of course, I think that drugs, like food and shelter and air, should be free... But I'm a nut. ;-) Jay From mike at EGFABT.ORG Tue Jul 6 14:03:51 1993 From: mike at EGFABT.ORG (Mike Sherwood) Date: Tue, 6 Jul 93 14:03:51 PDT Subject: (fwd) GIFs--Now it can be told In-Reply-To: <9307061442.AA10023@snark.shearson.com> Message-ID: "Perry E. Metzger" writes: > > That was very manipulative, and did not achieve much. > > I wholely disagree. Tim's post to alt.binaries.pictures.erotica.children > was a valuable exercise even given its limitations. I agree.. what if he posted it as some silly program in one of the sources groups, encrypted and all, with a description as something almost no one would want? then the worst that would happen is people flaming him for encrypting it.. that would be a way to go for a real post to convey information.. we could always create an alt.too.many.secrets (obligatory documentary movie reference =]) to post things to where there is a large audience, but for an audience of people who care about such issues, as opposed to a normal post which joe random user could argue with everyone without knowing the difference between a pgp encrypted and uuencoded file. the other issue is that people will think what they want to think if they're uninformed, such as all of the people who flamed Tim for posting what's basically a worthless message, just that those people who flamed him didn't like the name of the group he posted it in.. for all we know, he could've posted his local /etc/hosts. -- Mike Sherwood internet: mike at EGFABT.ORG uucp: ...!sgiblab!egfabt!mike From eaeu362 at orion.oac.uci.edu Tue Jul 6 14:44:58 1993 From: eaeu362 at orion.oac.uci.edu (stub23) Date: Tue, 6 Jul 93 14:44:58 PDT Subject: Wired cover Message-ID: <199307062144.AA01546@orion.oac.uci.edu> well on mindvox the cover decision was announced a bit before the magazine came out and there was a huge guessing contest over who was going to be on the cover with some damn creative ideas but anyhow... although if i were to guess, i would say taht peter gabriel is on the cover of my issue, but on the inside it says cover: mitch kapor so i got confused dunno what mitch kapor looks like... also to note la and sf have different covers from what i ahve heard From davros at ecst.csuchico.edu Tue Jul 6 15:18:22 1993 From: davros at ecst.csuchico.edu (Tyler Yip - UnixWeenie (tm)) Date: Tue, 6 Jul 93 15:18:22 PDT Subject: wired covers Message-ID: <9307062217.AA09173@hairball.ecst.csuchico.edu> In Chico, California, the two book stores large enough to have Wired have Mitch Kapor (Tower Books) and Peter Gabriel (Readmore Books). I might go pick up the other cover. :) From jet at nas.nasa.gov Tue Jul 6 15:23:55 1993 From: jet at nas.nasa.gov (J. Eric Townsend) Date: Tue, 6 Jul 93 15:23:55 PDT Subject: apologies (was Re: Complete ignorance of any sort of reality on May's part (was We are In-Reply-To: <9307062001.AA10698@snark.shearson.com> Message-ID: <9307062223.AA09861@boxer.nas.nasa.gov> I'm sorry I got sidetracked with the bit about dworkin. I'm not really even a serious supporter of hers. On the other hand, I'm probably one of the few people 'here' who've read most of her work. Before one goes about believing many of the outrageous things attributed to her, one should read her writing and take many of the statements in context. (Who was it a couple of years ago posting summaries of out of context quotes by usenetters in alt.flame?) At any rate, I was dismayed by Tim May's lack of knowledge regarding the people he was attacking. Wildly thrashing about and attacking anyone who isn't completely on one's side tends to get one nowhere. Again, I apologize for sidetracking things. -eric From tcmay at netcom.com Tue Jul 6 16:07:36 1993 From: tcmay at netcom.com (Timothy C. May) Date: Tue, 6 Jul 93 16:07:36 PDT Subject: "Let's kill all the lawyers..." Message-ID: <9307062308.AA22680@netcom.netcom.com> "What do you call the killing of those lawyers in San Francisco last week?" Answer (you knew this was coming): "A good start." The discussion of free speech and political correctness is apparently not welcome by some on this list. I guess the usual religious debates about which mail reader is better are what we're supposed to talk about. Well, I'm a member of this list, too, and issues of censorship and free speech are more interesting to me--and to some others, I suspect--than the intricacies of "MH." To each their own. Learn to use your "delete" key. (I agree that discussions of libertarianism vs. liberalism, etc., are the bane of the Net, and that we have been fortunate in avoiding the usual pitched battles between these camps on this List. My comments about censorship of speech, photos, etc., were not intended to provoke such a political battle.) Ironically, even as I type this, I am watching CNN and a special report on a "trial balloon" to ban anti-lawyer remarks! Seriously! Harvey Saferstein, President of the California State Bar, is explaining how "hate speech" laws can and should be used to limit the bashing of lawyers, the portrayal of them as good targets (he cited the lawyer being the first to be eaten in "Jurassic Park" as an example of the "atmosphere of hate" surrounding lawyers), and "inciting to violence." He specifically cited the killings in San Francisco last week as a reason to classify such speech as a "hate crime." No word on whether Shakespeare's "First, let's kill all the lawyers" would've gotten him 10-20 in the Tower of London. What is happening to free speech? What has happened to "Sir, I disagree with what you say, but I defend to the death your right to say it."? Now of course such a law is not likely to pass, or be upheld. (Saferstein is actually not lobbying for a _new_ law, but for extension through the judicial system of existing "hate crime" laws to included any "class-related" jokes and insults. A move other groups are already trying.) In a way, I am cheering this, as it can only end up trivializing and undermining the whole concept of "hate crimes" and "hate speech." Real crimes, including trespass to burn crosses on people's lawns, and the like, can and _should_ be prosecuted, but not "hate" crimes. (If such laws were applied uniformly, instead of just against so-called "white rights" groups, then most "minority" organizations, which preach hatred of "honkeys" and "hets," would be shut down.) As John Gilmore pointed out a few years back, most of us are breaking laws every day. If the government can attach penalties based on our political views, then dissidents can be targeted selectively and given sentences based on their alleged "hate crimes." (Imagine how the Black Panthers or Malcolm X could have been harassed even more aggressively if their "hate" could have been used to increase punishments for otherwise minor crimes? That they were harassed, 20 and 30 years ago, is beside the point. Folks who advocate "hate crime" laws should reflect carefully on how such laws may someday be used against them.) -Tim May -- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at netcom.com | anonymous networks, digital pseudonyms, zero 408-688-5409 | knowledge, reputations, information markets, W.A.S.T.E.: Aptos, CA | black markets, collapse of governments. Higher Power: 2^756839 | Public Key: by arrangement Note: I put time and money into writing this posting. I hope you enjoy it. From khijol!erc at apple.com Tue Jul 6 16:22:00 1993 From: khijol!erc at apple.com (Ed Carp) Date: Tue, 6 Jul 93 16:22:00 PDT Subject: On the medium being the message Message-ID: I was eating lunch today, staring at the cover of "Wired", when the phrase "The medium..." caught my eye. This set off a whole train of thought on message concealibility, like hiding messages in, say, the order of headers in a posting, or the "Reply-To:" header, or even the words in subsequent postings to a newsgroup. Who would ever think to look at, say, the third word in every posting Tim makes to alt.whatever newsgroup? Or in the "Date:" field, or in the "Message-ID:" field, or ... or ... or ... Hmmm. Food for thought. -- Ed Carp erc at wetware.com 510/659-9560 For anonymous mailers --> anonymus+5300 at charcoal.com "I've met many thinkers and many cats, but the wisdom of cats is infinitely superior." -- Hippolyte Taine (1828-1893) From jota at iguana.inesc.pt Tue Jul 6 17:41:10 1993 From: jota at iguana.inesc.pt (Joao Pedro Martins) Date: Tue, 6 Jul 93 17:41:10 PDT Subject: Subscribe Message-ID: <9307070041.AA21672@iguana.inesc.pt> subscribe -- * "Deitaram-se. Blimunda era virgem. Que idade tens, perguntou Baltasar, e *Blimunda respondeu, Dezanove anos, mas ja' enta~o se tornara muito mais *velha." - Jose' Saramago, "Memorial do Convento" **************************************************** jota at mujave.inesc.pt * * ...jotinha meu amor... INFOFREE * i got pgp, ask me NO MORE ! (U2,SBS-L) * 9431006 <- noy my password dancing and laughing From gnu Tue Jul 6 17:41:12 1993 From: gnu (John Gilmore) Date: Tue, 6 Jul 93 17:41:12 PDT Subject: Matchbook reminders for EFF / Cypherpunk members Message-ID: <9307070041.AA17216@toad.com> At a friend's house I found a matchbook printed up by NORML. It serves to advertise the organization, as well as providing information useful during legal troubles. It got me thinking about matchbooks or wallet cards as a good way to make people aware of us. (Matchbooks work better when your organization is concerned with smokables...) Someone mentioned a few weeks ago that we need to have a wallet-sized card that reminds people of their rights when they get into hassles. Experience has shown that we forget and bungle it, without a reminder. The NORML front cover says: Cypherpunk version (strawman): NORML CYPHERPUNKS National Organization Teaching, Learning, for the Reform of and Deploying Marijuana Laws Cryptographic Protection ------------------ 1636 R. St., N.W. Washington, DC 20009 spectron, cleveland, oh <- whoever makes the matches The spine: 900-97-NORML cypherpunks at toad.com The back: Before you rat, Big Brother's listenin' before you squeal, Big Sister's watchin'. before you snitch, Don't get cold feet, or cut a deal.. Use cryptographic stockin's. Call NORML. 900-97-NORML ...etc... (2.95 per minute You must be 18 or older to call) The inside: * NEVER CONSENT TO A Something very similar SEARCH (even with nothing to hide) * NEVER ANSWER ANY QUESTIONS (without an attorney) * CALL AN ATTORNEY IM- MEDIATELY (or call NORML) 900-97-NORML EFF's phone number? (2.95 per minute You must be 18 or older to call) NOTE: The live option is available only from 9 a.m. to 6 p.m., EST, M-F. A tract I cut out of a gay newspaper some years ago is in my wallet now; its advice is: SILENCE = GOLDEN ACT-UP/New York's clip-and-save guide to police intimidation The following guidelines were formulated by legal advisors to ACT UP/NY, but they apply to all gay men and lesbians and activists. 1. You do not have to talk to the police or FBI or any other investigators. You do not have to talk to them whether they come to your house, on the street, if you've been arrested, or even if you are in jail. Only a court or a grand jury has legal authority to compel testimony. 2. You don't have to let the police or FBI into your home or office unless they show you an arrest or search warrant which authorizes them to enter that SPECIFIC place. 3. If they do present a warrant, you do not have to tell them anything other than your name and address. You have a right to observe what they do. 4. Make written notes, including the agents' names, agency and badge numbers. Try to have other people present as witnesses and have them make written notes, too. 5. Anything you do say to any law enforcement officer may be used against you and other people. 6. If you do give the FBI or police information, it may mean that you will have to testify to the same information at a trial or before a grand jury. 7. Lying to an FBI agent or other federal investigators is a crime. 8. The best advice, if the FBI or police try to question you or to enter your home or office without a warrant, is to JUST SAY NO! Law enforcement agents have a job to do and they are highly skilled at it. Attempting to "outwit" them is very risky. YOU CAN NEVER TELL HOW A SEEMINGLY HARMLESS BIT OF INFORMATION CAN HELP THEM HURT YOU OR ANOTHER ACT UP MEMBER. 9. The investigators may threaten you with a grand jury subpoena if you don't give them information. But you may get one anyway, and anything you've already told them will be the basis for more detailed questioning under oath. 10. They may try to threaten or intimidate you by pretending to have information about you ("We know what you've been doing, but if you cooperate it will be all right.") If you are concerned about this, tell them you will consider talking to them with your lawyer present. 11. If you are nervous about simply refusing to talk, you may find it easier to tell them to contact your lawyer. Once a lawyer is involved, the agents usually pull back since they have lost their power to intimidate. If you are taken into police custory, once you request an attorney, they MUST cease questioning until your lawyer is present. But remember, you don't have to answer their questions, even if they keep asking. From karn at qualcomm.com Tue Jul 6 18:03:18 1993 From: karn at qualcomm.com (Phil Karn) Date: Tue, 6 Jul 93 18:03:18 PDT Subject: "Let's kill all the lawyers..." Message-ID: <9307070103.AA23132@servo> Amen! Well spoken, Tim. Last night I saw the Saferstein remarks you mention. I think they hit the local California TV stations before being picked up by CNN. I fully agree that PC is *really* getting out of hand if lawyers are now to be considered one of the downtrodden minority groups. Saferstein doesn't seem to understand the serious role satire plays in actually *preventing* violence in our society. Lawyers and politicians (lawyers being the larval stage of the latter) hold a tremendous amount of power over the rest of us. Satire (including jokes, political cartoons and the like) might not actually do much to lessen that power, but it does give the rest of us a chance to vent some of the resentment that might otherwise build into violence in more people. And of course there is satire's unique selectivity. It's hard to satirize somebody who doesn't deserve it. But a hypocritical lawyer or a politician with a bloated ego... well, I don't think bullets ever get any more magic than this. *They* may still believe in their own overriding self-importance, but thanks to satire, the rest of us don't have to! The real irony of trying to ban "lawyer bashing" is that some of the best (most critical) lawyer jokes are told by the lawyers themselves! So maybe we *should* pass a law against it. What better way to get more lawyers off the street and where they belong? (Short of cloning some more T. Rexes, of course...was there also applause in your theater during that scene?) Phil From dante at microsoft.com Tue Jul 6 18:08:35 1993 From: dante at microsoft.com (dante at microsoft.com) Date: Tue, 6 Jul 93 18:08:35 PDT Subject: Matchbook reminders for EFF / Cypherpunk members Message-ID: <9307070107.AA00445@netmail.microsoft.com> John Gilmore said: | |At a friend's house I found a matchbook printed up by NORML. It |serves to advertise the organization, as well as providing information |useful during legal troubles. | |It got me thinking about matchbooks or wallet cards as a good way to |make people aware of us. (Matchbooks work better when your |organization is concerned with smokables...) Someone mentioned a few |weeks ago that we need to have a wallet-sized card that reminds people |of their rights when they get into hassles. Experience has shown that |we forget and bungle it, without a reminder. Good idea. FYI, the ACLU also provides these wallet-sized cards to anyone who asks, and they are invaluable. Read them _before_ you get arrested. From mccoy at ccwf.cc.utexas.edu Tue Jul 6 18:20:03 1993 From: mccoy at ccwf.cc.utexas.edu (Jim McCoy) Date: Tue, 6 Jul 93 18:20:03 PDT Subject: On the medium being the message In-Reply-To: Message-ID: <199307070119.AA23872@tigger.cc.utexas.edu> > [...] This set off a whole train of thought on > message concealibility, like hiding messages in, say, the order of headers > in a posting, or the "Reply-To:" header, or even the words in subsequent > postings to a newsgroup. Who would ever think to look at, say, the third > word in every posting Tim makes to alt.whatever newsgroup? Or in the "Date:" > field, or in the "Message-ID:" field, or ... or ... or ... Not much bandwidth in that medium there... Things like gif/jpeg images and sound files have a ton of semi-random bits in them that you can fool around with without anyone noticing much, but plain text in news headers and postings just doesn;t leave one with much room for putting in a message. At least not without being blanently obvious... jim From phred at well.sf.ca.us Tue Jul 6 18:32:40 1993 From: phred at well.sf.ca.us (Fred Heutte) Date: Tue, 6 Jul 93 18:32:40 PDT Subject: "Let's kill all the lawyers..." Message-ID: <93Jul6.183147pdt.14190-3@well.sf.ca.us> Tim May and Phil Karn's comments remind me of my friend Mark the Lawyer who lives in SF. I visit him on occasion when I'm in the Bay Area and notice that he has the proper perspective on things. When I was there a week ago he had a copy of the Nolo Press newspaper (including a hefty selection of their vast catalogue of lawyer jokes). And his refrigerator magnet reads: "Lawyer: person retained to protect client from others of profession." We need lawyers, but do we need *so many*?! I was born and grew up in Washington, DC. The DC Bar has over *50,000* lawyers! Even in our nation's capital that seems excessive. From stjude at well.sf.ca.us Tue Jul 6 18:43:00 1993 From: stjude at well.sf.ca.us (Judith Milhon) Date: Tue, 6 Jul 93 18:43:00 PDT Subject: fwd of Chi.Trib article... Message-ID: <93Jul6.184232pdt.14403-3@well.sf.ca.us> ...for you maths hooligans and crypto thugs... From: SPOETZ Subj: The Chicago Tribune on Fermat's Last Theorem To: DELTORTO, SaintJude ------- Forwarded Message Subject: The Chicago Tribune on Fermat's Last Theorem >From: David Notkin The following column appeared in the Chicago Tribune / DuPage County edition Tuesday June 29 1993 page 2-1. MATH RIOTS PROVE FUN INCALCULABLE /by/ Eric Zorn /begin italics/ News Item (June 23) -- Mathematicians worldwide were excited and pleased today by the announcement that Princeton University professor Andrew Wiles had finally proved Fermat's Last Theorem, a 365-year-old problem said to be the most famous in the field. /end italics/ Yes, admittedly, there was rioting and vandalism last week during the celebration. A few bookstores had windows smashed and shelves stripped, and vacant lots glowed with burning piles of old dissertations. But overall we can feel relief that it was nothing -- nothing -- compared to the outbreak of exuberant thuggery that occurred in 1984 after Louis DeBranges finally proved the Bieberbach Conjecture. "Math hooligans are the worst," said a Chicago Police Department spokesman. "But the city learned from the Bieberbach riots. We were ready for them this time." When word hit Wednesday that Fermat's Last Theorem had fallen, a massive show of force from law enforcement at universities all around the country headed off a repeat of the festive looting sprees that have become the traditional accompaniment to triumphant breakthroughs in higher mathematics. Mounted police throughout Hyde Park kept crowds of delirious wizards at the University of Chicago from tipping over cars on the midway as they first did in 1976 when Wolfgang Haken and Kenneth Appel cracked the long-vexing Four-Color Problem. Incidents of textbook-throwing and citizens being pulled from their cars and humiliated with difficult story problems last week were described by the university's math department chairman Bob Zimmer as "isolated." Zimmer said, "Most of the celebrations were orderly and peaceful. But there will always be a few -- usually graduate students -- who use any excuse to cause trouble and steal. These are not true fans of Andrew Wiles." Wiles himself pleaded for calm even as he offered up the proof that there is no solution to the equation x^n + y^n = z^n when n is a whole number greater than two, as Pierre de Fermat first proposed in the 17th Century. "Party hard but party safe," he said, echoing the phrase he had repeated often in interviews with scholarly journals as he came closer and closer to completing his proof. Some authorities tried to blame the disorder on the provocative taunting of Japanese mathematician Yoichi Miyaoka. Miyaoka thought he had proved Fermat's Last Theorem in 1988, but his claims did not bear up under the scrutiny of professional referees, leading some to suspect that the fix was in. And ever since, as Wiles chipped away steadily at the Fermat problem, Miyaoka scoffed that there would be no reason to board up windows near universities any time soon; that God wanted Miyaoka to prove it. In a peculiar sidelight, Miyaoka recently took the trouble to secure a U.S. trademark on the equation "x^n + y^n = z^n " as well as the now-ubiquitous expression "Take that, Fermat!" Ironically, in defeat, he stands to make a good deal of money on cap and T-shirt sales. This was no walk-in-the-park proof for Wiles. He was dogged, in the early going, by sniping publicity that claimed he was seen puttering late one night doing set theory in a New Jersey library when he either should have been sleeping, critics said, or focusing on arithmetic algebraic geometry for the proving work ahead. "Set theory is my hobby, it helps me relax," was his angry explanation. The next night, he channeled his fury and came up with five critical steps in his proof. Not a record, but close. There was talk that he thought he could do it all by himself, especially when he candidly referred to University of California mathematician Kenneth Ribet as part of his "supporting cast," when most people in the field knew that without Ribet's 1986 proof definitively linking the Taniyama Conjecture to Fermat's Last Theorem, Wiles would be just another frustrated guy in a tweed jacket teaching calculus to freshmen. His travails made the ultimate victory that much more explosive for math buffs. When the news arrived, many were already wired from caffeine consumed at daily colloquial teas, and the took to the streets en masse shouting, "Obvious! Yessss! It was obvious!" The law cannot hope to stop such enthusiasm, only to control it. Still, one has to wonder what the connection is between wanton pillaging and a mathematical proof, no matter how long-awaited and subtle. The Victory Over Fermat rally, held on a cloudless day in front of a crowd of 30,000 (police estimate: 150,000) was pleasantly peaceful. Signs unfurled in the audience proclaimed Wiles the greatest mathematician of all time, though partisans of Euclid, Descartes, Newton, and C.F. Gauss and others argued the point vehemently. A warmup act, The Supertheorists, delighted the crowd with a ragged song, "It Was Never Less Than Probable, My Friend," which included such gloating, barbed verses as --- "I had a proof all ready / But then I did a choke-a / Made liberal assumptions / Hi! I'm Yoichi Miyaoka." In the speeches from the stage, there was talk of a dynasty, specifically that next year Wiles will crack the great unproven Riemann Hypothesis ("Rie-peat! Rie-peat!" the crowd cried), and that after the Prime-Pair Problem, the Goldbach Conjecture ("Minimum Goldbach," said one T-shirt) and so on. They couldn't just let him enjoy his proof. Not even for one day. Math people. Go figure 'em. ---------------------------------------------------------------------- St.Jude the Oblique From tcmay at netcom.com Tue Jul 6 18:55:34 1993 From: tcmay at netcom.com (Timothy C. May) Date: Tue, 6 Jul 93 18:55:34 PDT Subject: "Let's kill all the lawyers..." In-Reply-To: <93Jul6.183147pdt.14190-3@well.sf.ca.us> Message-ID: <9307070156.AA16144@netcom3.netcom.com> Fred Heutte comments: > Tim May and Phil Karn's comments remind me of my friend Mark the Lawyer > who lives in SF. I visit him on occasion when I'm in the Bay Area and > notice that he has the proper perspective on things. When I was there > a week ago he had a copy of the Nolo Press newspaper (including a hefty > selection of their vast catalogue of lawyer jokes). And his refrigerator > magnet reads: "Lawyer: person retained to protect client from others of > profession." > > We need lawyers, but do we need *so many*?! I was born and grew up > in Washington, DC. The DC Bar has over *50,000* lawyers! Even in > our nation's capital that seems excessive. I don't really think of lawyers as the problem, per se, nor do I think there are too many GIVEN WHAT THE LAW HAS BECOME. Seems to me folks have gotten what they asked for. The asked for more regulation, they got it. The asked to be protected from the contracts they signed (that is, to find ways to get out of contracts they no longer liked), they got it. They asked for easier divorce, they got it. They asked to be able to sue for nearly anything bad that happens to them, they got it. All of these things increase the business of lawyers, as business is no longer done on a handshake, property has to be divided up with the easier divorces, and so on. If you think about it, the reason for the surge in lawyers is clear. What, if anything, can be done? Here are several suggestions: 1. Return the sanctity of the contract. If parties sign a contract, then unless there is provable fraud, the contract is valid. No wiggling out claiming "diminished capacity" (if you're diminished, hire someone to handle your affairs), claims of "not understanding," or claims that the contract itself was coercion, racist, unfair, whatever. 2. Eliminate public funding of court proceedings. Eliminate things like the "Legal Aid Society" that subsidize court proceeding against landlords and property owners (as but one example). 3. Loser pays all court costs, and perhaps damages for bringing the suit, if the suit was clearly unfounded. (A murky area, I'll grant you, but other countries have tried it and it cuts down on frivolous "I'll sue!" types of suits.) 4. In divorce cases, adopt a system in advance of the wedding clearly stating the terms and conditions under which property, kids, etc., are to be doled out. Oh, and by Point #1, the sanctity of Pre-Nuptial Agreements is ironclad...no wiggling out by hiring lawyers. 5. Ultimately, privatize the court system. Bruce Benson, in "The Enterprise of Law," describes how this might work. (I won't debate it here in this group.) Obligatory Link to Cypherpunk Ideas: Many of these reforms are likely in cyberspace, where contracts will be contracts....with money placed in escrow with anonymous escrow services and only fairly simple adjudication and arbitration of the "facts," not the "intents." (Read Vinge's "True Names" for one vision of crypto anarchy and then try to imagine how the lawyers will ply their trade in such an environment.) -Tim May -- .......................................................................... Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at netcom.com | anonymous networks, digital pseudonyms, zero 408-688-5409 | knowledge, reputations, information markets, W.A.S.T.E.: Aptos, CA | black markets, collapse of governments. Higher Power: 2^756839 | Public Key: PGP and MailSafe available. Note: I put time and money into writing this posting. I hope you enjoy it. From phred at well.sf.ca.us Tue Jul 6 19:07:08 1993 From: phred at well.sf.ca.us (Fred Heutte) Date: Tue, 6 Jul 93 19:07:08 PDT Subject: fwd of Chi.Trib article... Message-ID: <93Jul6.190635pdt.14421-1@well.sf.ca.us> Thanks, that was priceless! Best thing I've read this year. From khijol!erc at apple.com Tue Jul 6 19:32:17 1993 From: khijol!erc at apple.com (Ed Carp) Date: Tue, 6 Jul 93 19:32:17 PDT Subject: On the medium being the message In-Reply-To: <199307070119.AA23872@tigger.cc.utexas.edu> Message-ID: > > [...] This set off a whole train of thought on > > message concealibility, like hiding messages in, say, the order of headers > > in a posting, or the "Reply-To:" header, or even the words in subsequent > > postings to a newsgroup. Who would ever think to look at, say, the third > > word in every posting Tim makes to alt.whatever newsgroup? Or in the "Date:" > > field, or in the "Message-ID:" field, or ... or ... or ... > > Not much bandwidth in that medium there... > > Things like gif/jpeg images and sound files have a ton of semi-random bits > in them that you can fool around with without anyone noticing much, but > plain text in news headers and postings just doesn;t leave one with much > room for putting in a message. At least not without being blanently > obvious... True, but how much do you need if you have code dictionaries? The Message-ID field, for example, could contain a page.word reference, one that meant "the cops are watching me, be careful", or "Nuclear detonator received". Not much the NSA could do to figure that one out unless they had searched your place, or knew a HELL of a lot about you and your co-conspirator. My point was, there are a lot of covert channels that one can use without making it obvious that there is any sort of covert data being passed. -- Ed Carp erc at wetware.com 510/659-9560 For anonymous mailers --> anonymus+5300 at charcoal.com "I've met many thinkers and many cats, but the wisdom of cats is infinitely superior." -- Hippolyte Taine (1828-1893) From sneal at muskwa.ucs.ualberta.ca Tue Jul 6 20:08:19 1993 From: sneal at muskwa.ucs.ualberta.ca (Sneal) Date: Tue, 6 Jul 93 20:08:19 PDT Subject: We are becoming politically correct sheep Message-ID: <9307070308.AA02565@muskwa.ucs.ualberta.ca> I am slightly dubious of the wisdom of Tim's switch-and-bate on a.b.p.e.c. for a couple of reasons: a) The possibility of some media nitwit hearing about the initial post and missing Tim's "retraction" (or ignoring it in the interests of a great big ol' byline). Nightmarish possibilities abound, particularly given the subtle nature of the "clue" in the PGP block. b) In a more paranoid moment some months ago, I predicted that the NSA would be waiting for a chance to work a PGP angle into some sensational story that creates a lot of public outcry. Linking PGP to terrorism, drug dealing, or kiddie porn would be a great first step towards getting some laws against "unlicensed cryptography" on the books. I'm less worried about Tim giving the TLAs any ideas (I'm sure they have lots of bright "media relations" people already) than I am about him inspiring real pornographers (or agent provocateurs). c) Personally, I think that the fewer excuses one gives busybodies to "make policy", the better. However, what with Clipper, Markey, Gore, Denning, Sternlight, et al, the cat's already out of the bag. We can only sigh and wish that these beknighted ones had viewed with alarm the excess profits and price gouging of the haircutting industry, and the need to balance unbridled free enterprise with the tonsorial rights of the public. However - tickling a few neurons may very well have been worth the risks noted above. In response to Tim's later post about freedom of speech, J. Eric Townsend writes: >[flameage censored] In arguing the fine points of Dworkinism, pornography, capitalization of proper nouns, etc., I think Eric misses Tim's point, which is (I think) that the current movement of society is from Forbidding actions that cause harm to others to Forbidding actions and speech that might offend others, or make them uncomfortable, or hurt their feelings. This is an obviously not a happy thing. While not offending others is an admirable goal, I am going to disagree with Tim May if he claims that he can levitate given the right mix of ginseng, pig knuckles, and spiritual harmony. Tim may be emotionally crushed by this, but that's life. If things keep on the way they are, in a few years, Tim will have the option of taking me to the Spiritual Tribunal and having me busted for emotional assault, where I'll be sentenced to three to five years at hard consciousness-raising. There's an excellent article on this issue by Jonathan Rauch in the April 93 issue of 'Reason'; this is an excerpt from his book "Kindly Inquisitors: The New Attack On Free Thought". Rauch's thesis is that the very humanitarian goal of making sure that nobody's feelings are hurt is incompatible with the free inquiry and lively discourse that are necessary parts of a free society. To those of you who think "it can't happen here", I would refer you to Canada's "hate speech" laws, which make it a criminal offense to "promote hatred against an identifiable group". To date, the only well-known charges under these laws have been against couple of Holocaust revisionists; however, the definitions of "promoting hatred" and "identifiable group" are vague enough to make this country a somewhat dangerous place to have unpopular views, even disregarding the tremendous leverage this law gives governments to step on anyone who gets too far out of line. "It's the First Amendment, stupid." -- Steve From nobody at soda.berkeley.edu Tue Jul 6 21:07:14 1993 From: nobody at soda.berkeley.edu (nobody at soda.berkeley.edu) Date: Tue, 6 Jul 93 21:07:14 PDT Subject: Encrypted list software Message-ID: <9307070403.AA05223@soda.berkeley.edu> -----BEGIN PGP SIGNED MESSAGE----- I've had a couple of people ask to have their names added to the encrypted list forwarder I put together. I'm soliciting feedback on how this service should work. Right now, it only encrypts the "body" of the message. The "headers", which are the "From:" and "Subject:" lines, etc., are passed through basically unchanged (except for "To:", which I change to be the person it is going to. Maybe that's unnecessary, as I notice that the cypherpunks list puts its own address into "To:", for some reason.) It also adds "Encrypted: PGP" to the headers. I wonder if it would be better for it to encrypt the whole message, headers and body together, then to mail that with a fresh new header that would show nothing about the original message. The first approach hides the contents of the message, but not its subject or who it is from; the second hides more. Any suggestions as to which is more useful? Hal Finney hfinney at shell.portal.com -----BEGIN PGP SIGNATURE----- iQCUAgUBLDoazagTA69YIUw3AQEVIQP4yImWVmyipsNbMUu8pX4QkyPx9T/95MVP lTc+LAFwACUSbm2/DNTqLOLbDhb9rnMlHT/926mjoJFC4H3xQn61oXzM50GtRiaY ORJOxJ8CVqmQE7RW51jEAM0wIH4L2CDhveudY6r2ZX7uLjmybkdHJy4G5BSb46cD x5h93fOyXg== -----END PGP SIGNATURE----- From fergp at sytex.com Tue Jul 6 21:13:11 1993 From: fergp at sytex.com (Paul Ferguson) Date: Tue, 6 Jul 93 21:13:11 PDT Subject: Public record Message-ID: <5HPa7B2w165w@sytex.com> I received a letter from "The National Computer System Security and Priivacy Advisory Board" this past week, acknowledging my letter to them (and submission thereof) on the "key-escrow" initiative. Without quoting the entirety of the letter, one particular passage merits repeat: "Copies of written statements/comments received on these issues will be made part of the public record. All statements/comments are available for inspection aand copying in the Central Reference and Records Inspection Facility, Room 600, Herbert C. Hoover (Department of Commerce) Building, 14th Street between Pennsylvania and Constitution Avenues, NW, Washington, DC 20230." The letter is signed by Lynn McNulty, Board Secretariat. (Actually, his secretary called me here in New York to get my mailing address even though I made a point of including it in my original letter of opposition. Go figure.) Anyway, this is now public record and subject to an FOIA request, no? Cheers. Paul Ferguson | "Confidence is the feeling you get Network Integrator | just before you fully understand Centreville, Virginia USA | the problem." fergp at sytex.com | - Murphy's 7th Law of Computing Quis Custodiet Ipsos Custodes? From fergp at sytex.com Tue Jul 6 21:13:49 1993 From: fergp at sytex.com (Paul Ferguson) Date: Tue, 6 Jul 93 21:13:49 PDT Subject: Live for today Message-ID: On Tue, 6 Jul 93 16:08:00 -0700, Timothy C. May wrote - > The discussion of free speech and political correctness is > apparently not welcome by some on this list. I guess the usual > religious debates about which mail reader is better are what > we're supposed to talk about. Well, I'm a member of this list, > too, and issues of censorship and free speech are more > interesting to me--and to some others, I suspect--than the > intricacies of "MH." Hear, hear. Settle down, old chum. I suppose it takes a volitile issue or two to get me off of my keister, but now that I'm up, I'm more than willing to toss my (good?) name into the fracas. Idealisms are much akin to links in a chain; each crafted individually, yet forming a bond that link each idealism together into a society. (Discussions on how healthy this society really should be left for future discusion.) I walk a fine line between an affectionado for free speech and a staunch supporter of individual rights and privacy. Each aspect has its proponents and contentions, yet each aspect needs protection under _human_ law. Now, where does one infringe upon the other? I have always been fond of the adage that "your right to swing your fist ends when it hits my nose," and I hope you understand my sentiment. I have even played the role of the "net police" in at least one instance. (But then again, I did not react to rumor, innuendo or happenstance. This is another topic entirely. Those who subscribe to RISKS may be the wiser.) I applaud your exploit in the bitwise/erotica/net-police experiment. I personally think it was damned clever and proved a valuable point. In fact, I'd like to get your permission to reprint your original message in Legal Net News, por favor. > What is happening to free speech? What has happened to "Sir, I > disagree with what you say, but I defend to the death your right > to say it."? I was a military-man (once upon a time), and took that oath seriously. I tired of the "spinning-your-wheels" metality, so I naturally migrated into the private telecommunications sector. I would still defend it today, to death. Make no mistake, this country may have developed some serious problems over the course of the past 200 years, but some of us hold the intrinsic values embelished in the Constitution dear. What Tim has done is above and beyond petty in-fighting in this group. We are about change, challenge and chaos. We are old, we are new. We change, yet we are the same. What does it take? Ask us. We will tell you -- its about stirring up the pot. Paul Ferguson | "Confidence is the feeling you get Network Integrator | just before you fully understand Centreville, Virginia USA | the problem." fergp at sytex.com | - Murphy's 7th Law of Computing Quis Custodiet Ipsos Custodes? From tcmay at netcom.com Tue Jul 6 21:25:10 1993 From: tcmay at netcom.com (Timothy C. May) Date: Tue, 6 Jul 93 21:25:10 PDT Subject: We are becoming politically correct sheep In-Reply-To: <9307070308.AA02565@muskwa.ucs.ualberta.ca> Message-ID: <9307070425.AA15301@netcom3.netcom.com> Steve Neal makes some very good points: > a) The possibility of some media nitwit hearing about the initial > post and missing Tim's "retraction" (or ignoring it in the interests > of a great big ol' byline). Nightmarish possibilities abound, > particularly given the subtle nature of the "clue" in the PGP block. I agree, which is why I ended the charade. (And I would've ended it sooner had I gotten any strange phone calls, suggesting a reporter sniffing around, or threats to report the posting to the cops. I did get a few strange messages suggesting Netcom should yank my account.) But the interesting thing is how paranoid people are about free speech being exercised (the free speech being posting of non-provably illegal material, not the posting of provably illegal material). I won't repeat my point about a nation of politically correct sheep. > However - tickling a few neurons may very well have been worth the > risks noted above. Yes, perhaps thinking about some issues in advance is a good "drill." (For some reason, I seem to gravitate toward these "early warning" situations...it was me who posted the first message about Dorothy Denning's key escrow system, last October ("A Trial Balloon to Ban Encryption?"), and I also posted the fake "Stealth Secrets" article in cypherpunks, anonymously. The intent was to test the commitment of the list to the much-talked about "whistleblowers" group and to the likey implications. (Sure enough, several people freaked out and called for censorship--as if anonymous whistleblowing can be censored! I 'fessed-up after several days, pointing out the material came from a published book and some Aviation Leak material.) Steve then makes some really excellent points: > In arguing the fine points of Dworkinism, pornography, > capitalization of proper nouns, etc., I think Eric misses Tim's point, > which is (I think) that the current movement of society is from > > Forbidding actions that cause harm to others > > to > > Forbidding actions and speech that might offend others, or make them > uncomfortable, or hurt their feelings. Yes, exactly! This is a profound shift from the principles on which this country (apologies to Brits, etc.) was founded. > To those of you who think "it can't happen here", I would refer you > to Canada's "hate speech" laws, which make it a criminal offense to > "promote hatred against an identifiable group". To date, the only And France and Germany have both used "hate crimes" as "hate groups" as justification to ban certain groups from existing. > well-known charges under these laws have been against couple of > Holocaust revisionists; however, the definitions of "promoting > hatred" and "identifiable group" are vague enough to make this > country a somewhat dangerous place to have unpopular views, even > disregarding the tremendous leverage this law gives governments to > step on anyone who gets too far out of line. Good points, but the so-called "Holocaust" never actually happened, hence there cannot be any such thing as "Holocaust revisionism," just the telling of the truth. While the Nazis were not perfect, this nonsense about extermination camps was just Allied propaganda (confirmed by documents declassified in 1967) designed to embarass the Nazi "Huns" and to hide the mass exodus of Jews, who stole the wealth of Germany and took it to New York to set up brokerage and banking firms like S.G. Warburg and the Rothschild Bank. Every true researcher knows this. (This little joke could be enough in Canada, as Steve points out, to at least threaten me, and perhaps the machine this message originates to the List from. Most likely not (the Canadians concentrated on long-time activists), but the _threat_ is there. And this threat is coming down to the U.S.) Understand that the real threat to the Jews in Germany was not so much hatred of the Jews (of which there was probably less in Germany than in France and other European countried until Hitler began stirring up hatred and staging events to trigger mass hatred) as it was the unbridled power of the Nazi state. Civil rights were suspended, the courts fell under the control of Hitler's people, and "law" became whatever the government wanted. Ironically, with "hate crimes" as a prosecutorial tool in the 1930s, Hitler could have used the laws to prosecute Jews (especially Orthodox Jews, with different fashion styles and a dislike ("hate"?) for many Gentiles. The real threat is the government, whatever its initial intent. They have the guns, they have the courts, they have the power. We've sunk into a strange situation in which various special interest groups jockey for special privilege, special powers granted to them by the State. "Live and let live" doesn't mean one has to _like_ all the various individuals or groups that are out there, it just means you let them do their thing as long as they don't interfere with your own life. You can't pass laws to force others to like you, or your group, or to make their thougths conform to yours. About all you can really do is make sure they can't rob and kill, and even that's iffy. --Tim May -- .......................................................................... Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at netcom.com | anonymous networks, digital pseudonyms, zero 408-688-5409 | knowledge, reputations, information markets, W.A.S.T.E.: Aptos, CA | black markets, collapse of governments. Higher Power: 2^756839 | Public Key: PGP and MailSafe available. Note: I put time and money into writing this posting. I hope you enjoy it. From tcmay at netcom.com Tue Jul 6 21:40:37 1993 From: tcmay at netcom.com (Timothy C. May) Date: Tue, 6 Jul 93 21:40:37 PDT Subject: Live for today In-Reply-To: Message-ID: <9307070441.AA21415@netcom3.netcom.com> Paul Ferguson writes: > I applaud your exploit in the bitwise/erotica/net-police experiment. > I personally think it was damned clever and proved a valuable point. > In fact, I'd like to get your permission to reprint your original > message in Legal Net News, por favor. By all means! Just be sure to provide enough context and to included the "explanation." Also, several other people made some excellent comments, and you might want to somehow include their points. > Ask us. We will tell you -- its about stirring up the pot. Yeah, I think a lot of us got involved in this whole thing (now called Cypherpunks, but it started percolating years ago) precisely to stir things up. And to the credit of you folks, I think some progress has been made. The remailers, the awareness of Cypherpunks-type issues in the media ("Wired," "Whole Earth Review," "New York Times," "Newsweek"), and our role in the Clipper/Capstone/Skipjack/whatever matter, are all positive steps. It is true we haven't deployed digital cash, nor have we set up data havens in cyberspace, nor a bunch of other things, but these things are instrinsically hard to pull off. Someday they'll come. Finally: > Quis Custodiet Ipsos Custodes? (I've been tempted recently to come up with a "crypto" version of this famous "And who shall guard the guardians?" line. Something, in Latin of course (for effect), about "And who shall eavesdrop on the eavesdroppers?" or somesuch. Perhaps the original is best as it is.) -Tim May -- .......................................................................... Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at netcom.com | anonymous networks, digital pseudonyms, zero 408-688-5409 | knowledge, reputations, information markets, W.A.S.T.E.: Aptos, CA | black markets, collapse of governments. Higher Power: 2^756839 | Public Key: PGP and MailSafe available. Note: I put time and money into writing this posting. I hope you enjoy it. From parrinel at ux1.cso.uiuc.edu Tue Jul 6 21:47:34 1993 From: parrinel at ux1.cso.uiuc.edu (Chris Parrinello) Date: Tue, 6 Jul 93 21:47:34 PDT Subject: Encrypted list software In-Reply-To: <9307070403.AA05223@soda.berkeley.edu> Message-ID: <199307070446.AA27421@ux1.cso.uiuc.edu> Your message dated: Tue, 06 Jul 1993 21:03:30 PDT >-----BEGIN PGP SIGNED MESSAGE----- > >I've had a couple of people ask to have their names added to the >encrypted list forwarder I put together. I'm soliciting feedback on >how this service should work. > >I wonder if it would be better for it to encrypt the whole message, headers >and body together, then to mail that with a fresh new header that would >show nothing about the original message. I think encrypting who the message is from and the subject would be best that way I can have a subject of "Plans to Kill Pauly Shore" after I decrypt the message. For how the service should work, I think you should look into MIME. You can include encrypted text that will decrypt when you read it with your mail program. Chris From i6t4 at jupiter.sun.csd.unb.ca Tue Jul 6 22:31:44 1993 From: i6t4 at jupiter.sun.csd.unb.ca (Nickey MacDonald) Date: Tue, 6 Jul 93 22:31:44 PDT Subject: What do you make of this? Message-ID: Here's a list of phone numbers, what do you make of them? (503) 241-9796 ext: 09 (510) 244-8003 ext: 308 (614) 626-6421 ext: 19 (917) 806-0801 ext: 19 (208) 565-6220 ext: 23 (807) 961-6176 (608) 809-5822 (402) 815-5084 (716) 251-3201 ext: 214 (317) 837-9796 ext: 20 (514) 999-7352 ext: 38 (412) 221-7266 ext: 226 (619) 620-9556 ext: 18 (417) 582-2491 ext: 26 (210) 879-1228 ext: 017 (413) 708-9037 ext: 24 (203) 791-3828 ext: 15 (413) 366-5478 ext: 37 (414) 297-3632 ext: 301 (305) 469-5633 (200) 296-4919 ext: 104 (818) 708-4065 ext: 12 (402) 614-0058 (213) 918-2514 ext: 221 (201) 897-4434 ext: 01 (611) 200-0862 ext: 208 (213) 248-9232 ext: 0309 (507) 236-2585 ext: 27 (218) 271-1379 ext: 0329 (201) 267-6176 ext: 114 (504) 214-8612 ext: 22 (803) 823-1367 (207) 562-8716 ext: 27 (215) 239-5596 ext: 0421 (405) 332-6203 (912) 248-6594 ext: 225 (216) 440-2025 ext: 122 (313) 322-2667 ext: 33 -- Nick MacDonald | NMD on IRC i6t4 at jupiter.sun.csd.unb.ca | PGP 2.1 Public key available via finger i6t4 at unb.ca | (506) 457-1931 ^{1024/746EBB 1993/02/23} From rwhelan at mason1.gmu.edu Tue Jul 6 23:00:41 1993 From: rwhelan at mason1.gmu.edu (Ryan A. Whelan) Date: Tue, 6 Jul 93 23:00:41 PDT Subject: Encrypted list software In-Reply-To: <199307070446.AA27421@ux1.cso.uiuc.edu> Message-ID: <9307070600.AA23572@mason1.gmu.edu> -----BEGIN PGP SIGNED MESSAGE----- > I think encrypting who the message is from and the subject would be > best that way I can have a subject of "Plans to Kill Pauly Shore" > after I decrypt the message. > For how the service should work, I think you should look into MIME. You > can include encrypted text that will decrypt when you read it with > your mail program. Well actaully, since we just recently got perl installed on our system, I have been playing around with the elm and nn scripts. They seem to work resonably well, but it looks like they need a little work. The do detect if the message is PGP encrypted or if it has a PGP signature in it and when I mail things it asks if I want to sign it or encrypt it. They need a little polishing but they do work. Anyone else has any experience using this? anyone got any suggestions? Sometime when I am not so tired I am going to play with the emacs and tin scripts. - -- Ryan A. Whelan "Only two good things came out of Berkeley, LSD and BSD, rwhelan at mason1.gmu.edu rwhelan at cosmos.gmu.edu coincidence???" rwhelan at gmuvax.gmu.edu PGP Public Key available via finger "If its not UNIX, its crap" -----BEGIN PGP SIGNATURE----- Version: 2.3 iQCVAgUBLDpmSxGKBstqmlA7AQHHQwQAjSnhBqjU28HAjYN87g7iSSwfZxRYxrdY ArpkU89N72CW1NgEQnLoZGYmyVuXNdmMn7qVJrEPXM5ivT/iGgiLmrUsiFSe1mtF gt20XyQ/VYO74M3DI7wC3tUcn63lRaJO79rYjenQKL6g4HPdIZxYjJMj6TlEzPK3 ULahI5aALys= =zUm7 -----END PGP SIGNATURE----- From khijol!erc at apple.com Wed Jul 7 00:07:56 1993 From: khijol!erc at apple.com (Ed Carp) Date: Wed, 7 Jul 93 00:07:56 PDT Subject: What do you make of this? In-Reply-To: Message-ID: > Here's a list of phone numbers, what do you make of them? > Nick MacDonald | NMD on IRC > i6t4 at jupiter.sun.csd.unb.ca | PGP 2.1 Public key available via finger > i6t4 at unb.ca | (506) 457-1931 ^{1024/746EBB 1993/02/23} I don't know. What are they? Ed (busily building gcc-2.4.5 on a 486) Carp -- Ed Carp erc at wetware.com 510/659-9560 For anonymous mailers --> anonymus+5300 at charcoal.com "I've met many thinkers and many cats, but the wisdom of cats is infinitely superior." -- Hippolyte Taine (1828-1893) From mike at EGFABT.ORG Wed Jul 7 00:36:42 1993 From: mike at EGFABT.ORG (Mike Sherwood) Date: Wed, 7 Jul 93 00:36:42 PDT Subject: What do you make of this? In-Reply-To: Message-ID: Nickey MacDonald writes: > Here's a list of phone numbers, what do you make of them? > > (503) 241-9796 ext: 09 > (510) 244-8003 ext: 308 I dont know about all of them, but the second one is near me and I confirmed that there is no 244 prefix in the 510 area code, so either ther is an error in that data, or should I venture so far as to say that he's trying to make a point about hiding information in a seemingly harmless format. I don't have the desire to actually try to find out what it is, but it wouldnt take much more research to find out if the list is primarily made of nonexistent numbers. However, the only reason I even looked that far is because of the nature of this group and the fact that it was brought up as such, rather than "Local U.S. Department of Agriculture offices" or some other title that would cause people to want to be as far away from it as possible. -- Mike Sherwood internet: mike at EGFABT.ORG uucp: ...!sgiblab!egfabt!mike From shipley at merde.dis.org Wed Jul 7 01:22:04 1993 From: shipley at merde.dis.org (Peter shipley) Date: Wed, 7 Jul 93 01:22:04 PDT Subject: a forward of a forward of a .... Message-ID: <9307070608.AA06525@merde.dis.org> ------- Forwarded Message Return-Path: shipley at remarque.berkeley.edu Message-Id: From: sinster at scintilla.santa-clara.ca.us (Darren Senn) Subject: Warning from the LPF... To: fyi at xcf.berkeley.edu Date: Tue, 6 Jul 1993 20:53:48 -0800 (PDT) X-Mailer: ELM [version 2.4 PL21] Content-Type: text Content-Length: 11239 Resent-To: shipley at dis.org Resent-Date: Tue, 06 Jul 1993 21:02:51 -0700 Resent-From: Evil Pete [ Indented just so I don't choke anyone's mailer -- DS ] Date: Mon, 28 Jun 1993 07:48:33 GMT From: friedman at gnu.ai.mit.edu (Noah Friedman) Subject: Digital Signature Scandal Organization: Free Software Foundation, 675 Mass Ave. Cambridge, MA 02139 [The following is an official announcement from the League for Programming Freedom. Please redistribute this as widely as possible. [NF]] Digital Signature Scandal Digital signature is a technique whereby one person (call her J. R. Gensym) can produce a specially encrypted number which anyone can verify could only have been produced by her. (Typically a particular signature number encodes additional information such as a date and time or a legal document being signed.) Anyone can decrypt the number because that can be done with information that is published; but producing such a number uses a "key" (a password) that J. R. Gensym does not tell to anyone else. Several years ago, Congress directed the NIST (National Institute of Standards and Technology, formerly the National Bureau of Standards) to choose a single digital signature algorithm as a standard for the US. In 1992, two algorithms were under consideration. One had been developed by NIST with advice from the NSA (National Security Agency), which engages in electronic spying and decoding. There was widespread suspicion that this algorithm had been designed to facilitate some sort of trickery. The fact that NIST had applied for a patent on this algorithm engendered additional suspicion; despite their assurances that this would not be used to interfere with use of the technique, people could imagine no harmless motive for patenting it. The other algorithm was proposed by a company called PKP, Inc., which not coincidentally has patents covering its use. This alternative had a disadvantage that was not just speculation: if this algorithm were adopted as the standard, everyone using the standard would have to pay PKP. (The same patents cover the broader field of public key cryptography, a technique whose use in the US has been mostly inhibited for a decade by PKP's assiduous enforcement of these patents. The patents were licensed exclusively to PKP by the Massachusetts Institute of Technology and Stanford University, and derive from taxpayer-funded research.) PKP, Inc. made much of the suspect nature of the NIST algorithm and portrayed itself as warning the public about this. On June 8, NIST published a new plan which combines the worst of both worlds: to adopt the suspect NIST algorithm, and give PKP, Inc. an *exclusive* license to the patent for it. This plan places digital signature use under the control of PKP through the year 2010. By agreeing to this arrangement, PKP, Inc. shows that its concern to protect the public from possible trickery was a sham. Its real desire was, as one might have guessed, to own an official national standard. Meanwhile, NIST has justified past suspicion about its patent application by proposing to give that patent (in effect) to a private entity. Instead of making a gift to PKP, Inc., of the work all of us have paid for, NIST and Congress ought to protect our access to it--by pursuing all possible means, judicial and legislative, to invalidate or annul the PKP patents. If that fails, even taking them by eminent domain is better (and cheaper in the long run!) than the current plan. You can write to NIST to object to this giveaway. Write to: Michael R. Rubin Active Chief Counsel for Technology Room A-1111, Administration Building, National Institute of Standards and Technology Gaithersburg, Maryland 20899 (301) 975-2803. The deadline for arrival of letters is around August 4. Please send a copy of your letter to: League for Programming Freedom 1 Kendall Square #143 P.O.Box 9171 Cambridge, Massachusetts 02139 (The League for Programming Freedom is an organization which defends the freedom to write software, and opposes monopolies such as patented algorithms and copyrighted languages. It advocates returning to the former legal system under which if you write the program, you are free to use it. Please write to the League if you want more information.) Sending copies to the League will enable us to show them to elected officials if that is useful. This text was transcribed from a fax and may have transcription errors. We believe the text to be correct but some of the numbers may be incorrect or incomplete. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ** The following notice was published in the Federal Register, Vol. 58, No. 108, dated June 8, 1993 under Notices ** National Institute of Standards and Technology Notice of Proposal for Grant of Exclusive Patent License This is to notify the public that the National Institute of Standards and Technology (NIST) intends to grant an exclusive world-wide license to Public Key Partners of Sunnyvale, California to practice the Invention embodied in U.S. Patent Application No. 07/738.431 and entitled "Digital Signature Algorithm." A PCT application has been filed. The rights in the invention have been assigned to the United States of America. The prospective license is a cross-license which would resolve a patent dispute with Public Key Partners and includes the right to sublicense. Notice of availability of this invention for licensing was waived because it was determined that expeditious granting of such license will best serve the interest of the Federal Government and the public. Public Key Partners has provided NIST with the materials contained in Appendix A as part of their proposal to NIST. Inquiries, comments, and other materials relating to the prospective license shall be submitted to Michael R. Rubin, Active Chief Counsel for Technology, Room A-1111, Administration Building, National Institute of Standards and Technology, Gaithersburg, Maryland 20899. His telephone number is (301) 975-2803. Applications for a license filed in response to this notice will be treated as objections to the grant of the prospective license. Only written comments and/or applications for a license which are received by NIST within sixty (60) days for the publication of this notice will be considered. The prospective license will be granted unless, within sixty (60) days of this notice, NIST receives written evidence and argument which established that the grant of the license would not be consistent with the requirements of 35 U.S.C. 209 and 37 CFR 404.7. Dated: June 2, 1993. Raymond G. Kammer Acting Director, National Institute Standards and Technology. Appendix "A" The National Institute for Standards and Technology ("NIST") has announced its intention to grant Public Key Partners ("PKP") sublicensing rights to NIST's pending patent application on the Digital Signature Algorithm ("DSA"). Subject to NIST's grant of this license, PKP is pleased to declare its support for the proposed Federal Information Processing Standard for Digital Signatures (the "DSS") and the pending availability of licenses to practice the DSA. In addition to the DSA, licenses to practice digital signatures will be offered by PKP under the following patents: Cryptographic Apparatus and Method ("Diffie-Hellman") No. 4,200,770 Public Key Cryptographic Apparatus and Method ("Hellman-Merkle") No. 4,315,552 Exponential Cryptographic Apparatus and Method ("Hellman-Pohlig") No. 4,434,414 Method For Identifying Subscribers And For Generating And Verifying Electronic Signatures In A Data Exchange System ("Schnorr") No. 4,995,082 It is PKP's intent to make practice of the DSA royalty free for personal, noncommercial and U.S. Federal, state and local government use. As explained below, only those parties who enjoy commercial benefit from making or selling products, or certifying digital signatures, will be required to pay royalties to practice the DSA. PKP will also grant a license to practice key management, at no additional fee, for the integrated circuits which will implement both the DSA and the anticipated Federal Information Processing Standard for the "key escrow" system announced by President Clinton on April 16, 1993. Having stated these intentions, PKP now takes this opportunity to publish its guidelines for granting uniform licenses to all parties having a commercial interest in practicing this technology: First, no party will be denied a license for any reason other that the following: (i) Failure to meet its payment obligations, (ii) Outstanding claims of infringement, or (iii) Previous termination due to material breach. Second, licenses will be granted for any embodiment sold by the licensee or made for its use, whether for final products software, or components such as integrated circuits and boards, and regardless of the licensee's channel of distribution. Provided the requisite royalties have been paid by the seller on the enabling component(s), no further royalties will be owned by the buyer for making or selling the final product which incorporates such components. Third, the practice of digital signatures in accordance with the DSS may be licensed separately from any other technical art covered by PKP's patents. Fourth, PKP's royalty rates for the right to make or sell products, subject to uniform minimum fees, will be no more than 2 1/2% for hardware products and 5% for software, with the royalty rate further declining to 1% on any portion of the product price exceeding $1,000. These royalty rates apply only to noninfringing parties and will be uniform without regard to whether the licensed product creates digital signatures, verifies digital signatures or performs both. Fifth, for the next three (3) years, all commercial services which certify a signature's authenticity for a fee may be operated royalty free. Thereafter, all providers of such commercial certification services shall pay a royalty to PKP of $1.00 per certificate for each year the certificate is valid. Sixth, provided the foregoing royalties are paid on such products or services, all other practice of the DSA shall be royalty free. Seventh, PKP invites all of its existing licensees, at their option, to exchange their current licenses for the standard license offered for DSA. Finally, PKP will mediate the concerns of any party regarding the availability of PKP's licenses for the DSA with designated representatives of NIST and PKP. For copies of PKP's license terms, contact Michael R. Rubin, Acting Chief Counsel for Technology, NIST, or Public Key Partners. Dated: June 2, 1993. Robert B. Fougner, Esq., Director of Licensing, Public Key Partners, 310 North Mary Avenue, Sunnyvale, CA 94033 [FR Doc. 93-13473 Filed 8-7-93; 8:45 am] ^^^^^^ [Looks like a typo to me... -- DS ] - -- Darren Senn Phone: (408) 988-2640 Snail: 620 Park View Drive #206 sinster at scintilla.santa-clara.ca.us Santa Clara, CA 95054 Just another alpha male wire-head pyromaniac ------- End of Forwarded Message From jonb at insignia.co.uk Wed Jul 7 02:36:21 1993 From: jonb at insignia.co.uk (jon barber) Date: Wed, 7 Jul 93 02:36:21 PDT Subject: Complete ignorance of any sort of reality on May's part (was We are Message-ID: <756.9307070933@panacea.insignia.co.uk> > Tired of white het male computer geeks talking nonsense about anyone > who threatens their place in the power structure, Bollocks. I'm sick of being labelled 'white het male'. I am, but so what ? Your response was the most power-oriented in this exchange, and your steroetypes are just as banal as me calling all lesbians fat & ugly. What power structure ? I don't see any power structure - in fact I'm just as powerless as anyone else is. I'm sick and tired of having to be politically correct for fear of being called a bigot. I'll be damned if I'll be turned into an emasculated new age man, as the ones I've come across repel me almost as much as child pornographers. Jon Barber, donning asbestos suit. P.S. I'm no homophobe. My best friend is HIV+ after having a bisexual history, and his girlfriends twin sister is a lesbian, who I like very much. From claborne at ccgate.sandiegoca.NCR.COM Wed Jul 7 21:58:29 1993 From: claborne at ccgate.sandiegoca.NCR.COM (Chris Claborne) Date: Wed, 7 Jul 93 21:58:29 PDT Subject: PC week Message-ID: <9307071831.af02186@ncrcom.DaytonOH.NCR.COM> >Sorry if this has been mentioned already, but the new issue of PC >Week contains a big special report entitled "Privacy in the >Workplace." It's got about five or six separate pieces on electronic >eavesdropping in the workplace, encryption, Clipper, etc., etc. I've >only had a chance to scan it quickly (I mean with my eyes), but it >seems that there's no mention of PGP at all, even in the piece on >public-key encryption. Shocking. And the piece on Clipper, while it >of course mentions all the opposition to the proposal, seemed just a >bit wimpy to me. Anyway, it's the June 28 issue. Worth checking >out, I guess. Wimpy yes, but a good start. I am seeing more and more on clipper and encryption. I think I even saw on in the LA Times. I would reccomend that we encourage this behavior by writing letters to the editor. Remember... Power of the press. (some day "power of the net") 2 -- C -- From murphy at s1.elec.uq.oz.au Wed Jul 7 21:59:56 1993 From: murphy at s1.elec.uq.oz.au (Peter Murphy) Date: Wed, 7 Jul 93 21:59:56 PDT Subject: We are becoming politically correct sheep In-Reply-To: <9307070425.AA15301@netcom3.netcom.com> Message-ID: <9307080418.AA00492@s2.elec.uq.oz.au> Summarizing the important bits from Timothy's Post ... > > But the interesting thing is how paranoid people are about free speech > being exercised (the free speech being posting of non-provably illegal > material, not the posting of provably illegal material). I won't > repeat my point about a nation of politically correct sheep. > > > However - tickling a few neurons may very well have been worth the > > risks noted above. > > Yes, perhaps thinking about some issues in advance is a good "drill." > .... and .... > > Steve then makes some really excellent points: > > > In arguing the fine points of Dworkinism, pornography, > > capitalization of proper nouns, etc., I think Eric misses Tim's point, > > which is (I think) that the current movement of society is from > > > > Forbidding actions that cause harm to others > > > > to > > > > Forbidding actions and speech that might offend others, or make them > > uncomfortable, or hurt their feelings. > > Yes, exactly! This is a profound shift from the principles on which > this country (apologies to Brits, etc.) was founded. > .... plus more ... > > The real threat is the government, whatever its initial intent. They > have the guns, they have the courts, they have the power. > > We've sunk into a strange situation in which various special interest > groups jockey for special privilege, special powers granted to them > by the State. > > "Live and let live" doesn't mean one has to _like_ all the various > individuals or groups that are out there, it just means you let them > do their thing as long as they don't interfere with your own life. > > You can't pass laws to force others to like you, or your group, or to > make their thougths conform to yours. About all you can really do is make > sure they can't rob and kill, and even that's iffy. > > > --Tim May > > > > -- > .......................................................................... > Timothy C. May | Crypto Anarchy: encryption, digital money, > tcmay at netcom.com | anonymous networks, digital pseudonyms, zero > 408-688-5409 | knowledge, reputations, information markets, > W.A.S.T.E.: Aptos, CA | black markets, collapse of governments. > Higher Power: 2^756839 | Public Key: PGP and MailSafe available. > Note: I put time and money into writing this posting. I hope you enjoy it. > Okay. I agree with most of the post above. I also thought that Tim's "child- porn" exercise was both useful and amusing. These two stories below are some more examples of political correctness gone wrong. The first concerns David Irving, well-known right-wing revisionist "historian". Mr. Irving wanted to do a lecture tour in my country of residence, Australia. The government banned his entry, on grounds of racial hatred and the like. This decision has immediately criticized my a sizeable majority of the newspapers, with the prevalent view being "He's got appaling viewpoint, but he should be permitted to be heard." I am not certain whether the decision has been reversed or not. I'll have to get back on the subject. Personally, I agreed with the newspapers on that subject (but of course not on others....) The second story is more amusing. I don't know how many people on the list have seen the movie "Romper Stomper", or even if it has been released in America (from which most of the list resides). For those who don't know, Romper Stomper concerns a gang of Nazi skinheads who live in Melbourne. Most of them are unedu- cated scum, although their leader, Hando, although twisted, is quite intellegent and charismatic. The film concerns the decline of the group, both through the action of some Vietnamese immigrants (who fight back for a change), and the police. The film, like the skinheads, are quite violent. The film (from what I could gather) portrayed the skinheads in an unflattering light. None of the cast or crew advocated Nazi ideology, and especially not Russell Crowe, who played Hando. This didn't stop the British Anti-Nazi League from picketing the film when it was shown in England. They seemed to have gathered that it was a very naughty film indeed, although how they got their selective myopia I don't understand. Fortunately, the picket was a failure. Most of the Australian expatriates told their friends to see it, and they told their friends, und so weiter. Okay, political correctness is a dangerous thing. Note that I didn't say bad, just dangerous. I do agree that racism, sexism and homophobia are bad things, so I do sympathize with most p.c. objectives. But mostly I have not found any strong evidence for legislative strategies to enforce these objectives (with one exception ... see below). Fortunately their are ways to defuse this dilemma without legal wrangling. Firstly, a lot of terms (although not all) which started out as a symbol of demonizing have turned out to be words of pride. Examples are Nigga (as Niggas with Attitute) and Dyke (as in Dykes on Bikes, which are always prominent in the Sydney Gay Pride Festival, among other places, and whoops, I forgot to mention "Gay"). This is of course imperfect ... I don't think the word "Faggot" is used very positively, and as for such words like "Slag" (slang for women), the less said the better. Of course, as a white male heterosexual (or Breeder, whatever you prefer), I don't encounter much discrimination, so I am not as knowledgeble (sic) as some people. Still, when people can use _some_ of these words in a humerous fashion (as opposed to offensive), things look brighter. The second point is immediately related to the last point - humour. If you are not going to ban the bastards from speaking you can at least make fun of them. After all, it is part of YOUR right to speak. As an example, in Australia some judges have been under fire for making stupid comments at rape trial. Some people have called for their dismissal (which is a bit extreme). However, a lot of comics have been satirizing their judgements, and the jokes have even occured on two comedy shows: "The Late Show" and "Full Frontal". (After all, can you say the phrase "No means Yes" with a straight face anymore ..?) For the third point, I admit that it does fall into the category of legal wrangling. It is this - remove all legislation that limits the powers of a minority. Fortunately, most of this work has already been done in most Western countries. Still, examples do exist. Queensland (my state) decriminalized homosexual behavior among consenting adults only three years ago, and legislation still exists in Tasmania (although it is "not enforced"). Also, until recently, several cantons in Switzerland didn't give women the right to vote in local elections. I leave you to think of local example. (Note - maternity leave for women is NOT an example of limiting the power of a minority.) (Aside, I think the talk of the change of focus to "forbidding speech that hurts others" is exaggerated, or at least in Australia. (Obviously most of you know more about America than I do). My impression was that some of the local focus is on "giving more freedom to consenting adult, as doing otherwise encourages police corruption. Our state is currently going though a review of it's Marijuana legislation, and the stuff is already decriminalized in South Australia. Also, we've got more liberal censorship laws than America.) The final point. Obviously removing stupid discriminatary action (calling people by rude names, etc.,) is a laudible aim. This can (of course) occur in different ways. For example, some poor soul might fall foul of the p.c. brigade, not though nastiness, but through naivete (like using the term "chairman"). I was once called a hypocrite because I believed both in capitalism and small-l liberalism (by a socialist, no less). What's the big weapon for change? Well, it's powerful, but sometimes quite undependable. It's called time. Believe me, you need a lot of it to affect social change; revolutionary change leads almost always to tyranny. Still, a lot has happened in the last 30 years. It was only in 1966 that Australian Aborigines were given full citizenship, and currently we are in the middle of the aftereffects from the Mabo land claim decision. In a lot of ways, the world has got worst as well as better. Still, when the conservative elders die, you can only hope that their children have kept the good things, and rejected the bad things, of their parents. I'll have to end it there. I want to have lunch. Whoops, this is going to a list primarily concerning encryption! What will I say? Got it ... "Stop the Clipper chip!" I hope it will keep em' happy ... Cheers for now. Peter. -- ============================================================================= Peter Murphy - Department of Electrical Engineering,|Phone: 61 - 7 - 300 3452. University of Queensland: murphy at s2.elec.uq.oz.au .|------------------------ "Contrary to popular belief, the wings of demons are|Please do not put any the same as the wings of angels, although they're |Heinlein quotes in your often better groomed." - Terry Pratchett. |.sig - they're old. ============================================================================= From caadams at polaris.unm.edu Wed Jul 7 21:59:59 1993 From: caadams at polaris.unm.edu (Clifford A Adams) Date: Wed, 7 Jul 93 21:59:59 PDT Subject: USENET newsreaders and cryptography: features/suggestions/questions Message-ID: <9307080348.AA10446@polaris.unm.edu> Hello out there! The current version of strn (see below) contains a signature verification command (control-V). It looks for either a RIPEM or PGP signature line and passes the article to the appropriate command for verification. (Strn leaves it up to the user to interpret the output of the command.) I have a few questions/requests that I hope the cypherpunks list can help me with: 1. Does anyone know if including code like system("pgp -m foobar") might cause legal problems? Strn doesn't implement any cryptographic techniques. 2. What's the status on a USA-legal PGP (using RSAREF)? I would like to greatly expand strn's cryptographic features, but I'd rather not implement features that many of strn's users can't use. (That includes me--I won't use PGP until/unless the legal issues are cleared up.) 3. It would be greatly convenient if someone would implement a "verify signature only" switch for PGP. Most of the applications I would like to use don't involve data hiding--just signature verification. I'm also lobbying the RIPEM author to include a similar feature. Also, if anyone has any comments or suggestions about newsreader cryptographic features feel free to send mail. I hope to do some work later with things like remote reconfiguration, trusted ratings, suggested reading lists, and the like. --Cliff P.S. Strn is about 10K lines of C code added to trn. It is (probably) just a few weeks away from a public beta test. If anyone really wants to test strn, let me know and I'll consider it. More information is also available via finger or mail. -- Clifford A. Adams caadams at polaris.unm.edu | USENET Interface Project: 457 Ash St. NE Albuquerque, NM 87106 | Tools for advanced newsreading STRN (Scan TRN) now in testing: trn 3.0 plus flexible newsgroup menus, fast article scoring with score ordered display, and merged/virtual newsgroups. From phantom at u.washington.edu Wed Jul 7 22:01:01 1993 From: phantom at u.washington.edu (The Phantom) Date: Wed, 7 Jul 93 22:01:01 PDT Subject: John Gilmores' matchbook idea Message-ID: I forgot to tell you where to ftp to: ftp.u.washington.edu login: anonymous /pub/user-supported/cypherpunks/cpmatch.eps (CypherPunk MATCH.eps) let me know -- Matt Thomlinson Say no to the Wiretap Chip! University of Washington, Seattle, Washington. Internet: phantom at u.washington.edu phone: (206) 528-5732 PGP 2.2 key available via email or finger phantom at hardy.u.washington.edu From phantom at u.washington.edu Wed Jul 7 22:01:13 1993 From: phantom at u.washington.edu (The Phantom) Date: Wed, 7 Jul 93 22:01:13 PDT Subject: John Gilmores' matchbook cover idea Message-ID: I have made a mockup of what it 'should' (note my quotations) look like. I'd appreciate it if some of you would take the time to ftp the .eps and dump it to the nearest postscript printer. Let me know what you think about the text and the font sizes, also what you think about the layout. Does anyone want to pursue this? Let me know, I think they might be pretty nice looking (and a way to get our name (& cause) known). Matt Matt Thomlinson Say no to the Wiretap Chip! University of Washington, Seattle, Washington. Internet: phantom at u.washington.edu phone: (206) 528-5732 PGP 2.2 key available via email or finger phantom at hardy.u.washington.edu From i6t4 at jupiter.sun.csd.unb.ca Wed Jul 7 22:04:10 1993 From: i6t4 at jupiter.sun.csd.unb.ca (Nickey MacDonald) Date: Wed, 7 Jul 93 22:04:10 PDT Subject: Some source code for phone number coding... Message-ID: Here is a couple of message about my phone encoding format (giving progressively more info to a person trying to guess the format) followed by the complete source... Use it well. (TABsize was 3.) Okay, well without giving you the source... heres the biggest hint I can think of... >From /etc/magic: 0 string \037\235 compressed data Translating that to decimal and in 4 byte unsigned long we get (\037\235\0\0 == 31,157,0,0 == 0,530,382,848 ^^^^^ >From the start of my posted list of phone numbers: (503) 241-9796 ext: 09 ^^^ ^ ?? ? If you know the rules for forming (valid looking) phone numbers... Anyway, to finially give the whole thing away... The file that is hidden starts with these 4 bytes... 1f 9d 90 54 == 0,530,419,796 Well.. I like puzzles... (as long as the answer is eventually revealed) so I'll let you think it over for a bit, before I send you the source... ;-) Okay well... lets assume that all valid phone numbers must be in the form [2-9][0-1][0-9] [2-9][0-9][0-9] [0-9][0-9][0-9][0-9] This is the form of my encoding... now if you take a sample number, like 1,234,567,890 and try encode it into a phone number, you would get (123) 456-7890 ^^ And you notice that the 1 and the two are out of range... Well.. as it happens, for 32 bit unsigned numbers the range is 0 to 4,294,967,294... The first digit will always be 0-4, half of which are illegal in that position, so I decided to swap the first two digits... That doesn't fix all of the range problems, thus whenever there is an invalid digit in position 1,2 or 4 I move it to the extension and put a special indicator value (the higest of the legal range) in its place. Thats the whole secret... Code will follow soon... :-) /* pe.c phone encode Written by: Nickey MacDonald July 7, 1993 Encode a message as a list of phone numbers... There are some tricks used to make the phone numbers appear more realistic, and there is a caveate... If the input file has 4 null bytes aligned of a 4 byte boundry, then the program will think its the EOF and stop... This could be fixed easily... I just didn't. */ #include unsigned long getbytes(FILE *fp); int main(void) { unsigned short i, ei; /* i=work counter, ei=ext. counter */ unsigned char pn[10], ext[4], v=0; /* Digits of phone num, ext and a */ /* pseudo random value */ unsigned long b; /* 4 bytes compress to a unsigned long */ char tpnumbuf[11]; /* a sprinft buffer for b */ /* Read until EOF or 4 properly aligned null bytes */ while((b=getbytes(stdin)) != 0) { ei=0; /* Convert the unsigned long into a string */ sprintf(tpnumbuf, "%010lu", b); /* Pick up the digits of the unsigned long */ /* Because of the distribution, swap the first two digits... */ pn[0]=tpnumbuf[1]-'0'; pn[1]=tpnumbuf[0]-'0'; for(i=2; i<10; i++) { pn[i]=tpnumbuf[i]-'0'; v+=pn[i]; } /* The first digit of the area code must be [2-9] */ if (pn[0]<3) { ext[ei++]=pn[0]; pn[0]=2; } /* Currently the middle digit of area code must be 0 or 1 */ if (pn[1]>0) { ext[ei++]=pn[1]; pn[1]=1; } /* The first digit of prefix must be [2-9] */ if (pn[3]<3) { ext[ei++]=pn[3]; pn[3]=2; } /* Generate the output phone number */ fprintf(stdout, "(%d%d%d) %d%d%d-%d%d%d%d", pn[0], pn[1], pn[2], pn[3], pn[4], pn[5], pn[6], pn[7], pn[8], pn[9]); /* Generate the extension if needed */ if (ei>0) { ext[ei++]=v%10; fprintf(stdout, " ext: "); for (i=0; i void putbytes(FILE *fp, unsigned long val); int main(void) { unsigned short i, ei; /* i=work counter, ei=extention work counter */ unsigned char pn[10]; /* The digits of the phone number */ unsigned long b; /* The finally decoded value from the phone num */ char pnline[30]; /* Input line buffer */ int flg=0; /* The error message is only output once */ /* Read lines until end of file */ while((fgets(pnline, 30, stdin)) != NULL) { /* error checking */ if ((pnline[0] != '(') || (pnline[4] != ')') || (pnline[9] != '-')) { if (flg==0) { fprintf(stderr, "Input not in correct format, output will be garbage!\n"); flg=1; } } /* Extract the digits of the phone number, and convert from ASCII */ pn[0]=pnline[1]-'0'; pn[1]=pnline[2]-'0'; pn[2]=pnline[3]-'0'; pn[3]=pnline[6]-'0'; pn[4]=pnline[7]-'0'; pn[5]=pnline[8]-'0'; pn[6]=pnline[10]-'0'; pn[7]=pnline[11]-'0'; pn[8]=pnline[12]-'0'; pn[9]=pnline[13]-'0'; /* The first digit of the extension should be the 21st loc of input buf */ ei=21; /* The first digit of an area code is always [2-9] */ if (pn[0]==2) { pn[0]=pnline[ei++]-'0'; } /* Currently, the middle digit of area code is always 0 or 1 */ if (pn[1]==1) { pn[1]=pnline[ei++]-'0'; } /* The first digit of a prefix is always [2-9] */ if (pn[3]==2) { pn[3]=pnline[ei++]-'0'; } /* Swap first two digits */ i=pn[0]; pn[0]=pn[1]; pn[1]=i; /* Encode the individualt digits into a unsigned long */ b=0; for(i=0; i<10; i++) b=b*10+pn[i]; /* output the decoded bytes */ putbytes(stdout, b); } return(0); } /* Simple encoding... 4 bytes to the longword... seperate them here */ void putbytes(FILE *fp, unsigned long val) { int b[4]; b[0]=(int)(val>>24 & 255); b[1]=(int)(val>>16 & 255); b[2]=(int)(val>> 8 & 255); b[3]=(int)(val & 255); fprintf(fp, "%c%c%c%c", b[0], b[1], b[2], b[3]); } -- Nick MacDonald | NMD on IRC i6t4 at jupiter.sun.csd.unb.ca | PGP 2.1 Public key available via finger i6t4 at unb.ca | (506) 457-1931 ^{1024/746EBB 1993/02/23} From i6t4 at jupiter.sun.csd.unb.ca Wed Jul 7 22:04:34 1993 From: i6t4 at jupiter.sun.csd.unb.ca (Nickey MacDonald) Date: Wed, 7 Jul 93 22:04:34 PDT Subject: Motorola cordless phones with 'Secure Clear (tm) Audio' Message-ID: Anyone know anything about Motorola's new phones (models VST 100, VST 350, VST 550, locally priced at $179, $249 and $299 Canadian)? This is what the ad says: - Motorola's newest telephones add nothing to cellular, but do set a new standard for Cordless Technology. - The Secure Clear (tm) Technology is the only Cordless Telephone to virtually eliminate any possibility of eaves dropping. - Motorola Cordless Telephones project a scrambled signal making it virtually impossible to monitor a conversation with other Cordless Phones, scanners or baby monitors. - The Motorola Secure Clear (tm) Cordless Phones are available in three models: VST 550, VST 350, VST 100. - The New Secure Clear (tm) Cordless Telephones meet the same rigid quality and durability standards demanded of all Motorola products. There are pictures and feature lists... and then a phone number, which I have been trying to get through fo 2 hours... 1-800-668-1117 {As if it was obvious... the bottom line says: Secure Clear (tm) and Motorola are Trademarks of Motorola Inc.} -- Nick MacDonald | NMD on IRC i6t4 at jupiter.sun.csd.unb.ca | PGP 2.1 Public key available via finger i6t4 at unb.ca | (506) 457-1931 ^{1024/746EBB 1993/02/23} From fergp at sytex.com Wed Jul 7 22:06:29 1993 From: fergp at sytex.com (Paul Ferguson) Date: Wed, 7 Jul 93 22:06:29 PDT Subject: Technophobia & Intelligence: Forwarded article from Information Week Message-ID: reprinted from: Information Week July 5, 1993 (cover story) pages 31 through 38 The Intelligence Test Do tight funds and technophobia impede the CIA's ability to gather information? by Francis Hamit As the United States turns 217 years old this week, the officials responsible for the computers and communications of the nation's intelligence agencies are in no mood for a party. Many of their systems are antiquated, inefficient, and sometimes dangerously ineffective. Their resources are being taxed by the changing demands of post-Cold War politics. They need money to update their systems, yet a Democratic Congress appears intent on cutting the overall intelligence budget by more than $1 billion. To top it all off, IS officials in the intelligence community face an internal cultural bias against computers; some CIA employees see the machines as little more than electronic security leaks. "They just don't get it," says industry analyst Esther Dyson, who recently visited the CIA with an Electronic Frontier Foundation delegation. "It's depressing." Yet, the U.S. intelligence community, under the leadership of the CIA, is undergoing a quiet revolution in culture and methodology. The IT component of the effort is being led by Michael L. Dillard, chairman of the information policy board in the Office of the Director of Central Intelligence, essentially the intelligence community's CIO. Dillard has the authority to do the job. He reports directly to the director of central intelligence, R. James Woolsey. Dillard and Woolsey's charter includes the CIA -- which is in the process of trying to fill a new CIO position of their own -- as well as government departments such as the Bureau of Research and Intelligence in the State Department, the intelligence elements of the various Armed Forces, the Energy Department's intelligence component, the National Security Agency, even units of the Treasury Department. Factor in the ad hoc task forces and working groups set up to handle specific areas of concern such as terrorism, narcotics, and transnational criminal activities, and it's a potentially cacophonous collection of sources to manage in a real-time environment -- and with an extremely limited margin for error. The Agency That Knew Too Much? The intelligence community's work is breathtaking in scope. Raw data floods in daily from every conceivable source. Technical collection efforts such as signals interception and high- resolution imaging from spy satellites and other sources are combined with the reports of agents and secret sources around the world and "open sources," such as newspaper articles and radio broadcasts. All this information flows like a river into a system that must select, analyze, and evaluate significant data, and then turn it into easy-to-understand digests for policymakers. But the overall system is not working as well as it should, and the need for reform has long been acknowledged by members of the intelligence community. The CIA alone runs 10 data processing systems; under the current classification and compartmentalization, there is virtually no interoperability between them (see related story below). This has led to some public embarrassments. Recently, for example, the agency was accused of covering up part of the BNL scandal, in which an Italian bank used U.S. Agriculture Department guarantees to help Saddam Hussein finance Iraq's arms buildup before the Gulf War. This accusation came after the CIA first denied knowledge of the affair, then later found the requested documents in a file box under a staff member's desk. The current reforms began last year under former director of central intelligence Robert Gates and have continued under Woolsey, who was a member of the committee that made the original reform recommendations. Late last year, before the annual convention of the Association of Former Intelligence Officers, Gates identified the targets for intelligence community reform as nothing less than "our mission, our structure, our long-term size and budget, and our culture." These changes come at a time when intelligence consumers are demanding interactive, multimedia systems that better meet their needs and time constraints. Given the current climate of budget cutbacks and growing demands, the community may undergo a major restructuring that will force wider use of distributed, multimedia computer and communications systems. CIO Dillard is unable to detail precise changes to the intelligence community's IS effort because information such as various agencies' IS budget and staff size is strictly classified. But he shared his five goals for IS in the intelligence community: o Increase the volume of data, especially from "open sources." The first Open Source Coordinator has been appointed. o Attain true connectivity and interoperability among the systems used in the intelligence community. While some are PC- and workstation-based and use commercially available software, traditional approaches to security had mandated that they not be linked. o Reduce the growing cost of operating and maintaining legacy systems. Today, 82 cents of every dollar spent by IS groups in intelligence goes to maintain and operate existing systems. "This," says Dillard,"is using up our resources and driving out our ability to recapitalize and meet new requirements." o Downsize systems. o Create an equal infusion of technology throughout the community. While some computers in use are leading edge, others date back to the 1960s, Some software is 25 years old. These initiatives would be difficult in any environment, But the intelligence community also harbors a cultural bias against electronic systems. It stems, in part, from the need to secure information in such a way to protect sources and methods. "In the proper-based world, this is not a problem," Dillard says. "In the electronic one, the ability to connect and compare data can lead to unintended compromises of security." Indeed, the intelligence community has had an explosion of literally thousands of databases. Open sources alone command 4,000 databases of all kinds; the most sensitive are kept offline. Many paper files are never converted to digital form. With the intelligence community creating an estimated 20,000 digital records a day, the job of digitizing and transferring older paper files is relegated to the to-do pile. The agencies are researching and developing software tools to break through this logjam by helping analysts search very large databases. This effort is being managed by the Intelligence Community Management Staff, a separate entity charged with implementing much of the reform. Congress has had much to say about the intelligence community's need to eliminate redundant computer systems. But unlike in private businesses, redundant sources in intelligence may actually help clarify information by providing additional checks on incoming data. Redundant information also helps guard against deception schemes by adversary intelligence services. In addition, while the community's rapidly growing stream of data demands the use of the latest technology, the open systems approach that works best in the business world is unfamiliar, possibly even threatening, to those in the intelligence community. Past attempts to cut one type of collection in favor of another generally have been damaging. In the late '70s, director of central intelligence Stansfield Turner emphasized technical means over human intelligence sources -- he was uncomfortable with spies and forced out many veteran covert operatives. Turner's critics say the efforts may have led to an inability to respond to anti-American terrorist operations in the Middle East, such as the 1983 bombing of the U.S. Marines barracks in Beirut, which was aggravated by the bombing and subsequent kidnapping and murder of the CIA's local station chief. Satellites Alone Don't Fly Only 30% to 40% of all intelligence gathering is the result of technical means such as satellite surveillance and signals interception. Another 30% comes from open sources, while an overwhelming 80% is derived from human sources (the total exceeds 100% to account for overlap between sources). Many in the intelligence community believe there is no substitute for the human analyst. Funding for the intelligence community's new IT efforts may be scarce. Despite Clinton administration efforts to expand the overall intelligence budget to more than $28 billion in order to cope with the changes caused by the collapse of the Soviet Union, Congress seems intent upon cutting more than $1 billion from current levels. Not surprisingly, intelligence professionals are horrified by this prospect in the midst of the agencies' most profound cultural change and organizational restructuring since World War II. They fear that vital programs may be damaged, eroding the nation's ability to cope with new challenges. At the same time, the intelligence community is trying to downsize by attrition and has cut expenditures by 17.5%. Hiring has been cut back both for career and contract agents, and many veterans are being offered early retirement. Some intelligence officers feel budget cuts could interfere with the community's recruiting ability. "The lifeblood of the intelligence community is bringing in new people and giving them experience and training," says David Whipple, a CIA veteran and now executive director of the association of Former Intelligence Officers. The demands upon the intelligence community since the end of the Cold War have grown more complex. Veterans of the Cold War era sometimes even wax nostalgic. "The Cold War simplified things into a bipolar world," says one CIA veteran analyst. "It froze a lot of things, like the situation in the Balkans, which have now erupted with a vengeance." In the 1980s, nearly 60% of the overall intelligence budget was focused upon the Soviet Union and the Warsaw Pact nations. At first glance, it would seem that this amount could now be cut. But with the fluid geopolitical situation and the emergence of dozens of new players, the requirements in Eastern Europe are increasing, the agencies argue. Not surprisingly, so is the use of computing. "We've all had to develop an understanding of computing and how to use it in out day-today work," says a CIA public affairs officer. While mainframes still dominate, PCs are appearing on intelligence desktops, joining older systems rather than replacing them. There's still a long way to go for real change. And the intelligence community's wary attitude could mean necessary changes are made later rather than sooner. "There's this sort of intellectual understanding of change, but there's none of that understanding, somewhere between emotional and intellectual, where you 'get it,'" says analyst Dyson. "Some of them do, but to me a good intelligence service is smarter than everybody else." [ related story ] Downsizing: Is It Safe? An ongoing debate is raging within the U.S. intelligence community about large-scale computer systems. Michael Dillard, chairman of the information policy board in the Office of the Director of Central Intelligence, talks about reviewing standalone systems to see if they can be combined, or at least made co-resident, with other systems on similar hardware. This would cut operations and maintenance staffing, but it would also make such systems more vulnerable to compromise. Such a melding of data sets violates the well-established culture of keeping secrets by separating them on a "need-to-know" basis. Given the literally millions of people who have Confidential, Secret, Top Secret, and higher clearances, the real surprise is not that there is an occasional traitor such as Jonathan Pollard or John Walker, but that there are not more such breaches of security. Of course, for the intelligence community, one is too many. Pollard, for instance, is said to have given 85,000 documents to his Israeli handlers. And the full extent of the damage done by Walker during his 20 years of spying for the Soviets may never be known, but certainly codes and other vital intelligence sources and methods were compromised. "Sources and methods" are, of course, the most closely held secrets of any intelligence service. While former director of central intelligence Robert Gates initiated a vigorous declassification program, a National Archives official recently complained that the review and declassification of documents from the 1960s alone would take nearly 20 years to complete at the present rate. In fact, the U.S. government still holds classified documents that date back to World War I. "Why shouldn't there be one national policy concerning the protection of valuable national assets?" asks Maynard C. Anderson, an assistant deputy undersecretary of defense, in a recent letter to Security Management magazine. He notes that laws such as the Atomic Energy Act, the Arms Control Act, and the Privacy Act have added categories of information to be protected but not a mechanism for the overall administration of information security. "The lack of a single, coordinated, national information policy has resulted in the fragmentation of policy-making and prevented the allocation of resources where they are needed most." Such issues are consciously avoided by both civilian and military intelligence officers who view themselves as the implementors rather than the makers of policy. The highly compartmentalized approach of sharing information only with those who "need to know" is the ultimate protection of sources and methods. Dire Consequences More important, it saves lives. An agent-in-place can be run for years with his or her true identity known only to a handful of people within one agency. In such a circumstance, the data from the source must be heavily filtered to avoid compromising the source's identity, which could have fatal consequences for the operation and the agent. The downside is that it allows ad hoc operations to take place, such as Iran-Contra, which was mounted from within the basement of the National Security Council offices in the White House. (It also explains why Robert Gates was not informed about the operation despite his position at the time as deputy director of intelligence.) Computer networks have not proven themselves to be absolutely secure, so the creation of an electronic system vulnerable to compromise goes very much against the grain of senior officers. But the need for quicker processing is apparent, as is the need for absolute security. It is a big problem not easily resolved. In fact, resolution may depend upon software yet to be developed, possibly by a new generation of programmers who will be offered well-paying jobs by private enterprise at a time when government research dollars are being absorbed by current program needs. -F.H. 8<------- End forwarded article -------- Paul Ferguson | "Confidence is the feeling you get Network Integrator | just before you fully understand Centreville, Virginia USA | the problem." fergp at sytex.com | - Murphy's 7th Law of Computing Quis Custodiet Ipsos Custodes? From claborne at ccgate.sandiegoca.NCR.COM Wed Jul 7 22:06:38 1993 From: claborne at ccgate.sandiegoca.NCR.COM (Chris Claborne) Date: Wed, 7 Jul 93 22:06:38 PDT Subject: Encrypted postings. Message-ID: <9307071256.ab02776@ncrcom.DaytonOH.NCR.COM> >I've had a couple of people ask to have their names added to the >encrypted list forwarder I put together. I'm soliciting feedback on >how this service should work. Could we send our postings to the mailer in encrypted format? That is... I would encrypt the message with the public key for the mailer, the mailer would decrypt and re-post to the clear-text mailer and to the PGP group. Granted, because the mailer must be run in full auto mode, it won't be the most secure. It would mean that all inbound as well as outbound cypherpunk traffic to my node would be in an electronic envelope. 2 -- C -- From smm at engr.uark.edu Wed Jul 7 22:07:11 1993 From: smm at engr.uark.edu (MILLIGAN STEVEN M) Date: Wed, 7 Jul 93 22:07:11 PDT Subject: hello Message-ID: hey there. I just joined the group about a week ago and have held off writting, until I sort of got a feel for what goes on. I still don't think I have the feel for it , but what the hell I'm writting anyway. If it is possible is there anyone who could take a little time to give me a few hints on how to send, receive, and forward encyrpted messages. any help at all would be appreciated. Thanx, Steve Milligan smm at engr.uark.edu "George Washington fought for his country and ended up in the White House... Sitting Bull fought for HIS country and ended up in a tent show." From whitfield.diffie at Eng.Sun.COM Wed Jul 7 22:07:33 1993 From: whitfield.diffie at Eng.Sun.COM (whitfield.diffie at Eng.Sun.COM) Date: Wed, 7 Jul 93 22:07:33 PDT Subject: Happens to `best' of them Message-ID: <9307072015.AA25620@ushabti.Eng.Sun.COM> The following delicious item appeared at the bottom of page 4 in the National Edition of The New York Times on Saturday, 3 July 1993. The Iraq Raid: Snoop Gets Scoop Special to The New York Times Washington, July 2 --- An electronic hacker was able to listen in as top aides to Secretary of State Warren Christopher helped him to alert world leaders about the missile strike against Baghdad last Saturday. The conversations were intercepted beginning nearly an hour before the raid was made public. But the first calls were apparently not overheard until after Tomahawk missiles from Navy ships struck the headquarters of the Iraqi intelligence service. The calls, placed from a Government plane as Mr. Christopher returned to Washington from Maine, provided a sense of the hurried efforts made by officials in midair and in Washington to spread news of the attack. At one point, they indicate, a State Department official awakened Chancellor Helmut Kohl of of Germany only to discover that President Clinton had spoken with the German leader earlier in the day. The eavesdropping was first reported in the current issue of Business Week, which obtained a tape recording of the conversations from an electronic hacker who specializes in monitoring unsecured calls. The magazine made available a transcript of the recording. The State Department refused to comment on what is said were private conversations among Mr. Christopher's aides, but a senior official there said the transcript was essentially accurate. None of the calls made by Mr. Christopher himself was recorded, apparently because they were placed through secure channels. Any uncoded call that travels through the airwaves rather than along a wire can be intercepted, and electronic eavesdroppers have become skilled at using scanners to monitor the communications. From i6t4 at jupiter.sun.csd.unb.ca Wed Jul 7 22:12:09 1993 From: i6t4 at jupiter.sun.csd.unb.ca (Nickey MacDonald) Date: Wed, 7 Jul 93 22:12:09 PDT Subject: What do you make of this? In-Reply-To: Message-ID: On Wed, 7 Jul 1993, Mike Sherwood wrote: > I dont know about all of them, but the second one is near me and I > confirmed that there is no 244 prefix in the 510 area code, so either > ther is an error in that data, or should I venture so far as to say that > he's trying to make a point about hiding information in a seemingly > harmless format. I hope no one actually trys to call any of those numbers... I couldn't think of a way to list them without giving away the truth... You are correct, I was trying to make a point of hiding information in a seemingly harmless format (although the longer the message, the less harmless the format looks)... > I don't have the desire to actually try to find out > what it is, but it wouldnt take much more research to find out if the > list is primarily made of nonexistent numbers. Well... I'll increase your chances to figure it out, should you get the desire... The hidden text was Un*x compressed... > However, the only reason I > even looked that far is because of the nature of this group and the fact that > it was brought up as such, rather than "Local U.S. Department of Agriculture > offices" or some other title that would cause people to want to be as far > away from it as possible. I had hoped that someone would assume there was a message... I'm still hoping someone will find it... I'll release the source either way... :-) -- Nick MacDonald | NMD on IRC i6t4 at jupiter.sun.csd.unb.ca | PGP 2.1 Public key available via finger i6t4 at unb.ca | (506) 457-1931 ^{1024/746EBB 1993/02/23} From ashall at magnus.acs.ohio-state.edu Wed Jul 7 22:14:55 1993 From: ashall at magnus.acs.ohio-state.edu (Andrew S Hall) Date: Wed, 7 Jul 93 22:14:55 PDT Subject: Tim's shenanigans Message-ID: <9307071350.AA29739@photon.magnus.acs.ohio-state.edu> A brief comment. Anyone who was fooled was a dimwit. If I remember correctly, Tim's "encrypted GIF" was about 80 lines long. This isn't large enough for a stick drawing, let alone kiddie porn. A. Techno-Anarchy.Neophilia.Economic Freedom.Cryptography.Anti-Statism.Personal Liberty.Laissez-Faire.Privacy Protection.Libertarianism.No Taxes.No Bullshit. ********** Liberty BBS 1-614-798-9537 ********** ********** Dedicated to Freedom. Yours. ********** From pat at tstc.edu Wed Jul 7 22:15:15 1993 From: pat at tstc.edu (Patrick E. Hykkonen) Date: Wed, 7 Jul 93 22:15:15 PDT Subject: Live for today In-Reply-To: <9307070441.AA21415@netcom3.netcom.com> Message-ID: <9307071325.AA04823@tstc.edu> > It is true we haven't deployed digital cash, nor have we set up data > havens in cyberspace, nor a bunch of other things, but these things > are instrinsically hard to pull off. Someday they'll come. Could someone please define a 'data haven'? I understand digitial cash, it is exactly what it sounds like. However, in the context I've heard data haven used in, then there is much more than simply keeping one's data encrypted on your local hard drive. Still learning and trying to understand all of these things. -- Pat Hykkonen, N5NPL Texas State Technical College at Waco Internet: {pat,postmaster,root}@tstc.edu Instructional Network Services Packet: N5NPL at WD5KAL.#CENTX.TX.USA.NA 3801 Campus Dr. Waco, Tx 76705 V:(817) 867-4830 F:(817) 799-2843 From mnemonic at eff.org Wed Jul 7 22:15:21 1993 From: mnemonic at eff.org (Mike Godwin) Date: Wed, 7 Jul 93 22:15:21 PDT Subject: "Let's kill all the lawyers..." In-Reply-To: <93Jul6.183147pdt.14190-3@well.sf.ca.us> Message-ID: <199307071228.AA05225@eff.org> Fred Heutte writes: > We need lawyers, but do we need *so many*?! I was born and grew up > in Washington, DC. The DC Bar has over *50,000* lawyers! Even in > our nation's capital that seems excessive. They're not all in our nation's capital. The DC Bar allows lawyers admitted to other jurisdictions to "waive into" DC if their MBE score is sufficiently high--no separate bar exam. Many lawyers get admitted to the DC Bar this way in anticipation of the possibility that someday they may have to do some legal work in DC. Conversely, lots of lawyers simply come to DC without getting admitted to the DC Bar. They just don't practice in the District. --Mike From mnemonic at eff.org Wed Jul 7 22:15:48 1993 From: mnemonic at eff.org (Mike Godwin) Date: Wed, 7 Jul 93 22:15:48 PDT Subject: "Let's kill all the lawyers..." In-Reply-To: <9307070103.AA23132@servo> Message-ID: <199307071221.AA05193@eff.org> Phil writes: > Last night I saw the Saferstein remarks you mention. I think they hit > the local California TV stations before being picked up by CNN. I > fully agree that PC is *really* getting out of hand if lawyers are now > to be considered one of the downtrodden minority groups. If I were to set out to deliberate make lawyers look even sillier than they look already, I couldn't imagine a better place to start than to make a remark like Saferstein's "hate crimes" comment. --Mike From ccat at netcom.com Wed Jul 7 22:33:34 1993 From: ccat at netcom.com (ccat) Date: Wed, 7 Jul 93 22:33:34 PDT Subject: Release: July 5, 1993 Message-ID: <9307080534.AA29729@netcom2.netcom.com> Content: First Announcement/On-Line Congressional Hearing On July 26 at 9:30AM EDT, the Subcommittee on Telecommunications and Finance of the U.S. House of Representatives will hold the first Congressional Hearing ever held over a computer network. The oversight hearing on "The Role of Government in Cyberspace" will take place in the Grand Ballroom of the National Press Club at 14th and F Streets, N.W., Washington, D.C. The hearing is open to the public. An open house will be held from 3-5PM on the same day in the same location and is also open to the public. Chairman Markey has asked that this historic occasion demonstrate the potential and diversity of the global Internet. Thirty Sparcstations will be in the hearing room, allowing members of Congress, staff, and their guests to read e-mail, use Gopher menus, read testimony in WAIS databases, browse the World Wide Web, and otherwise use the resources of the global Internet as part of the hearing. Some witnesses for the hearing will testify remotely, sending audio and video over the Internet. Audio and video of the hearing will also be multicast over the Multicast Backbone (MBONE). We are hoping that C-SPAN and other traditional media will also carry the event. *MORE DETAILS ON MBONE AND OTHER WAYS TO WATCH THE HEARINGS REMOTELY WILL BE FORTHCOMING SHORTLY.* One of the primary points that we are hoping to demonstrate is the diversity and size of the Internet. We have therefore established an electronic mail address by which people on the Internet can communicate with the Subcommittee before and during the hearing: congress at town.hall.org We encourage you to send your comments on what the role of government should be in the information age to this address. Your comments to this address will be made part of the public record of the hearing. Feel free to carry on a dialogue with others on a mailing list, cc'ing the e-mail address. Your cards and letters to congress at town.hall.org will help demonstrate that there are people who use the Internet as part of their personal and professional lives. We encourage you to send comments on the role of government in cyberspace, on what role cyberspace should play in government (e.g., whether government data be made available on the Internet), on how the Internet should be built and financed, on how you use the Internet, and on any other topic you feel is appropriate. This is your chance to show the U.S. Congress that there is a constituency that cares about this global infrastructure. If you would like to communicate with a human being about the hearing, you may send your comments and questions to: hearing-info at town.hall.org Support for the Internet Town Hall is provided by Sun Microsystems and O'Reilly & Associates. Additional support for the July 26 on-line congressional hearing is being provided by ARPA, BBN Communications, the National Press Club, Xerox PARC, and many other organizations. Network connectivity for the Internet Town Hall is provided by UUNET Technologies. From blankmklp at aol.com Wed Jul 7 23:28:41 1993 From: blankmklp at aol.com (blankmklp at aol.com) Date: Wed, 7 Jul 93 23:28:41 PDT Subject: stop the feed Message-ID: <9307080228.tn04952@aol.com> I was not prepared to receive newsgroup mail on a service like AOL. I just can't deal with it because I can't read it offline and respond with my Point like I do my newsgroups from UUCP. Please turn off the flow; stop sending me this. All I want to know is if this newsgroup can be req from the internet via UUCP. Michael Pearce From hhll at u.washington.edu Thu Jul 8 00:21:15 1993 From: hhll at u.washington.edu (Steven Hodas) Date: Thu, 8 Jul 93 00:21:15 PDT Subject: Release: July 5, 1993 In-Reply-To: <9307080534.AA29729@netcom2.netcom.com> Message-ID: This hearing has been "indefinitely postponed" due tothe realization of some bright young thing that in this country, at least, private corporations do not sponsor government hearings. perhaps this is a way to raise some much needed reveneu, but for now it's a no-go. Steven On Wed, 7 Jul 1993, ccat wrote: > Content: First Announcement/On-Line Congressional Hearing > > On July 26 at 9:30AM EDT, the Subcommittee on Telecommunications > and Finance of the U.S. House of Representatives will hold the first > Congressional Hearing ever held over a computer network. The oversight > hearing on "The Role of Government in Cyberspace" will take place in > the Grand Ballroom of the National Press Club at 14th and F Streets, > N.W., Washington, D.C. The hearing is open to the public. An open > house will be held from 3-5PM on the same day in the same location and > is also open to the public. > > Chairman Markey has asked that this historic occasion demonstrate > the potential and diversity of the global Internet. Thirty Sparcstations > will be in the hearing room, allowing members of Congress, staff, and > their guests to read e-mail, use Gopher menus, read testimony in WAIS > databases, browse the World Wide Web, and otherwise use the resources > of the global Internet as part of the hearing. > > Some witnesses for the hearing will testify remotely, sending audio > and video over the Internet. Audio and video of the hearing will also > be multicast over the Multicast Backbone (MBONE). We are hoping that > C-SPAN and other traditional media will also carry the event. *MORE > DETAILS ON MBONE AND OTHER WAYS TO WATCH THE HEARINGS REMOTELY WILL BE > FORTHCOMING SHORTLY.* > > One of the primary points that we are hoping to demonstrate is > the diversity and size of the Internet. We have therefore established > an electronic mail address by which people on the Internet can communicate > with the Subcommittee before and during the hearing: > > congress at town.hall.org > > We encourage you to send your comments on what the role of government > should be in the information age to this address. Your comments to this > address will be made part of the public record of the hearing. Feel free > to carry on a dialogue with others on a mailing list, cc'ing the e-mail > address. > > Your cards and letters to congress at town.hall.org will help > demonstrate that there are people who use the Internet as part of their > personal and professional lives. We encourage you to send comments on > the role of government in cyberspace, on what role cyberspace should play > in government (e.g., whether government data be made available on the > Internet), on how the Internet should be built and financed, on how you > use the Internet, and on any other topic you feel is appropriate. This > is your chance to show the U.S. Congress that there is a constituency > that cares about this global infrastructure. > > If you would like to communicate with a human being about the > hearing, you may send your comments and questions to: > > hearing-info at town.hall.org > > Support for the Internet Town Hall is provided by Sun Microsystems > and O'Reilly & Associates. Additional support for the July 26 on-line > congressional hearing is being provided by ARPA, BBN Communications, > the National Press Club, Xerox PARC, and many other organizations. > > Network connectivity for the Internet Town Hall is provided by > UUNET Technologies. > > From XXCLARK at indst.indstate.edu Thu Jul 8 00:44:32 1993 From: XXCLARK at indst.indstate.edu (XXCLARK at indst.indstate.edu) Date: Thu, 8 Jul 93 00:44:32 PDT Subject: Motorola Message-ID: <9307080744.AA04899@toad.com> >Anyone know anything about Motorola's new phones (models VST 100, >VST 350,VST 550, locally priced at $179, $249 and $299 Canadian)? Secure Clear (tm) Technology is the only... What's in a name? In this case, bullshit. I believe they do a simple frequency inversion, known in the `20's, easily defeated with a $15 kit added to one's scanner or for $5 in parts. Technology of the `20's packaged and named for the `90's. To quote a Canadian general, former commander of UN forces in Bosnia: "The UN doesn't have much in the way of communications. All we have is Motorola [radios]." --------------------------------------------------------------------- internet : xxclark at indst.indstate.edu RelayNet (488) Vanilla BITNET: XXCLARK at INDST FidoNet (1:2230/114) Phone: 911 TechNet 11:800/0 We're all Bozos on this bus. --------------------------------------------------------------------- From pcw at access.digex.net Thu Jul 8 06:50:16 1993 From: pcw at access.digex.net (Peter Wayner) Date: Thu, 8 Jul 93 06:50:16 PDT Subject: Crypto Phones... Message-ID: <199307081350.AA11853@access.digex.net> I realize that it is quite possible to design a secure phone with a Vocoder, a modem and some cpu power to do the encryption, but I think that an easier solution may be on the horizon. I believe that Microsoft and many others are exploring hooking phones to PCs so people can do things like ship pictures of their weekend fun to friends. When PC's can easily access phone communications, then developing encrypted conversations should be as easy as programming for Windows :-). Another solution may be for the Digital Phone companies to make a phone that is reprogrammable so people can hook up their laptops or run software on the phone itself. This is, I believe, a valid marketting strategy because it could make the phone that more desirable when third parties start offering Sharp Wizard/Newton/EO interfaces so people can hook up their address books to the phones. What do you think, Phil? You said that you had plenty of cycles left over to do DES with the last digital phone you designed. Do you have enough left to bring up Windoze? -Peter From rbg at panix.com Thu Jul 8 08:03:04 1993 From: rbg at panix.com (Rachel Beth Goldstein) Date: Thu, 8 Jul 93 08:03:04 PDT Subject: text p.d. cryptosystems for email Message-ID: <199307081503.AA28828@panix.com> this is probably a faq, but pardon me, since this is my first mail to the cypherpunks list. the problem is this: i once worked for a (nameless) finance company that had pseudo-wizard-dorkos for sa's, and a gravitationally-challenged boss that routinely read employees' (ie. *my*) personal email. i knew this because he asked me specific questions regading the email subjects. both he and the dorkos relished this ability and probably got some power trip from it. to prevent further abuse, i resorted to using crypt and uuencode when sending personal email to friends. i found mr. megaton and his pseudo-wizards complaining about this. they were having a heck of a time trying to decrypt my mail, esp. since they could not easily recognize uuencode output. (hence the pseudo-wizard label). however, friends told me that (1) crypt is easily compromised, and (2) not all unix sites have crypt available anyway. are there text-based alternates to crypt, such that i don't have to use uuencode or btoa to mail encrypted text? as an aside, i bought an account from panix.com in order to further safeguard my privacy -- at least from those self-appointed netcops at my previous employer (and my current employer, who i'm pretty sure wont stoop to that level). the former employer left me with a lot of bad feelings towards those in charge of technology. i now send sensitive emails and netnews postings through this account (only). thanks for any reply. /Rache # ====================================================================== # Disclaimer: My bod, my mind, and yes, my opinions are my own. From norm at netcom.com Thu Jul 8 08:08:55 1993 From: norm at netcom.com (Norman Hardy) Date: Thu, 8 Jul 93 08:08:55 PDT Subject: DigiCash Message-ID: <9307081509.AA18537@netcom4.netcom.com> If someone is implementing Chaum's DigiCash I have some input. Pleas send me e-mail. From mrose at stsci.edu Thu Jul 8 08:39:01 1993 From: mrose at stsci.edu (Mike Rose) Date: Thu, 8 Jul 93 08:39:01 PDT Subject: text p.d. cryptosystems for email In-Reply-To: <199307081503.AA28828@panix.com> Message-ID: <9307081538.AA22424@MARIAN.STSCI.EDU> On Thu, 8 Jul 1993 11:03:02 -0400, Rachel Beth Goldstein said: >however, friends told me that (1) crypt is easily compromised, and >(2) not all unix sites have crypt available anyway. are there >text-based alternates to crypt, such that i don't have to use >uuencode or btoa to mail encrypted text? If they control the machine, anything is easily compromised. One way is to replace the standard crypt with a special one that secretly saves a copy of the plaintext. The alternatives you suggest suffer from the same problem. If you want to encrypt securely, you'll have to encrypt the plaintext on a system that you trust - a computer that only you have access to is best. Depending on your privacy needs, an account on a system where you trust the administrators not to abuse their privilege may be sufficient. While providing less privacy than encryption, it can be more convenient. It will certainly make it harder for them to harrass you. Mike From nobody at cicada.berkeley.edu Thu Jul 8 08:41:47 1993 From: nobody at cicada.berkeley.edu (nobody at cicada.berkeley.edu) Date: Thu, 8 Jul 93 08:41:47 PDT Subject: Test. Sorry. Message-ID: <9307081541.AA12054@cicada.berkeley.edu> This is a test. Apologies for wasted bandwidth. AA01851; Thu, 8 Jul 93 11:40:10 EDT Received: by snark.shearson.com (4.1/SMI-4.1) id AA22568; Thu, 8 Jul 93 11:40:08 EDT Message-Id: <9307081540.AA22568 at snark.shearson.com> To: Rachel Beth Goldstein Cc: cypherpunks at toad.com Subject: Re: text p.d. cryptosystems for email In-Reply-To: Your message of "Thu, 08 Jul 1993 11:03:02 EDT." <199307081503.AA28828 at panix.com> Reply-To: pmetzger at lehman.com X-Reposting-Policy: redistribute only with permission Date: Thu, 08 Jul 1993 11:40:08 -0400 From: "Perry E. Metzger" Rachel Beth Goldstein says: > > this is probably a faq, but pardon me, since this is my first mail to > the cypherpunks list. the problem is this: i once worked for a > (nameless) finance company that had pseudo-wizard-dorkos for sa's, and > a gravitationally-challenged boss that routinely read employees' (ie. > *my*) personal email. i knew this because he asked me specific > questions regading the email subjects. both he and the dorkos > relished this ability and probably got some power trip from it. This is likely a violation of federal law, but never mind that. > however, friends told me that (1) crypt is easily compromised, and > (2) not all unix sites have crypt available anyway. are there > text-based alternates to crypt, such that i don't have to use > uuencode or btoa to mail encrypted text? What you want is PGP. Doubtless someone out there is likely to tell you more about it... Perry From nate at VIS.ColoState.EDU Thu Jul 8 10:27:12 1993 From: nate at VIS.ColoState.EDU (CVL staff member Nate Sammons) Date: Thu, 8 Jul 93 10:27:12 PDT Subject: I need a way to... Message-ID: <9307081726.AA05797@vangogh.VIS.ColoState.EDU> -----BEGIN PGP SIGNED MESSAGE----- Guys, (and, of course, all species that may be getting this) I need a way to be able to have pgp envoked on a mail message that is encrypted, or that has a pgp signature on it. I would like it if it just printed a banner about the fact that "this is a PGP encrypted and signed meessage", then, if necessary, it asks me for my password, etc.... and then says "message has been validated as coming from so-and-so" etc.... thanks, - -nate sammons +-------------------------------------------------------------------- | Nate Sammons email: nate at VIS.ColoState.Edu | Colorado State University Computer Visualization Laboratory | Finger me at nate at monet.VIS.ColoState.Edu for my PGP key | #include | "I have but one single desire - to tear down the sky" -A. Toomba +----------------------+ -----BEGIN PGP SIGNATURE----- Version: 2.3 iQCVAgUBLDxY0tTgi1fmrpxlAQH8ZgP7BHGGnAP2MGLg0pbhJ8HpgU/1t6Ai+ln5 xzpcsvbG4cJwhKBrX5luVLGmdHSZxdZ3kyv4+G6ypcIb5MZMpiPzbGH7z2kuRc4y XlHBwrjOlbZDcyupJJUzSi8LuoQmXVu+M1r7EAkiK7JOMgljyOQ//E5ctJbt3qHl 8eA0uJGQFqs= =4oo0 -----END PGP SIGNATURE----- From khijol!erc at apple.com Thu Jul 8 11:14:05 1993 From: khijol!erc at apple.com (Ed Carp) Date: Thu, 8 Jul 93 11:14:05 PDT Subject: text p.d. cryptosystems for email In-Reply-To: <9307081540.AA22568@snark.shearson.com> Message-ID: > What you want is PGP. Doubtless someone out there is likely to tell > you more about it... I'd be careful with PGP - since the source code is freely available, it'd be simplicity itself to insert one or two lines of C code to snarf away a copy of your cleartext before encryption. Somewhere where ye olde sysadmin could peruse it at his/her leisure... The only way to be sure is to get PGP off the net (from an ftp site out of the control of your admin folks) and build it yourself. -- Ed Carp erc at wetware.com 510/659-9560 For anonymous mailers --> anonymus+5300 at charcoal.com "Disagreements are not meant to be challenges. They are just a different reality." -- Risa D'Angeles From jet at nas.nasa.gov Thu Jul 8 11:24:06 1993 From: jet at nas.nasa.gov (J. Eric Townsend) Date: Thu, 8 Jul 93 11:24:06 PDT Subject: scanning (was Happens to `best' of them In-Reply-To: <9307072015.AA25620@ushabti.Eng.Sun.COM> Message-ID: <9307081824.AA28647@boxer.nas.nasa.gov> > Any uncoded call that travels through the airwaves rather than > along a wire can be intercepted, and electronic eavesdroppers have > become skilled at using scanners to monitor the communications. one can 'become skilled' at scanning about as easily as one can 'become skilled' at using a non-Macintosh micro. MacScanner, anyone? From mdavis at pro-sol.cts.com Thu Jul 8 11:30:58 1993 From: mdavis at pro-sol.cts.com (Morgan Davis) Date: Thu, 8 Jul 93 11:30:58 PDT Subject: I need a way to... Message-ID: nate at VIS.ColoState.EDU (CVL staff member Nate Sammons) writes: >-----BEGIN PGP SIGNED MESSAGE----- > [useful content deleted] > >+-------------------------------------------------------------------- >| Nate Sammons email: nate at VIS.ColoState.Edu >| Colorado State University Computer Visualization Laboratory >| Finger me at nate at monet.VIS.ColoState.Edu for my PGP key >| #include >| "I have but one single desire - to tear down the sky" -A. Toomba >+----------------------+ > >-----BEGIN PGP SIGNATURE----- >Version: 2.3 > >iQCVAgUBLDxY0tTgi1fmrpxlAQH8ZgP7BHGGnAP2MGLg0pbhJ8HpgU/1t6Ai+ln5 >xzpcsvbG4cJwhKBrX5luVLGmdHSZxdZ3kyv4+G6ypcIb5MZMpiPzbGH7z2kuRc4y >XlHBwrjOlbZDcyupJJUzSi8LuoQmXVu+M1r7EAkiK7JOMgljyOQ//E5ctJbt3qHl >8eA0uJGQFqs= >=4oo0 >-----END PGP SIGNATURE----- This is my first post here, so go easy if I'm way off base. Why would you want to include a PGP signature (in addition to your net .signature) for a message that is NOT encoded? I've included the pageful of useless text from your message as an example of how wasteful this seems to me. I'm all for personal privacy and message security, but this smacks of either paranoia, showing off, or laziness. Genuinely curious. /\/\ Morgan Davis Group (619/670-0563) / /__\ Internet: mdavis at pro-sol.cts.com From rtannen at borland.com Thu Jul 8 11:32:54 1993 From: rtannen at borland.com (Bob Tannen) Date: Thu, 8 Jul 93 11:32:54 PDT Subject: encrypted email software Message-ID: I've been looking for email software (smtp) that does encryption on the fly with something more secure than DES. I was told that you might be able to help me. Thanks in advance. -- Bob Tannen Borland International 1800 Greenhills Rd. Scotts Valley, CA. 95066 rtannen at borland.com RTANNEN @ BORLAND (MHS) From newsham at wiliki.eng.hawaii.edu Thu Jul 8 11:59:20 1993 From: newsham at wiliki.eng.hawaii.edu (Timothy Newsham) Date: Thu, 8 Jul 93 11:59:20 PDT Subject: encrypted email software In-Reply-To: Message-ID: <9307081859.AA19346@toad.com> > > I've been looking for email software (smtp) that does encryption on the > fly with something more secure than DES. I was told that you might be > able to help me. suddenly everyone thinks that someone is going to decrypt their email that has been DES'ed. > > Thanks in advance. > -- > Bob Tannen > Borland International > 1800 Greenhills Rd. > Scotts Valley, CA. 95066 > > rtannen at borland.com > RTANNEN @ BORLAND (MHS) > From claborne at ccgate.sandiegoca.NCR.COM Thu Jul 8 11:59:28 1993 From: claborne at ccgate.sandiegoca.NCR.COM (Chris Claborne) Date: Thu, 8 Jul 93 11:59:28 PDT Subject: Motorola phones Message-ID: <9307081220.ad11912@ncrcom.DaytonOH.NCR.COM> >Anyone know anything about Motorola's new phones (models VST 100, VST >350, VST 550, locally priced at $179, $249 and $299 Canadian)? I have the 550. It has a demo mode on it so that you can hear what it sounds like to other phones. I is one of the few phones that will work in my office (because of all of the EMI). The range doesn't seem to be as good as the AT&T phone. People seem to be able to tell that I am using it as opposed to when I used my AT&T cordless (it was stolen). The sound on my end is _very_ clear. I tried out the demo mode and you can possible pick out a few words on it. I feel much safer using it as apposed to other cordless phones. The only company that I have seen sell the Motorola is Sears. 2 -- C -- From nobody at shell.portal.com Thu Jul 8 12:06:01 1993 From: nobody at shell.portal.com (nobody at shell.portal.com) Date: Thu, 8 Jul 93 12:06:01 PDT Subject: ANON: Steshenko, nntp Message-ID: <9307081437.AA10106@jobe.shell.portal.com> -----BEGIN PGP SIGNED MESSAGE----- The discussion on Mr. Steshenko's termination of employment has taken off in misc.jobs.misc and news.admin.policy. Some people have e-mailed me saying that what happened to Mr. Steshenko isn't uncommon at all. This fact bothered me all weekend long, that somebody can get fired for views expressed in a private e-list, which probably extrapolates to USENET posting as well. Apparently, Mr. Steshenko forgot to include the "disclaimer: my opinions" with his email. Is this all that is required? If he merely would have added the disclaimer, would his former employer be facing possible legal action? Would he still be employed? Is there some "minimal" text that must be included? I mean, I've seen disclaimers that are nearly a paragraph long to ones that try to be cute (#include and so forth). I'm not saying his employer is in the wrong (I haven't really thought about this issue too much) since they are a private company and can censor and control use of their machines and all that stuff; it just goes to show sometimes you have to be really careful what you say and to whom. (If you missed the post to alt.comp.acad-freedom.talk and various other groups and don't get usenet let me know and I'll post it to the list if there is enough interest. I'm not sure if email copies I sent out made it since some bounces occured. Plus the good old "cannot deliver for 3 days; message queued" sort of error.) It bugged me because I really beleive that it is impossible to carry on a rational discussion if one side is afraid to voice an opinion. I'm not advocating libel or misuse (personal attacks, threats of violence, etc.) but every once in a while a really hot topic comes up which stirs the emotions. So, we can all forge mail with smtp, use the cypherpunk remailers, use "anonymous" servers like penet and charcoal, email-to-usenet gateways, etc. I've never seen instructions on how to forge a usenet post, so here goes: 1) Telnet to an NNTP server (see Yanoff's internet services list) 2) Type 'post'. After a bit, you'll get an OK message. 3) Type in what you want to appear. Have in mind before you start what fields you want in the header, or check other posts to see what they have. 4) End with a period on a line all by itself. After a bit, you'll get a "Post OK" message. 5) Type 'quit' For example, I was experimenting and telnetted to news.fu-berlin.de 119: ====================================================================== menudo> telnet news.fu-berlin.de 119 Trying 130.133.4.250... Connected to gibb.math.fu-berlin.de. Escape character is '^]'. 200 gibb NNTP server version 1.5.11 (10 February 1991) ready at Thu Jul 8 16:19:05 1993 (posting ok). post 340 Ok Newsgroups: alt.binaries.pictures.d Path: one!two!three From: mr.smiley at other plane Subject: A test II Content-Type: text Sender: the MailMan Nntp-Posting-Host: castle Organization: other plane hackers Date: Thu, 8 Jul 1993 07:45:00 GMT Lines: 1 This is another test. From zane at genesis.mcs.com Thu Jul 8 12:13:49 1993 From: zane at genesis.mcs.com (Sameer Parekh) Date: Thu, 8 Jul 93 12:13:49 PDT Subject: scanning (was Happens to `best' of them In-Reply-To: <9307081824.AA28647@boxer.nas.nasa.gov> Message-ID: In a recent message J. Eric Townsend wrote > > > Any uncoded call that travels through the airwaves rather than > > along a wire can be intercepted, and electronic eavesdroppers have > > become skilled at using scanners to monitor the communications. > >one can 'become skilled' at scanning about as easily as one can >'become skilled' at using a non-Macintosh micro. > Remember that some people think that becoming skilled at using a non-Mac is tough. -- | Sameer Parekh-zane at genesis.MCS.COM-PFA related mail to pfa at genesis.MCS.COM | | Apprentice Philosopher, Writer, Physicist, Healer, Programmer, Lover, more | | "Be God" - Me __ "Specialization is for Insects" - Robert A. Heinlein ____/ From dmandl at lehman.com Thu Jul 8 12:15:14 1993 From: dmandl at lehman.com (David Mandl) Date: Thu, 8 Jul 93 12:15:14 PDT Subject: I need a way to... Message-ID: <9307081914.AA22838@disvnm2.shearson.com> > From: mdavis at pro-sol.cts.com (Morgan Davis) > > This is my first post here, so go easy if I'm way off base. Why would > you want to include a PGP signature (in addition to your net .signature) > for a message that is NOT encoded? I've included the pageful of useless > text from your message as an example of how wasteful this seems to me. > I'm all for personal privacy and message security, but this smacks of > either paranoia, showing off, or laziness. Genuinely curious. > > /\/\ Morgan Davis Group (619/670-0563) > / /__\ Internet: mdavis at pro-sol.cts.com > Simply to confirm that the file is from who it's supposed to be from. If I send a file to you with my signature on it (assuming no major security breaches), you can be absolutely certain that the file came from me. This is of tremendous importance if we're dealing with electronic contracts or the like, but there are plenty of other situations where you need to be sure. The file itself may or may not be confidential, so it may or may not need to be encrypted. The signature is valid either way. Yep, it's true that most routine e-mail and Usenet postings don't NEED to be signed, but it's good practice and good propaganda: it helps to promote the widespread use of crypto, helps spread the word, and gets people in the habit of doing it. Believe me, it's not laziness, since as of today it's not too convenient to send and receive encrypted email without going through gyrations. Several cypherpunks have come up with good workarounds for this on various platforms, but we still have a ways to go. --Dave. From jet at nas.nasa.gov Thu Jul 8 12:21:45 1993 From: jet at nas.nasa.gov (J. Eric Townsend) Date: Thu, 8 Jul 93 12:21:45 PDT Subject: scanning (was Happens to `best' of them Message-ID: <9307081921.AA28998@boxer.nas.nasa.gov> Sameer Parekh writes: > Remember that some people think that becoming skilled at using > a non-Mac is tough. Which is why I made the statement about MacScanner. Access to this sort of technology should not be limited to ham freaks, private eyes, and followers of the great Radio Shack. I bought an ICOM R-1 because it does almost everything interesting to the average person (FM & AM), scans a wide range of stuff, and is relatively cheap and lightweight. It's easy to use, modulo tiny buttons. It doesn't have all sorts of ham stuff (special SSB mode, for example). The R-1 is not 'MacScanner', but it's closer. It's sort of like having Windows on a PC. Once I got it up and running, figured out a few wierd things, and ignored the rest, I can use it quite easily. :-) What would be way cool is a handheld scanner with buttons marked: "Fire", "Emergency", "State Police", "Sheriff", "Police Jury", "Municipal Police", "Cellular", "Cordless Phone", "FM Radio", "AM Radio". It would also be nice to have built in DTMF decoding, blah blah blah. And it would really crank up the desire to have crypto phones. :-) From shipley at merde.dis.org Thu Jul 8 12:27:56 1993 From: shipley at merde.dis.org (Peter shipley) Date: Thu, 8 Jul 93 12:27:56 PDT Subject: I need a way to... In-Reply-To: <9307081726.AA05797@vangogh.VIS.ColoState.EDU> Message-ID: <9307081910.AA01788@merde.dis.org> A non-text attachment was scrubbed... Name: not available Type: text/x-pgp Size: 933 bytes Desc: not available URL: From jet at nas.nasa.gov Thu Jul 8 12:28:44 1993 From: jet at nas.nasa.gov (J. Eric Townsend) Date: Thu, 8 Jul 93 12:28:44 PDT Subject: ANON: Steshenko, nntp In-Reply-To: <9307081437.AA10106@jobe.shell.portal.com> Message-ID: <9307081928.AA29036@boxer.nas.nasa.gov> nobody at shell.portal.com writes: > This fact bothered me all weekend long, that somebody can get > fired for views expressed in a private e-list, which probably > extrapolates to USENET posting as well. Apparently, Mr. Steshenko If I spend an hour a day using the phone at work for non-work purposes, and I get fired, nobody's going to care. If I spend an hour a day using the computing resources at work for non-work purposes, and I get fired, people go nonlinear. -eric From nobody at rosebud.ee.uh.edu Thu Jul 8 12:34:53 1993 From: nobody at rosebud.ee.uh.edu (nobody at rosebud.ee.uh.edu) Date: Thu, 8 Jul 93 12:34:53 PDT Subject: ANON: nntp Message-ID: <9307081934.AA20234@toad.com> -----BEGIN PGP SIGNED MESSAGE----- Oops...looks like my message got trimmed somewhere by a sig catcher. Here is the usenet forging part: So, we can all forge mail with smtp, use the cypherpunk remailers, use "anonymous" servers like penet and charcoal, email-to-usenet gateways, etc. I've never seen instructions on how to forge a usenet post, so here goes: 1) Telnet to an NNTP server (see Yanoff's internet services list) 2) Type 'post'. After a bit, you'll get an OK message. 3) Type in what you want to appear. Have in mind before you start what fields you want in the header, or check other posts to see what they have. 4) End with a period on a line all by itself. After a bit, you'll get a "Post OK" message. 5) Type 'quit' For example, I was experimenting and telnetted to news.fu-berlin.de 119: ====================================================================== menudo> telnet news.fu-berlin.de 119 Trying 130.133.4.250... Connected to gibb.math.fu-berlin.de. Escape character is '^]'. 200 gibb NNTP server version 1.5.11 (10 February 1991) ready at Thu Jul 8 16:19:05 1993 (posting ok). post 340 Ok Newsgroups: alt.binaries.pictures.d Path: one!two!three From: mr.smiley at other.plane Subject: A test II Content-Type: text Sender: the MailMan Nntp-Posting-Host: castle Organization: other plane hackers Date: Thu, 8 Jul 1993 07:45:00 GMT Lines: 1 This is another test. From davros at ecst.csuchico.edu Thu Jul 8 13:07:13 1993 From: davros at ecst.csuchico.edu (Tyler Yip - UnixWeenie (tm)) Date: Thu, 8 Jul 93 13:07:13 PDT Subject: a simple elm script for RIPEM and PGP Message-ID: <9307082006.AA03122@hairball.ecst.csuchico.edu> #!/bin/ksh # use the elm "pipe" feature to automatically detect which type of privacy # enchanced mail the message is under, and then automatically send the message # with the correct options to the cipher program. # usage from elm # | elm2pem # you can also put this as the default reader in elm, but sometimes it barfs # if you get a pgp signed message and don't have the sender's key. umask 077 clear cat > $HOME/.tmp/mbox.enc PGP="BEGIN PGP" PEM="BEGIN PRIVACY" if grep "$PGP" $HOME/.tmp/mbox.enc > /dev/null then pgp -m $HOME/.tmp/mbox.enc elif grep "$PEM" $HOME/.tmp/mbox.enc > /dev/null then ripem -d -i $HOME/.tmp/mbox.enc | more -d else more $HOME/.tmp/mbox.enc fi rm -f $HOME/.tmp/mbox.enc From i6t4 at jupiter.sun.csd.unb.ca Thu Jul 8 13:26:47 1993 From: i6t4 at jupiter.sun.csd.unb.ca (Nickey MacDonald) Date: Thu, 8 Jul 93 13:26:47 PDT Subject: ANON: Steshenko, nntp In-Reply-To: <9307081437.AA10106@jobe.shell.portal.com> Message-ID: On Thu, 8 Jul 1993 nobody at shell.portal.com wrote: > (If you missed the post to alt.comp.acad-freedom.talk and various > other groups and don't get usenet let me know and I'll post it to the > list if there is enough interest. I'm not sure if email copies I sent > out made it since some bounces occured. Plus the good old "cannot > deliver for 3 days; message queued" sort of error.) I'd like to see this... A couple of points... It looks like you were trying to stress test someones software.. I saw a --- BEGIN PGP SIGNED MESSAGE --- at the start of your message, but no matching signature block... And it is kind of annoying to the rest of the group to request "let me know and I'll..." and then use an anonymous remailer to prevent replies... Oh well... -- Nick MacDonald | NMD on IRC i6t4 at jupiter.sun.csd.unb.ca | PGP 2.1 Public key available via finger i6t4 at unb.ca | (506) 457-1931 ^{1024/746EBB 1993/02/23} From nobody at mead.u.washington.edu Thu Jul 8 13:30:54 1993 From: nobody at mead.u.washington.edu (nobody at mead.u.washington.edu) Date: Thu, 8 Jul 93 13:30:54 PDT Subject: ANON: nntp, apology Message-ID: <9307082030.AA26026@mead.u.washington.edu> I feel silly. It just occurred to me that the remailers operate by piping to sendmail directly; thus a lone period is interpreted as "the end". So I have cunningly arranged for my message to be indented by one space (emacs has lots of functions!). I apologize for posting this essentially three times. I'm sure by now nobody cares how to forge a usenet post :-) -----BEGIN PGP SIGNED MESSAGE----- So, we can all forge mail with smtp, use the cypherpunk remailers, use "anonymous" servers like penet and charcoal, email-to-usenet gateways, etc. I've never seen instructions on how to forge a usenet post, so here goes: 1) Telnet to an NNTP server (see Yanoff's internet services list) 2) Type 'post'. After a bit, you'll get an OK message. 3) Type in what you want to appear. Have in mind before you start what fields you want in the header, or check other posts to see what they have. 4) End with a period on a line all by itself. After a bit, you'll get a "Post OK" message. 5) Type 'quit' For example, I was experimenting and telnetted to news.fu-berlin.de 119: ====================================================================== menudo> telnet news.fu-berlin.de 119 Trying 130.133.4.250... Connected to gibb.math.fu-berlin.de. Escape character is '^]'. 200 gibb NNTP server version 1.5.11 (10 February 1991) ready at Thu Jul 8 16:19:05 1993 (posting ok). post 340 Ok Newsgroups: alt.binaries.pictures.d Path: one!two!three From: mr.smiley at other.plane Subject: A test II Content-Type: text Sender: the MailMan Nntp-Posting-Host: castle Organization: other plane hackers Date: Thu, 8 Jul 1993 07:45:00 GMT Lines: 1 This is another test. . 340 Post successful quit ====================================================================== and this is what appeared: ====================================================================== Newsgroups: alt.binaries.pictures.d Path: menudo.uh.edu!swrinde!cs.utexas.edu!math.ohio-state.edu!howland.reston.ans.net!noc.near.net!uunet!math.fu-berlin.de!one!two!three From: mr.smiley at other.plane Subject: A test II Content-Type: text Message-ID: <706EBA2L at math.fu-berlin.de> Sender: the MailMan Nntp-Posting-Host: castle Organization: other plane hackers Date: Thu, 8 Jul 1993 07:45:00 GMT Lines: 1 This is another test. ====================================================================== Although Path: contains the one!two!three I typed at the end, it reveals math.fu-berlin.de as the origin of the post. Also, the Message-ID field reveals math.fu-berlin.de. More works needs to be done on how to suppress or further disguise these fields, if possible. -----BEGIN PGP SIGNATURE----- Version: 2.3 iQCVAgUBLDyDDoOA7OpLWtYzAQHwvAP/bb8B+tMtZomonKfYfVEyzy4qVsRDcsy6 jekqxWf2F5xi/aA4EVoXvg6sBbYuO/H0o63xNnDXeA1GzYpAdDp7Ouhztvj0bhn3 TdT5nQHFU/8E5WxhttF6NHs8GNFRDb2QXAxTd5idScMyAEU0RD10VmkwryQXuPez GC93HrcCKyo= =NJA2 -----END PGP SIGNATURE----- From khijol!erc at apple.com Thu Jul 8 13:36:42 1993 From: khijol!erc at apple.com (Ed Carp) Date: Thu, 8 Jul 93 13:36:42 PDT Subject: ANON: Steshenko, nntp In-Reply-To: <9307081928.AA29036@boxer.nas.nasa.gov> Message-ID: -----BEGIN PGP SIGNED MESSAGE----- > nobody at shell.portal.com writes: > > This fact bothered me all weekend long, that somebody can get > > fired for views expressed in a private e-list, which probably > > extrapolates to USENET posting as well. Apparently, Mr. Steshenko > > > If I spend an hour a day using the phone at work for non-work > purposes, and I get fired, nobody's going to care. > > If I spend an hour a day using the computing resources at work for > non-work purposes, and I get fired, people go nonlinear. Good point. Err, I'm at work, and my lunch hour's up, so ... ;) - -- Ed Carp erc at wetware.com 510/659-9560 For anonymous mailers --> anonymus+5300 at charcoal.com "Disagreements are not meant to be challenges. They are just a different reality." -- Risa D'Angeles -----BEGIN PGP SIGNATURE----- Version: 2.3 iQCVAgUBLDyBHxFgrV+S2pJNAQHaEgP/alRvqS8clLzQIrnBjx/Iy3xuLgIJbxmF uSjgDP/J+BfDKuLfEFpmh+b5GNiAJGMjwrVOCRtpjQUZgcUR+BpU3btx+c40p60u DBD+J9CopBR690oR6HXLcDReqSRg/QIlLTgZfDnPvp8cKm03wS0rHAUkyiH7wqFN cq7htdKAycA= =Eb7Q -----END PGP SIGNATURE----- From mrose at stsci.edu Thu Jul 8 13:44:18 1993 From: mrose at stsci.edu (Mike Rose) Date: Thu, 8 Jul 93 13:44:18 PDT Subject: PGP in emacs rmail Message-ID: <9307082044.AA22724@MARIAN.STSCI.EDU> Has anyone written elisp code for running pgp? I found crypt++, but in its default configuration it only does conventional crypto, nothing like signing, verification, and pubkey encryption. Has someone already done this, or am I pioneering new ground? Mike From eichin at cygnus.com Thu Jul 8 14:05:59 1993 From: eichin at cygnus.com (Mark Eichin) Date: Thu, 8 Jul 93 14:05:59 PDT Subject: PGP in emacs rmail In-Reply-To: <9307082044.AA22724@MARIAN.STSCI.EDU> Message-ID: <9307082104.AA29758@cygnus.com> There's one mode (that I'm not going to post without asking the author first) that uses terminal-mode... however, pgp-2.2 had a feature added which should make it much easier to write one, namely it lets you specify that a key gets stuffed in via a file descriptor -- so you run pgp (using a pty, rather than a pipe), feed it the private key password, then the file, and it spits back the text (and other info.) I've been lazy, and haven't actually implemented it, but it's much cleaner than terminal mode (since you're trusting emacs with your key anyway, having it read the input isn't much of a problem, though I'd suggest a "limit coredumpsize 0" first :-) _Mark_ MIT Student Information Processing Board Cygnus Support From warlord at MIT.EDU Thu Jul 8 14:13:32 1993 From: warlord at MIT.EDU (Derek Atkins) Date: Thu, 8 Jul 93 14:13:32 PDT Subject: PGP in emacs rmail In-Reply-To: <9307082044.AA22724@MARIAN.STSCI.EDU> Message-ID: <9307082113.AA04633@toxicwaste.MEDIA.MIT.EDU> You can look in the contrib directory of PGP 2.{2,3}.. There are a number of elisp implementations.. And there is also rat-pgp.el, or something like that, which I know is available via anonymous ftp but I don't know what machine its on... It should be in 2.4, hopefully. I have not tested any of these implementations. -derek From ashall at magnus.acs.ohio-state.edu Thu Jul 8 14:19:14 1993 From: ashall at magnus.acs.ohio-state.edu (Andrew S Hall) Date: Thu, 8 Jul 93 14:19:14 PDT Subject: META:Digital Signatures Message-ID: <9307082119.AA05694@photon.magnus.acs.ohio-state.edu> Is there anyway for the list software to incorporate digital signatures as verifying the poster is a list member? I know Tim posted a whistle-blowing trial balloon, and I have used my anonymous acct to post here. It would be nice if the software used digital signatures to verify list members regardless of their actual origin of posting. Presumably the signature recognition base would be seperate from the names base. This is primarily directed to the Extropians mailing list, but overlaps to cypherpunks. What I am considering is that a user could chose to only accept digitally verified postings. That would eliminate noise like subscription requests. It would also "verify" anonymous postings as being from a "valid" (as in list member) source. I know there are some problems such as maintaining anonymity, but I think verifying would have some interesting and positive results. We could trade HeX shares based on signatures, not names. That would eliminate the element of personality (or some of it) contest. Some one who is considered persona non gratia could redeem themselves with a series of high quality, but anonymous posts. A. Techno-Anarchy.Neophilia.Economic Freedom.Cryptography.Anti-Statism.Personal Liberty.Laissez-Faire.Privacy Protection.Libertarianism.No Taxes.No Bullshit. ********** Liberty BBS 1-614-798-9537 ********** ********** Dedicated to Freedom. Yours. ********** From jet at nas.nasa.gov Thu Jul 8 14:56:10 1993 From: jet at nas.nasa.gov (J. Eric Townsend) Date: Thu, 8 Jul 93 14:56:10 PDT Subject: job listing, supercomputer systems administration Message-ID: <9307082149.AA00409@boxer.nas.nasa.gov> -----cut here---- Computer Sciences Corporation (CSC) has an immediate opening for two Parallel Systems Analysts to support the Numerical Aerodynamic Simulation (NAS) Program at NASA Ames Research Center, including a possible lead analyst position. The position is for a Systems Analyst in the Parallel Systems (PS) group of the Computational Services branch. This group provides support for the NAS parallel systems, which currently include a 128 node Thinking Machines CM-5, a 128 node Intel iPSC/860, and a 224 node Intel Paragon XP/S. Other systems may added in late 1993. While the group is part of a support organization, the immaturity of parallel supercomputers provides opportunitities for a significant amount of development work. Routine system administration and user assistance is provided by a separate user services organization, leaving only the more difficult problems and policy issues to be resolved by the parallel systems analysts. Network, distributed software, and parallel scientific programming (i.e. FORTRAN) support is also provided by separate groups, and on-site vendor analysts provide additional assistance. Current group members are involved in projects ranging from the development and modification of UNIX tools to kernel development work, as well as day to day system maintenance and evaluation tasks. The parallel systems group also has a close relationship with the proprietor of the best Indian restaurant in the known Universe. The NAS parallel systems operate in a networked (UltraNet, HiPPI, FDDI, Ethernet) heterogeneous environment that consists of a Cray Y-MP 8/8256, a Cray C-90, a large mass storage system, several general purpose support processors, and over 200 high performance workstations. UNIX and UNIX-derivatives are used exclusively. Located at NASA Ames Research Center in Mountain View, California, the NAS Program is recognized internationally as a leader in large-scale scientific computing. Its mission is to act as the pathfinder in advanced, large-scale computer system capability through systematic incorporation of state-of-the- art improvements in computer hardware and software technologies; provide a national computational capability, available to NASA, industry, DoD, other Government agencies, and universities as a necessary element in ensuring continuing leadership in computational fluid dynamics and related computational aerospace disciplines. NAS considers parallel supercomputers to be the future of supercomputing, and opportunities for a motivated individual are extensive. Required Skills: o Bachelor's degree in computer science or related field, or unrelated bachelor's degree with equivalent experience. o Fluency with C and at least one UNIX shell, and excellent UNIX skills. o Experience as a system administrator in a UNIX network environment. o Good problem-solving and communications skills. o Willingness and ability to learn new skills. o U.S. Citizenship. Desired Skills: o Experience with parallel computers. o Experience with OSF/1, Mach 3.0, or other multiprocessor-capable operating systems. o Experience in a large scale scientific programming environment. Note: Computer Sciences Corporation policy requires pre-employment drug screening. Any job candidate who receives an offer letter from CSC must report for testing within 48 hours. Please forward your resume to: Eric Townsend Computer Sciences Corporation NASA Ames Research Center M/S 258-6 Moffett Field, CA 94035-1000 or email jet at nas.nasa.gov From khijol!erc at apple.com Thu Jul 8 15:12:15 1993 From: khijol!erc at apple.com (Ed Carp) Date: Thu, 8 Jul 93 15:12:15 PDT Subject: ANON: nntp, apology In-Reply-To: <9307082030.AA26026@mead.u.washington.edu> Message-ID: > I apologize for posting this essentially three times. I'm sure by now > nobody cares how to forge a usenet post :-) I thought it was pretty good. After all, the implications of such a scheme are widespread. I can imagine someone posting a message to talk.politics.guns, purporting to be from clinton at whitehouse.gov (or whatever the White House email address is these days), saying that personally he thinks Sarah Brady is an idiot, but that he has to go along with the Brady Bill for political reasons, and hell, he's just an Arkansas boy who goes out behind the Oval Office and target practices with the Secret Service staff on weekends... Of course, along more sinister lines, someone anonymously posting death threats to Clinton might not be caught, but the Secret Service would sure be all over someone's system REAL FAST. I suppose it's an interesting "denial of service" attack against a site that you don't like... -- Ed Carp erc at wetware.com 510/659-9560 For anonymous mailers --> anonymus+5300 at charcoal.com "Disagreements are not meant to be challenges. They are just a different reality." -- Risa D'Angeles From elee9sf at Menudo.UH.EDU Thu Jul 8 15:30:14 1993 From: elee9sf at Menudo.UH.EDU (elee9sf at Menudo.UH.EDU) Date: Thu, 8 Jul 93 15:30:14 PDT Subject: ANON: Steshenko usenet posting In-Reply-To: Message-ID: <199307082230.AA06511@Menudo.UH.EDU> > I'd like to see this... It's attached to this message. > A couple of points... It looks like you were trying to stress test > someones software.. I saw a --- BEGIN PGP SIGNED MESSAGE --- at the start > of your message, but no matching signature block... And it is kind of > annoying to the rest of the group to request "let me know and I'll..." and > then use an anonymous remailer to prevent replies... Oh well... Sorry, but I had a period on a line all by itself. This caused sendmail to truncate the rest of the message and my signature. The post sent through the phantom remailer should clear this up. Here is the post: ---------------------------------------------------------------------- Newsgroups: soc.rights.human,soc.human-rights,alt.comp.acad-freedom.talk,soc.culture.ukrainian,soc.culture.soviet,talk.politics.soviet From: viznyuk at ohstpy.bitnet (Serge Viznyuk) Subject: Politics, human rights, and Microsoft Corp. Organization: J. Random Misconfigured Site Date: Thu, 1 Jul 1993 02:17:26 GMT X-Posted-From: avalon.mps.ohio-state.edu NNTP-Posting-Host: sol.ctr.columbia.edu This letter has been sent to a number of UseNet newsgroups, e-mail lists, newspapers and information agencies. Carbon copy to administration of Microsoft Corp. It is a deplorable fact that in supposedly democratic country USA considers itself there could be a cases when someone not in government/public office is persecuted and loses his/her job for expressing his/her political views. It is even more deplorable given that it happened to a person who has undergone persecution and imprisonment for political motives in former USSR. Now one has to admit that similar to that of former USSR atmosphere of fear and oppression routinely exists in and is being maintained by administration officials of some US companies, in particular of Microsoft Corporation. Here is the case of Mr.Steshenko, Senior Software Engineer who has been fired by administration of Microsoft Corp. for participation in discussions on RUSSIA at ARIZVM1.CCIT.ARIZONA.EDU and UKRAINE at ARIZVM1.CCIT.ARIZONA.EDU e-mail lists. Those are moderated e-mail lists devoted to discussions on various political, social, economic, and cultural topics concerning related countries. As everybody knows, the disputes and even flames are necessary components of discussions on these and similar e-mail lists, and UseNet newsgroups. There are and will always be persons whose views and opinions do not coincide, or are opposite to each other. The tolerance to and respect for the opinion of your opponent are the prerequisites any society must satisfy to be considered civilized and democratic. However these basics seem to be unknown to administration of Microsoft Corp. whose reaction to complains filed by some paranoiac and hysteric individuals on behalf of Mr.Steshenko was unexpected and sweeping: --- > From: gregory steshenko <72410.626 at COMPUSERVE.COM> > > Today Microsoft Corp. dismissed me on the base of complaints > of certain Ukrainian users about my posting on this network. > I was told ( and even given writing ), that since my > posting were considered as offensive by these users and > since they complained to Microsoft about it, continuation of > my work for that company may hurt Microsoft business. > > Regards, > Gregory Steshenko. --- > From: Gregory Steshenko <72410.626 at COMPUSERVE.COM> > > Dismissal note from administration of Microsoft Corp. > > "On June 21st and June 24th we received several complaints > from UseNet subscribers regarding your comments to various > Net news groups. The subscribers found your comments > offensive and degrading to various ethnic and cultural > groups and have complained to the Postmaster. In Employee > Handbook, it clearly states that electronic bulletin boards > should not be used to broadcast offensive material and > should bear a disclaimer which indicates that the views of > author do not represent Microsoft views. None of your > messages carried this disclaimer and your comments > expressed on the bulletin board were offensive. Your > comments disparaging ethnic groups demonstrate your lack of > discretion, judgement and professionalism. Therefore, your > employment has been terminated effective June 29, 1993. " > > Signed: Glenn Noyama. Mr.Steshenko has not been given neither any options, nor prior warnings. This action of Microsoft constitutes the case of persecution for political motives typical for a totalitarian society, where anonymous reports and notes from informers serve as a basis for oppressive actions. Hopefully this letter might help urge Microsoft officials to reconsider their practices. All concerned persons are welcome to send a protest letters (some follow below) to: Mr. Bill Gates Microsoft Corp. One Microsoft Way Redmond, WA 98052 ( billg at microsoft.com, postmaster at microsoft.com ). --- > From: ST403231 at BROWNVM.BITNET > Subject: My extreme disappointment > > Dear Mr Gates, > > I am a subscriber to the newsgroup _Russia and her neighbors_, > housed at arizvm1. I was extremely disappointed to learn over > that newsgroup yesterday that one of Microsoft's employees, > Gregory Steshenko, was dismissed because of complaints to > Microsoft's management that some of Mr Steshenko's posting > in that newsgroup had been construed as insulting to Ukrainians. > > I am a graduate student in Slavic Languages. In the course of > my training, I have spent a good deal of time in the former > Soviet Union and in other formerly Communist countries of Eastern > Europe. One of the things about those societies that most > disturbed me was the role political denunciation could play > in ruining someone's career. I have had friends who lost > their jobs and the ability to work in the profession for which > they had been trained because of a carefully made, politically > motivated denunciation. I always took comfort in the knowledge > that in our country it was not so easy to eliminate someone > with whom you disagree. Or so I thought. > > It disturbs me a great deal that this dismissal was carried > out without making other options available to Mr Steshenko > (such as instructions to post to the Eastern European-related > newsgroups from another account, for example). And it disturbs > me most of all that he was dismissed on the basis of people who > complained about him because they were unable to best him by > using their own intellect. We call this bullying in English. > And I am extremely upset that as solid and successful an > organization as Microsoft caved in to bullies on this occasion. > > I have been an enthusiastic user of Microsoft Word for the > Macintosh for as long as I have been in graduate school and > have had access to computers. Over the past seven years, I > have done my best to convince my friends and family, as they > have become computer-literate, to use Word for their writing. > I am in the process of writing my dissertation in Word. But > just as I do not buy Chinese-made goods, because of my objection > to the Chinese government's exploitation of prison labor, so I > will be forced to examine whether I can in good conscience buy > and use the goods of an organization that is willing to yield > so quickly and completely to the demands of bullies who seek to > censor speech that they are not clever enough to combat by using > free speech on their own. > > Sincerely, > > Frank McLellan > (st403231 at brownvm.brown.edu) > --- > From: Jan Labanowski > > After reading a note from Gregory Steshenko that he will have to leave > Microsoft Inc., as a result of denunciations from Russia & her neighbors > list readers, I am really stunned. > People who made this happen were well trained in the methods used in the > Soviet Union. Congratulations to our Ukrainian friends! You have great > future in the US !!! Now go after your neighbors, coworkers, etc. > Beware only that while you can destroy people's lives this way, it will > not bring you any personal gains. They hate informers here, and some day > the favor will be returned. > > The Microsoft Inc. had to do what they had to do. Companies in this > litigation driven society cannot risk defamation suits and have to > be most careful not to endanger public relations. > > However, the fact that people resort to denunciations rather than > discussion means only they do not need discussion. We all know that > the most secure way to silence your opponent is to decapitate him/her. > Some of us, however, do not think that this is an ethical solution. > And whatever reasons are given (the "good name", "truth", "honor", > "national pride"), if you want to hit somebody, it is always easy to > find a reason. And the "national pride", "the absolute truth", "honor" > were used by several charismatic leaders now and in the past to justify > doing things which we still wonder how they could have happened. > > So congratulations again... As a result, this list may become > a Politically Correct Forum for exchanging polite hiperbolas which do not > hurt anybody's feelings, as they are contents free. BRAVO... > > Jan Labanowski > Myself (but you can send your denunciations to my institution, if you > so desire --- at some point in the game it becomes a second nature...). --- > From: CATHYF at EARLHAM.BITNET > > Has anybody who understands the disputed language written > to Microsoft about all this? They are concerned about their > image, but that image might be damaged more by responding in > this way to that sort of pressure. > Peace, Cathy Flick cathyf at yang.earlham.edu This letter has been sent/posted to: RUSSIA at ARIZVM1.CCIT.ARIZONA.EDU and UKRAINE at ARIZVM1.CCIT.ARIZONA.EDU e-mail lists. soc.rights.human,soc.human-rights,alt.comp.acad-freedom.talk, soc.culture.ukrainian,soc.culture.soviet,talk.politics.soviet, relcom.comp.os.windows.prog,relcom.comp.os.windows,relcom.msdos, relcom.politics,relcom.talk,relcom.fido.su.general,alt.politics, alt.politics.misc,alt.politics.correct,alt.politics.reform, alt.politics.usa.misc,news.admin,news.admin.misc,news.admin.policy, news.misc,news.sysadmin,comp.os.msdos.misc,comp.os.msdos.programmer, comp.sys.ibm.pc.hardware,misc.jobs.misc.comp.os.ms-windows, comp.os.ms-windows.advocacy,comp.os.ms-windows.misc. Radio Liberty postmaster at RFERL.ORG Moscow office of US National Republican Radio postmaster at nrrusa.msk.su Voice of America Radio postmaster at voa.msk.su All-Russia TV and Radio Broadcasting Corporation postmaster at vgtrk.msk.su InterFax News Agency postmaster at interfax.msk.su Postfaktum News Agency postmaster at postf.msk.su Reuter News Agency postmaster at reuter.msk.su RUFA News Agency postmaster at rufa.msk.su TASS News Agency postmaster at tass.msk.su UPI News Agency postmaster at UPupi.msk.su Baltic News Agency postmaster at bns.msk.su Information Agency Ala-Press postmaster at alapress.msk.su Moscow office of "Dallas Morning News" postmaster at dmn.msk.su Moscow office of "Financial Times" postmaster at fntms.msk.su Newspaper "Komsomolskaya Pravda" postmaster at kompr.msk.su Moscow office of newspaper "Koelner Stadt Anzeiger" postmaster at ksta.msk.su Moscow office of newspaper "Los Angeles Times" postmaster at latimes.msk.su Newspaper "Moscow News" postmaster at moscow-news.msk.su Newspaper "Nesavisimaya Gaseta" postmaster at nega.msk.su Moscow office of newspaper "Philadelphia Inquirer" postmaster at phinq.msk.su Newspaper "Poisk" postmaster at poisk.msk.su Newspaper "Business World" postmaster at busworld.msk.su Moscow office of "Christian Science Monitor TV" postmaster at csmtv.msk.su Agency of Economic News postmaster at css.ena.msk.su --- S.Viznyuk From i6t4 at jupiter.sun.csd.unb.ca Thu Jul 8 15:40:38 1993 From: i6t4 at jupiter.sun.csd.unb.ca (Nickey MacDonald) Date: Thu, 8 Jul 93 15:40:38 PDT Subject: ANON: Steshenko, nntp In-Reply-To: Message-ID: On Thu, 8 Jul 1993, Nickey MacDonald wrote: > A couple of points... It looks like you were trying to stress test > someones software.. I saw a --- BEGIN PGP SIGNED MESSAGE --- at the start > of your message, but no matching signature block... And it is kind of > annoying to the rest of the group to request "let me know and I'll..." and > then use an anonymous remailer to prevent replies... Oh well... Oh dear... I fear that someone somewhere has gotten into a loop... This is about my 10th copy of the above message... I hope I'm the only one getting all of them!! -- Nick MacDonald | NMD on IRC i6t4 at jupiter.sun.csd.unb.ca | PGP 2.1 Public key available via finger i6t4 at unb.ca | (506) 457-1931 ^{1024/746EBB 1993/02/23} From mdavis at pro-sol.cts.com Thu Jul 8 16:51:10 1993 From: mdavis at pro-sol.cts.com (Morgan Davis) Date: Thu, 8 Jul 93 16:51:10 PDT Subject: Thanks for the enlightenment Message-ID: Let me thank all of those who set me straight on the PGP signature stuff. I got about half a dozen messages that politely educated me on the use of PGP secured messages. (This also served as a test to make sure our news program is properly interfacing with this mailing list -- and it is.) /\/\ Morgan Davis Group (619/670-0563) / /__\ Internet: mdavis at pro-sol.cts.com From ciamac at hplms2.hpl.hp.com Thu Jul 8 17:07:58 1993 From: ciamac at hplms2.hpl.hp.com (Ciamac Moallemi) Date: Thu, 8 Jul 93 17:07:58 PDT Subject: PGP in emacs rmail Message-ID: <9307090007.AA18726@cello.hpl.hp.com> eichin> There's one mode (that I'm not going to post without asking the author eichin> first) that uses terminal-mode... however, pgp-2.2 had a feature added eichin> which should make it much easier to write one, namely it lets you eichin> specify that a key gets stuffed in via a file descriptor -- so you run eichin> pgp (using a pty, rather than a pipe), feed it the private key eichin> password, then the file, and it spits back the text (and other info.) eichin> I've been lazy, and haven't actually implemented it, but it's much eichin> cleaner than terminal mode (since you're trusting emacs with your key eichin> anyway, having it read the input isn't much of a problem, though I'd eichin> suggest a "limit coredumpsize 0" first :-) I wrote elisp code for vm that does this if anyone is interested. Ciamac. From mdiehl at triton.unm.edu Thu Jul 8 18:08:09 1993 From: mdiehl at triton.unm.edu (J. Michael Diehl) Date: Thu, 8 Jul 93 18:08:09 PDT Subject: Thanks for the enlightenment In-Reply-To: <1993Jul8.153647.94@pro-sol.cts.com> Message-ID: <9307090108.AA16663@triton.unm.edu> According to Morgan Davis: > > Let me thank all of those who set me straight on the PGP signature stuff. > I got about half a dozen messages that politely educated me on the use of > PGP secured messages. (This also served as a test to make sure our news > program is properly interfacing with this mailing list -- and it is.) > This has puzzled me for some time, too. Would you please summarize? Thanx. +-----------------------+-----------------------------+---------+ | J. Michael Diehl ;-) | I thought I was wrong once. | PGP KEY | | mdiehl at triton.unm.edu | But, I was mistaken. |available| | mike.diehl at fido.org | | Ask Me! | | (505) 299-2282 +-----------------------------+---------+ | | +------"I'm just looking for the opportunity to be -------------+ | Politically Incorrect!" | +-----If codes are outlawed, only criminals wil have codes.-----+ +----Is Big Brother in your phone? If you don't know, ask me---+ From nate at VIS.ColoState.EDU Thu Jul 8 18:20:22 1993 From: nate at VIS.ColoState.EDU (CVL staff member Nate Sammons) Date: Thu, 8 Jul 93 18:20:22 PDT Subject: using pgp with vanilla berkeley mail Message-ID: <9307090120.AA07026@vangogh.VIS.ColoState.EDU> -----BEGIN PGP SIGNED MESSAGE----- Hey guys, I set PAGER to "pgp -m" (with the full path, of course) in my .mailrc, and I use the PGPmail wrapper from Jason L. Steiner (way to go Jason!) to sign and encrypt mail. This seems to work fine, since it leaves the message encrypted and all in the mbox (or wherever) unless I choose to save it (when pgp asks) thanks for all the help. - -nate +-------------------------------------------------------------------- | Nate Sammons email: nate at VIS.ColoState.Edu | Colorado State University Computer Visualization Laboratory | Finger me at nate at monet.VIS.ColoState.Edu for my PGP key | #include | "I have but one single desire - to tear down the sky" -A. Toomba +----------------------+ -----BEGIN PGP SIGNATURE----- Version: 2.3 iQCVAgUBLDzHutTgi1fmrpxlAQG2FgP+IiMAUOhteLeLMfRw5oQ0Q4bv8MUpwsep UVvTn839CFD4s1qHZ9mhmYGFKHy2UHi0VkBsnWLYKfQgedMXdFXOlRrdFIAFufpG 743XIaSvYrcOODjRHlyQRQXw0RN0b76VJwBw9CLNJsTuRdT4yrWaxtw45li2bat3 8t+x/O9oJH4= =BTN9 -----END PGP SIGNATURE----- From gnu Thu Jul 8 18:47:32 1993 From: gnu (John Gilmore) Date: Thu, 8 Jul 93 18:47:32 PDT Subject: Loop stopped, I hope. Message-ID: <9307090147.AA02502@toad.com> The loop appeared to be at pro-storm.cts.com or pro-sol.cts.com, so I temporarily removed two people at those sites from the list. Neither is on the Intenet, so I can't check from here what the exact problem is. John From nate at VIS.ColoState.EDU Thu Jul 8 19:05:50 1993 From: nate at VIS.ColoState.EDU (CVL staff member Nate Sammons) Date: Thu, 8 Jul 93 19:05:50 PDT Subject: copy of "From Crossbows to Cryptography" anyone? Message-ID: <9307090205.AA07226@vangogh.VIS.ColoState.EDU> -----BEGIN PGP SIGNED MESSAGE----- Inned a copy, and I think that there is a problem with the one at soda... when I decompress it, the last few pages are a bit skewed.. thanks, - -nate sammons +-------------------------------------------------------------------- | Nate Sammons email: nate at VIS.ColoState.Edu | Colorado State University Computer Visualization Laboratory | Finger me at nate at monet.VIS.ColoState.Edu for my PGP key | #include | "I have but one single desire - to tear down the sky" -A. Toomba +----------------------+ -----BEGIN PGP SIGNATURE----- Version: 2.3 iQCVAgUBLDzSZdTgi1fmrpxlAQHwIwP9GcQQD8vdcmFPA+EU7HSrvId6he5rQYQs far/oI+a/UKgFNkcapLY2CoBMcecdFWjaOxmq5kbJggER8jKmbGyaiYFds85aAF6 h09yWieFYKXDuM1UyT6s9EXQWBEQks24iCxERen5d0o/DiL3xT44zNWN97XRDCcd apYQdULSh9Q= =Qnsp -----END PGP SIGNATURE----- From miron at extropia.wimsey.com Thu Jul 8 20:30:25 1993 From: miron at extropia.wimsey.com (Miron Cuperman) Date: Thu, 8 Jul 93 20:30:25 PDT Subject: ANON: nntp, apology In-Reply-To: <9307082030.AA26026@mead.u.washington.edu> Message-ID: <1993Jul9.023606.12732@extropia.wimsey.com> -----BEGIN PGP SIGNED MESSAGE----- nobody at mead.u.washington.edu writes: >I feel silly. It just occurred to me that the remailers operate by >piping to sendmail directly; thus a lone period is interpreted as "the >end". So I have cunningly arranged for my message to be indented by >one space (emacs has lots of functions!). This is a bug. I've added the '-oi' option to sendmail invocations in my remail scripts. I recommend that other remail operators do the same. - -- Miron Cuperman | NeXTmail/Mime ok Unix/C++/DSP, consulting/contracting | Public key avail AMIX: MCuperman | Laissez faire, laissez passer. Le monde va de lui meme. -----BEGIN PGP SIGNATURE----- Version: 2.3 iQCVAgUBLDzZQJNxvvA36ONDAQHYKQP+Mpok7m5fABZG/PTkQ5TAVFtPUHdSyzQT MpZF6MhWSEdR3Tj+8tpUahS3J/ZXfXENeacL9r2Nd2ORXwCNDziGoCkdjV1sKmS9 NR+HKS8uq/WVt7rlpZMHmf/9nSlvx4l5KTVJ/5iy8FtppbbJrlFpf0HsDvDMF7if /PEAoSZs11I= =0U6k -----END PGP SIGNATURE----- From zane at genesis.mcs.com Thu Jul 8 23:40:38 1993 From: zane at genesis.mcs.com (Sameer) Date: Thu, 8 Jul 93 23:40:38 PDT Subject: Release: July 5, 1993 In-Reply-To: <9307080534.AA29729@netcom2.netcom.com> Message-ID: In message <9307080534.AA29729 at netcom2.netcom.com>, ccat writes: > If you would like to communicate with a human being about the > hearing, you may send your comments and questions to: > > hearing-info at town.hall.org I guess it's official: Congresscritters aren't human. -- | Sameer Parekh-zane at genesis.MCS.COM-PFA related mail to pfa at genesis.MCS.COM | | Apprentice Philosopher, Writer, Physicist, Healer, Programmer, Lover, more | | "Symbiosis is Good" - Me_"Specialization is for Insects" - R. A. Heinlein_/ \_______________________/ \______________________________________________/ From zane at genesis.mcs.com Thu Jul 8 23:40:40 1993 From: zane at genesis.mcs.com (Sameer) Date: Thu, 8 Jul 93 23:40:40 PDT Subject: Release: July 5, 1993 In-Reply-To: <9307080534.AA29729@netcom2.netcom.com> Message-ID: In message <9307080534.AA29729 at netcom2.netcom.com>, ccat writes: > If you would like to communicate with a human being about the > hearing, you may send your comments and questions to: > > hearing-info at town.hall.org I guess it's official: Congresscritters aren't human. -- | Sameer Parekh-zane at genesis.MCS.COM-PFA related mail to pfa at genesis.MCS.COM | | Apprentice Philosopher, Writer, Physicist, Healer, Programmer, Lover, more | | "Symbiosis is Good" - Me_"Specialization is for Insects" - R. A. Heinlein_/ \_______________________/ \______________________________________________/ From zane at genesis.mcs.com Thu Jul 8 23:40:43 1993 From: zane at genesis.mcs.com (Sameer) Date: Thu, 8 Jul 93 23:40:43 PDT Subject: USENET newsreaders and cryptography: features/suggestions/questions In-Reply-To: <9307080348.AA10446@polaris.unm.edu> Message-ID: In message <9307080348.AA10446 at polaris.unm.edu>, Clifford A Adams writes: > 1. Does anyone know if including code like > system("pgp -m foobar") might cause legal problems? Strn doesn't > implement any cryptographic techniques. I wouldn't know, but to stay completely safe, it *might* be a good idea to use environment variables. CRYPTOPROGRAM=pgp system(strcat(getenv("CRYPTOPROGRAM"), " -m foobar")) (I'm not well-versed in strcat, so this could be wrong, but you know what I mean.) Then you're not mentioning PGP at all in the code. (Env. variables for the options would be a good idea as well.. that way you can't be attacked under the premise, "It's OBVIOUSLY for PGP, because the options are PGP-options.") > 3. It would be greatly convenient if someone would implement > a "verify signature only" switch for PGP. Most of the applications I > would like to use don't involve data hiding--just signature verification. > I'm also lobbying the RIPEM author to include a similar feature. One feature I'd like would be easy to parse PGP output. That way PGP can be more easily integrated with other programs. For example, doing the following: (-p for "easyparse"?) pgp -p 01/01/93 12:34:56 GMT Then a program can parse it very easily. A successful sig would give a return code of 0, and failed sig would have a nonzero return code. -- | Sameer Parekh-zane at genesis.MCS.COM-PFA related mail to pfa at genesis.MCS.COM | | Apprentice Philosopher, Writer, Physicist, Healer, Programmer, Lover, more | | "Symbiosis is Good" - Me_"Specialization is for Insects" - R. A. Heinlein_/ \_______________________/ \______________________________________________/ From zane at genesis.mcs.com Thu Jul 8 23:40:46 1993 From: zane at genesis.mcs.com (Sameer) Date: Thu, 8 Jul 93 23:40:46 PDT Subject: USENET newsreaders and cryptography: features/suggestions/questions In-Reply-To: <9307080348.AA10446@polaris.unm.edu> Message-ID: In message <9307080348.AA10446 at polaris.unm.edu>, Clifford A Adams writes: > 1. Does anyone know if including code like > system("pgp -m foobar") might cause legal problems? Strn doesn't > implement any cryptographic techniques. I wouldn't know, but to stay completely safe, it *might* be a good idea to use environment variables. CRYPTOPROGRAM=pgp system(strcat(getenv("CRYPTOPROGRAM"), " -m foobar")) (I'm not well-versed in strcat, so this could be wrong, but you know what I mean.) Then you're not mentioning PGP at all in the code. (Env. variables for the options would be a good idea as well.. that way you can't be attacked under the premise, "It's OBVIOUSLY for PGP, because the options are PGP-options.") > 3. It would be greatly convenient if someone would implement > a "verify signature only" switch for PGP. Most of the applications I > would like to use don't involve data hiding--just signature verification. > I'm also lobbying the RIPEM author to include a similar feature. One feature I'd like would be easy to parse PGP output. That way PGP can be more easily integrated with other programs. For example, doing the following: (-p for "easyparse"?) pgp -p 01/01/93 12:34:56 GMT Then a program can parse it very easily. A successful sig would give a return code of 0, and failed sig would have a nonzero return code. -- | Sameer Parekh-zane at genesis.MCS.COM-PFA related mail to pfa at genesis.MCS.COM | | Apprentice Philosopher, Writer, Physicist, Healer, Programmer, Lover, more | | "Symbiosis is Good" - Me_"Specialization is for Insects" - R. A. Heinlein_/ \_______________________/ \______________________________________________/ From ld231782 at longs.lance.colostate.edu Fri Jul 9 00:12:53 1993 From: ld231782 at longs.lance.colostate.edu ( L. Detweiler ) Date: Fri, 9 Jul 93 00:12:53 PDT Subject: `ad hominem' ad nauseam Message-ID: <9307090712.AA11718@longs.lance.colostate.edu> I'd like to respond to a few introspective cypherpunkesque notes by P. Farrell and T.C. May. I've considered the general attitudes toward e.g. Denning and Sternlight seriously, particularly my own. I freely admit to banging out scathing verbiage on behalf of both here and elsewhere and critical reactions both publicly and privately. First, a general observation. It strikes me that many have not recognized the true meaning of `ad hominem' in their casual and careless use of it (perhaps even it is the only Latin term known to some tossing it about because of its frequent appearance in cyberspatial flame wars). I think it has taken a new meaning on the net to be something like `making someone look like a fool'. By my view, it means *calling* someone a fool completely without justification (e.g. attacking irrelevent aspects of their reputation). However, devastating their flimsy arguments and false beliefs to the point they *look* like a fool is not an ad hominem attack. Perhaps I will be accused of splitting fibers but I think the distinction is transparent. P.F.: >I'm more than a little concerned about the vicious personal attacks that >this list makes on folks that have strongly held beliefs that disagree with >some (or all) of the beliefs of hot headed posters to cypherpunks. >I thought this was a technical mailing list, that dabbled in politics only >as necessary. I see no justification for the personal attacks, especially on >3rd parties that do not read this list. These uncalled for attacks will not >convince anyone on the list, and do not become the poster. First, I will not argue that ad hominem or vicious attacks are warranted. However, they are there because they are *motivated* by tangible reasons that you fail to address. Let's look at each case: [D. Denning] >She just happens to support a view that she >strongly believes in. The fact that I think her side is dead wrong does not >make her an idiot. Name calling accomplishes nothing but does hurt the >signal to noise ratio of this list. First, it is not clear why Denning doggedly pursues the key escrow scheme and advocation of Clipper, and she has never expressed any conceivable reason. Your invention of `strong belief' is nothing but pure speculation and in the glaring lack of any statements on the subject by her, not any superior in plausibility than attributions of black machinations by others. Yet, on the other hand, virtually everyone who is (admittedly) equally dogmatically opposed to Clipper supplies a continuous torrent of personal motivations, anecdotes, and background for their characteristic position and drive. D. Denning once volunteered some weak statistics on wiretapping a long time ago but has long since abandoned them. Others suggested they showed to the contrary that wiretapping did not have a socially significant effect despite severe compromises and sacrifices to institute it. >Even more annoying are the attacks on Jim Bidzos. He is trying to make a >buck, which was legal last time I looked. And on many issues, he is far more >in our camp than against us. He at least likes strong cryptography, and his >disputable patents expire in a relatively short time. He has agreed to allow >a PGP-compatible program to use RSA without cost, providing the legal >version that many U.S. users would like to see. Again, you are postulating hypothetical motivations. You supply no direct evidence for your claims whatsoever, despite very disturbing evidence to the contrary (PGP hassling, DSA scheming, patent-mongering, laywer-breeding, etc.). As for the PGP case you cite, why has it taken years for him to reverse the companies well-known belligerence despite overtures by PRZ? Probably because of strong public pressure and PR opportunism, IMHO. I don't claim my opinion is correct, but I do claim that it is most plausible in light of all the data. [T.M.] >What really bothers me is the type of criticism, which I also tend to call >"ad hominem" (but which rhetoriticians may have a special name for), in >which people impute _motives_ to others. Thus, we see seemingly endless >comments about the motives of Denning, of Bidzos, of Sternlight, and of >others. >[...] >While I think Dorothy Denning is, for various reasons, hopelessly in the >camp of the NSA and FBI, I see nothing to be gained by demonizing her. This was a bit confusing to me to hear Mr. May first criticize imputing motives, and then to say that `Denning is for various reasons hopelessly in the camp of the NSA and FBI'. What are her various reasons for her bizarre lone intransigence? The whole *point* is that these reasons are unclear, and most of the `endless comments about the motives' by others are actually encouraging bait for those parties to publicly `come clean' with their associations and affiliations. These people's actions are completely baffling from our own point of view and troubling in light of other hazy but discernable ulterior trend-patterns. What is their version of reality? Particularly with Denning and Bidzos their public comments on their motivations, despite the sheer strangeness of it all, are essentially nonexistent. I must admit a bit of frustration and annoyance (to say the least) with T.C. May's habitual tendency to don rosy glasses in viewing the actions of Denning and Bidzos and others (speaking in spineless psychoanalytic babble like `cognitive dissonance'), seemingly reflecting a continual forebearance and willingness to grant them `the benefit of the doubt' despite increasingly sinister evidence of motives to the contrary. Denning, in particular, has explicitly claimed no knowledge of Clipper despite her uncannily prescient proposals (she was the *first* to propose the `split key' idea on sci.crypt in an infamous `Copper Balloon' message). Bidzos appears to me to be playing different cyberpunks against each other and making lame statements such as that the DSS arrangement is completely sensible and rational despite the historical convolutions preceding it. We are dealing with people who are failing to level with us at best and tricking and deceiving us at worst, and the `demonizing' represents our desperation. To the contrary, it is attribution of their motives to `socializing' and `support' from their `peer group' that dangerously trivializes, underestimates, misjudges them. [`demonizing'] >... weakens our cause, for two reasons. First, it >cuts off dialog with those we disagree with. Second, we tend to >underestimate people we have written off as stooges or dunces. As the sci.crypt melee you valiantly instigated dramatically proves, dialogue has so far been completely useless. Despite the most critical reception possible to the idea of key escrow about 6 months before the release of Clipper, no modification of the plan was apparent. D. Denning may as well be a brick wall when it comes to rational consideration of opposing viewpoints on the subject (which she conveniently delegates to others to explore). She simply will not budge from her basic premise that key-escrow is wholly desirable and necessary. In short, at present we have an impasse, not `dialogue'. Furthermore, it is precisely in scathingly criticizing opponents that we encourage others *not* to underestimate these people and their dangerous ideas. That is the point: all of Denning, Bidzos, and Sternlight are too intelligent to write of as `stooges or dunces' and something more `intentional' and `systematic' is more likely. That is what is so alarming. >... we ought not to use cheap shots and cheap rhetorical tricks >(one I hate especially is the "sound effect" jab, the "" >sort of comment inserted into postings ... While I've never done this, it is futile for you to request otherwise. This is one of the most colorful aspects of Usenet. Nothing is sacred in cyberspace. Professional academicians will get ruthlessly ridiculed or humiliated like anyone else if they doggedly advocate feeble ideas through deluded arguments. They are just another email address and bursting bit pattern in the ultimate egaltarianocracy. Who can escape or transcend the glare of multitudinous eyes glued on a computer screen? From ld231782 at longs.lance.colostate.edu Fri Jul 9 00:24:42 1993 From: ld231782 at longs.lance.colostate.edu ( L. Detweiler ) Date: Fri, 9 Jul 93 00:24:42 PDT Subject: Clipper committee: open meetings required by law? Message-ID: <9307090724.AA11795@longs.lance.colostate.edu> Subject: Clipper review committee must hold open meetings, etc! Date: Tue, 06 Jul 93 15:48:18 -0700 From: gnu at cygnus.com According to the Federal Advisory Committee Act (5 USC app. 2), the panel of cryptographers who are reviewing the Skipjack algorithm qualify as an advisory committee, and must hold open meetings, announce the location and duration of meetings, make transcripts available under FOIA, etc. 5 U.S.C app. 2 (sec. 3) (2) The term "advisory committee" means any committee, board, commission, council, conference, panel, task force, or other similar group, or any subcommittee or other subgroup thereof (hereafter in this paragraph referred to as "committee"), which is: (A) established by statute or reorganization plan, or (B) established or utilized by the President, or (C) established or utilized by one or more agencies, in the interest of obtaining advice or recommendations for the President or one or more agencies or officers of the Federal Government, except that such term excludes (i) the Advisory Commission on Intergovernmental Relations, (ii) the Commission on Government Procurement, and (iii) any committee which is composed wholly of full-time officers or employees of the Federal Government. (3) The term "agency" has the same meaning as in section 551(1) of Title 5. ... (sec 10) (a) (1) Each advisory committee meeting shall be open to the public. (2) Except when the President tdetermines otherwise for reasons of national security, timely notice of each such meeting shall be published in the Federal Registers, and the Administrator shall proescribe regulations to provide for other types of public notice to insure that all interested persons are notified of such meeting prior thereto. [Administrator = Administrator of General Services] (3) Interested persons shall be permitted to attend, appear before, or file statements with any advisory committee, subject to such reasonable rules or regulations as the Administrator may prescribe. (b) Subject to section 552 of Title 5, United States Code [the FOIA], the records, reports, transcripts, minutes, appendixes, working papers, drafts, studies, agenda, or other documents which were made available to or prepared for or by each advisory committee shall be available for public inspection and copying at a single location in the offices of the advisory committee or the agency to which the advisory committee reports until the advisory committee ceases to exist. (c) Detailed minutes of each meeting...shall be kept... (d) Subsections (a)(1) and (a)(3) of this section shall not apply to any portion of an advisory committee meeting where the President, or the head of the agency to which the advisory committee reports, determines that such portion of such meeting may be closed to the public in accordance with subsection (c) of section 552b of Title 5, United States Code [the Government in the Sunshine Act]. Any such determination shall be in writing and shall contain the reasons for such determination... [This lets them close portions of the meeting that are classified. But they must hold an open meeting anytime their discussion is not classified. And they must vote publicly about what portions of the meeting to close.] ... (sec 11) (a) Except where prohibited by contractural agreements entered into prior to the effective date of this Act, agencies and advisory committees shall make available to any person, at actual cost of duplication, copies of transcripts of agency proceedings or advisory committee meetings. Read over the whole act (it's in the annual Justice Dept. "FOIA Case List" publication) and then let's find out whether NIST is following the rules here... The Sept 91 case list has about 40 FACA cases listed. The recent controversy over Hilary's health care advisory task force is also an FACA case. Thanks to Whit Diffie for thinking of this. John ------- End of Forwarded Message From ld231782 at longs.lance.colostate.edu Fri Jul 9 00:28:40 1993 From: ld231782 at longs.lance.colostate.edu ( L. Detweiler ) Date: Fri, 9 Jul 93 00:28:40 PDT Subject: Phiber Optik pleads guilty Message-ID: <9307090728.AA11840@longs.lance.colostate.edu> From: farber at central.cis.upenn.edu (David Farber) Subject: Two messages that may interest you re: "Phiber Optik," Date: Tue, 6 Jul 1993 17:31:39 -0500 The following appears on Newsbytes today. Newsbytes is a copyrighted commercial service which appears on GEnie, Compuserve, America OnLine, Newsnet, DIALOG, Clarinet and other networks. This story is posted here with the permission of the authors. ========================================================================== Phiber Optik Pleads Guilty 07/06/93 NEW YORK, NEW YORK, U.S.A., 1993 JUL 6 (NB) -- Mark Abene, better known throughout the computer world by the hacker handle "Phiber Optik," plead guilty on July 2 in Federal Court to felony charges of conspiracy and unauthorized access to computers. Abene had been due to go to trial on these counts today. The plea by Abene, entered before Judge Louis Stanton in the Southern District of New York, admitted intrusion into computers owned by NYNEX, BellSouth, and Southwestern Bell. In his statement, Abene said that he had, in his actions, "never tried to damage any computer systems and, to my knowledge, I never have." In the course of the proceedings, Judge Stanton asked Abene a series of questions including: whether he understood the charges; whether he realized that, by pleading guilty to felony charges, he was exposing himself to possible loss of civil liberties such as the right to vote, sit on jury or hold public office; whether he realized that he could face a maximum sentence of 10 years imprisonment and a maximum fine of $500,000; whether he understood that he could be required to make restitution for damages; and whether he was satisfied that he had received adequate legal counsel. He replied yes to all the above, but no to the question of whether he had been threatened or coerced by the United States Attorney's office to change his plea. Following the questioning, the judge asked Abene to say what he did. Abene responded by admitting that he had conspired with others to gain access to various computer systems, including those belonging NYNEX, BellSouth and Southwestern Bell; he had intercepted data on networks belonging to British Telcom and Tymnet; and that he had misrepresented himself to employees of phone companies to gain access to their systems. It was during these admissions that Abene said that he had never, to his knowledge, damaged any systems. At the end of Abene's statement, Assistant US Attorney Fishbein stated that Abene had fraudulently used computer accounts at New York University to access the remote computer systems. When asked by the judge to confirm Fishbein's assertion, Abene did. Judge Stanton then stated, "Mr. Abene is fully competent to make an informed plea in this case. He is knowledgeable of the charges against him and is aware of the possible consequences. I accept his guilty pleas." Judge Stanton then set sentencing for 9:30AM Wednesday, November 3rd. He asked Abene's attorney, Paul Ruskin, to insure that he do everything possible to cooperate with the probation staff in its development of a background of Abene for the sentencing procedure. Abene was then released on his own recognizance. Abene, together with Elias Ladopoulpos, a/k/a "Acid Phreak;" Paul Stira, "Scorpion;" John Lee, "Corrupt;" and Julio Fernandez, "Outlaw," were indicted on July 8, 1992. Ladopulous, Stira, Lee, and Fernandez previously plead guilty to charges relating to the indictment. Lee, the only one sentenced to date, has received a year and a day. Stira and Ladopoulos are scheduled for sentencing on July 23. In a prepared statement after court adjournment, United States Attorney Mary Jo White said that the investigation leading to the indictment was performed jointly by the United Secret Service and the Federal Bureau of Investigation. She praised both the Secret Service and FBI and thanked the Department of Justice Computer Crime Unit for "their important assistance in the investigation." Ruskin, Abene's attorney, told Newsbytes, "My personal opinion is that Mark has outgrown the phase in his life in which he performed the activities to which he confessed. He wants to use his considerable computer talents in manners that will be productive to society." Fishbein told Newsbytes, "The government is satisfied with the successful end to an important case. We hope that other people involved in illegal computer activities recognize that the Federal Government takes these cases very seriously." (Barbara E. McMullen & John F. McMullen/19930706) John F. McMullen mcmullen at mindvox.phantom.com Consultant, knxd at maristb.bitnet mcmullen at well.sf.ca.us Writer, 70210.172 at compuserve.com mcmullen at panix.com Student, GEnie - nb.nyc mcmullen at eff.org Teacher Subject: Perhaps you could help From: mcmullen (John F. McMullen) Comments: Message-ID: Date: Tue, 06 Jul 93 16:43:10 EDT Organization: [Phantom Access] / the MindVox system I received this from Mark and, with his permission, am sending it to you in the hope that you might write something. John ========================================================================== >From panix.com!mark Tue Jul 6 15:31:07 1993 Return-Path: Received: from panix.com by mindvox.phantom.com with smtp (Smail3.1.28.1 #5) id m0oDIjD-0009STC; Tue, 6 Jul 93 15:30 EDT Received: by panix.com id AA14749 (5.65c/IDA-1.4.4 for mcmullen); Tue, 6 Jul 1993 15:25:42 -0400 From: Phiber Optik Subject: Personal request... Friends and fellow netters: I regret to inform you all that after much stress and anxiety, I decided the risk of loss to be too great, and have accepted a guilty plea in my case. All things considered, it seemed the only thing to do in order to avoid the possibility of a much harsher sentence in the event things did not go well during trial. I entered my plea on Friday, July 2nd, and am to be sentenced this November. I'm sending this letter to those who were under consideration for testifying in my favor as character/expert witnesses, and I would greatly appreciate if you could put together letters of recommendation attesting to my character. These letters would be considered by the judge and the probation department and would help me in my review for sentencing. If there are any questions, feel free to reply, or you can contact my lawyers, Paul Ruskin and Carl Hartmann, at 212/223-3330. Thank you, - -Mark. ------- End of Forwarded Message From i6t4 at jupiter.sun.csd.unb.ca Fri Jul 9 01:02:12 1993 From: i6t4 at jupiter.sun.csd.unb.ca (Nickey MacDonald) Date: Fri, 9 Jul 93 01:02:12 PDT Subject: USENET newsreaders and cryptography: features/suggestions/questions In-Reply-To: Message-ID: On Thu, 8 Jul 1993, Sameer wrote: > CRYPTOPROGRAM=pgp > > system(strcat(getenv("CRYPTOPROGRAM"), " -m foobar")) > > (I'm not well-versed in strcat, so this could be wrong, but you > know what I mean.) I know you put a disclaimer, but I'll warn you that the above code is very dangerous... strcat() concatenates to its first argument, and the value returned by getenv is not a suitable argument in this case... the fix: char enccmd[100]; strcpy(enccmd, getenv("CRYPTOPROGRAM")); strcat(enccmd, " -m foobar"); system(enccmd); However, I still find this unsatisfying, as the'-m' is probably a PGP sepcific option, and it seems to me that a more general solution would be either some form of template in the environment variable: CRYPTOPROGRAM="pgp encode=-e decode= sign=-s stdin=-f text=-t ascii=-a conventional=-c userid=-u %u forcepager=-m pagemode=-m wipeorig=-w recoverorigfilename=-p detatchsig=-b leavesigintact=-d adresseelist=%a ...and so on..." or a set of environment variables, such as: CRYPTOENCODE= CRYPTODECODE= CRYPTOSIGN= CRYPTOVERIFYSIGNATURE= ...and so on... Either way is a lot more work, but probably a lot more general as well... This is a piece of code that only needs to be written once... would take more work to do the documentation that the code... Any takers, or should I put this on my TODO list as well? -- Nick MacDonald | NMD on IRC i6t4 at jupiter.sun.csd.unb.ca | PGP 2.1 Public key available via finger i6t4 at unb.ca | (506) 457-1931 ^{1024/746EBB 1993/02/23} From mdavis at pro-sol.cts.com Fri Jul 9 03:05:27 1993 From: mdavis at pro-sol.cts.com (Morgan Davis) Date: Fri, 9 Jul 93 03:05:27 PDT Subject: If the cypherpunks list gets this, the loop is at pro-sol.cts.com Message-ID: gnu at toad.com writes: >There's been a message loop running in cypherpunks today. Did you guys >add cypherpunks at toad.com to your local list or something? Please remove >it, if so! > > John Gilmore > postmaster at toad.com No. Our local list alias is "cypherpunks-list" and the only recipient is an incoming news processor that posts messages in a local newsgroup (pro.cypherpunks). The only transmissions to the cypherpunks at toad.com address are when posts are made in our local newsgroup. I will double-check everything though. /\/\ Morgan Davis Group (619/670-0563) / /__\ Internet: mdavis at pro-sol.cts.com From nobody at entropy.linet.org Fri Jul 9 05:58:28 1993 From: nobody at entropy.linet.org (nobody at entropy.linet.org) Date: Fri, 9 Jul 93 05:58:28 PDT Subject: anonymous mail Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Some people have e-mailed me saying that what happened to Mr. Steshenko isn't uncommon at all. This fact bothered me all weekend long, that somebody can get fired for views expressed in a private e-list, which probably extrapolates to USENET posting as well. Apparently, Mr. Steshenko forgot to include the "disclaimer: my opinions" with his email. Is this all that is required? If he merely would have added the disclaimer, would his former employer be facing possible legal action? Would he still be employed? Is there some "minimal" text that must be included? I mean, I've seen disclaimers that are nearly a paragraph long to ones that try to be cute (#include and so forth). (If you missed the post to alt.comp.acad-freedom.talk and various other groups and don't get usenet let me know and I'll post it to the list if there is enough interest. I'm not sure if email copies I sent out made it since some bounces occured. Plus the good old "cannot deliver for 3 days; message queued" sort of error.) It bugged me because I really beleive that it is impossible to carry on a rational discussion if one side is afraid to voice an opinion. I'm not advocating libel or misuse (personal attacks, threats of violence, etc.) but every once in a while a really hot topic comes up which stirs the emotions. So, we can all forge mail with smtp, use the cypherpunk remailers, use "anonymous" servers like penet and charcoal, email-to-usenet gateways, etc. I've never seen instructions on how to forge a usenet post, so here goes: 1) Telnet to an NNTP server (see Yanoff's internet services list) 2) Type 'post'. After a bit, you'll get an OK message. 3) Type in what you want to appear. Have in mind before you start what fields you want in the header, or check other posts to see what they have. 4) End with a period on a line all by itself. After a bit, you'll get a "Post OK" message. 5) Type 'quit' For example, I was experimenting and posted this to alt.binaries.pictures.d: ====================================================================== Newsgroups: alt.binaries.pictures.d From: anyone at here.and.there Subject: A test Content-Type: text Nntp-Posting-Host: nowhere Organization: none Date: Wed, 7 Jul 1993 11:14:00 GMT This is merely a test. ====================================================================== I just typed all that stuff in (including a lone period, but that doesn't show in your message) and it showed up after a while. If you examine the post closer, particularly the Path and Sender fields, the fact the message originated at the nntp server in Germany is revealed. I guess I'll work on more sophisticated methods in my spare time :-) -----BEGIN PGP SIGNATURE----- Version: 2.3 iQCVAgUBLDseRoOA7OpLWtYzAQF+HQP+NUd41Sw3QVzBcisaG7o5W2tld02A+e6u 6TDNnwioCsTq/n9arLJ7+dDOEI15c4TTQ2d4f/YoFi5JpMGdc8svC4DFGVY9kZRR bZjnW3/EPaeqbh2dB5AJj3o5X4+UQc4KnB3RuEY62QOvVQ4mzWVMC/D55EH53o9y AYs0scqMwJI= =Dh7z -----END PGP SIGNATURE----- From marc at GZA.COM Fri Jul 9 09:21:50 1993 From: marc at GZA.COM (Marc Horowitz) Date: Fri, 9 Jul 93 09:21:50 PDT Subject: IETF Message-ID: <9307091621.AA12178@dun-dun-noodles.aktis.com> Is anyone else on this list going to be there? Marc From hfinney at shell.portal.com Fri Jul 9 09:58:15 1993 From: hfinney at shell.portal.com (hfinney at shell.portal.com) Date: Fri, 9 Jul 93 09:58:15 PDT Subject: Encrypted postings. Message-ID: <9307090322.AA03678@jobe.shell.portal.com> From: Chris Claborne Could we send our postings to the mailer in encrypted format? That is... I would encrypt the message with the public key for the mailer, the mailer would decrypt and re-post to the clear-text mailer and to the PGP group. You can already do this, in a way. Just post to the list using one of the existing encrypted remailers like the one at extropia (or the one at portal, for that matter). You need to put: :: Request-Remailing-To: cypherpunks at toad.com Subject: And a blank line at the top of your message, encrypt the whole thing with the public key of the remailer, and add: :: Encrypted: PGP and a blank line to the PGP file just before the "-----BEGIN PGP MESSAGE-----" line. There are some scripts on the cypherpunks ftp site (soda.berkeley.edu, /pub/cypherpunks/remailer) to automate this process. The one disadvantage with this approach is that the source of the message (namely, you) gets stripped off. We might want to think about changing our remailers to have a non-anonymous remailing command as well as an anonymous one. This way you could have "local" privacy from any sysop who snoops on your mail going out, while still making it easy for people to reply to you. Hal From shipley at merde.dis.org Fri Jul 9 10:42:12 1993 From: shipley at merde.dis.org (Peter shipley) Date: Fri, 9 Jul 93 10:42:12 PDT Subject: No Subject Message-ID: <9307082128.AA02549@merde.dis.org> -----BEGIN PGP SIGNED MESSAGE----- I suppose this should be added to the the ftp site on soda. -Pete -----BEGIN PGP SIGNATURE----- Version: 2.3 iQBVAgUBLDyRNHynuL1gkffFAQGWigH6A6/aLAoAtJElN++r0qyMyD+aWQTVr7FH gGb8C+4wNozzPAmr+wIpN0oBW7Cti7U1+G4oOW+FMQKdOljAyLJxQA== =cinp -----END PGP SIGNATURE----- ;; ;; ;; From: mpf at theory.lcs.mit.edu (Michael P. Frank) ;; A quick summary: ;; ;; Key Command name Notes ;; ------- ------------------ ---------------- ;; C-c p e pgp-encrypt-region Prompts for recipient's ID. ;; C-c p d pgp-decrypt-region The first time, prompts for your pass phrase. ;; C-c p s pgp-sign-region Ditto. Uses CLEARSIG. ;; C-c p S pgp-sign-and-encrypt-region Doesn't use CLEARSIG. Encrypts also. ;; C-c p v pgp-verify-region Checks signature (in a new window). ;; C-c p p pgp-set-passphrase Sets or changes PGP pass phrase. ;; C-c p c pgp-clear-passphrase Erases pass phrase. ;; ;; Thanks are due to Bob Anderson for ;; writing a very helpful explanation of how to do the guts of these ;; commands. However, any bugs are my own. ;; ;; Enjoy! ;; ;; -Mike ;; ;;; ;;; Emacs Support for PGP ;;; ;;; People can see your PGP passphrase if: ;;; * They watch over your shoulder as you type it. (It's not invisible.) ;;; * They do "ps auxww" (SunOS) on your machine while you're ;;; decrypting/signing. ;;; * They type C-h v *pgp-passphrase* in your emacs after you've ;;; entered your passphrase. ;;; ;;; Plus the system suffers from all the normal Unix and X-windows ;;; security holes. ;;; (defun pgp-set-passphrase (arg) "Prompts for PGP pass phrase." (interactive "sPGP pass phrase: ") (setq *pgp-passphrase* arg)) (defun pgp-clear-passphrase () "Clears the PGP pass phrase." (interactive) (makunbound '*pgp-passphrase*)) (defun pgp-encrypt-region (start end pgp-user-id &optional flag) "Encrypt the region using PGP. Prompts for a PGP user ID. With prefix arg, puts result in serparate window. Noninteractive args are START, END, PGP-USER-ID, and optional FLAG." (interactive "r\nsUser ID to encrypt to: \nP") (shell-command-on-region start end (concat "pgp -fea " pgp-user-id) (not flag))) (defun pgp-decrypt-region (start end &optional flag) "Decrypt the region using PGP. Prompts for the user's pass phrase, if not already known. With prefix arg, puts result in separate window. Noninteractive args are START and END and optional FLAG." (interactive "r\nP") (if (not (boundp '*pgp-passphrase*)) (call-interactively 'pgp-set-passphrase)) (shell-command-on-region start end (concat "pgp -f -z \"" *pgp-passphrase* "\"") (not flag))) (defun pgp-sign-and-encrypt-region (start end pgp-user-id &optional flag) "Sign and encrypt the region using PGP. Prompts for a user to encrypt to and a pass phrase, if not already known. With prefix arg puts result in separate window. Noninteractive args are START, END, and PGP-USER-ID, and optional FLAG." (interactive "r\nsUser ID to encrypt to: \nP") (if (not (boundp '*pgp-passphrase*)) (call-interactively 'pgp-set-passphrase)) (shell-command-on-region start end (concat "pgp -safe " pgp-user-id " -z \"" *pgp-passphrase* "\"") (not flag))) (defun pgp-sign-region (start end &optional flag) "Sign the region using PGP. Prompts for a pass phrase, if not already Known. With prefix arg puts result in separate window. Noninteractive args are START and END and optional FLAG." (interactive "r\nP") (if (not (boundp '*pgp-passphrase*)) (call-interactively 'pgp-set-passphrase)) (shell-command-on-region start end (concat "pgp -saft +clearsig=on" " -z \"" *pgp-passphrase* "\"") (not flag))) (defun pgp-verify-region (start end) "Verify the signature on the text in the given region using PGP." (interactive "r") (shell-command-on-region start end "pgp -f")) (global-set-key "\C-cpp" 'pgp-set-passphrase) (global-set-key "\C-cpc" 'pgp-clear-passphrase) (global-set-key "\C-cpe" 'pgp-encrypt-region) (global-set-key "\C-cpd" 'pgp-decrypt-region) (global-set-key "\C-cps" 'pgp-sign-region) (global-set-key "\C-cpS" 'pgp-sign-and-encrypt-region) (global-set-key "\C-cpv" 'pgp-verify-region) From eichin at cygnus.com Fri Jul 9 11:05:19 1993 From: eichin at cygnus.com (Mark Eichin) Date: Fri, 9 Jul 93 11:05:19 PDT Subject: emacs stuff In-Reply-To: <9307082128.AA02549@merde.dis.org> Message-ID: <9307091804.AA03813@cygnus.com> >> ;;; * They do "ps auxww" (SunOS) on your machine while you're >> ;;; decrypting/signing. It should be possible, with pgp 2.2, to eliminate this vulnerability. >> ;;; * They type C-h v *pgp-passphrase* in your emacs after you've That's easy to clear optionally. What's hard to clear is "m-x view-lossage" which has the raw characters. (I think emacs should have support for safe reading and clearing, but I don't know if rms would go for it. You'd need an excuse *other* than passwords.) >> ;;; * They watch over your shoulder as you type it. (It's not invisible.) Didn't read-password or read-no-echo ever make it into an emacs release? Here are some ancient bits that I use. _Mark_ MIT Student Information Processing Board Cygnus Support ;; ucbvax!brahms!weemba Matthew P Wiener/UCB Math Dept/Berkeley CA 94720 ;;; GNU Emacs library to read in passwords from the minibuffer ;;; Standard GNU copying privileges apply (setq minibuffer-local-no-echo-map (make-keymap)) (mapcar '(lambda (x) (aset minibuffer-local-no-echo-map (car x) (cdr x))) (cdr minibuffer-local-map)) (let ((i ?\040)) (while (< i ?\177) (aset minibuffer-local-no-echo-map i 'read-char-no-echo) (setq i (1+ i)))) (aset minibuffer-local-no-echo-map ?\177 'delete-char-no-echo) ;; This function squirrels each typed-in character away. (defun read-char-no-echo () (interactive) (setq no-echo-list (append no-echo-list (list (this-command-keys))))) ;; This function erases the last character from the input list. (defun delete-char-no-echo () (interactive) (setq no-echo-list (nreverse (cdr (nreverse no-echo-list))))) ;; This is the function the user actually uses. (defun read-string-no-echo (prompt) "Get a password from the minibuffer, prompting with PROMPT." (let (no-echo-list) (read-from-minibuffer prompt nil minibuffer-local-no-echo-map) (mapconcat 'identity no-echo-list nil))) ;;;;;;;;;;;;;;;;;;;;;This crudity is just for demo!;;;;;;;;;;;;;;;;;;;; (defun read-password () "Prompts for a password, and doesn't echo it, stores it in 'secret'" (interactive) (setq secret (read-string-no-echo "Password: "))) (defun shell-password () "Prompts for password, no echo, and sends it to the shell" (interactive) (process-send-string (get-buffer-process (current-buffer)) (concat (read-string-no-echo "Password: ") "\n"))) From tedwards at wam.umd.edu Fri Jul 9 11:16:43 1993 From: tedwards at wam.umd.edu (technopagan priest) Date: Fri, 9 Jul 93 11:16:43 PDT Subject: Hmm...hardware secure phone? Message-ID: <199307091816.AA09211@rac3.wam.umd.edu> I've been reading up on Codecs. Motorola has the MC145505 PCM Codec which samples at 8khz and the PCM output is at 64kbps. We can then use the MC145532 ADPCM Transcoder to reduce the data stream to 16kbps. With the breaks in spoken languages, perhaps we could get this to compress just enough to go through a 14.4 kbps modem. Anyway, who knows of a DES or RSA chip which will do 16kbps? Then all we need is a microcontroller to run the show, and perform D-H or RSA key exchange. -Thomas From ab357 at freenet.carleton.ca Fri Jul 9 11:30:03 1993 From: ab357 at freenet.carleton.ca (Helena Dang) Date: Fri, 9 Jul 93 11:30:03 PDT Subject: UNSUBSCRIBE ! Message-ID: <9307091828.AA25441@freenet.carleton.ca> Please unsubscribe me. Thanks. -- --------------------------------------------------------------------- | HELENA DANG | hdang at math.carleton.ca | | =)8-> | ab357 at freenet.carleton.ca | --------------------------------------------------------------------- From 76630.3577 at CompuServe.COM Fri Jul 9 12:13:32 1993 From: 76630.3577 at CompuServe.COM (Duncan Frissell) Date: Fri, 9 Jul 93 12:13:32 PDT Subject: Politically Incorrect Sheep Message-ID: <930709190617_76630.3577_EHK5-1@CompuServe.COM> (Sneal) >>>a chance to work a PGP angle into some sensational story that creates a lot of public outcry. Linking PGP to terrorism, drug dealing, or kiddie porn would be a great first step towards getting some laws against "unlicensed cryptography" on the books.<<< Too late. Open systems are beyond the point of no return. Worriers forget the "tipping factor". Once half of the mass of an object is above its center of gravity, it starts to fall over fast. The unsexy bits of the digital revolution - EDI, electronic trading, the quants, the ISO reference model have already worked their wonders and started the tipping process. Perestroika (restructuring) is here to stay. Without PGP, without cypherpunks, without UUNET, without any of it governments would still see their mechanisms of control crumble. Cheap computing and telecoms by themselves are enough to render the nation state technologically obsolete. Read from the bottom up: Anarchists Application Communists or Communication Socialists System Trust Transport Never Network Departments Datalink Police Physical Duncan Frissell ******************************************************************** * DUNCAN FRISSELL Attorney at Law, Writer, and Privacy * * CIS 76630,3577 Consultant since the Nixon * * Internet: Administration * * 76630.3577 at compuserve.com * * or frissell at panix.com * * Easylink 62853962 * * Attmail !dfrissell * * TLX: 402231 FRISSELL NYK * * * * Privacy Checkup still only $29.95. Buy today before price * * controls force me to raise my prices. * * * * Rebecca Schaefer was shot to death on her own doorstep * * because she told the State of California where she lived. * * Don't make her mistake. Hire me to teach you to guard * * your privacy. * * * ******************************************************************** -----BEGIN PGP PUBLIC KEY BLOCK----- Version: 2.2 mQCNAirtsUkAAAEEAN4wvnp5CE1ZUyqq8HnBDk78WP9WpyIFbINw/qvDxRGHPK4e JFR7XBaMnd3Ek0x8c20syHwPVNrDUpdgRmJzperbNTeaS1lof4npfR8kPnGJ3wvv wJtIXSM+4ePDy+pfGQkyY+Y0qJEbBTxYNW01ciMrVS2Uac5C3YVO4r4sgSPhAAUR tCtEdW5jYW4gRnJpc3NlbGwgPDc2NjMwLjM1NzdAY29tcHVzZXJ2ZS5jb20+ =I88k -----END PGP PUBLIC KEY BLOCK----- From newsham at wiliki.eng.hawaii.edu Fri Jul 9 12:19:02 1993 From: newsham at wiliki.eng.hawaii.edu (Timothy Newsham) Date: Fri, 9 Jul 93 12:19:02 PDT Subject: Hmm...hardware secure phone? In-Reply-To: <199307091816.AA09211@rac3.wam.umd.edu> Message-ID: <9307091918.AA03899@toad.com> > > > I've been reading up on Codecs. Motorola has the MC145505 PCM Codec > which samples at 8khz and the PCM output is at 64kbps. We can then > use the MC145532 ADPCM Transcoder to reduce the data stream to > 16kbps. With the breaks in spoken languages, perhaps we could get > this to compress just enough to go through a 14.4 kbps modem. > > Anyway, who knows of a DES or RSA chip which will do 16kbps? > Then all we need is a microcontroller to run the show, and > perform D-H or RSA key exchange. > > -Thomas > with a DSP chip you can compress voice down to the 4.8kbps to 9.6kbps range with CELP the 400 bps to 4800 bps range with LPC If you have enough cycles and memory left over afterwards you can do DES on the same DSP (depending on which brand you choose this may or may not be feasible). If you are using a host computer the computer can do DES and framing for you. From eichin at cygnus.com Fri Jul 9 12:20:15 1993 From: eichin at cygnus.com (Mark Eichin) Date: Fri, 9 Jul 93 12:20:15 PDT Subject: Hmm...hardware secure phone? In-Reply-To: <199307091816.AA09211@rac3.wam.umd.edu> Message-ID: <9307091919.AA05781@cygnus.com> >> Anyway, who knows of a DES or RSA chip which will do 16kbps? >> Then all we need is a microcontroller to run the show, and (kbits? kbytes?) Well, a quick check of some C code gets me 200Kbytes[*] (1.6Mbits) per second on a SparcStation ELC. I'll have numbers for the i960 microcontroller[**] later this weekend -- you might be able to have the microcontroller do the encryption too :-) _Mark_ [*] That's 50,000 calls to des_ecb_encrypt and 50,000 calls to des_ecb_decrypt, so 100K ecbs, each ecb is 8 bytes, so that's 800K bytes, and it took 3.98 user CPU seconds, so that's 200K bytes. Yep, the math checks. Compiler: Solaris gcc -O (a few months old); DES code: Ferguson's, as folded into Kerberos 4. [**] Yeah, it's marketed as a microcontroller. If you put it in a toaster, you wouldn't need a heating element. Still, it's part of the background for my talk at the Embedded Systems conference in October on "Security Issues in Embedded Networking". From newsham at wiliki.eng.hawaii.edu Fri Jul 9 12:25:19 1993 From: newsham at wiliki.eng.hawaii.edu (Timothy Newsham) Date: Fri, 9 Jul 93 12:25:19 PDT Subject: encrypted email software In-Reply-To: Message-ID: <9307091925.AA04151@toad.com> > > > DES isnt secure? And where was it that you got this precious > > little piece of information? > > > You mean to tell me you believe what your government tells you about DES? > Come on now! It's been public knowledge for quite some time that the NSA > has a backdoor to DES and the FBI and other agencys know it. Its public knowledge? were's the proof? Not one academic researcher has found it (and lived to publish about it). On the other hand some very respectable cryptographers have been able to show that the design critereon has made for very well chosen parameters. The FBI has shown that they dont know a backdoor in DES or at least they wont use it against suspects. There have been cases were data was encrypted with DES and the suspect refused to turn over the keys. > > I certainly hope you were kidding! > > -- > Bob Tannen > Borland International > 1800 Greenhills Rd. > Scotts Valley, CA. 95066 > > rtannen at borland.com > RTANNEN @ BORLAND (MHS) > From 76630.3577 at CompuServe.COM Fri Jul 9 12:39:33 1993 From: 76630.3577 at CompuServe.COM (Duncan Frissell) Date: Fri, 9 Jul 93 12:39:33 PDT Subject: Subject Message-ID: <930709174934_76630.3577_EHK67-1@CompuServe.COM> (Tim May) >>>more and more universities are using the "sexual harassment" laws/codes to stop certain newsgroups, to halt the distribution of sexually oriented images, and to take disciplinary action against students (mostly male) who have put GIFs on their computers or workstations (apparently female students who walk past an office in which female models are used as startup screens have decided they are being "sexually assaulted" or "harassed").<<< Here is a free sample of my legal drafting skills. Post this notice and you will be immune: ***************************************************************************** NOTICE All speeches, writings, representations, or actions constituting symbolic speech; made, produced, or performed by me which are believed by anyone to be; or which are held by any person or organization to be; RACIAL, SEXUAL, OR ANY OTHER FORM OF HARASSMENT were made, produced, or performed by me with the specific intent to return the legal status of the person to whom they were directed to that legal status which they would have enjoyed prior to the year 1900. Such speech, writing, representation, or action constituting symbolic speech; is thus POLITICAL SPEECH and is absolutely protected by the First Amendment to the United States Constitution. Therefore, No government agency or private institution acting under the orders of any government agency can legally punish me for such speech, writing, representation, or action constituting 8 symbolic speech. ****************************************************************************** Make it clear that any move against you will cause you to wheel on in to federal court and sue their rear ends. Also if your attacker is "of the Left" say: "Look thousands of American boys died to save the world from commie scum like you. If I have to put up with persons of *your* ilk, then you have to put up with *my* personal peculiarities as well." They tend to leave you alone after that. "Kids don't try this until you've been to law school." In any case, net censorship is ridiculous when I can open 25 accounts per day with Email access to Internet. Duncan Frissell ******************************************************************** * DUNCAN FRISSELL Attorney at Law, Writer, and Privacy * * CIS 76630,3577 Consultant since the Nixon * * Internet: Administration * * 76630.3577 at compuserve.com * * or frissell at panix.com * * Easylink 62853962 * * Attmail !dfrissell * * TLX: 402231 FRISSELL NYK * * * * Privacy Checkup still only $29.95. Buy today before price * * controls force me to raise my prices. * * * * In 1870, a German couple registered the birth of their * * little girl with the town clerk. 70 years later, the * * woman that that little girl had become was executed * * because of her parent's actions. Don't let this happen * * to you or your children. Give a gift of privacy this year. * * * ******************************************************************** -----BEGIN PGP PUBLIC KEY BLOCK----- Version: 2.2 mQCNAirtsUkAAAEEAN4wvnp5CE1ZUyqq8HnBDk78WP9WpyIFbINw/qvDxRGHPK4e JFR7XBaMnd3Ek0x8c20syHwPVNrDUpdgRmJzperbNTeaS1lof4npfR8kPnGJ3wvv wJtIXSM+4ePDy+pfGQkyY+Y0qJEbBTxYNW01ciMrVS2Uac5C3YVO4r4sgSPhAAUR tCtEdW5jYW4gRnJpc3NlbGwgPDc2NjMwLjM1NzdAY29tcHVzZXJ2ZS5jb20+ =I88k -----END PGP PUBLIC KEY BLOCK----- From pmetzger at lehman.com Fri Jul 9 12:43:35 1993 From: pmetzger at lehman.com (Perry E. Metzger) Date: Fri, 9 Jul 93 12:43:35 PDT Subject: encrypted email software In-Reply-To: <9307091925.AA04151@toad.com> Message-ID: <9307091941.AA00142@snark.shearson.com> Timothy Newsham says: > > > > > DES isnt secure? And where was it that you got this precious > > > little piece of information? > > > > > You mean to tell me you believe what your government tells you about DES? > > Come on now! It's been public knowledge for quite some time that the NSA > > has a backdoor to DES and the FBI and other agencys know it. > > Its public knowledge? > were's the proof? > Not one academic researcher has found it (and lived to publish > about it). 100% correct. Although DES is likely breakable by brute force, that can only be done at tremendous expense. The back door notion, although still possible, is now not believed to be true. Perry From thug at phantom.com Fri Jul 9 12:47:23 1993 From: thug at phantom.com (Murdering Thug) Date: Fri, 9 Jul 93 12:47:23 PDT Subject: Hmm...hardware secure phone? In-Reply-To: <199307091816.AA09211@rac3.wam.umd.edu> Message-ID: > I've been reading up on Codecs. Motorola has the MC145505 PCM Codec > which samples at 8khz and the PCM output is at 64kbps. We can then > use the MC145532 ADPCM Transcoder to reduce the data stream to > 16kbps. With the breaks in spoken languages, perhaps we could get > this to compress just enough to go through a 14.4 kbps modem. How about just feeding the 16kbps stream to either a DES chip or a microcontroller programmed for IDEA encryption/decryption? And don't even bother with 14.4. Zyxel modems can do 16.8 & 19.2kbps full duplex. But Zyxel's modulation is proprietary. A new standard called v.32terbo has emerged which standardizes 16.8 and 19.2 modulation - I believe some of AT&T's new modems support v.32terbo. Down the road a bit 21.6, 24.4 & 28.8 modulation (v.FAST) will be more common. The way I see it, the hassle of squeezing 16kbps into a 14.4kbps bandwidth pipe is not worth the agrivation when you can pipe it straight into a Zyxel or v.32terbo modem right now. > Anyway, who knows of a DES or RSA chip which will do 16kbps? They all do, some chips even go as high as several megabits per second for DES. I don't know of any chips that do RSA though. > Then all we need is a microcontroller to run the show, and > perform D-H or RSA key exchange. Exactly. --- thug at phantom.com From jet at nas.nasa.gov Fri Jul 9 12:57:52 1993 From: jet at nas.nasa.gov (J. Eric Townsend) Date: Fri, 9 Jul 93 12:57:52 PDT Subject: anonymous mail In-Reply-To: Message-ID: <9307091957.AA07710@boxer.nas.nasa.gov> nobody at entropy.linet.org writes: > that somebody can get fired for views expressed in a private > e-list, which probably extrapolates to USENET posting as well. > Apparently, Mr. Steshenko forgot to include the "disclaimer: my > opinions" with his email. Apparently, Mr. Steshenko thought it was appropriate to use company resources for non-company activities. On top of that, those activities misrepresented the company. Steshenko's firing is something all the libertarians on this list should applaud. From peb at PROCASE.COM Fri Jul 9 14:12:35 1993 From: peb at PROCASE.COM (Paul Baclace) Date: Fri, 9 Jul 93 14:12:35 PDT Subject: anonymous mail Message-ID: <9307092112.AA07438@banff.procase.com> >Apparently, Mr. Steshenko thought it was appropriate to use company >resources for non-company activities. Use of phone, desk, email, bathroom, grounds, chairs, kitchen, are all company facilities that are necessary for working for a company, but it is widely accepted that they can also be used personally as perks. At the extreme of a perk-that-is-necessary is "calling your doctor". This is not company business, but if you can't make such calls at the office, you end up working less in order to get around such restrictions. The other extreme is something that takes up company resources due to purely individual convenience: posting to usenet for personal business. This can be done via a private account and does not have to be done from the office, but many companies allow this because they also expect people to work overtime for free and this keeps them at work. Depending upon many factors at a company, the amount of perk usage allowed varies. Some companies have policies about this while others do not. I think the reason no policy exists in many places is that defining it is a form of encouragement (like saying you have exactly 5 sick days a year, and they don't carry over to the next; this causes people to call in sick even when they are not. One company I worked for took sick days out of your vacation days (but you got more vacation days than was ordinary); this encouraged honesty, but also led to sick people coming to work). > On top of that, those activities misrepresented the company. This gets into the disclaimer bit. I *never* assume a person is speaking for the company unless they are making a product announcement; for anything else, it is fairly easy to see that postings are personal (even if they regard business related subjects like commendts about the quality of particular software). It would be far easier for everyone to assume that no messages represent the company, board of directors, etc., unless explicitly stated as such, simply because official messages are rare and personal/unofficial ones are frequent. >Steshenko's firing is something all the libertarians on this list >should applaud. The cost of accounting/surveillance/policing/ill-will must be balanced with the benefits of having a trusting/open/honest/self-policed-perks policy; this is a tradeoff all organizations must make and has nothing to do with free markets. Libertarian thought doesn't say anything about this tradeoff, except that governments shouldn't coerce a company into a particular position. Paul E. Baclace peb at procase.com From remail at tamsun.tamu.edu Fri Jul 9 14:21:52 1993 From: remail at tamsun.tamu.edu (remail at tamsun.tamu.edu) Date: Fri, 9 Jul 93 14:21:52 PDT Subject: REMAILER: really anon? Message-ID: <9307092121.AA24627@tamsun.tamu.edu> If you can trace the origin (sender) of this message please send me mail personally rather than to the list. I'm using my favorite remailer here and I want to make sure it's working right. I have sent mail to the below sites as a test for anonymous remailing returns and to see what headers I get back. It has been maybe 4 days now since I began this experiment, some of the sites below have still not remailed my test message. My main curiosity in this quest is to determine what each header will look like when the mail is recieved. I think this is important in determining which remailer to use. The below is the list of remailers with the "unique header to remailer" info below each site number. If you wish to discuss this matter further, please send a follow up message to the cypher list with your address included and "Re: Unique header". I'm really not too concerned about remaining anonymous (that is, I will come out of hiding), I just want to see if this scheme is really airtight! Thanks! -z **Please take note of remailer 12 of this list.** The typical header received looks similar to the below: (I have removed the date, time, etc. to protect my privacy) >From rebma!remailer at kksys.mn.org Thu Jul x 00:38:01 1993 Received: by ahost.some.school.edu (5.57/Ultrix3.0/cc-ix.mc-1.5) id AA02491; Thu, x Jul 93 19:00:54 -0500 Received: from kksys.mn.org by uum1.mn.org with bsmtp (Smail3.1.28.1 #3) id m0oE6Du-00007JC; Thu,x Jul 93 00:21 CDT Received: from rebma by kksys.mn.org with uucp (Smail3.1.28.1 #13) id m0oE5jG-0007TsC; Thu,x Jul 93 00:50 CDT Received: by rebma.rebma.mn.org (Smail3.1.28.1 #1) id m0oE6nS-0002CzC; Thu, 8 Jul 93 17:58 PDT Message-Id: Date: Thu, x Jul 93 17:58 PDT To: me at myhost.some.school.edu From: nobody at rebma.rebma.mn.org Subject: 9 Remailed-By: Mr. Nobody Status: O =========This is where the list of remailers begins=========== *** Please keep in mind that in the below I included only the "unique to *** remailer" parts of the header.*** 1: nowhere at bsu-cs.bsu.edu From: Anonymous To: omitted X-Remailed-By: Anonymous X-Ttl: 0 X-Notice: This message was forwarded by a software- automated anonymous remailing service. 2: hh at cicada.berkeley.edu From: nobody at cicada.berkeley.edu 3: hh at pmantis.berkeley.edu No response after 4 days 4: hh at soda.berkeley.edu From: nobody at soda.berkeley.edu Remailed-By: Eric Hollander 5: 00x at uclink.berkeley.edu From: nobody at uclink.berkeley.edu Remailed-By: Tommy the Tourist 6: hal at alumni.caltech.edu From: nobody at alumni.cco.caltech.edu Comments: This message is NOT from the person listed in the From line. It is from an automated software remailing service operating at that address. Please report problem mail to . 7: ebrandt at jarthur.claremont.edu From: nobody at eli-remailer Remailed-By: Eli Brandt Source-Info: From (or Sender) name not authenticated. 8: phantom at mead.u.washington.edu No response after 4 days 9: remailer at rebma.mn.org (this reply took almost 3+ days!) From: nobody at rebma.rebma.mn.org Remailed-By: Mr. Nobody 10: elee7h5 at rosebud.ee.uh.edu From: nobody at rosebud.ee.uh.edu 11: hfinney at shell.portal.com From: nobody at shell.portal.com Comments: This message is NOT from the person listed in the From line. It is from an automated software remailing service operating at that address. Please report problem mail to . 12: remail at tamsun.tamu.edu From: remail at tamsun.tamu.edu Remailed-By: Anonymous Received: by tamsun.tamu.edu id AA04104 (5.65b/IDA-1.4.3 for you at yourhost); Tue, 6 Jul 93 04:15:57 -0500 you at yourhost = your address! ...really! 13: remail at tamaix.tamu.edu From: remail at tamsun.tamu.edu Remailed-By: Anonymous 14: remailer at utter.dis.org Received: by soda.berkeley.edu (5.65/KAOS-1) id AA13859; Tue, 6 Jul 93 03:09:09 -0700 Received: by merde.dis.org (4.1/SMI-4.2) id AA04354; Tue, 6 Jul 93 03:11:48 PDT From: nobody at dis.org Remailed-By: remailer bogus account 15: remail at extropia.wimsey.com No response after 4 days NOTES: #1-#5 no encryption of remailing requests #6-#14 support encrypted remailing requests #15 special - header and message must be encrypted together #9,#14,#15 introduce larger than average delay (not direct connect) #9,#14,#15 running on privately owned machines From nick at martigny.ai.mit.edu Fri Jul 9 15:06:01 1993 From: nick at martigny.ai.mit.edu (Nick Papadakis) Date: Fri, 9 Jul 93 15:06:01 PDT Subject: Can FBI/NSA break DES? In-Reply-To: <9307091925.AA04151@toad.com> Message-ID: <9307092205.AA08207@toad.com> > The FBI has shown that they dont know a backdoor in DES or at least > they wont use it against suspects. For what it is worth, an FBI agent here in Boston once told me a story (over lunch) about a drug case involving a seized PC with DES encrypted files. The FBI folks called up "some friends" at NSA, who were able to decrypt the files. They couldn't use the info in court (since that would reveal what the NSA could do), but the information was valuable to them nonetheless. Now, I don't know whether to believe this or not. There was at least one interesting detail/inconsistency in the story (he mentioned that when they got the PC back from NSA they were somehow able to tell by examining some file-modification times that the decrypt had taken 12 minutes. It's not immediately obvious to me why this would be so.) The guy who told me the story isn't particularly technical; neither is he totally non-technical (at one point he told another story about how difficult it is to explain hexadecimal to a jury.) I don't think he would be above a little desinformatsiya. I don't see what he would gain from it, other than appearing to be more technical/powerful/in-the-know than he really is. That NSA can break DES is widely suspected, even if unproved. Cheers, - nick P.s. The truly funny postscript to this story is that halfway through the aforementioned lunch with this FBI fellow, I looked down and realized I was wearing one of the hack LOD T-Shirts. After I finished choking on my biriyani, he wanted to know where *he* could get one ... From mike at EGFABT.ORG Fri Jul 9 15:47:08 1993 From: mike at EGFABT.ORG (Mike Sherwood) Date: Fri, 9 Jul 93 15:47:08 PDT Subject: encrypted email software In-Reply-To: <9307091941.AA00142@snark.shearson.com> Message-ID: "Perry E. Metzger" writes: > 100% correct. Although DES is likely breakable by brute force, that > can only be done at tremendous expense. The back door notion, although > still possible, is now not believed to be true. People first thought there was a back door because they wouldn't release enough info on the algorithm to give people a chance to see if they trusted it or not. After it was all common knowledge, people examined it and came to the conclusion that it was secure, though questions are still around about why it was changed from 64 bit to 56 bit, which is also why it is believed that the NSA has computers that can break it by brute force in a reasonable amount of time, but nevertheless it is a brute force attack. That's how I've heard (from various sources) the whole story with DES goes, and it seems like a reasonable one. -- Mike Sherwood internet: mike at EGFABT.ORG uucp: ...!sgiblab!egfabt!mike From eichin at cygnus.com Fri Jul 9 16:04:58 1993 From: eichin at cygnus.com (Mark Eichin) Date: Fri, 9 Jul 93 16:04:58 PDT Subject: encrypted email software In-Reply-To: Message-ID: <9307092304.AA14157@cygnus.com> >> it and came to the conclusion that it was secure, though questions are >> still around about why it was changed from 64 bit to 56 bit, ... Didn't someone figure out a way that the 64 bit version would be more vulnerable to differential cryptanalysis (which was known to IBM as the "sliding attack" back when DES was being developed) than the 56 bit one was? And I've heard indications that the predecessor "Lucifer" at 128 bits had some trivial "meet-in-the-middle" attack that left it at least as weak as 64 bits. The only "backdoor" concept I've heard which had a technical basis behind it was a few years back, when some researcher figured out a way to *produce* S-boxes with particular types of holes, and concluded that it was impossible to identify if the holes where there or not unless you knew the precise formulation... I think it even had a two-of-three challenge, ie, published 3 sets of s-boxes, one or two of which were "trapped" in this way, as a challenge for people to find methods of locating them. (The technical basis stops there -- the psychological or political question that follows is "did NSA/IBM know about this technique? Assuming they did, did they choose the s-boxes with or without holes?") _Mark_ MIT Student Information Processing Board Cygnus Support From honey at citi.umich.edu Fri Jul 9 18:44:20 1993 From: honey at citi.umich.edu (peter honeyman) Date: Fri, 9 Jul 93 18:44:20 PDT Subject: encrypted email software In-Reply-To: Message-ID: <9307100144.AA14701@toad.com> > People first thought there was a back door because they wouldn't release > enough info on the algorithm to give people a chance to see if they > trusted it or not. not the algorithm, which was public from the start, but the rationale behind the selection of its parameters. > After it was all common knowledge, people examined > it and came to the conclusion that it was secure, the rationale remains classified; some people question nsa's motivation in keeping that aspect of des secret. i believe nsa keeps it secret to avoid teaching potential (or imaginary) adversaries advanced cryptographic techniques. (and also because keeping secrets is what nsa is all about. they seem to be very, very good at it.) > though questions are > still around about why it was changed from 64 bit to 56 bit, you mean 112 -> 56. this has been resolved -- it seems that longer keys don't impose any additional complexity on des attacks. although these attacks were discovered by the open crypto community only a few years ago, nsa had these techniques in hand long before. the bottom line is that additional key bits would not make des more secure. double des or triple des do. > which is > also why it is believed that the NSA has computers that can break it by > brute force in a reasonable amount of time, but nevertheless it is a > brute force attack. it has long been believed that a dedicated des-cracker is within the budget of extremely well financed organizations. > That's how I've heard (from various sources) the whole story with DES > goes, and it seems like a reasonable one. your story is pretty close to the spin i'm familiar with. peter From miron at extropia.wimsey.com Fri Jul 9 19:50:39 1993 From: miron at extropia.wimsey.com (Miron Cuperman) Date: Fri, 9 Jul 93 19:50:39 PDT Subject: REMAILER: really anon? In-Reply-To: <9307092121.AA24627@tamsun.tamu.edu> Message-ID: <1993Jul10.015524.18877@extropia.wimsey.com> Somebody writes: >15: remail at extropia.wimsey.com >No response after 4 days Tell me the originating email address, and I'll check the logs. BTW, if you want error reporting, subscribe to the error list as described earlier this week. Miron From wcs at anchor.ho.att.com Fri Jul 9 22:39:16 1993 From: wcs at anchor.ho.att.com (wcs at anchor.ho.att.com) Date: Fri, 9 Jul 93 22:39:16 PDT Subject: Can FBI/NSA break DES? Message-ID: <9307100423.AA16160@anchor.ho.att.com> Nick's story of the FBI agent telling him about having the NSA crack DES files found on a PC in a drug case could of course be the agent pulling his leg, but it could perfectly well be true. After all, brute-force may not work well for searching 2**56 randomly- generated session keys, but it's just fine for searching a million or so easy-to-remember short stupid keys from dictionaries and such. It's even faster if you augment your dictionary with the filenames on the machine, first names of stupid people and the victim's friends, family, customers, etc. If Crack can do a good job finding root passwords for computer-literate sysadmins, it ought to be pretty good at finding passwords for semi-literate folks as well. Bill # Bill Stewart wcs at anchor.ho.att.com +1-908-949-0705 Fax-4876 # AT&T Bell Labs, Room 4M-312, Crawfords Corner Rd, Holmdel, NJ 07733-3030 From jpp at markv.com Fri Jul 9 23:15:55 1993 From: jpp at markv.com (jpp at markv.com) Date: Fri, 9 Jul 93 23:15:55 PDT Subject: Secure comm program, Sockets + LINK In-Reply-To: <9306090653.AA23961@triton.unm.edu> Message-ID: <9307092314.aa24145@hermix.markv.com> Supose you opened up a socket on the local machine. And that you ran your usual telnet to connect to it. The program listening on the local socket would be responsible for running one end of a 'LINK' like secure protocol. It would connect to either the remote telnet socket, or a special purpose socket at the remote end. There either you can use a pipe to a pty (standard telnet -> login shell -> LINK -> pty), or in a special socket through LINK out the telnet socket. (There is an obvious extention with multiple hops through LINK-socket programs which should provide the same kind of anonymity that is provided by the CP remailers.) In this way, the data passing over the (presumed unsecure) net connection (which might well be slip) is encrypted. I am presuming that both the local and remote kernels are 'secure' enough that you would want to use them. The upside is that you get to use 'comercial grade' telnet==comm programs. Of course this stratagy is no use for folks who don't have sockets on both ends of the channel. It is also likely to be obsoleted as soon as secure-ip gets out. Some ambitious sole might want to try the analogous stratagy where a local pseudo-serial-device is created in software, thus again getting 'comercial grade' comm==telnet programs. I sugest this stratagy, because it is one I am concidereing under MS Windows. I have a telnet which is acceptable, I have slip, and I have the source to LINK, so... (local-telnet) --kernel--> (local-LINK-SOCKET) ----unsecure-network---+ | (remote-telnet) <--kernel-- (remote-LINK-SOCKET) <--+ | (remote-pty) <--kernel-- (remote-LINK) <--kernel-- (remote-telnet) <--+ Infact it would be nice to see some socket (perhaps 32?) become the standard for the secure telnet service. Meanwhile, I did peruse the LINK source and am a little unhappy with the actual protocol used in setting up the secure channel. It is only authenticated in one direction, rather than both (as I understand it). I would like to see two way authentication, and (perhaps) Diffe-Helman key exchange. j' From geoffw at nexsys.net Sat Jul 10 00:13:07 1993 From: geoffw at nexsys.net (Geoff White) Date: Sat, 10 Jul 93 00:13:07 PDT Subject: 738 ANS CO+RE Security to Use RSA Public Key Cryptography Message-ID: <9307100703.AA27907@nexsys.nexsys.net> --X- ANS CO+RE Security to Use RSA Public Key Cryptography ----------------------------------------------------------------------------- Contacts: ANS CO+RE Systems Inc. RSA Data Security Inc. Carol Harvey, Public Affairs Kurt Stammberger, Technology Marketing 703/758-7700 415/595-8782 harvey at ans.net kurt at rsa.com ANS CO+RE's Security Services to Incorporate RSA Public Key Cryptography REDWOOD CITY, CA and ELMSFORD, NY -- ANS CO+RE Systems Inc. announced major new extensions to its advanced InterLock family of security services. The new features focus around the incorporation of RSA Data Security Inc.'s Public Key Cryptosystem. RSA's techniques are widely acknowledged as being the most secure means of data encryption and authentication available today. InterLock is a suite of security services that control access among segments of an enterprise's private IP network and/or among multiple enterprises that communicate over a IP private network. InterLock also controls access between private networks and the public Internet. In addition to RSA key exchange- enabled end-to-end encryption, InterLock services include TELNET, FTP, SMTP, X windows, and NNTP. Network access is controlled by a rule base that can be configured for each user according to userid, network service, inbound/outbound connection, time of day, day of week, public/private network and/or host address, authentication method and enforced encryption. ANS CO+RE developed the new product with RSA's BSAFE 2.0 toolkit, the world's best-selling cryptography software developer's kit. BSAFE is the same toolkit that served as the encryption "engine" for the developers of Novell NetWare 4.0, Lotus Notes, WordPerfect InForms and Fischer International Workflow.2000. BSAFE provides an easy path towards integration of state-of- the-art encryption and digital signature technology -- without requiring the developer to have a background in cryptography or number theory. RSA security technology is a standard on the Internet, the world's largest network, and on the secure networks of businesses and financial institutions worldwide. RSA president Jim Bidzos, commenting on the deal, said, "As the Internet grows, more and more confidential and mission-critical data is flowing over it -- unfortunately, the open nature of the Internet makes that information relatively easy to steal, alter or forge. The RSA-based Internet PEM (privacy-enhanced mail) standards have provided a good start by offering secure messaging capabilities to Internet users -- but now any IP user can get a complete network security implementation, with RSA built right in, with ANS CO+RE InterLock." Al Hoover, VP of Information and Applications for ANS CO+RE stated, "We've been looking to incorporate a public-key based key management system that is both as advanced as the other InterLock services and easy to integrate. RSA's Public Key Cryptography fills that need perfectly, and we will be pleased to offer it to our customers beginning in the fourth quarter of this year. It represents our continuing efforts to build on our foundation of quality security services." RSA Data Security Inc. is a recognized world leader in cryptography. The Company develops and markets software developer's kits, end-user products, and provides comprehensive consulting services in the cryptographic sciences. RSA technology has been embedded in the products of companies such as IBM, Apple Computer, DEC, Microsoft, Sun Microsystems, Novell, Lotus, Motorola, Northern Telecom, AT&T, WordPerfect, Fischer International, General Electric, Hughes and many others. Founded in 1982 by the inventors of the patented RSA Public Key Cryptosystem, the company is headquartered in Redwood City, California. ANS CO+RE Systems, Inc. is a wholly owned subsidiary of Advanced Network & Services, Inc. of Elmsford, NY. In addition to offering network security services, the company markets attachments to its nationwide T3 backbone network, and provides other related support, such as network management outsourcing, network design and engineering, and systems integration. ----------------------------------------------------------------------------- InterLock and the InterLock logo are servicemarks of ANS CO+RE Systems Inc. X Windows is a trademark of the Massachusetts Institute of Technology. The RSA logo and BSAFE are trademarks of RSA Data Security, Inc. Copyright 1993 HPCwire. ----- End Included Message ----- From mdiehl at triton.unm.edu Sat Jul 10 00:35:40 1993 From: mdiehl at triton.unm.edu (J. Michael Diehl) Date: Sat, 10 Jul 93 00:35:40 PDT Subject: encrypted email software In-Reply-To: <9307092304.AA14157@cygnus.com> Message-ID: <9307100735.AA09015@triton.unm.edu> According to Mark Eichin: > > The only "backdoor" concept I've heard which had a technical > basis behind it was a few years back, when some researcher figured out > a way to *produce* S-boxes with particular types of holes, and > concluded that it was impossible to identify if the holes where there > or not unless you knew the precise formulation... I think it even had > a two-of-three challenge, ie, published 3 sets of s-boxes, one or two > of which were "trapped" in this way, as a challenge for people to find > methods of locating them. (The technical basis stops there -- the > psychological or political question that follows is "did NSA/IBM know > about this technique? Assuming they did, did they choose the s-boxes > with or without holes?") Could someone tell me what an s-box is? Thanx in advance. +-----------------------+-----------------------------+---------+ | J. Michael Diehl ;-) | I thought I was wrong once. | PGP KEY | | mdiehl at triton.unm.edu | But, I was mistaken. |available| | mike.diehl at fido.org | | Ask Me! | | (505) 299-2282 +-----------------------------+---------+ | | +------"I'm just looking for the opportunity to be -------------+ | Politically Incorrect!" | +-----If codes are outlawed, only criminals wil have codes.-----+ +----Is Big Brother in your phone? If you don't know, ask me---+ From jim at tadpole.com Sat Jul 10 03:08:23 1993 From: jim at tadpole.com (jim at tadpole.com) Date: Sat, 10 Jul 93 03:08:23 PDT Subject: Secure comm program, Sockets + LINK Message-ID: <9307101007.AA22836@ono-sendai> > Supose you opened up a socket on the local machine. And that you > ran your usual telnet to connect to it. The program listening on the > local socket would be responsible for running one end of a 'LINK' like > secure protocol. It would connect to either the remote telnet socket, > or a special purpose socket at the remote end. There either you can > use a pipe to a pty (standard telnet -> login shell -> LINK -> pty), > or in a special socket through LINK out the telnet socket. (There is > an obvious extention with multiple hops through LINK-socket programs > which should provide the same kind of anonymity that is provided by > the CP remailers.) This is the kind of thing which is just perfect for a streams-based tty/networking environment. Create a streams module that implements Link and DH key excng. Push it on your tty stream at both ends. Works over modems, telnet/rlogin, what-have-you. A similar module could be created to sit below the IP module in SVRx-based Un*xes. > It is also likely to be obsoleted as soon as secure-ip gets out. And once the vendors for both endpoints update to it. Could be a while. > Infact it would be nice to see some socket (perhaps 32?) become the > standard for the secure telnet service. I think it would be much better to develop something that will work with the current port numbers, else we stand a good chance of asking for a 'new' secure port foreach well-known service. (Secure SMTP, Secure ftp-cmd, secure ftp-data,...) Jim From fergp at sytex.com Sat Jul 10 08:43:10 1993 From: fergp at sytex.com (Paul Ferguson) Date: Sat, 10 Jul 93 08:43:10 PDT Subject: Racal Datacryptor Message-ID: <0L0g7B1w165w@sytex.com> While looking through my weekly snail after getting home last night, I opened up a advertising card deck put together by Info Security News. One particular advertisement got my attention, which I am going to send for more technical information and perhaps a catalogue. (I have used Racal-Datacom routing, bridging and mux equipment extensively, and all-in-all, they're pretty solid boxes. Caveat: This point, however, has no reflection on the quality of their s-boxes.) Here is the complete text on the postcard: "Encryption You Can Depend On! Racal-Datacom, a world leader in data encryption, offers a full range of high-quality Datacryptor (Registered Trademark) encryptors for use in Government, Banking and Finance, R&D, and any application that needs secure data transmissions! Datacryptor highlights include: - Automatic/manual key changes - Generates and stores up to 400 keys - Easy to manage and program - Centarlized of front-panel operation - Protects Dial-up, Leased Line, or Shared Packet Transmissions - Up to E-1 rates - DES and proprietary algorithms - ANSI X9.17 - FED-STD 1027 - RSA Public Key - And More! For more information on Racal-Datacom Datacryptors, return this card or call 1-800-RACAL-55." The address (should anyone be interested) is: Racal-Datacom ATTN: Pre-Sales Support 155 Swanson Road Boxborough, MA 01719-9980 (The small, black and white picture on the postcard reveals a small box, not unlike an external modem, with two key-locks on the front panel.) Paul Ferguson | "Confidence is the feeling you get Network Integrator | just before you fully understand Centreville, Virginia USA | the problem." fergp at sytex.com | - Murphy's 7th Law of Computing Quis Custodiet Ipsos Custodes? From tango at world.std.com Sat Jul 10 12:04:42 1993 From: tango at world.std.com (john l dowrick) Date: Sat, 10 Jul 93 12:04:42 PDT Subject: unsubscribe Message-ID: <199307101904.AA27017@world.std.com> tango at world.std.com From newsham at wiliki.eng.hawaii.edu Sat Jul 10 12:26:47 1993 From: newsham at wiliki.eng.hawaii.edu (Timothy Newsham) Date: Sat, 10 Jul 93 12:26:47 PDT Subject: encrypted email software In-Reply-To: <9307100735.AA09015@triton.unm.edu> Message-ID: <9307101926.AA08581@toad.com> > > > Could someone tell me what an s-box is? Thanx in advance. The Data Encryption Standard (any many other crypto systems devised since) use a process of substitutions (replacing one block of bits with another) and permutations (re-arranging the bits). This process is iterated a number of times and the key is mixed in at different points. This R This L | | v | [E Expansion] | | | \ | XOR <------------- key for this round (subkey) | | | ----------------------------------- | | | | | | | | | | v v v v v v v v | ========================================= | | S1 | S2 | S3 | S4 | S5 | S6 | S7 | S8 | | ========================================= | | | | | | | | | | ----------------------------------- / | / [P Permutation] / | / \____________________________________/__ | / \ v / \ XOR <----------- | v v Next R Next L This is the basic structure of DES (if I didnt make a mistake, this is from memory). Anyway the basic idea is you take half the key (called L and R for Left and Right, but hey, I'm lysdexic). You put it through an expansion, this just mixes up the order of the bits and duplicates a few of them. Then you XOR it with the sub-key (the Key Generator is not shown). Then you split it up into 8 6-bit chunks and do a table lookup in the S-boxes, each Sbox has 6 inputs and 4 outputs. Then you re-arrange the bits in the P permutation. Finally you XOR that value with the L to get next R, and put the pre-XOR'ed value into the next L. This is 1 iteration and is done 16 times in DES, and 16*25 times in crypt(3). Crypt(3) also has the salt values which cause the swapping of two bits in the E expansion for every salt bit that is set. Before pulling apart the 64 bit input into 2 32 bit halfs (L and R) the data is passed through an Initial Permutation (IP), and at the end of the whole thing passed through (IP^-1) its inverse (this permutation isnt cryptographically that significant). The subkeys are generated by taking the input 56 bits of key, mixing them up and then successively rotating those bits, and passing them through a permutation. It outputs 48 bits of key each iteration to match the 48 bits after the E expansion. I hope I didnt make too many mistakes in the above discussion, but you get the general idea. > +-----------------------+-----------------------------+---------+ > | J. Michael Diehl ;-) | I thought I was wrong once. | PGP KEY | > | mdiehl at triton.unm.edu | But, I was mistaken. |available| > | mike.diehl at fido.org | | Ask Me! | > | (505) 299-2282 +-----------------------------+---------+ > | | > +------"I'm just looking for the opportunity to be -------------+ > | Politically Incorrect!" | > +-----If codes are outlawed, only criminals wil have codes.-----+ > +----Is Big Brother in your phone? If you don't know, ask me---+ From newsham at wiliki.eng.hawaii.edu Sat Jul 10 12:35:48 1993 From: newsham at wiliki.eng.hawaii.edu (Timothy Newsham) Date: Sat, 10 Jul 93 12:35:48 PDT Subject: Secure comm program, Sockets + LINK In-Reply-To: <9307092314.aa24145@hermix.markv.com> Message-ID: <9307101935.AA08791@toad.com> > Meanwhile, I did peruse the LINK source and am a little unhappy with > the actual protocol used in setting up the secure channel. It is only > authenticated in one direction, rather than both (as I understand > it). I would like to see two way authentication, and (perhaps) > Diffe-Helman key exchange. I assume you're talking about the link program I wrote. If so: I never really considered the RSA exchange as authentication although it can be thought of that way I guess. The reason for the RSA part was primarily to exchange a private session key. Only one side initiates the key exchange because of a flaw in the implementation right now (if both send key exchange messages at the exact same time, both ends will end up using different keys). Even though only one end sends a message, both ends must "match up" in that they must both have 1/2 of the RSA key (the "encryption" and "decryption" or "public" and "private" keys). Hence if they end up with the same session key you can consider it a match and hence a sort of authentication I guess. If (when) I implement DH key exchange I guess I should add some sort of authentication. I would like to put DH exchange in but I havent seen (or really looked that hard :) for good DH source. Anyone know of a fast implementation that is public domain (or that I have permission to use) and preferably available outside of the USA already? > > j' > From uri at watson.ibm.com Sat Jul 10 19:05:03 1993 From: uri at watson.ibm.com (uri at watson.ibm.com) Date: Sat, 10 Jul 93 19:05:03 PDT Subject: encrypted email software In-Reply-To: <9307100144.AA14701@toad.com> Message-ID: <9307110204.AA13167@buoy.watson.ibm.com> peter honeyman says: > > still around about why it was changed from 64 bit to 56 bit, > you mean 112 -> 56. this has been resolved -- it seems that longer keys > don't impose any additional complexity on des attacks. although these > attacks were discovered by the open crypto community only a few years ago, > nsa had these techniques in hand long before. the bottom line is that > additional key bits would not make des more secure. double des or triple > des do. Well, first - I believe DES was designed with 64 bit keys in mind, and then due to some technical (unspecified :-) reasons he key was shortened to 56 bits (and 56-bit version was submitted to NBS). While longer key indeed offers little protection against attacks like differential cryptanalysis - it's hard to argue that it can blow brute-force attack out of the water... And I'd be somewhat more concerned about an adversary cracking my DES-encrypted mail via brute force, than tapping my channel and collecting 2^45 of plaintext-ciphertext pairs to deduce my DES [randomly selected] key (:-). N'est pas? > it has long been believed that a dedicated des-cracker is within the budget > of extremely well financed organizations. Well, of course a government (any government :-) could build such a thing... After all, don't they get all those tax money? (:-) -- Regards, Uri uri at watson.ibm.com scifi!angmar!uri N2RIU ----------- From jpp at markv.com Sat Jul 10 19:59:58 1993 From: jpp at markv.com (jpp at markv.com) Date: Sat, 10 Jul 93 19:59:58 PDT Subject: Secure comm program, Sockets + LINK In-Reply-To: <9307101235.aa02134@hermix.markv.com> Message-ID: <9307101959.aa26573@hermix.markv.com> Andrew Betty KCA=Initial key K0 in s/w KCB=Initial key K0 in s/w KCB=Initial key K0 in s/w KCA=Initial key K0 in s/w KCi= KCA + KCB KCi= KCA + KCB KCo= KCA + KCB KCo= KCA + KCB Use KCi for reading, and Use KCi for reading, and KCo for writeing to the KCo for writeing to the chanell for a while chanell for a while Requset a new sesion key Requset a new sesion key DES(KCo,RSA(BP,K1A)) KRB=DES(KCo,RSA(AP,K1B)) \_____________ ______________/ KCi=KCA+KCB \ / KCi=KCB+KCA KCo=K1A+KCB X KCo=K1B+KCA _____________/ \______________ / \ Sevice new key request TA=DES(KCi,KRB) K1B=RSA(AS,TA) KCi=K1A+K1B From jpp at markv.com Sat Jul 10 20:01:28 1993 From: jpp at markv.com (jpp at markv.com) Date: Sat, 10 Jul 93 20:01:28 PDT Subject: Secure comm program, Sockets + LINK In-Reply-To: <9307101235.aa02134@hermix.markv.com> Message-ID: <9307101959.aa26576@hermix.markv.com> Oops, ignore that previous message. It got away from me (*blush*). j' From eichin at cygnus.com Sat Jul 10 20:45:09 1993 From: eichin at cygnus.com (Mark Eichin) Date: Sat, 10 Jul 93 20:45:09 PDT Subject: encrypted email software In-Reply-To: <9307110204.AA13167@buoy.watson.ibm.com> Message-ID: <9307110345.AA10983@cygnus.com> >> Well, first - I believe DES was designed with 64 bit keys in mind, and then they apparently discovered it to be sensitive to the "sliding attack", ie. differential cryptanalysis... >> While longer key indeed offers little protection against attacks >> like differential cryptanalysis - it's hard to argue that it can >> blow brute-force attack out of the water... But isn't the idea differential cryptanalysis *can* blow brute-force out of the water if the algorithm is sensitive to it, and the symmetries that could be introduced by 64-bit DES keying might have made it thus sensitive. It isn't just that extra key "offers little protection", it might actually *weaken* the algorithm. (No, I'm not an expert on DES, but I've followed the net, read the FIPS, read Biham-Shamir, and thought about it a bit for myself.) _Mark_ From remail at tamsun.tamu.edu Sat Jul 10 22:24:09 1993 From: remail at tamsun.tamu.edu (Carlos Macedo Gomes) Date: Sat, 10 Jul 93 22:24:09 PDT Subject: REMAILER: really anon? Message-ID: <9307110524.AA25281@tamsun.tamu.edu> > If you can trace the origin (sender) of this message please send me mail > personally rather than to the list. I'm using my favorite remailer here > and I want to make sure it's working right. [stuff deleted] > My main curiosity in this quest is to determine what each header will look > like when the mail is recieved. I think this is important in determining > which remailer to use. [stuff deleted] > Thanks! > -z > **Please take note of remailer 12 of this list.** 12: remail at tamsun.tamu.edu > From: remail at tamsun.tamu.edu > Remailed-By: Anonymous > > Received: by tamsun.tamu.edu id AA04104 > (5.65b/IDA-1.4.3 for you at yourhost); Tue, 6 Jul 93 04:15:57 -0500 > > you at yourhost = your address! ...really! > > 13: remail at tamaix.tamu.edu > > From: remail at tamsun.tamu.edu > Remailed-By: Anonymous The remailed email from tamsun and tamaix have the same format, but you have interpreted the headers incorrectly. Please note that you at yourhost mentioned above is not the sender's address but rather the recipients address. You might have been confused by this if you were sending and reading from the same account. The mail from tamsun and tamaix IS anonymous. Take a look at this piece of the header for your message to the cypherpunks list: Received: by tamsun.tamu.edu id AA24627 (5.65b/IDA-1.4.3 for cypherpunks at toad.com); Fri, 9 Jul 93 16:21:06 -0500 As you can see you at yourhost as you demarked in your message actually refers to the recepient's address and not the sender's. If I have misunderstood your message, please excuse. I just felt compelled to clear any doubts about the anonymity of these two remailers. Please feel free to reply to me personally if you'd like to get a close look at the remailers. ciao, Carlos -- [ Carlos Macedo Gomes ][ Quis Costodiet ][: .8. :]------ [ gomes at tamu.edu ][ Ipsos Custodes? ][ . ooo . ]000000 [ cmghelp at tamsun.tamu.edu ][ ----------- ][ : =o(Y)o= : ]000000 [ PGP 2.2 key by finger ][30 37 40 N, 96 20 03 W][oo .ooooo. oo]------ From jpp at markv.com Sat Jul 10 22:48:54 1993 From: jpp at markv.com (jpp at markv.com) Date: Sat, 10 Jul 93 22:48:54 PDT Subject: Secure comm program, Sockets + LINK In-Reply-To: <9307101235.aa02134@hermix.markv.com> Message-ID: <9307102248.aa04285@hermix.markv.com> From: Timothy Newsham I assume you're talking about the link program I wrote. Yes, I was talking about your program Link. If so: I never really considered the RSA exchange as authentication although it can be thought of that way I guess. Right. The only person who can participate (on one side) of the exchange is the one with the private key which matches the other side's public key. This does provide a weak level of authentication. (An opponent can record 'authentication' sequences, and replay them later. For this to be usefull, the opponent will have to have discovered the session key which is/was being selected by the sequence.) If (when) I implement DH key exchange I guess I should add some sort of authentication. I was concidering a different authentication, and secret session key selection protocol (the one that got away :>). It would only use RSA (or any other suitable public key system) to sign and check signatures, as well as encrypt and decrypt data. No new number theory. However, it would require both parties to know the public key of the other. This sort of protocol would be ideal for logins. Both parties authenticate the other, and no-one else can read the channel. No passwords are ever transmitted over the channel either. You and I use a "sum" (xor perhaps?) of our two key halves as the session key. At any time one of us can simultaneously request changeing the sesion key, and chalange the identity of the other. To do this, I send you a new key half encrypted under your public key. You respond with a signature of the resulting session key encrypted under my public key. We then start using the new sesion key. At this point both directions are authenticated, and observers can't determin the new sesion key. Things are complicated a little by the fact that all comunication is done under a secret session key. Things also become a bit more complex because there may be data you sent before recieving my key change request. j' From jpp at markv.com Sat Jul 10 22:52:31 1993 From: jpp at markv.com (jpp at markv.com) Date: Sat, 10 Jul 93 22:52:31 PDT Subject: Secure comm program, Sockets + LINK In-Reply-To: <9307101007.AA22836@ono-sendai> Message-ID: <9307102251.aa04501@hermix.markv.com> I agree it is a cleaner design to use streams. But I don't have streams under windows :( so I am not very interested in working on it. I do have sockets though... j' From akcs.brendan at vpnet.chi.il.us Sun Jul 11 09:07:39 1993 From: akcs.brendan at vpnet.chi.il.us (Sex, Drugs, and Rock and Roll) Date: Sun, 11 Jul 93 09:07:39 PDT Subject: No Subject Message-ID: Unsubscribe From root at Cloud.Cuckoo.Land Sun Jul 11 14:26:18 1993 From: root at Cloud.Cuckoo.Land (me) Date: Sun, 11 Jul 93 14:26:18 PDT Subject: PINE Message-ID: One of the many neat features of PINE is that it allows one to talk to the SMTP server _directly_, bypassing sendmail (and its security checks). What this means is that instead of doing a "telnet xxxx smtp", you can build and configure a PINE client to do it for you, and retain all the nice features. PINE source code is freely available, and does not require root privs to run (any more than it requires root privs to "telnet xxx smtp"). The pine executable does take up a Meg and a half though, which could be a problem for folks without a lot of space to play with. Coming down the pike though, I see SMTP, maybe even NNTP protocols being secured (check out the magazine someone mentioned earlier: INFO-SECURITY. You just have to fill out a bingo card to get it, Write:INFO-SECURITY NEWS 498 Concord St, Framingham MA 01701-2357). If that happens, the days of EZ phreaking are over..... From nate at VIS.ColoState.EDU Sun Jul 11 14:28:24 1993 From: nate at VIS.ColoState.EDU (CVL staff member Nate Sammons) Date: Sun, 11 Jul 93 14:28:24 PDT Subject: PGPcompose, a mail wrapper Message-ID: <9307112128.AA15649@vangogh.VIS.ColoState.EDU> -----BEGIN PGP SIGNED MESSAGE----- CypherPunks, I have been looking for a good mailer lately, or at least a mail wrapper to sign and encrypt my mail easily. I was not completely satisfied with the wrappers that I could find, and especially since they mostly need perl. So, in a fit of frustration, I did what any good CypherPunk would do: I wrote one. It is called "PGPcompose" and if you invoke it with a username, it will prompt for the subject, open vi for editing, then ask you if you want to sign the message, and encrypt it (either, or both), then it asks for the key to use for encryption (if you choose to encrypt the message). It will then ask if you want to send, edit, or abort the message. it uses /usr/ucb/mail instead of sendmail, since I could not figure out how to parse the ~/.mailrc file, and since it took less than a few hours to hack out. Anyway, here it is, it's free, so do whatever you want with it. - ---------------------BEGIN PGPcompose------------------- /* "PGPcompose" (comp) -- a replacement for the mail composition */ /* program. It allows for PGP signatures and encryption */ /* for mail. It asks for the ID of who the file is to be */ /* encrypted for... I did this because I have lots of */ /* public keys, and some of the other mailers became */ /* confused on occation and did not find the right key to */ /* use for the encryption. It also asks if you want to continue, */ /* abort or edit the message... */ /* */ /* This software is free for the taking... if you modify it, send */ /* me the modification, since I'll be curious. */ /* -nate sammons, July 11, 1993, nate at vis.colostate.edu */ #include main(int argc, char *argv[]) { int intPID; int signMess, cryptMess; char subject[130]; char cryptWho[100]; char charPID[10]; char theChoice[5]; char messageName[100]; char messageHeaderName[100]; char messageCypherName[100]; char commandLine[300]; char scriptName[100]; FILE *tmp; FILE *script; FILE *message; intPID = getpid(); tmp = fopen("/tmp/PID.tmp", "w"); fclose(tmp); tmp = fopen("/tmp/PID.tmp", "a"); fprintf(tmp, "%d", intPID); fclose(tmp); tmp = fopen("/tmp/PID.tmp", "r"); fscanf(tmp, "%s", charPID); fclose(tmp); strcpy(messageName, "/tmp/message.tmp."); strcat(messageName, charPID); strcpy(messageCypherName, "/tmp/message.cypher."); strcat(messageCypherName, charPID); strcpy(scriptName, "/tmp/message.script."); strcat(scriptName, charPID); message = fopen(messageName, "w"); switch(argc) { case 2: printf("PGPcompose, (c)1993 Nate Sammons\n"); printf("Subject: "); gets(subject); editIt: strcpy(commandLine, "vi "); strcat(commandLine, messageName); system(commandLine); signIt: printf("Sign this message? [y,n] : "); gets(theChoice); switch(theChoice[0]) { case 'y': case 'Y': signMess = 1; break; case 'n': case 'N': signMess = 0; break; default: goto signIt; break; } cryptIt: printf("Encrypt this message? [y,n] : "); gets(theChoice); cypherWithWho: switch(theChoice[0]) { case 'y': case 'Y': printf(" With whose key? : "); gets(cryptWho); if (cryptWho[1] == NULL) { goto cypherWithWho; } cryptMess = 1; break; case 'n': case 'N': cryptMess = 0; break; default: goto cryptIt; } Continue: printf("send, abort, edit? : "); gets(theChoice); switch(theChoice[0]) { case 's': case 'S': goto sendIt; case 'a': case 'A': system("/bin/rm -rf /tmp/message*"); system("/bin/rm -rf /tmp/PID.tmp"); exit(0); case 'e': case 'E': goto editIt; default: goto Continue; } sendIt: if((signMess == 1) && (cryptMess == 1)) { script = fopen(scriptName, "w"); fprintf(script, "cat %s | pgp -feast +clearsig=on \"%s\" > %s\n", messageName, cryptWho, messageCypherName); fclose(script); strcpy(commandLine, "chmod +x "); strcat(commandLine, scriptName); system(commandLine); system(scriptName); script = fopen(scriptName, "w"); fprintf(script, "cat %s | /usr/ucb/mail -s \"%s\" %s", messageCypherName, subject, argv[1]); fclose(script); system(commandLine); system(scriptName); } if((signMess == 1) && (cryptMess == 0)) { script = fopen(scriptName, "w"); fprintf(script, "cat %s | pgp -fast +clearsig=on > %s\n", messageName, messageCypherName); fclose(script); strcpy(commandLine, "chmod +x "); strcat(commandLine, scriptName); system(commandLine); system(scriptName); script = fopen(scriptName, "w"); fprintf(script, "cat %s | /usr/ucb/mail -s \"%s\" %s", messageCypherName, subject, argv[1]); fclose(script); system(commandLine); system(scriptName); } if((signMess == 0) && (cryptMess == 1)) { script = fopen(scriptName, "w"); fprintf(script, "cat %s | pgp -fea \"%s\" > %s\n", messageName, cryptWho, messageCypherName); fclose(script); strcpy(commandLine, "chmod +x "); strcat(commandLine, scriptName); system(commandLine); system(scriptName); script = fopen(scriptName, "w"); fprintf(script, "cat %s | /usr/ucb/mail -s \"%s\" %s", messageCypherName, subject, argv[1]); fclose(script); system(commandLine); system(scriptName); } if((signMess == 0) && (cryptMess == 0)) { script = fopen(scriptName, "w"); fprintf(script, "cat %s | /usr/ucb/mail -s \"%s\" %s", messageName, subject, argv[1]); fclose(script); strcpy(commandLine, "chmod +x "); strcat(commandLine, scriptName); system(commandLine); system(scriptName); } system("/bin/rm -rf /tmp/message*"); system("/bin/rm -rf /tmp/PID.tmp"); break; default: printf("Useage: comp username\n"); exit(0); } } - ---------------------END PGPcompose--------------------- - -nate sammons +-------------------------------------------------------------------- | Nate Sammons email: nate at VIS.ColoState.Edu | Colorado State University Computer Visualization Laboratory | Finger me at nate at monet.VIS.ColoState.Edu for my PGP key | #include | "I have but one single desire - to tear down the sky" -A. Toomba +----------------------+ -----BEGIN PGP SIGNATURE----- Version: 2.3 iQCVAgUBLECF4NTgi1fmrpxlAQGhbgP6AiZCyU2+qf5O06r3mE1JB4XWDocuK175 CO/HJU/8+QekgBG7+6PewERnqLt0pVPuTVmdWkHJyQ+VJyrPRiDlWzI7G2yJqwvG sTCI9CT6cHbp0jBRzQhj48SFcN+Gr+nZ06Nc8/93X7/+QGZVtz+0MMTFXz8oVcEe TWYeBNkXhDg= =P0IW -----END PGP SIGNATURE----- From uri at watson.ibm.com Sun Jul 11 14:44:38 1993 From: uri at watson.ibm.com (uri at watson.ibm.com) Date: Sun, 11 Jul 93 14:44:38 PDT Subject: encrypted email software In-Reply-To: <9307110345.AA10983@cygnus.com> Message-ID: <9307112144.AA13032@buoy.watson.ibm.com> Mark Eichin says: > >> While longer key indeed offers little protection against attacks > >> like differential cryptanalysis - it's hard to argue that it can > >> blow brute-force attack out of the water... > But isn't the idea differential cryptanalysis *can* blow > brute-force out of the water if the algorithm is sensitive to it, and > the symmetries that could be introduced by 64-bit DES keying might > have made it thus sensitive. It isn't just that extra key "offers > little protection", it might actually *weaken* the algorithm. (No, I'm > not an expert on DES, but I've followed the net, read the FIPS, read > Biham-Shamir, and thought about it a bit for myself.) Well, to the best of my knowledge, "sliding attack" does NOT care about the length of a key - because it deduces the subkeys DIRECTLY. This means - one doesn't WEAKEN an algorithm by increasing the key length, it just doesn't help against "sliding attack"... And in order to pull out this "sliding attack" one HAS to have either enough of PLAINTEXT-CIPHERTEXT pairs, or even better - to be able to run CHOSEN-PLAINTEXT attack. How much are you afraid of such an attack against your e-mail? [Assuming you use one-time RSA-encrypted DES key, of course :-] -- Regards, Uri uri at watson.ibm.com scifi!angmar!uri N2RIU ----------- >From cypherpunks-request Sun Jul 11 20:17:07 1993 From newsham at wiliki.eng.hawaii.edu Sun Jul 11 15:08:06 1993 From: newsham at wiliki.eng.hawaii.edu (Timothy Newsham) Date: Sun, 11 Jul 93 15:08:06 PDT Subject: Secure comm program, Sockets + LINK In-Reply-To: <9307102248.aa04285@hermix.markv.com> Message-ID: <9307112208.AA20350@toad.com> > > From: Timothy Newsham > > I assume you're talking about the link program I wrote. > > Yes, I was talking about your program Link. > > If so: I never really considered the RSA exchange as authentication > although it can be thought of that way I guess. > > Right. The only person who can participate (on one side) of the > exchange is the one with the private key which matches the other > side's public key. This does provide a weak level of authentication. > (An opponent can record 'authentication' sequences, and replay them > later. For this to be usefull, the opponent will have to have > discovered the session key which is/was being selected by the > sequence.) This is a matter of perspective. You are thinking of the matching keys as being 'public' and 'private'. You can also think of them both being half of a key, both being unknown to any third parties. In such a case the mere possession of a matching key is a type of authentication. This because you only gave out one half to a specific person in a private way, and you kept the other half for yourself. This is half way true in the sense of my link program but not totally true, because both halves were generated on one machine and one half transmitted (probably over an insecure channel) to the remote. This second key is secure in that it only got transfered once and then exists in only one place that may be secure. It is insecure in that it might have been observed in that window of vulnerability. Why is it that you want both sides to authenticate, btw? In the case of a human<->human connection? I can definitely add authentication (two way). From jet at nas.nasa.gov Sun Jul 11 17:09:04 1993 From: jet at nas.nasa.gov (J. Eric Townsend) Date: Sun, 11 Jul 93 17:09:04 PDT Subject: security vs. PINE In-Reply-To: Message-ID: <9307120008.AA20041@boxer.nas.nasa.gov> me writes: > to the SMTP server _directly_, bypassing sendmail (and its security checks). [...] > Coming down the pike though, I see SMTP, maybe even NNTP protocols being > secured (check out the magazine someone mentioned earlier: INFO-SECURITY. > You just have to fill out a bingo card to get it, Write:INFO-SECURITY NEWS > 498 Concord St, Framingham MA 01701-2357). If that happens, the days of EZ > phreaking are over..... I think that avoiding security avoids the real problem. Many gov't agencies are swinging away from wide open SMTP in an effort to find something that has security and authentication. Having some boffo mailer that bypasses sendmail does no good in such a case. From wmo at rebma.rebma.mn.org Sun Jul 11 17:12:22 1993 From: wmo at rebma.rebma.mn.org (Bill O'Hanlon) Date: Sun, 11 Jul 93 17:12:22 PDT Subject: REMAILER: really anon? Message-ID: -----BEGIN PGP SIGNED MESSAGE----- > > 9: remailer at rebma.mn.org (this reply took almost 3+ days!) > > From: nobody at rebma.rebma.mn.org > Remailed-By: Mr. Nobody A little background on my remailer... My machine is connected to the net at large via UUCP... And I only have one phone line at home, which me and the family share with the computer. So it only polls out for mail when we're asleep (22:30 CDT - 7:30 CDT). And, I'll admit, when the weather gets ugly enough here in Minnesota, the machine gets powered down to keep the place cooler. That's the disadvantage of the remailer at rebma. The advantage is that since I own the machine, the remailer will stay in operation, period. (I think my service provider does have a clause in the agreement that mentions that use that prevents other users from getting service will not be tolerated, but that's it.) So, if you're looking for fast turnaround time, remailer at rebma.mn.org is not for you. If a long delay can be used as an advantage, more power to you. - -Bill -----BEGIN PGP SIGNATURE----- Version: 2.2 iQCVAgUBLD8NHRiQVHeOVJ+HAQF5AwP9HmELtb3xCOo79cxT5UpBdIiM8mJmT0D0 Fiacai6jxzZxGeq6mSgco96IgR8V3M57EJ66788v8I+vwPsuKoRS7ESgKyF7ijqn b1AfCEgh3VJfEUmPFg3Ulmg6LtDCQ5EkYEFcrhdKHqa9edvm3xVFexodKwOPDzhL tbTkxzdyiIk= =cPEm -----END PGP SIGNATURE----- From mdiehl at triton.unm.edu Sun Jul 11 20:11:59 1993 From: mdiehl at triton.unm.edu (J. Michael Diehl) Date: Sun, 11 Jul 93 20:11:59 PDT Subject: Radical Paranoia? Message-ID: <9307120311.AA07241@triton.unm.edu> I'm having a philisophical problem reguarding when to sign someone else's public key. Obviously, if you watch someone generate a key, and they physicaly hand you a copy of it, you should sign it. Fortunately, life has been this good to me about 5 times. But what if life isn't so good? Lets say someone emails me a key and the return address matches that of the address in the key. Do I assume no one is spoofing me? You have to admit that this is possible albeit unlikely. What good is key certification if it only "probably valid?" I've noticed that many of the keys on the server are signed with the same person's key. I doubt that these people have had physical contact with each of the people who's key that they've signed. Am I just being paranoid, or is there a valid issue here? I welcome any of your comments. +-----------------------+-----------------------------+---------+ | J. Michael Diehl ;-) | I thought I was wrong once. | PGP KEY | | mdiehl at triton.unm.edu | But, I was mistaken. |available| | mike.diehl at fido.org | | Ask Me! | | (505) 299-2282 +-----------------------------+---------+ | | +------"I'm just looking for the opportunity to be -------------+ | Politically Incorrect!" | +-----If codes are outlawed, only criminals wil have codes.-----+ +----Is Big Brother in your phone? If you don't know, ask me---+ From chaos at aql.gatech.edu Sun Jul 11 22:08:34 1993 From: chaos at aql.gatech.edu (Paul Goggin) Date: Sun, 11 Jul 93 22:08:34 PDT Subject: Radical Paranoia? Message-ID: <9307120508.AA01947@toad.com> >Lets say someone emails me a key and the return address matches that of >the address in the key. Do I assume no one is spoofing me? You have to >admit that this is possible albeit unlikely. What good is key certification >if it only "probably valid?" I've noticed that many of the keys on the >server are signed with the same person's key. I doubt that these people >have had physical contact with each of the people who's key that they've >signed. Am I just being paranoid, or is there a valid issue here? I >welcome any of your comments. I understand your precaution and problem very well. I have had similar fears. Recently, I was in similar situation recently. I wanted to exchange keys with someone I have met only once. The situation as it arose actually ended up working okay. We exchanged keys after encrypting them with the normal encryption option, with a password being someone at the place we meet. Knowledge common to only a few select people. Then we started a talk session at a prescribed time at the relevant addresses and tried to rely on information specific dialogue to verify one's person as the one in question. Without physically being there this seems like at least a little extra security. As to the broader question you are really asking on verification I am unsure on how it can be solved. Obviously my situation was unique that we had met and could decide on an information basis, that would seemingly be hard to duplicate, but this is not always available. Paul -- R O All Comments Copyright by | Technofetisht A N Paul S. Goggin (1993) | Cypher, Cyber, Chaos V Information Broker | Ergoflux, Interzone E chaos at aql.gatech.edu | Carpe Diem: Stop the Clipper wiretap chip Finger account for latest _Phrack_ | Public Key: PGP and RIPEM available For anonymous communication:---> anonymus+4744 at charcoal.com ------------------------------------------------------------------------------ Title 18 USC 2511 and 18 USC 2703 Protected -- Monitoring Absolutely Forbidden From wcs at anchor.ho.att.com Sun Jul 11 23:24:44 1993 From: wcs at anchor.ho.att.com (wcs at anchor.ho.att.com) Date: Sun, 11 Jul 93 23:24:44 PDT Subject: Radical Paranoia? Message-ID: <9307120625.AA13929@anchor.ho.att.com> Email is *not* enough. Easily forged, easily intercepted, not secure. This mail could be coming from me, it could be coming from the NSA, it could be my cat jumping on my keyboard's function keys triggering emacs form-letter-mode. No way to tell. Cat already dumped my password and modem dialcodes into this mail message, and he's still pretty young :-) Building and maintaining a web of trust means we're all responsible for signing keys carefully, and making sure people know how careful our signatures are. Read through the READMEs a couple more times until you really understand the procedures! My view is that you should only sign a key if you really *know* that the person whose key your signing is that person and you've verified with them that you've got the right key. If somebody *you recognize* hands you their key, fine - I recognize about 10 or so well-known cypherpunks that I could do this with (plus other people who might be interested but aren't verbose contributors here :-) On the other hand, if Vesselin Bontchev asked me to sign his key, I wouldn't do it, because I don't know him by sight, unless somebody I know knows him personally introduced us. If somebody you know by *voice* wants you to sign their key, you'd better at least have a voice telephone call with them where you read key fingerprints over the phone. This is how I had Phil sign my key, and there are 3-4 others here I could probably do this with if I wanted. When you're adding people to your PGP keyring, pgp asks you how well you trust people to sign keys. You can trust me to do that much for identifying people, but on the other hand I've got a diskless workstation as the only thing I have that can do PGP until I get it on my wife's laptop, so you can't trust that my keyring hasn't been hacked -- that's why my pgp userid says "multiuser" in it. I really won't feel comfortable signing keys until I've got a secure system and we've got an RSAREF implementation that makes use of RSA kosher. If you're likely to sign keys for people you don't really know well, such as giving out starter PGP floppies at a trade show or rave or something, I suppose you could generate a separate key/userid that says it's not very secure, signed by your regular key, but do try to at least check easily-forged ID like driver's licenses for people you don't know, and encourage them to generate real keys and get them signed by people that *they* really know. It's not ideal; do people feel that's acceptable to get people initial connections? Bill # Bill Stewart wcs at anchor.ho.att.com +1-908-949-0705 Fax-4876 # AT&T Bell Labs, Room 4M-312, Crawfords Corner Rd, Holmdel, NJ 07733-3030 From greg at ideath.goldenbear.com Mon Jul 12 00:27:08 1993 From: greg at ideath.goldenbear.com (Greg Broiles) Date: Mon, 12 Jul 93 00:27:08 PDT Subject: SMTP, PINE, and security Message-ID: -----BEGIN PGP SIGNED MESSAGE----- me writes: > One of the many neat features of PINE is that it allows one to talk > to the SMTP server _directly_, bypassing sendmail (and its security checks). > What this means is that instead of doing a "telnet xxxx smtp", you can > build and configure a PINE client to do it for you, and retain all the > nice features. PINE source code is freely available, and does not require > root privs to run (any more than it requires root privs to "telnet xxx smtp") [stuff deleted] > If that happens, the days of EZ phreaking are over..... I dunno; if things change such that it's considered normal for users to connect to local or outside SMTP and NNTP ports, that would seem to create an convenient smokescreen/excuse for folks who use those ports for their own (non-approved) ends. It'll be a lot harder to look through a log for unknown connections. See the discussion on comp.dcom.telecom about how difficult it is to provide authentication of cellular phones and fraud prevention, while allowing people to buy new phones easily, roam, and do all of that other stuff that people do. I think the SMTP/NNTP/PINE/whatever stuff is very similar - I think it may prove so difficult to truly authenticate unknown and untraceable users that people will turn to other means for identifying a few trusted machines/people/processes. Public-key crypto, perhaps? :) Security and convenience are basically incompatible; I'm hoping that we opt for convenience. -----BEGIN PGP SIGNATURE----- Version: 2.3 iQCVAgUBLEEIfn3YhjZY3fMNAQGVfwQAoestrAnd168C061KVqb+znRBFNoAIS1k Ic7JtsVxzj9xaFc5v5nKDUgHD4g47ulTyc1jqEFKmUjfqfal5xZVhN+/4wHFaN0v 2gNbYByvd7/QL685+lkGGkFr1ff7qTdWqVk5LV6b4fRyhJcTHIH48x/55QO0Oo3y DYdA6GDuChk= =SOFw -----END PGP SIGNATURE----- -- Greg Broiles greg at goldenbear.com Golden Bear Computer Consulting +1 503 465 0325 Box 12005 Eugene OR 97440 BBS: +1 503 687 7764 From edgar at spectrx.Saigon.COM Mon Jul 12 02:54:22 1993 From: edgar at spectrx.Saigon.COM (Edgar W. Swank) Date: Mon, 12 Jul 93 02:54:22 PDT Subject: "Data Haven" def Message-ID: <7wBk7B6w165w@spectrx.saigon.com> Patrick E. Hykkonen Inquired: Could someone please define a 'data haven'? I understand digitial cash, it is exactly what it sounds like. However, in the context I've heard data haven used in, then there is much more than simply keeping one's data encrypted on your local hard drive. Webster's Seventh New Coll. Dict.: Haven: 1: HARBOR, PORT 2: A place of safety :ASYLUM My analysis: A "data haven" is some entity where data can be placed and have some assurance against either accidental or deliberate destruction. Encrypted data on your hard disk is safe enough against -disclosure-, but is very vulnerable to destruction, either accidental or deliberate. Certain individuals and governments have such strong views on certain forms of data that they will destroy them if they even suspect encryption is hiding such data. A data haven would ensure such data could not be destroyed without permission of its owner. The owner might or might not permit distribution of the data either free or for a fee. Examples of data at risk for deliberate destruction: Pornography, especially child ponography. According to recent news, a BBS in Denmark (Holland?) may be a data haven for that. Politically incorrect programs. For example, the German government is trying (and may have succeeded) to destroy all copies of a game program called "Concentration Camp Commander". This was on the news a few months ago. The USA would be a data haven for this program, generally speaking, since as political speach it would be protected by the First Amendment. (But I don't know if any copies have ever made it here; I net-chat with a few people in Europe & none of them have ever heard of it.) -- edgar at spectrx.saigon.com (Edgar W. Swank) SPECTROX SYSTEMS +1.408.252.1005 Cupertino, Ca From M..Stirner at f28.n125.z1.FIDONET.ORG Mon Jul 12 04:06:19 1993 From: M..Stirner at f28.n125.z1.FIDONET.ORG (M. Stirner) Date: Mon, 12 Jul 93 04:06:19 PDT Subject: Remailer test Message-ID: <1032.2C414356@shelter.FIDONET.ORG> Just a quick note to say that I sent out a packet of tests for the remailers via the RBBSnet UUCP gate following the standard Cypherpunks form: To: remailer at some.place.edu :: Request-Remailing-To: me at my.address.com This is a test of the ... remailer... I sent this message to each of the following: hh at pmantis.berkeley.edu hh at cicada.berkeley.edu hh at soda.berkeley.edu phantom at mead.u.washington.edu 00x at uclink.berkeley.edu remailer at utter.dis.org I received the test message via the remailer at utter.dis.org quickly & without problems. I have yet to get the other messages, nearly a week later. With the exception of remailer at utter.dis.org, all of these have been habitually unresponsive to regular tests. I have been able to get the soda remaier to work once, & with the efforts of the remailer operator, was able to get the phantom remailer to work once. I have been unable to get the anonymus+info at charcoal.com remailer to accept mail after some six attempts. The Charcoal daemon bounces back the messages as coming to an unknown addressee. The Extropia PGPed remailer seems to work well, as does the hal at alumni.caltech.edu remailer. Nearly everything else seems very iffy. Which remailers claim to be able to mail directly to newsgroups? ********************************************************************* * - PGP Key D30909 via servers * * > What country can preserve its liberties if its rulers are not <* * > warned from time to time that their people preserve the spirit <* * > of resistance? Let them take arms!" - Thomas Jefferson, 1787 <* ********************************************************************* ... Starve a feeding bureaucrat, vote Libertarian. ___ Blue Wave/QWK v2.12 -- M. Stirner - via FidoNet node 1:125/1 UUCP: ...!uunet!kumr!shelter!28!M..Stirner INTERNET: M..Stirner at f28.n125.z1.FIDONET.ORG From dmandl at lehman.com Mon Jul 12 06:02:30 1993 From: dmandl at lehman.com (David Mandl) Date: Mon, 12 Jul 93 06:02:30 PDT Subject: anonymous mail Message-ID: <9307121301.AA06341@disvnm2.shearson.com> > From: jet at nas.nasa.gov (J. Eric Townsend) > > nobody at entropy.linet.org writes: > > that somebody can get fired for views expressed in a private > > e-list, which probably extrapolates to USENET posting as well. > > Apparently, Mr. Steshenko forgot to include the "disclaimer: my > > opinions" with his email. > > Apparently, Mr. Steshenko thought it was appropriate to use company > resources for non-company activities. On top of that, those > activities misrepresented the company. > > Steshenko's firing is something all the libertarians on this list > should applaud. This "libertarian" (note small "l"--if you mean "Libertarian," you should be more careful in the future) doesn't "applaud" Mr. S's firing. What a stupid thing to say. You should either be fried by your more humane Libertarian colleagues, or (if there is general agreement with your message), you should be declared the Missing Link that some of us have been searching for for years. This is so typical. If the State had pulled something like this, you'd be screaming your head off, but when a "private" corporation does it, you not only don't protest, but actually cheer them on? This is just the kind of rigid, stupid, pro-authoritarian thinking that many people expect from the more zomboid Libs, though we rarely get to see anyone display it so candidly. Looking at your email address, I notice that you're an employee of mine. I strongly disapprove of your using this ID for your own leisure activities. However, I'm a nice guy, so I'll give you, oh, two more chances. Then, you're out of here. Direct all flames anywhere but dmandl at panix.com or dmandl at lehman.com. --Dave. From elee9sf at Menudo.UH.EDU Mon Jul 12 06:10:56 1993 From: elee9sf at Menudo.UH.EDU (elee9sf at Menudo.UH.EDU) Date: Mon, 12 Jul 93 06:10:56 PDT Subject: Remailer test In-Reply-To: <1032.2C414356@shelter.FIDONET.ORG> Message-ID: <199307121310.AA20979@Menudo.UH.EDU> M..Stirner at f28.n125.z1.fidonet.org (M. Stirner) wrote > I received the test message via the remailer at utter.dis.org quickly & > without problems. I have yet to get the other messages, nearly a week > later. With the exception of remailer at utter.dis.org, all of these have > been habitually unresponsive to regular tests. I have been able to get > the soda remaier to work once, & with the efforts of the remailer > operator, was able to get the phantom remailer to work once. Hm...something funny is going on here. I test the remailers about once every other week and generally here from all of them! Can I try sending mail to you through each remailer? Maybe this will help figure out the ones which can't reach you. > Which remailers claim to be able to mail directly to newsgroups? As far as I know, none of the remailers mail directly to newsgroups. But, you can have them remail to an email-to-usenet gateway like group-name at cs.utexas.edu. There are others (pws.bull.com, decwrl's, demon); I'll find my list and send it. /-----------------------------------\ | Karl L. Barrus | | elee9sf at menudo.uh.edu | <- preferred address | barrus at tree.egr.uh.edu (NeXTMail) | \-----------------------------------/ From dmandl at lehman.com Mon Jul 12 06:50:48 1993 From: dmandl at lehman.com (David Mandl) Date: Mon, 12 Jul 93 06:50:48 PDT Subject: Radical Paranoia? Message-ID: <9307121350.AA06834@disvnm2.shearson.com> > From: J. Michael Diehl > > Lets say someone emails me a key and the return address matches that of > the address in the key. Do I assume no one is spoofing me? You have to > admit that this is possible albeit unlikely. What good is key certification > if it only "probably valid?" I've noticed that many of the keys on the > server are signed with the same person's key. I doubt that these people > have had physical contact with each of the people who's key that they've > signed. Am I just being paranoid, or is there a valid issue here? I > welcome any of your comments. Anything is possible. It's best to play it VERY safe when it comes to certifying or accepting keys. The ideal thing is to accept only keys that have been signed by a key you know to be good. Start with a key that's been handed to you personally (or that you are absolutely certain is legit), and work from there. Some folks (bless them) have signed oodles of keys and are very trustworthy; if you can work through the web to them eventually (being careful along the way about who you trust as a certifier), you'll eventually have a windfall. No, most people on the public servers have probably not met face to face; they've worked their way to each other using trusted signatures and certifiers. Just be careful about who you trust. --Dave. From nate at VIS.ColoState.EDU Mon Jul 12 06:55:49 1993 From: nate at VIS.ColoState.EDU (CVL staff member Nate Sammons) Date: Mon, 12 Jul 93 06:55:49 PDT Subject: Help! not getting any CypherPunk mail! Message-ID: <9307121355.AA16591@vangogh.VIS.ColoState.EDU> -----BEGIN PGP SIGNED MESSAGE----- Help! I am not getting any mail from the CypherPunks mailing list, although my posts are apparently getting through OK. Please help! thanks, - -nate sammons +-------------------------------------------------------------------- | Nate Sammons email: nate at VIS.ColoState.Edu | Colorado State University Computer Visualization Laboratory | Finger me at nate at monet.VIS.ColoState.Edu for my PGP key | #include | "I have but one single desire - to tear down the sky" -A. Toomba +----------------------+ -----BEGIN PGP SIGNATURE----- Version: 2.3 iQCVAgUBLEFtRtTgi1fmrpxlAQFzyAP8C6V9nVURq13bPYPa+FPnCFiYc71wAKKI o+t1HGdcylMuY24lKk+UhI2yEMO/JEyqDYJnpeOV6kn+izfx4OyrWLVmN7rYD4Nf Yr8wb18+3Zd9cFPsn6QwSLzd/2XVY+tmzrIMwVShmgIAl2gobuScey+q7JBK3j8X ImzeUJF20Hw= =Y2eB -----END PGP SIGNATURE----- From nate at VIS.ColoState.EDU Mon Jul 12 08:51:38 1993 From: nate at VIS.ColoState.EDU (CVL staff member Nate Sammons) Date: Mon, 12 Jul 93 08:51:38 PDT Subject: please send cypherpunk mail to me at Message-ID: <9307121551.AA17109@vangogh.VIS.ColoState.EDU> -----BEGIN PGP SIGNED MESSAGE----- Please send the CP mail to me at nate at vangogh.vis.colostate.edu I am having problems getting the CP mail forwarded to me, and this may very well help. thanks, - -nate +-------------------------------------------------------------------- | Nate Sammons email: nate at VIS.ColoState.Edu | Colorado State University Computer Visualization Laboratory | Finger me at nate at monet.VIS.ColoState.Edu for my PGP key | #include | "I have but one single desire - to tear down the sky" -A. Toomba +----------------------+ -----BEGIN PGP SIGNATURE----- Version: 2.3 iQCVAgUBLEGIb9Tgi1fmrpxlAQFMOwP9Gq8DUzldiPDSfRRrlBCjRKBAyXU9fZ8z 6wOBelKJqVNHwgDBOMDkgKWe0iSwANT1/yJ0szcOZmERT9pod75HGzHtDogNGyfL 4ZjrqVCtAA95Y+HnyTfGQ7Ej86NEqRaN8F+hE7ZqwurtCYBf3Ag0jES4iI/YvjbN bSPpjSPItPA= =PkJT -----END PGP SIGNATURE----- From jet at nas.nasa.gov Mon Jul 12 09:38:57 1993 From: jet at nas.nasa.gov (J. Eric Townsend) Date: Mon, 12 Jul 93 09:38:57 PDT Subject: anonymous mail In-Reply-To: <9307121301.AA06341@disvnm2.shearson.com> Message-ID: <9307121638.AA24768@boxer.nas.nasa.gov> First off, I'm not a [l,L]ibertarian. For the most part, I've found them to be closeted Amway salesdroids who give lip service to civil rights and who are only interested in their 'right' to make as much money as possible at the expense of everyone else's rights. Most of my exposure to [l,L]ibertarianism has been in Texas, however, so maybe there's hope for the party as a whole. David Mandl writes: >If the State had pulled something like >this, you'd be screaming your head off, but when a "private" corporation does >it, you not only don't protest, but actually cheer them on? This is just the Saying that 'group should be happy' is not cheering on anyone. Get a clue. > Looking at your email address, I notice that you're an employee of mine. I Actually, I'm an employee of Computer Sciences Corporation. > strongly disapprove of your using this ID for your own leisure activities. What makes you think this is 'leisure activity'? From jet at nas.nasa.gov Mon Jul 12 09:57:29 1993 From: jet at nas.nasa.gov (J. Eric Townsend) Date: Mon, 12 Jul 93 09:57:29 PDT Subject: SMTP, PINE, and security In-Reply-To: Message-ID: <9307121629.AA24751@boxer.nas.nasa.gov> Greg Broiles writes: > I dunno; if things change such that it's considered normal for users to > connect to local or outside SMTP and NNTP ports, that would seem to create This assumes that the gateways at one's sites will pass stuff on these ports from non-authorized hosts. True, one could go to different ports on a relay box, but that's a bit more complicated than what the 'average user' is willing to put up with. From M..Stirner at f28.n125.z1.FIDONET.ORG Mon Jul 12 14:28:50 1993 From: M..Stirner at f28.n125.z1.FIDONET.ORG (M. Stirner) Date: Mon, 12 Jul 93 14:28:50 PDT Subject: Mailer tests Message-ID: <1040.2C41D6C6@shelter.FIDONET.ORG> Just a quick note to say that I sent out a packet of tests for the remailers via the RBBSnet UUCP gate following the standard Cypherpunks form: To: remailer at some.place.edu :: Request-Remailing-To: me at my.address.com This is a test of the ... remailer... I sent this message to each of the following: hh at pmantis.berkeley.edu hh at cicada.berkeley.edu hh at soda.berkeley.edu phantom at mead.u.washington.edu 00x at uclink.berkeley.edu remailer at utter.dis.org I received the test message via the remailer at utter.dis.org quickly & without problems. I have yet to get the other messages, nearly a week later. With the exception of remailer at utter.dis.org, all of these have been habitually unresponsive to regular tests. I have been able to get the soda remaier to work once, & with the efforts of the remailer operator, was able to get the phantom remailer to work once. I have been unable to get the anonymus+info at charcoal.com remailer to accept mail after some six attempts. The Charcoal daemon bounces back the messages as coming to an unknown addressee. The Extropia PGPed remailer seems to work well, as does the hal at alumni.caltech.edu remailer. Nearly everything else seems very iffy. Which remailers claim to be able to mail directly to newsgroups? ********************************************************************* * - PGP Key D30909 via servers * * > What country can preserve its liberties if its rulers are not <* * > warned from time to time that their people preserve the spirit <* * > of resistance? Let them take arms!" - Thomas Jefferson, 1787 <* ********************************************************************* ___ Blue Wave/QWK v2.12 -- M. Stirner - via FidoNet node 1:125/1 UUCP: ...!uunet!kumr!shelter!28!M..Stirner INTERNET: M..Stirner at f28.n125.z1.FIDONET.ORG From mdiehl at triton.unm.edu Mon Jul 12 19:29:28 1993 From: mdiehl at triton.unm.edu (J. Michael Diehl) Date: Mon, 12 Jul 93 19:29:28 PDT Subject: pgp patent. Message-ID: <9307130229.AA20226@triton.unm.edu> Hi all, just a quick question. Exactly when does the patent expire which will make pgp legal? Enquiring minds want to know? ;^) +-----------------------+-----------------------------+---------+ | J. Michael Diehl ;-) | I thought I was wrong once. | PGP KEY | | mdiehl at triton.unm.edu | But, I was mistaken. |available| | mike.diehl at fido.org | | Ask Me! | | (505) 299-2282 +-----------------------------+---------+ | | +------"I'm just looking for the opportunity to be -------------+ | Politically Incorrect!" | +-----If codes are outlawed, only criminals wil have codes.-----+ +----Is Big Brother in your phone? If you don't know, ask me---+ From mdiehl at triton.unm.edu Mon Jul 12 19:30:41 1993 From: mdiehl at triton.unm.edu (J. Michael Diehl) Date: Mon, 12 Jul 93 19:30:41 PDT Subject: xor data hiding? Message-ID: <9307130230.AA20305@triton.unm.edu> I heard something interesting which made me think. (gasp) I heard that if you encrypt a file with the xor encryption alg. multiple times with different keys, you get an encrypted file with a coorisponding effective key which has some interesting properties. The key in such a system would have a length equal to the Least Common Multiple of the lengths of the original key. So, if you used keys of length 1,2,3,5,7,11,13, you would have an effective key-length of 30,030 bytes! Of course, you could use more than one 5-byte key if you wanted, and some of the bytes should be greater than 127. Not knowing any better, it occurs to me that given a 30,030 byte key, and the task of finding the original keys that make it up, (if any) I'd be out of luck. It would seem that "factoring" this large key into smaller keys would be a tough job...perhapse almost as hard as the factoring problem in a finite group? Brute-force and known plaintext attacks are possible, but lets forget that for (just) a moment. If someone DID find the required 30,030 bytes required to read your massage, you could just as easily show them another 30,030 bytes which would decode the message into the U.S. Bill of Rights if you wanted to. You could keep such One Time Pads laying around your hard disk if you wanted to...in zip format, perhapse. You would always be able to get the true plaintext by simply knowing the 7 key-words. But few others would be so lucky. The point being that there would be some degree of plausible deniability with such a cypher. For the sake of arguement, lets say that the plaintext was first encrypted with some strong crypto. Then we used the xor crypto with 7 keys. It would be pretty hard to see what had been done. Now we deal with the brute force attack to get the original keys. Lets say that someone does get 7 words which will decrypt your ciphertext into a plot to distribute to ? If you had to, I'm sure you could reverse engineer a completely different set of keys which will form the same plaintext. If you absolutely had to, you might be able to come up with 7 words which will decrypt your ciphertext back into the Bill of Rights, thus giving you absolute plausible deniability. As far as known plaintext attacks go...well, we hope that doesn't happen. ;^) Well, I'm about to wrap this up. Some time ago, I proposed hiding messages on the end of other files such as executable. Well, if we pgp encrypted a file, then xor encrypted the result with 7 keys and stuck that on the end of 4dos.com, which is over 64K BTW, I find it hard to believe that you would be caught readily. I haven't had time to investigate the harmonic qualities of such a cypher, but it seems feasible. You could delete and wipe the encryption program from your harddisk. (after uploading the source/executable to your local bbs) There would be tough times for anyone who had to pin a given message on you. Well, what do you think? I hope to drum up as much discussion here as with the "radical paranoia" thread, from which I learned a lot. Well, I promised to wrap this up, so I guess I'm done. +-----------------------+-----------------------------+---------+ | J. Michael Diehl ;-) | I thought I was wrong once. | PGP KEY | | mdiehl at triton.unm.edu | But, I was mistaken. |available| | mike.diehl at fido.org | | Ask Me! | | (505) 299-2282 +-----------------------------+---------+ | | +------"I'm just looking for the opportunity to be -------------+ | Politically Incorrect!" | +-----If codes are outlawed, only criminals wil have codes.-----+ +----Is Big Brother in your phone? If you don't know, ask me---+ From pmetzger at lehman.com Mon Jul 12 20:06:58 1993 From: pmetzger at lehman.com (Perry E. Metzger) Date: Mon, 12 Jul 93 20:06:58 PDT Subject: xor data hiding? In-Reply-To: <9307130230.AA20305@triton.unm.edu> Message-ID: <9307130306.AA15377@snark.shearson.com> J. Michael Diehl says: > I heard something interesting which made me think. (gasp) > > I heard that if you encrypt a file with the xor encryption alg. > multiple times with different keys, you get an encrypted file with a > coorisponding effective key which has some interesting properties. The key > in such a system would have a length equal to the Least Common Multiple of > the lengths of the original key. Sadly, the Friedmans already cracked the "multiple repeating xored keys" cypher a while back -- about fifty years ago. Don't be embarassed, by the way -- everyone comes up with cyphers that have been cracked before. However, I would suggest reading "The Codebreakers" and the current literature before proposing new systems. Perry From ld231782 at longs.lance.colostate.edu Mon Jul 12 21:38:05 1993 From: ld231782 at longs.lance.colostate.edu ( L. Detweiler ) Date: Mon, 12 Jul 93 21:38:05 PDT Subject: State Dept. shuts down DEC machine Message-ID: <9307130437.AA19964@longs.lance.colostate.edu> A very hot topic (and one of my favorites to track) on this list is the shutting down of various sites due to various factors. I'd be interested in hearing more of the BBS shutdown cases here, which are oft-rumored on Internet but rarely discussed authoritatively. Anyway, here's some strange actions by the State Dept. in shutting down a DEC FTP site. I wonder if this was *after* that little DES FTP retrieval demonstration before congress--did that give some people ideas? Anyway, this is disturbing, and the question always is `is this an isolated action or a trend emerging'--if hostility reaches the people who are responsible they are unlikely to do it again; even ivory tower bureacrats have a large CYA instinct (that's how they get there and stay there). Note that this was NOT the DECWRL machine but another at DEC. ===cut=here=== Subject: State Dept. shuts down open-access Internet DEC-Alpha via export ctl! Date: Thu, 08 Jul 93 01:34:07 -0700 From: gnu at cygnus.com DEC was the first company to put up one of their machines on the Internet so that people could log in and port their (free or commercial) software to it. This is a great idea, which I'm encouraging others to emulate. But the government objects... The machine was called axposf (AXP is the model, OSF is the operating system) .pa.dec.com (in the Palo Alto office of the DEC computer company). Anyone could connect to it over the Internet, using a standard protocol (telnet), and type to it, as if they were sitting at its console. This was WONDERFUL for people who are working on software. The AXP is a new "64-bit" machine, and most software will need at least minor revisions to accomodate it. But most software authors and companies won't immediately buy an AXP. Making one available for casual use on the Internet means that much more software would appear on the AXP sooner. The State Dept. regulates "remote access to computers" as equivalent to "export of computers". I shudder to think what would happen if they discovered that ordinary email can invoke processing remotely. Unfortunately, the machine is at DEC, which is gunshy about export problems, after getting a multimillion dollar fine (which I don't think they ever challenged in court) because some customer trans-shipped a Vax to Eastern Europe in the '70s. A more modern company might simply tell the State Dept. to shove it, and beat them in court over the unconstitutionality of the export laws. Are they seriously telling us that we can't put a public access machine on the Internet? Can we attach phone lines to it instead? If not, a few thousand BBS's running on fast machines are violating export laws... If so, what is the specific difference between the Internet and a phone line, that lets a company distinguish a legal act of commerce or communication from an illegal act of export? John, can you make sure the Congressional committees hear about this? As far as I know, they are still not on email. John Gilmore ------- Forwarded Message Date: Wed, 7 Jul 93 02:12:04 -0700 From: paul at vix.com (Paul Vixie) Message-Id: <9307070912.AA15402 at gw.home.vix.com> To: gdb at cygnus.com, mike at mbsun.mlb.org Subject: fyi ... I helped set up axposf.pa.dec.com before I left DECWRL, and I know that the U. S. State Department demanded that it be shut down since there were no access controls to prevent foreign nationals (even those we are not friendly with right now, e.g., Iraq) from telnetting in and getting access. Since the DEC Alpha machines fit the legal description of "supercomputer", this access amounts to "exporting munitions" even though the hardware doesn't move and the crypt(3) sources aren't online. Anyway the service is down right now and the relevant folks at DECWRL and DECNSL are working hard to get it back up again but meanwhile there are no guest DEC Alpha ("AXP") machines on the Internet just now. [gw:i386] telnet axposf.pa.dec.com Trying 16.1.0.14... Connected to axposf.pa.dec.com. Escape character is '^]'. OSF/1 (axposf.pa.dec.com) (ttyp1) login: axpguest Password: Login incorrect login: Connection closed by foreign host. [gw:i386] date Wed Jul 7 02:00:08 PDT 1993 - -- Paul Vixie "Be neither a conformist or a rebel, for they are really the same thing. decwrl!vixie!paul Find your own path, and stay on it." (me) ------- End of Forwarded Message To: farber at pcpond.cis.upenn.edu Subject: Re: When did the DECWRL machine get pulled off the net? Date: Thu, 08 Jul 93 12:13:41 PDT From: Paul A Vixie it happened about two months ago, while i was still brian reid's employee. note that DECWRL is still there, it's the corporate internet gateway. what got taken off the net was an AXP-OSF/1 guest machine. the state department said it was legally a supercomputer and since dec could not guarantee that folks on the SD's DNP ("denied parties list") (Iraq, for example) would be prevented from using it, they insisted that the machine be shut down. we got the notification from the lord-high-weenie of dec's legal department, and since they more-or-less outranked us we had to pull the machine off the net. i don't work for dec any more so i'm free to discuss this. brian reid, my old boss, is not free to discuss this. the whole thing makes me really really angry. From mdiehl at triton.unm.edu Mon Jul 12 21:42:01 1993 From: mdiehl at triton.unm.edu (J. Michael Diehl) Date: Mon, 12 Jul 93 21:42:01 PDT Subject: xor data hiding? In-Reply-To: <9307130306.AA15377@snark.shearson.com> Message-ID: <9307130441.AA24227@triton.unm.edu> According to Perry E. Metzger: > Sadly, the Friedmans already cracked the "multiple repeating xored > keys" cypher a while back -- about fifty years ago. I knew it was crackable. That wasn't the point. The point was data hiding. > Don't be embarassed, by the way -- everyone comes up with cyphers that > have been cracked before. However, I would suggest reading "The > Codebreakers" and the current literature before proposing new systems. I'm not embarassed; I didn't develope the crypto I was discussing. I was simply discussing a new application for it. I will read Codebreakers. Thanx. +-----------------------+-----------------------------+---------+ | J. Michael Diehl ;-) | I thought I was wrong once. | PGP KEY | | mdiehl at triton.unm.edu | But, I was mistaken. |available| | mike.diehl at fido.org | | Ask Me! | | (505) 299-2282 +-----------------------------+---------+ | | +------"I'm just looking for the opportunity to be -------------+ | Politically Incorrect!" | +-----If codes are outlawed, only criminals wil have codes.-----+ +----Is Big Brother in your phone? If you don't know, ask me---+ From mdiehl at triton.unm.edu Tue Jul 13 00:11:18 1993 From: mdiehl at triton.unm.edu (J. Michael Diehl) Date: Tue, 13 Jul 93 00:11:18 PDT Subject: Thesis pointer. Message-ID: <9307130604.AA26837@triton.unm.edu> About a month ago, one of the cypherpunks posted that he had just finished his thesis and had put it up for ftp. I have since lost my mailbox and can't even remember who's thesis it was. All I can remember is that I wanted to read it. Can you send me a pointer? Thanx in advance. +-----------------------+-----------------------------+---------+ | J. Michael Diehl ;-) | I thought I was wrong once. | PGP KEY | | mdiehl at triton.unm.edu | But, I was mistaken. |available| | mike.diehl at fido.org | | Ask Me! | | (505) 299-2282 +-----------------------------+---------+ | | +------"I'm just looking for the opportunity to be -------------+ | Politically Incorrect!" | +-----If codes are outlawed, only criminals wil have codes.-----+ +----Is Big Brother in your phone? If you don't know, ask me---+ From sommerfeld at orchard.medford.ma.us Tue Jul 13 07:20:22 1993 From: sommerfeld at orchard.medford.ma.us (Bill Sommerfeld) Date: Tue, 13 Jul 93 07:20:22 PDT Subject: State Dept. shuts down DEC machine In-Reply-To: <9307130437.AA19964@longs.lance.colostate.edu> Message-ID: <9307131310.AA00173@orchard.medford.ma.us> Note that the machine wasn't (only) an FTP server; it let anyone who wanted get at a shell with compilers, debuggers, tools, etc., so that the alleged Bad Guys from third world countries in a country with IP connectivity on a student visa could run their nuclear bomb design/simulation programs there.... never mind that the simulation for the Manhattan Project was done with a horde of clerks, decks of punched cards, and a big bunch of IBM card tabulators (see Feinmann's autobiographies for more details..). This looks annoyingly like a variant of the "initiative" a few years back where the State Dept. wanted makers of high performance workstations to export them only in a locked-down configuration capable of executing only the applications they were originally purchased to run; compilers need not apply... fortunately, that died a quick & quiet death. - Bill From mbl at mail.msen.com Tue Jul 13 07:30:33 1993 From: mbl at mail.msen.com (Matthew B Landry) Date: Tue, 13 Jul 93 07:30:33 PDT Subject: Whose opinion? (was Re: anonymous mail) Message-ID: On the subject of whether personal postings should be considered as representing the company, I should point out that: 1: NSF and several regional nets have acceptable use policies which do not permit commercial use. 2: Messages posted by the company (or by someone who is assumed to represent the company) would be in violation of these policies if the messages crossed the applicable networks. 3: There is no way to prevent a specific message over usenet from crossing a specific network. 4: The owner of a network site (the company) is assumed to be responsible for any "unacceptable use" traffic that comes from the site. 5: This liability would leave the company open to having its net feed cut off for such unacceptable use. It is therefore in the best interests of any corporation with Internet/Usenet access to _assume_ that messages posted by its employees are not company business. So what's all the fuss about? :-) -- Matthew B. Landry | mbl at mail.msen.com President of Project SAVE | (313)971-5469 (H/W) My opinions are my most prized posession. I don't share them. From dsinclai at acs.ucalgary.ca Tue Jul 13 07:41:33 1993 From: dsinclai at acs.ucalgary.ca (Douglas Sinclair) Date: Tue, 13 Jul 93 07:41:33 PDT Subject: xor data hiding? In-Reply-To: <9307130230.AA20305@triton.unm.edu> Message-ID: <9307131439.AA46888@acs1.acs.ucalgary.ca> What you are talking about sounds like the original Vernam cipher that Dave Kahn talks about in _CodeBreakers_. There, he was using a teletype with two XORing tapes. One tape was 1000 characters long, the other was 999. Thus, 999000 characters would have to go past before the system repeated. HOWEVER, once it does repeat, all security is compromized. Even before that time, I believe there are subtle attacks you can use based on the repetition of the keys. So, this is not a secure cipher method. I would personally suggest tacking an 128 bit IDEA key onto 4dos.com instead. Or use DES even. BTW: Though you could come up with a 30Kb+ string which when XORed would give you any plaintext, you could not come up with a few small strings which when used over each other would give you that. There just isn't enough information to make that possible. -- PGP 2.3 Key by finger From elee9sf at Menudo.UH.EDU Tue Jul 13 07:42:50 1993 From: elee9sf at Menudo.UH.EDU (Karl Barrus) Date: Tue, 13 Jul 93 07:42:50 PDT Subject: ANON: in the news Message-ID: <199307131442.AA08331@Menudo.UH.EDU> -----BEGIN PGP SIGNED MESSAGE----- Anonymous posting and mail have up three times in the past few days, in non-cypherpunk readings of mine. 1) In the Young Scientists Network, one of the list moderators mentioned that an anonymous post was received, and to please not do that in the future. However, the reason given was that it is difficult to contact the author of the post. Since the moderator mentioned he was unable to contact the author, I am guessing a cypherpunk remailer was used. Importantly though, anonymous submissions were discouraged only because of the inconvenience of contacting the author. 2) The latest Computer Underground Digest #5-51. The issue it about the "cleansing" of the AIS BBS run by Kim Clancy. Read the issue; Jim Thomas was upset at this form of witch-hunting, in which accusations were made anonymously. A cypherpunk remailer was used in this situation. Although Jim and others were understandable upset about the situation, I felt they were more upset about what the anonymous poster(s) said; not so much the fact he(they) posted anonymously. Or rather, the fact anonymity was used in the manner it was. 3) Phrack 43 - includes a list of cypherpunk remailers in one of the articles! Looks like the remailers are getting some publicity, as well as the ftp site. -----BEGIN PGP SIGNATURE----- Version: 2.3 iQCVAgUBLELJgIOA7OpLWtYzAQF+dgP/U9Evz5lM91FJnMEGBfDHyLwRGlgAAGbq gnitNN9LA7NKIb8yWdHSSB1iQ0WX4Ae8NRK5m4c7MW2Ps9JekXA6Eu3zQPYwQJ34 nWdkY4y82l1suyo0/D5mrKcXysjvVVGw18Ypt7ErYl1B0qWxCEPp+eTkL7471yUX ODZ1X8hVecs= =lBwU -----END PGP SIGNATURE----- From paul at poboy.b17c.ingr.com Tue Jul 13 07:46:03 1993 From: paul at poboy.b17c.ingr.com (Paul Robichaux) Date: Tue, 13 Jul 93 07:46:03 PDT Subject: PGP 2.3 now avail for Intergraph Clipper CPU Message-ID: <199307131440.AA01891@poboy.b17c.ingr.com> I recently finished porting and testing PGP 2.3 for the Intergraph Clipper C400 CPU. Anyone interested in getting an executable or source diffs should contact me; I've already sent in the makefile changes to Phil Z, so you can wait until 2.4 if you'd rather. I'm also working on a C400 assembler equivalent of the machine-specific fast math functions.. that should help performance a bit. Of course, this effort is not supported (officially or otherwise) by Integraph, and it's certainly not a product :) -Paul -- Paul Robichaux, KD4JZG | I knew Clinton was _really_ the President when I Intergraph Federal Systems | heard Somalis yelling "Down with Clinton!" on CNN. ** Every day, Jim Meadlock is grateful that I don't speak for Intergraph. ** From yerazunis at aidev.enet.dec.com Tue Jul 13 08:02:35 1993 From: yerazunis at aidev.enet.dec.com (In search of cognitive dissonance... 13-Jul-1993 1036) Date: Tue, 13 Jul 93 08:02:35 PDT Subject: State Departnemt shuts down DEC machine Message-ID: <9307131502.AA08846@enet-gw.pa.dec.com> >This looks annoyingly like a variant of the "initiative" a few years >back where the State Dept. wanted makers of high performance >workstations to export them only in a locked-down configuration >capable of executing only the applications they were originally >purchased to run; compilers need not apply... fortunately, that died >a quick & quiet death. And people wonder why DEC is setting up production lines in both Ireland and Israel to build Alpha chips, and contracting with Kyocera to make them in Singapore as well... It's not export if it never started out in the USA now, is it? :-) [this is my opinion ONLY, and is not necessarily the opinion or strategy of my employer] -Bill From smb at research.att.com Tue Jul 13 08:13:10 1993 From: smb at research.att.com (smb at research.att.com) Date: Tue, 13 Jul 93 08:13:10 PDT Subject: new crypto standard to be announced Message-ID: <9307131513.AA12102@toad.com> Today's NY Times says that Novell and a bunch of other companies (including AT&T, but I haven't been able to track down any details yet) *and* the British Ministry of Defense are going to announce a new crypto standard. The article indicated that RSA and DES were going to be used, and portrayed the announcement as a rebuff to Clipper. --Steve Bellovin From pcw at access.digex.net Tue Jul 13 08:32:45 1993 From: pcw at access.digex.net (Peter Wayner) Date: Tue, 13 Jul 93 08:32:45 PDT Subject: PGP 2.3 now avail for Intergraph Clipper CPU Message-ID: <199307131532.AA13611@access.digex.net> PGP is now available for the Clipper? Now Phil has sold out just like Jim Bidzos! :-) -Peter From warlord at MIT.EDU Tue Jul 13 11:07:34 1993 From: warlord at MIT.EDU (Derek Atkins) Date: Tue, 13 Jul 93 11:07:34 PDT Subject: Thesis pointer. In-Reply-To: <9307130604.AA26837@triton.unm.edu> Message-ID: <9307131807.AA08361@toxicwaste.MEDIA.MIT.EDU> Hi. It was I who posted about my Thesis being available for FTP. You can obtain it from toxicwaste.mit.edu:/pub/charon/thesis.ps.Z -derek From nowhere at bsu-cs.bsu.edu Tue Jul 13 11:14:15 1993 From: nowhere at bsu-cs.bsu.edu (Chael Hall) Date: Tue, 13 Jul 93 11:14:15 PDT Subject: Remailer test In-Reply-To: <199307121310.AA20979@Menudo.UH.EDU> Message-ID: <9307131813.AA22955@bsu-cs.bsu.edu> >M..Stirner at f28.n125.z1.fidonet.org (M. Stirner) wrote > >> I received the test message via the remailer at utter.dis.org quickly & >> without problems. I have yet to get the other messages, nearly a week >> later. With the exception of remailer at utter.dis.org, all of these have >> been habitually unresponsive to regular tests. I have been able to get >> the soda remaier to work once, & with the efforts of the remailer >> operator, was able to get the phantom remailer to work once. > >Hm...something funny is going on here. I test the remailers about >once every other week and generally here from all of them! Can I try >sending mail to you through each remailer? Maybe this will help >figure out the ones which can't reach you. > >> Which remailers claim to be able to mail directly to newsgroups? > >As far as I know, none of the remailers mail directly to newsgroups. >But, you can have them remail to an email-to-usenet gateway like >group-name at cs.utexas.edu. There are others (pws.bull.com, decwrl's, >demon); I'll find my list and send it. I have always had difficulty sending directly to Fidonet... If you send to username%f1.n2.z3.fidonet.org at gator.rn.com it will usually go through, though. So by sending it through the remailer, then gator, then Fidonet, it should go. Chael -- Chael Hall nowhere at bsu-cs.bsu.edu, 00CCHALL at BSUVC.BSU.EDU, chall at bsu.edu (317) 776-4000 from 8 am - 5 pm CST From mdiehl at triton.unm.edu Tue Jul 13 17:51:48 1993 From: mdiehl at triton.unm.edu (J. Michael Diehl) Date: Tue, 13 Jul 93 17:51:48 PDT Subject: xor data hiding? In-Reply-To: <9307131439.AA46888@acs1.acs.ucalgary.ca> Message-ID: <9307140017.AA03238@triton.unm.edu> According to Douglas Sinclair: > > What you are talking about sounds like the original Vernam cipher that Dave > Kahn talks about in _CodeBreakers_. There, he was using a teletype with two > XORing tapes. One tape was 1000 characters long, the other was 999. Thus, > 999000 characters would have to go past before the system repeated. HOWEVER, > once it does repeat, all security is compromized. Even before that time, > I believe there are subtle attacks you can use based on the repetition of the > keys. So, this is not a secure cipher method. I would personally > suggest tacking an 128 bit IDEA key onto 4dos.com instead. Or use > DES even. The point wasn't to be unbreakably secure; it was to be UNFINDABLY secure. We convolute an allready encrypted message to the point of not being recognizable as cyphertext, then we hide it on the end of a file. We want it to look like garbage. > BTW: Though you could come up with a 30Kb+ string which when XORed would > give you any plaintext, you could not come up with a few small strings > which when used over each other would give you that. There just isn't enough > information to make that possible. Agreed. This leaves us with several OTP's laying around in zip format. This isn't so bad as long as we don't forget the original 7 keys. The main purpose of all of this is plausible deniability. Thanx for your comments. Still listening. +-----------------------+-----------------------------+---------+ | J. Michael Diehl ;-) | I thought I was wrong once. | PGP KEY | | mdiehl at triton.unm.edu | But, I was mistaken. |available| | mike.diehl at fido.org | | Ask Me! | | (505) 299-2282 +-----------------------------+---------+ | | +------"I'm just looking for the opportunity to be -------------+ | Politically Incorrect!" | +-----If codes are outlawed, only criminals wil have codes.-----+ +----Is Big Brother in your phone? If you don't know, ask me---+ From fnerd at smds.com Tue Jul 13 17:52:09 1993 From: fnerd at smds.com (FutureNerd Steve Witham) Date: Tue, 13 Jul 93 17:52:09 PDT Subject: PGP 2.3 now avail for Intergraph Clipper CPU Message-ID: <9307132318.AA16955@smds.com> paul at poboy.b17c.ingr.com (Paul Robichaux) says: > I recently finished porting and testing PGP 2.3 for the Intergraph Clipper > C400 CPU. ... Bravo! Cypherpunk makes moral statement and scores rhetorical point with code! Except, I wish the targets of the joke could decode it. -fnerd quote me From RCLARKE at ac.dal.ca Tue Jul 13 17:58:15 1993 From: RCLARKE at ac.dal.ca (RCLARKE at ac.dal.ca) Date: Tue, 13 Jul 93 17:58:15 PDT Subject: subscribe Egon Message-ID: <01H0ICA6XZZ600556T@AC.DAL.CA> subscribe Egon From jet at nas.nasa.gov Tue Jul 13 19:11:17 1993 From: jet at nas.nasa.gov (J. Eric Townsend) Date: Tue, 13 Jul 93 19:11:17 PDT Subject: collecting references on parallel implementations of crypto s/w Message-ID: <9307140211.AA11496@boxer.nas.nasa.gov> Any pointers? I'm about to head off to Boston for two weeks to do work at a vendor, need some 'light reading' for the hotel and plane... -- J. Eric Townsend jet at nas.nasa.gov 415.604.4311| personal email goes to: CM-5 Administrator, Parallel Systems Support | jet at well.sf.ca.us NASA Ames Numerical Aerodynamic Simulation |--------------------------- PGP2.2 public key available upon request or finger jet at simeon.nas.nasa.gov From mdiehl at triton.unm.edu Tue Jul 13 20:02:25 1993 From: mdiehl at triton.unm.edu (J. Michael Diehl) Date: Tue, 13 Jul 93 20:02:25 PDT Subject: new crypto standard to be announced In-Reply-To: <9307131513.AA12102@toad.com> Message-ID: <9307140302.AA09844@triton.unm.edu> According to smb at research.att.com: > > Today's NY Times says that Novell and a bunch of other companies (including > AT&T, but I haven't been able to track down any details yet) *and* It would seem that AT&T has taken waffing-lessons from Clinton. They are now on both sides of the game, if this report is true. > the British Ministry of Defense are going to announce a new crypto > standard. The article indicated that RSA and DES were going to be > used, and portrayed the announcement as a rebuff to Clipper. Maybe Billary is too..... ;^) +-----------------------+-----------------------------+---------+ | J. Michael Diehl ;-) | I thought I was wrong once. | PGP KEY | | mdiehl at triton.unm.edu | But, I was mistaken. |available| | mike.diehl at fido.org | | Ask Me! | | (505) 299-2282 +-----------------------------+---------+ | | +------"I'm just looking for the opportunity to be -------------+ | Politically Incorrect!" | +-----If codes are outlawed, only criminals wil have codes.-----+ +----Is Big Brother in your phone? If you don't know, ask me---+ From greg at ideath.goldenbear.com Tue Jul 13 20:08:14 1993 From: greg at ideath.goldenbear.com (Greg Broiles) Date: Tue, 13 Jul 93 20:08:14 PDT Subject: Whose opinion? (was Re: anonymous mail) Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Matthew B Landry writes: > On the subject of whether personal postings should be considered > as representing the company, I should point out that: > > 1: NSF and several regional nets have acceptable use policies which > do not permit commercial use. > 2: Messages posted by the company (or by someone who is assumed to > represent the company) would be in violation of these policies if the > messages crossed the applicable networks. I don't think a description of a policy is at all clearly "commercial use". Advertising, and use of net resources in the course of doing business seem to be commercial use - but a discussion with outside folks about policies or conditions doesn't seem to be commercial use. To suggest that net traffic originating at a site with a .com domain name is commercial seems to over-reach. > 3: There is no way to prevent a specific message over usenet from crossing > a specific network. > 4: The owner of a network site (the company) is assumed to be responsible > for any "unacceptable use" traffic that comes from the site. I don't think I buy this one, either. If I can't control traffic (see #3) how is it reasonable to say that I am responsible for it (#4)? > 5: This liability would leave the company open to having its net feed > cut off for such unacceptable use. This assumes that the net feed comes from a provider which restricts commercial use. Some providers (like Alternet) welcome commercial use. > It is therefore in the best interests of any corporation with > Internet/Usenet access to _assume_ that messages posted by its employees > are not company business. It is probably convenient for policymakers to make this assumption. It is, however, perhaps naiive. If I see a posting from Jim Bizdos, I *do* assume that he is speaking for RSADSI/PKP, unless he makes efforts to disclaim such attribution. Ditto for other folks who I know or suspect hold positions of power or influence with other institutions. I suspect other folks on the net react similarly to posts (apparently) coming from people who may have some impact on corporate/institutional policy/behavior. I think it's probably best to assume that people *will* associate what people post from a site's name with that site, especially absent disclaimers to the contrary. -----BEGIN PGP SIGNATURE----- Version: 2.3 iQCVAgUBLEN3H33YhjZY3fMNAQHMAQP/VJX86pXxyZqXaEHsWIeH1cLnjsPW/9cR gfNdp/3KRwZBwLAR/BbqPlfZUnY6VHJKtbJUHVDSMAOcgRZ9E9+3L6ghBFX3J4lO aKS9SnAsEDOSY5PMqAF7z9YShP1FqVuRRq7XKMF6KjIfH/+rIsjj5AR0kSa5BB6p kbBW/jis1U0= =iuOy -----END PGP SIGNATURE----- -- Greg Broiles greg at goldenbear.com Golden Bear Computer Consulting +1 503 465 0325 Box 12005 Eugene OR 97440 BBS: +1 503 687 7764 From jpp at markv.com Tue Jul 13 20:43:52 1993 From: jpp at markv.com (jpp at markv.com) Date: Tue, 13 Jul 93 20:43:52 PDT Subject: Secure comm program, Sockets + LINK In-Reply-To: <9307111507.aa07868@hermix.markv.com> Message-ID: <9307132043.aa10612@hermix.markv.com> My concerns about two way authentication become clear when you concider the LINK+sockets program a substitute for rsh, rexec, login or similar programs. You don't want to be spoofed, and you don't want others using your account. When you are using LINK in the way it was originaly designed, you more or less *have* authentication in both directions. From you to it since discovering a private key given a public key is concidered hard. From it to you since *presumably* the only user able to read the key file on the shared machine is you. The bootstrap problem (how you get the public key to the machine with only unsecure chanels at your disposal) is interesting though. I wonder if it can be solved without DH key exchange? j' From khijol!erc at apple.com Tue Jul 13 22:18:24 1993 From: khijol!erc at apple.com (Ed Carp) Date: Tue, 13 Jul 93 22:18:24 PDT Subject: Whose opinion? (was Re: anonymous mail) In-Reply-To: Message-ID: > > It is therefore in the best interests of any corporation with > > Internet/Usenet access to _assume_ that messages posted by its employees > > are not company business. Someone wrote this, sorry the attribution got cut off. Anyone who thinks that ANYONE on usenet speaks for their company, unless explicitly stated, should have their damned head examined. It was a clear ploy to attempt to get the poor guy fired by someone who disagreed with his opinion and decided to get nasty about it. What an asshole. Unfortunately, it worked. I think Microsoft ought be boycotted for this outrageous crap. IMO. I also think the guy that complained to Microsoft ought to have his head examined ... AFTER his mailbox grows a couple hundred megs or so from outraged people sending him mail expressing THEIR opinion. -- Ed Carp erc at wetware.com 510/659-9560 For anonymous mailers --> anonymus+5300 at charcoal.com "Disagreements are not meant to be challenges. They are just a different reality." -- Risa D'Angeles From TO1SITTLER at APSICC.APS.EDU Tue Jul 13 23:10:37 1993 From: TO1SITTLER at APSICC.APS.EDU (Kragen Sittler) Date: Tue, 13 Jul 93 23:10:37 PDT Subject: sorry if you already read this, but... Message-ID: <930714000544.1441@APSICC.APS.EDU> From: SMTP%"more at hpcwire.ans.net" 13-JUL-1993 23:35:43.74 To: to1sittler at apsicc.aps.edu CC: Subj: 738 ANS CO+RE Security to Use RSA Public Key Cryptography Date: Tue, 13 Jul 1993 22:38:28 -0700 From: More Select News Message-Id: <199307140538.AA23787 at hpcwire.ans.net> To: to1sittler at apsicc.aps.edu Subject: 738 ANS CO+RE Security to Use RSA Public Key Cryptography ANS CO+RE Security to Use RSA Public Key Cryptography ----------------------------------------------------------------------------- Contacts: ANS CO+RE Systems Inc. RSA Data Security Inc. Carol Harvey, Public Affairs Kurt Stammberger, Technology Marketing 703/758-7700 415/595-8782 harvey at ans.net kurt at rsa.com ANS CO+RE's Security Services to Incorporate RSA Public Key Cryptography REDWOOD CITY, CA and ELMSFORD, NY -- ANS CO+RE Systems Inc. announced major new extensions to its advanced InterLock family of security services. The new features focus around the incorporation of RSA Data Security Inc.'s Public Key Cryptosystem. RSA's techniques are widely acknowledged as being the most secure means of data encryption and authentication available today. InterLock is a suite of security services that control access among segments of an enterprise's private IP network and/or among multiple enterprises that communicate over a IP private network. InterLock also controls access between private networks and the public Internet. In addition to RSA key exchange- enabled end-to-end encryption, InterLock services include TELNET, FTP, SMTP, X windows, and NNTP. Network access is controlled by a rule base that can be configured for each user according to userid, network service, inbound/outbound connection, time of day, day of week, public/private network and/or host address, authentication method and enforced encryption. ANS CO+RE developed the new product with RSA's BSAFE 2.0 toolkit, the world's best-selling cryptography software developer's kit. BSAFE is the same toolkit that served as the encryption "engine" for the developers of Novell NetWare 4.0, Lotus Notes, WordPerfect InForms and Fischer International Workflow.2000. BSAFE provides an easy path towards integration of state-of- the-art encryption and digital signature technology -- without requiring the developer to have a background in cryptography or number theory. RSA security technology is a standard on the Internet, the world's largest network, and on the secure networks of businesses and financial institutions worldwide. RSA president Jim Bidzos, commenting on the deal, said, "As the Internet grows, more and more confidential and mission-critical data is flowing over it -- unfortunately, the open nature of the Internet makes that information relatively easy to steal, alter or forge. The RSA-based Internet PEM (privacy-enhanced mail) standards have provided a good start by offering secure messaging capabilities to Internet users -- but now any IP user can get a complete network security implementation, with RSA built right in, with ANS CO+RE InterLock." Al Hoover, VP of Information and Applications for ANS CO+RE stated, "We've been looking to incorporate a public-key based key management system that is both as advanced as the other InterLock services and easy to integrate. RSA's Public Key Cryptography fills that need perfectly, and we will be pleased to offer it to our customers beginning in the fourth quarter of this year. It represents our continuing efforts to build on our foundation of quality security services." RSA Data Security Inc. is a recognized world leader in cryptography. The Company develops and markets software developer's kits, end-user products, and provides comprehensive consulting services in the cryptographic sciences. RSA technology has been embedded in the products of companies such as IBM, Apple Computer, DEC, Microsoft, Sun Microsystems, Novell, Lotus, Motorola, Northern Telecom, AT&T, WordPerfect, Fischer International, General Electric, Hughes and many others. Founded in 1982 by the inventors of the patented RSA Public Key Cryptosystem, the company is headquartered in Redwood City, California. ANS CO+RE Systems, Inc. is a wholly owned subsidiary of Advanced Network & Services, Inc. of Elmsford, NY. In addition to offering network security services, the company markets attachments to its nationwide T3 backbone network, and provides other related support, such as network management outsourcing, network design and engineering, and systems integration. ----------------------------------------------------------------------------- InterLock and the InterLock logo are servicemarks of ANS CO+RE Systems Inc. X Windows is a trademark of the Massachusetts Institute of Technology. The RSA logo and BSAFE are trademarks of RSA Data Security, Inc. Copyright 1993 HPCwire. From remail at tamsun.tamu.edu Tue Jul 13 23:19:46 1993 From: remail at tamsun.tamu.edu (remail at tamsun.tamu.edu) Date: Tue, 13 Jul 93 23:19:46 PDT Subject: REMAILER HEADERS Message-ID: <9307140619.AA11420@tamsun.tamu.edu> Some of you know the sender of the below message, please don't blow my cover, I'm testing the remailers and people's knowledge of message id's (if that would even be an accurate way of tracing the message). Cypherpunks remailer addresses and headers from those sites appear below. If you can trace the origin (sender) of this message please send me mail personally rather than to the list. I'm using my favorite remailer here and I want to make sure it's working right. I have sent mail to the below sites as a test for anonymous remailing returns and to see what headers I get back. It has been maybe 4 days now since I began this experiment, some of the sites below have still not remailed my test message. My main curiosity in this quest is to determine what each header will look like when the mail is recieved. I think this is important in determining which remailer to use. The below is the list of remailers with the "unique header to remailer" info below each site number. If you wish to discuss this matter further, please send a follow up message to the cypher list with your address included and "Re: Unique header". I'm really not too concerned about remaining anonymous, I just want to see if this scheme is really airtight! Thanks! -z A typical mail header looks similar to the below: (I have removed the date, time, etc. to protect my privacy) >From rebma!remailer at kksys.mn.org Thu Jul x 00:38:01 1993 Received: by ahost.some.school.edu (5.57/Ultrix3.0/cc-ix.mc-1.5) id AA02491; Thu, x Jul 93 19:00:54 -0500 Received: from kksys.mn.org by uum1.mn.org with bsmtp (Smail3.1.28.1 #3) id m0oE6Du-00007JC; Thu,x Jul 93 00:21 CDT Received: from rebma by kksys.mn.org with uucp (Smail3.1.28.1 #13) id m0oE5jG-0007TsC; Thu,x Jul 93 00:50 CDT Received: by rebma.rebma.mn.org (Smail3.1.28.1 #1) id m0oE6nS-0002CzC; Thu, 8 Jul 93 17:58 PDT Message-Id: Date: Thu, x Jul 93 17:58 PDT To: me at myhost.some.school.edu From: nobody at rebma.rebma.mn.org Subject: 9 Remailed-By: Mr. Nobody Status: O ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Check out the pub/cypherpunks directory at soda.berkeley.edu (128.32.149.19). Instructions on how to use the remailers are in the remailer directory, along with some unix scripts and dos batch files. ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ =========This is where the list of remailers and headers begins=========== *** Please keep in mind that in the below I included only the "unique to *** remailer" parts of the header.*** 1: nowhere at bsu-cs.bsu.edu From: Anonymous To: omitted X-Remailed-By: Anonymous X-Ttl: 0 X-Notice: This message was forwarded by a software- automated anonymous remailing service. 2: hh at cicada.berkeley.edu From: nobody at cicada.berkeley.edu 3: hh at pmantis.berkeley.edu No response after 4 days 4: hh at soda.berkeley.edu From: nobody at soda.berkeley.edu Remailed-By: Eric Hollander 5: 00x at uclink.berkeley.edu From: nobody at uclink.berkeley.edu Remailed-By: Tommy the Tourist 6: hal at alumni.caltech.edu From: nobody at alumni.cco.caltech.edu Comments: This message is NOT from the person listed in the From line. It is from an automated software remailing service operating at that address. Please report problem mail to . 7: ebrandt at jarthur.claremont.edu From: nobody at eli-remailer Remailed-By: Eli Brandt Source-Info: From (or Sender) name not authenticated. 8: phantom at mead.u.washington.edu No response after 4 days 9: remailer at rebma.mn.org From: nobody at rebma.rebma.mn.org Remailed-By: Mr. Nobody ** The reamiler at rebma.mn.org took 3+ days to remail. This could be an advantage to some, disadvantage to others. You decide. 10: elee7h5 at rosebud.ee.uh.edu From: nobody at rosebud.ee.uh.edu 11: hfinney at shell.portal.com From: nobody at shell.portal.com Comments: This message is NOT from the person listed in the From line. It is from an automated software remailing service operating at that address. Please report problem mail to . 12: remail at tamsun.tamu.edu From: remail at tamsun.tamu.edu Remailed-By: Anonymous 13: remail at tamaix.tamu.edu From: remail at tamsun.tamu.edu Remailed-By: Anonymous 14: remailer at utter.dis.org Received: by soda.berkeley.edu (5.65/KAOS-1) id AA13859; Tue, 6 Jul 93 03:09:09 -0700 Received: by merde.dis.org (4.1/SMI-4.2) id AA04354; Tue, 6 Jul 93 03:11:48 PDT From: nobody at dis.org Remailed-By: remailer bogus account 15: remail at extropia.wimsey.com No response ever! ...unless you use encryption. Details will follow in the near future. NOTES: #1-#5 no encryption of remailing requests #6-#14 support encrypted remailing requests #15 special - header and message must be encrypted together #9,#14,#15 introduce larger than average delay (not direct connect) #9,#14,#15 running on privately owned machines From gnu Tue Jul 13 23:24:34 1993 From: gnu (John Gilmore) Date: Tue, 13 Jul 93 23:24:34 PDT Subject: Hoptoad disk screwup Message-ID: <9307140624.AA10036@toad.com> The partition that holds /var/spool has had two hiccups in the last few days. This has caused some downtime, and possibly caused some mail to be lost. As far as I know, the NSA didn't do it :-))), so y'all can keep your paranoia at the usual level, whatever that is. John From wmo at rebma.rebma.mn.org Tue Jul 13 23:43:00 1993 From: wmo at rebma.rebma.mn.org (Bill O'Hanlon) Date: Tue, 13 Jul 93 23:43:00 PDT Subject: Remailer comments Message-ID: While checking for problems in the rebma remailer's logs, I noticed the following: Some folks have sent PGP encrypted test messages without including the :: Encrypted: PGP text, or the Encrypted: header. Also, some folks have tried some variations on the :: Request-Remailing-To: line, such as just To:, putting the :: and the Request- line together, etc. Those things won't work, and you'll get nothing back. Anyone who has tried to use the remailer here and has failed, send me a note and I'll send you the instructions. Or, I think Karl (Karl Barrus ) has a complete set of information and scripts to help out. Karl, you might consider including a terse list of instructions with your regular remailer mailing. (Oh, to avoid starting the remailer-operator-responsibilities-discussion, I'll state my policy on logs on this machine. I glance at 'em to make sure that there aren't any errors in the scripts, and then I remove 'em. If you're going to be an asshole via my remailer, I'd appreciate it if you used PGP so that there's no clear text here, so that I don't have to ever revise this simple policy.) -Bill From clark at metal.psu.edu Wed Jul 14 00:43:04 1993 From: clark at metal.psu.edu (Clark Reynard) Date: Wed, 14 Jul 93 00:43:04 PDT Subject: Relation between number theory and cryptography Message-ID: <9307140815.AA03221@metal.psu.edu> Hi. Me again. I asked this one a while back and got no response. sci.crypt was equally unresponsive. It concerns the possibly obscure relation between cryptography, number theory and information theory. Is there considered to be a one-to-one isomorphism between the units in a plaintext-cyphertext pair? By this, I mean, are they considered to contain the same information? If not, does encryption lessen or increase the amount of information in the units of the plaintext-cyphertext pair, and why? Is this affected by whether or not the key is known? If the key has been irretrievably lost, does this lessen the amount of information, or does the 'potential' informational content remain the same? Is cryptography considered to be as simple as, say, Huffman coding, for purposes of informational content? That is, is the relationship between the units of a plaintext-cyphertext pair considered to be more or less 'transparent,' or entirely isomorphic? Does the Second Law of Thermodynamics enter into this? Is there a minimum amount of energy required to extract information from cyphertext, or a minimum amount of waste of energy? If these questions are too difficult to answer in a short article, does anyone have citations to a source which could explain this to me? I'm not certain how much research has been done into this rather esoteric topic, and my main interest is theoretical, though I'd be interested in knowing any practical applications of information theory and number theory to cryptography. ---- Robert W. Clark Just Say No! to the rclark at nyx.cs.du.edu Big Brother Chip From clark at metal.psu.edu Wed Jul 14 00:45:41 1993 From: clark at metal.psu.edu (Clark Reynard) Date: Wed, 14 Jul 93 00:45:41 PDT Subject: WARNING: NON-CYPHERPUNK QUESTION Message-ID: <9307140818.AA03244@metal.psu.edu> WARNING: NON-CRYPTOPRIVACY-RELATED QUESTION FOLLOWS: Are there any fast, quick, reliable methods of forestalling phone disconnection due to failure to pay the bills, and the ugly reconnection fee which ensues thereupon? Being a professional deadbeat, and having given up phone phreaking since my nasty bust--I did get off better than poor Phiber, though--, I find phone rates extortionate. This is not to say that I do not intend to pay the phone bill; I have no choice, since there is, as in most areas, only ONE phone company for local service. What might have been called a 'vertical monopoly' in the days of the robber barons, who have been reincarnated as phone company magnates. In either case, does anyone know of any federal laws which one can cite to delay a phone service shutdown? I only need about two or three weeks before I can pay in full (I'm waiting on some blasted residuals on work I did months ago). I've kind of stalled on this, and now have until Friday before the axe-man cometh. If you believe that your answer to THIS question would be relevant to the list at large, please post. If not, send it to me personally. But please hurry; by Friday, I may not be able to receive your mail. [Oh, and for a partial answer to the second question, for anyone in the same circumstance: try 'sickness in the family' and be vague. If you've had a cold, it's more or less an honest excuse. When the representative of the phone company goes silent, after asking for the minimum you can pay immediately, do not say anything. They are instructed to remain silent (as are any salesmen, myself included) and wait for an answer. Just stay on the line and not say anything. I waited five minutes. Eventually they start to talk; THEN, you've won the silence-battle. Get them to cough up the absolute minimum, and send THAT to them. Complain about the disconnect notice, saying you just got it, and it was for days ago. Then ask how you can pay it before the time allotted, since if you sent it out today, it might not be there for days. Get an extension. Send them less than you said you would, claiming any full-bore lie you can imagine; I used "car repairs," which was half-true. With similar half-truths you can forestall disconnection for months. However, I have reached the point where the phone company is rapidly losing patience, and I want to know of any sure-fire methods of delaying them.] Thank you for your kind consideration and indulgence. From mbl at mail.msen.com Wed Jul 14 07:16:17 1993 From: mbl at mail.msen.com (Matthew B Landry) Date: Wed, 14 Jul 93 07:16:17 PDT Subject: Whose opinion? (was Re: anonymous mail) Message-ID: > > 1: NSF and several regional nets have acceptable use policies which > > do not permit commercial use. > > 2: Messages posted by the company (or by someone who is assumed to > > represent the company) would be in violation of these policies if the > > messages crossed the applicable networks. > > I don't think a description of a policy is at all clearly "commercial use". > Advertising, and use of net resources in the course of doing business seem > to be commercial use - but a discussion with outside folks about policies > or conditions doesn't seem to be commercial use. To suggest that net traffic > originating at a site with a .com domain name is commercial seems to > over-reach. If you don't think that talking to the public about what your company is doing constitutes commercial activity, I have some friends in the corporate media relations business who would be very interested to know about that. > > > 3: There is no way to prevent a specific message over usenet from crossing > > a specific network. > > 4: The owner of a network site (the company) is assumed to be responsible > > for any "unacceptable use" traffic that comes from the site. > > I don't think I buy this one, either. If I can't control traffic (see #3) > how is it reasonable to say that I am responsible for it (#4)? I didn't say that it was reasonable, only that it was true. > > > 5: This liability would leave the company open to having its net feed > > cut off for such unacceptable use. > > This assumes that the net feed comes from a provider which restricts > commercial use. Some providers (like Alternet) welcome commercial use. But I don't know of any providers which encourage people to send traffic over government nets which violates government policies. As long as the traffic stays within the commercial net, they're happy, but I don't know of any provider that doesn't have a policy staing that its users must follow the policies for any other networks that their traffic crosses. Usenet posts will almost by definition cross all of the IP nets, so they should conform to all of the acceptable use policies. (So far as I know, this has never been enforced, but it's still the rule. > > however, perhaps naiive. If I see a posting from Jim Bizdos, I *do* assume > that he is speaking for RSADSI/PKP, unless he makes efforts to disclaim such We aren't talking about Jim Bizdos. I agree that it's fair to assume he speaks for PKP. But mail originating from a company machine doesn't necessarily come from someone who speaks for the company. -- Matthew B. Landry | mbl at mail.msen.com President of Project SAVE | (313)971-5469 (H/W) My opinions are my most prized posession. I don't share them. From pmetzger at lehman.com Wed Jul 14 08:47:40 1993 From: pmetzger at lehman.com (Perry E. Metzger) Date: Wed, 14 Jul 93 08:47:40 PDT Subject: xor data hiding? In-Reply-To: <9307140017.AA03238@triton.unm.edu> Message-ID: <9307141547.AA28336@snark.shearson.com> J. Michael Diehl says: > According to Douglas Sinclair: > The point wasn't to be unbreakably secure; it was to be UNFINDABLY > secure. We convolute an allready encrypted message to the point of > not being recognizable as cyphertext, then we hide it on the end of > a file. We want it to look like garbage. Cyphertext from any decent system ALREADY looks random. Whats the point of doing more to it? Perry From pmetzger at lehman.com Wed Jul 14 09:01:14 1993 From: pmetzger at lehman.com (Perry E. Metzger) Date: Wed, 14 Jul 93 09:01:14 PDT Subject: Secure comm program, Sockets + LINK In-Reply-To: <9307132043.aa10612@hermix.markv.com> Message-ID: <9307141600.AA28360@snark.shearson.com> jpp at markv.com says: > The bootstrap problem (how you get the public key to the machine > with only unsecure chanels at your disposal) is interesting though. I > wonder if it can be solved without DH key exchange? You can't even solve the problem with DH key exchange -- you are subject to "man in the middle" attacks. You must share SOME information via a secure channel in order to have both authentication and privacy on a channel. However, the information exchanged could be small and fairly one-time -- like the public key of a trusted entity that signs other public keys. Perry From jim at tadpole.com Wed Jul 14 10:52:57 1993 From: jim at tadpole.com (jim at tadpole.com) Date: Wed, 14 Jul 93 10:52:57 PDT Subject: Secure comm program, Sockets + LINK Message-ID: <9307141752.AA00397@ono-sendai> > You can't even solve the problem with DH key exchange -- you are > subject to "man in the middle" attacks. You must share SOME > information via a secure channel in order to have both authentication > and privacy on a channel. However, the information exchanged could be > small and fairly one-time -- like the public key of a trusted entity > that signs other public keys. How do STU-III phones work then? Do they have some key in rom? Jim From pmetzger at lehman.com Wed Jul 14 10:57:08 1993 From: pmetzger at lehman.com (Perry E. Metzger) Date: Wed, 14 Jul 93 10:57:08 PDT Subject: Secure comm program, Sockets + LINK In-Reply-To: <9307141752.AA00397@ono-sendai> Message-ID: <9307141756.AA28722@snark.shearson.com> jim at tadpole.com says: > > > You can't even solve the problem with DH key exchange -- you are > > subject to "man in the middle" attacks. You must share SOME > > information via a secure channel in order to have both authentication > > and privacy on a channel. However, the information exchanged could be > > small and fairly one-time -- like the public key of a trusted entity > > that signs other public keys. > > How do STU-III phones work then? Do they have some key in rom? I dunno enough about STU-III phones. Maybe they don't care about man in the middle, or maybe they use fixed conventional of some sort for authentication. I have a vague memory of someone telling me that some of them have code keys. However, just as an exercise, I suggest people convince themselves of how easy it is to play "man in the middle" on a D-H connection. Its valuable to go through it in your head. .pm From smb at research.att.com Wed Jul 14 11:36:49 1993 From: smb at research.att.com (smb at research.att.com) Date: Wed, 14 Jul 93 11:36:49 PDT Subject: Secure comm program, Sockets + LINK Message-ID: <9307141836.AA25170@toad.com> > You can't even solve the problem with DH key exchange -- you are > subject to "man in the middle" attacks. You must share SOME > information via a secure channel in order to have both authenticatio n > and privacy on a channel. However, the information exchanged could b e > small and fairly one-time -- like the public key of a trusted entity > that signs other public keys. How do STU-III phones work then? Do they have some key in rom? RAM, actually. The phones are keyed for some set of individuals; these keys are tied to ``crypto ignition keys'' possessed by these individuals. When you insert your key, the phone knows who you are, and transmits a certificate containing your public key to the far end. Other information in the certificate includes your security clearance, and (I think) your name. On some models at least, the key storage can be erased instantly by pressing a single button. The uses for that feature are obvious... I highly commend this paper to the cypherpunks readership: @article{Diffie88, author = {Whitfield Diffie}, journal = {Proceedings of the IEEE}, month = {May}, number = {5}, pages = {560--577}, title = {The First Ten Years of Public Key Cryptography}, volume = {76}, year = {1988} } From wcs at anchor.ho.att.com Wed Jul 14 14:06:02 1993 From: wcs at anchor.ho.att.com (Bill_StewartHOY0021305) Date: Wed, 14 Jul 93 14:06:02 PDT Subject: Secure comm program, Sockets + LINK Message-ID: <9307142023.AA01586@anchor.ho.att.com> > > How do STU-III phones work then? Do they have some key in rom? I don't remember the details (and if I did I'd have to kill you :-), but they use a little plastic key-shaped dongle that's got some memory in it, probably EEPROM, which contains keying information. Each key works in only a few phones, and each phone only supports a few keys. The keying information tells it what level of classification the phone is authorized for when the key is in it, and phone calls negotiate that when they set up. If the phone decides it doesn't like something, it's able to zero out the key's memory. > I dunno enough about STU-III phones. Maybe they don't care about man > in the middle, or maybe they use fixed conventional of some sort for > authentication. I have a vague memory of someone telling me that some > of them have code keys. When you're making a TOP SECRET phone call, you *do* care about man in the middle, just as you care about being in a soundproofed room. The session key exchange is done with Diffie-Hellman with authentication; I'm not sure if the authentication uses public-key or secret-key technology, but my guess is it's basic secret-key stuff. The military version of the phone uses classified secret-key algorithms, so presumably the key handling does too. Bill From peb at PROCASE.COM Wed Jul 14 14:31:11 1993 From: peb at PROCASE.COM (Paul Baclace) Date: Wed, 14 Jul 93 14:31:11 PDT Subject: Relation between number theory and cryptography Message-ID: <9307142130.AA08720@banff.procase.com> These are very interesting questions. I like the idea that the physical work of encryption and decryption might be accounted for by the increased entropy of the message. >Is this affected by whether or not the key is known? If the key is unknown, then the meaning or affect of the message on the recipient is that of noise (or more accurately, "this message exists but you can't read it"), but information theory has nothing to say about this since it is concerned only with the communication itself. Perhaps the AI theory of Language As Action could be connected to information theory (yeah, recast meaning as communication to a homunculous...) Somewhere I have a paper on Maxwell's Daemon and Data Compression, which seems related to this. I can dig it up if you want a ref. (I haven't read it yet; it's ftp available.) Paul E. Baclace peb at procase.com From fergp at sytex.com Wed Jul 14 14:56:09 1993 From: fergp at sytex.com (Paul Ferguson) Date: Wed, 14 Jul 93 14:56:09 PDT Subject: The right to be secure (fwd Computerworld article) Message-ID: ComputerWorld Volume 27, Number 28 July 12, 1993 page 28 Advanced Technology The right to be secure Government-backed data security standard raises Big Brother issues By James Daly Two months ago, the Clinton administration dropped a bomb on the world of computer security. In an effort to assist law enforcement officers looking for a legal back door into coded criminal communications, officials from the National Institute of Standards and Technology (NIST) and the National Security Agency (NSA) said they intend to establish as a federal standard an approach to voice and data encryption called "key escrow." This method would require the technology needed to unlock a coded conversation to be kept by government-approved agencies and retrieved in the event of government-approved wiretaps. Data encryption would be done in silicon via a device called the "Clipper chip," which would be installed in machines needing its coding and decoding capabilities. To put it mildly, the Clipper chip proposal has generated a lot of excitement among privacy advocates who fear abuses by a technologically empowered Big Brother. Computerworld recently tried to talk with officials from both the NIST and the NSA to further explore the Clipper issue, but neither allowed a face-to-face interview with a staff member. Instead, we had to submit written questions. Here are the answers provided by officials from the NIST and the NSA. Q. The proposed Clipper chip technology has generated an awful lot of acrimony since it was announced in April. Has the government lessened its level of commitment to the chip? A. The administration remains committed too the initiative and is proceeding with the following actions: the acquisition of key escrow encryption devices by law enforcement agencies; the naming of key escrow agents to hold the keys for the key escrow microcircuits and the establishment of procedures by the attorney general for the access of the keys; the evaluation of the key escrow encryption algorithm by respected experts; the promulgation of a standard by the secretary of commerce to facilitate the procurement and use of key escrow encryption devices in federal communications systems; and the comprehensive review of encryption policy. In addition, discussions with industry and other concerned groups have proved very productive. The administration does not intend to arbitrarily end its study of the issue while helpful consultations are under way. It should also be understood that the use of products implementing the key escrow encryption microcircuit is voluntary. There has been no attempt to either mandate its use or to deny the entry of other encryption technologies into the marketplace. Q. Privacy advocates say that if the keys needed to de-crypt data are placed in the hands of government authorities, there is the potential for abuse. What kinds of safeguards would be implemented to prevent this? A. The government may conduct electronic surveillance only when lawfully authorized. Moreover, the key escrow procedures being developed provide that each key will be split into two parts, and different key escrow authorities will hold each part. Neither part alone can be used to decrypt messages. To obtain the key needed to unlock the encryption, law enforcement must present evidence of its authority for a key, typically a court order, to both key escrow authorities. Finally, the system will be designed to ensure that law enforcement destroys the keys it receives when its authority to conduct the electronic surveillance has expired. Q. Vendors who have extensive business overseas say they would not be able to sell Clipper-equipped machines on foreign shores. How do you respond? A. Key-escrowed products will be exportable to U.S. persons and companies operating overseas. One issue under consideration in the presidential review is whether a broader export policy is advisable. Should a broader export policy be adopted, we believe products implementing the key escrow technology will find favor among consumers who desire the superb encryption security offered. Q. If Clipper would be the standard, would the use of non-Clipper encryption devices be outlawed? If so, how would you find out who was using these non-Clipper devices? A. No. Use of key-escrowed products by the private sector would be entirely voluntary. Federal agencies will have the option of using this technology once it becomes a Federal Information Processing Standard. DES [Data Encryption Standard], the existing federal encryption standard, will still be available for use in federal systems. Q. Regarding DES, some security experts say that with powerful chips such as Pentium already on the market and the 686 and 786 in design stages, DES is getting near to being crackable. Is DES nearing the end of its useful life? A. NIST will recommend that DES be renewed for another five years as a Federal Information Processing Standard. We do recognize, however, that as computer technology advances, the expected effort needed to break DES-encrypted messages decreases. In time, DES will become less valuable for securing sensitive information. Q. What eventually made DES and other cryptosystems acceptable was their ease of use in software. Do you feel companies will be willing to go back to the hassle and additional expenses of hardware-based cryptography? A. Again, we must emphasize that use of this technology is voluntary. Software containing other cryptosystems is still available to consumers. As for use of this technology in hardware, new products are already being developed to lessen the "hassle" of hardware-based cryptography. One example would be its use of PCMCIA [Personal Computer Memory Card International Association] cards. Moreover, encryption implemented in software generally provides less security than hardware encryption. Q. What happens when the Clipper chip's technology cannot keep up with faster networks and becomes a bottleneck? Do we then have to have a multiyear review process wherein we select a Clipper-2 chip and retrofit all the devices across the country? A. We expect the key escrow microcircuits will be enhanced to keep pace with future data requirements. As with the introduction of any next-generation technology, consumers will decide the extent to which they require, and are willing to pat for, the new technology. We do not envision an "across the country" retrofit of all devices. Q. What should the role of the government, if any, in developing a nationwide computer security policy guideline? A. The government has a strong interest in computer security policies in light of the federal agencies' need to protect their own information: for law enforcement agencies to conduct lawfully authorized electronic intercepts in order to combat crime and terrorism; to protect national security through export controls of cryptographic technologies; and the growing U.S. economic interest in protecting corporations and citizens' information that is stored and transmitted electronically. That does not mean, however, that a government-imposed security policy is appropriate. Government must be actively involved in setting computer security standards for its own use and making its technology, expertise and guidance available to the private sector when requested and appropriate. Private sector organizations can then make appropriate risk-based, cost-effective decisions as to protecting their information assets. Paul Ferguson | "Confidence is the feeling you get Network Integrator | just before you fully understand Centreville, Virginia USA | the problem." fergp at sytex.com | - Murphy's 7th Law of Computing Quis Custodiet Ipsos Custodes? From 72440.2236 at CompuServe.COM Wed Jul 14 16:53:23 1993 From: 72440.2236 at CompuServe.COM (Michael Glazer) Date: Wed, 14 Jul 93 16:53:23 PDT Subject: PGP Message-ID: <930714235026_72440.2236_EHB28-1@CompuServe.COM> Folks, I'm trying to learn more about practical cryptography in general and PGP and similar programs in particular. Any advice? Thanks in advance. Michael From TO1SITTLER at APSICC.APS.EDU Wed Jul 14 17:35:23 1993 From: TO1SITTLER at APSICC.APS.EDU (Kragen Sittler) Date: Wed, 14 Jul 93 17:35:23 PDT Subject: stu-iii phones Message-ID: <930714183032.189c@APSICC.APS.EDU> I believe that there is a centralized location keeping track of which phones have which keys, etc. Don't quote me, this is just a piece of information that I ran across somewhere(dunno where) and may be inaccurate. kragen From M..Stirner at f28.n125.z1.FIDONET.ORG Wed Jul 14 18:16:37 1993 From: M..Stirner at f28.n125.z1.FIDONET.ORG (M. Stirner) Date: Wed, 14 Jul 93 18:16:37 PDT Subject: Mail failed, returning to Message-ID: <1091.2C449C47@shelter.FIDONET.ORG> Uu> * Reply to msg originally in u_privacy AS> Is the anonymous server in Finland (anon at anon.penet.fi) down for good? Uu> We shall see. There may be monkey business afoot. Charcoal is also Uu> down. We'll see if this message goes through. Mail to Penet did indeed bounce. What's going on? There has been no mail from cypherpunks at toad.com for well over a week at this site. Mail to cypherpunks bounces showing insane routing. Charcoal is down. Penet is down. Most cypherpunks remailers are down. What's going on? Did the cypherpunks piece on The Hightower Report finally get Deadly Attention? Anyone? ********************************************************************* * - PGP Key D30909 via servers * * > What country can preserve its liberties if its rulers are not <* * > warned from time to time that their people preserve the spirit <* * > of resistance? Let them take arms!" - Thomas Jefferson, 1787 <* ********************************************************************* ___ Blue Wave/QWK v2.12 -- M. Stirner - via FidoNet node 1:125/1 UUCP: ...!uunet!kumr!shelter!28!M..Stirner INTERNET: M..Stirner at f28.n125.z1.FIDONET.ORG From wcs at anchor.ho.att.com Wed Jul 14 18:51:31 1993 From: wcs at anchor.ho.att.com (Bill_StewartHOY0021305) Date: Wed, 14 Jul 93 18:51:31 PDT Subject: The right to be secure (fwd Computerworld article) Message-ID: <9307150109.AA04795@anchor.ho.att.com> Paul Ferguson sent out a copy of a ComputerWorld article "The right to be secure" (ComputerWorld, Volume 27, Number 28, July 12, 1993, page 28, James Daly), which had NIST/NSA Q&A on Clipper. A couple things were mildly interesting (assertion that use of escrow products would be voluntary (if we can trust them)), but one was complex and nasty: To obtain the key needed to unlock the encryption, law enforcement must present evidence of its authority for a key, typically a court order, to both key escrow authorities. ^^^^^^^^^^^^^^^^^^^^^^^^ Finally, the system will be designed to ensure that law enforcement destroys the keys it receives when its authority to conduct the electronic surveillance has expired. "Typically", of course, means "not always", and it's coupled with the phrase "establishment of procedures by the attorney general for the access of the keys" in a previous answer, which means that anything the attorney general wants, he can get. It also suggests that keys *can* be kept longer than court orders permit if the attorney general wants. Bill Stewart From honey at citi.umich.edu Wed Jul 14 19:02:10 1993 From: honey at citi.umich.edu (peter honeyman) Date: Wed, 14 Jul 93 19:02:10 PDT Subject: PGP Message-ID: <9307150202.AA02423@toad.com> my advice is to obtain a copy of pgp, play with it, and read the docs. the sci.crypt faq is also valuable. peter From shipley at tfs.COM Wed Jul 14 19:20:30 1993 From: shipley at tfs.COM (Peter Shipley) Date: Wed, 14 Jul 93 19:20:30 PDT Subject: The right to be secure (fwd Computerworld article) In-Reply-To: <9307150109.AA04795@anchor.ho.att.com> Message-ID: <9307150220.AA01203@edev0.tfs.com.TFS> > Finally, the system will be designed to ensure that law > enforcement destroys the keys it receives when its authority > to conduct the electronic surveillance has expired. > >. It also suggests that keys *can* be kept longer than court >orders permit if the attorney general wants. > if also suggests there no safeguard in the system for keys to expire; thus an underground can form for keys since there is no expiration date. From wet!naga Wed Jul 14 20:27:24 1993 From: wet!naga (Peter Davidson) Date: Wed, 14 Jul 93 20:27:24 PDT Subject: PGP tutorial Message-ID: >Date: 14 Jul 93 19:50:26 EDT >From: Michael Glazer <72440.2236 at CompuServe.COM> >Subject: PGP > >Folks, > > I'm trying to learn more about practical cryptography in general > and PGP and similar programs in particular. Any advice? @article{Nathan92, author = {Paco Xander Nathan}, journal = {Fringeware Review}, month = {July}, number = {1}, pages = {17--18}, title = {Tutorial: PGP}, volume = {1}, year = {1992} Fringeware Review is available for $3.50 from Fringeware Inc., P. O. Box 49921, Austin, TX 78765 (512-477-1366, fringeware at wixer.bga.com) This issue also has articles on inter-experiential snorkeling, cruzin' the internet, email lists, tom jennings, the abolition of work, mind control, cyborganics, melt-o-media and even cypherpunx. From julf at penet.FI Wed Jul 14 21:42:53 1993 From: julf at penet.FI (Johan Helsingius) Date: Wed, 14 Jul 93 21:42:53 PDT Subject: Anon down - and up again In-Reply-To: <1091.2C449C47@shelter.FIDONET.ORG> Message-ID: <9307150635.aa05832@penet.penet.FI> (with a broken return address) writes: > Mail to Penet did indeed bounce. Yes. I had a major system failure due to the temperature in the machine room getting close to 90F. The main disk and the CPU board failed. To recover, I have now changed to a new, more powerful machine (again), and while doing that I also changed the OS from Interactive's crap to BSDI. So anon.penet.fi is back again. There might be minor problems due to the new OS. Julf From hfinney at shell.portal.com Wed Jul 14 21:50:10 1993 From: hfinney at shell.portal.com (hfinney at shell.portal.com) Date: Wed, 14 Jul 93 21:50:10 PDT Subject: Relation between number theory and cryptography Message-ID: <9307150419.AA29734@jobe.shell.portal.com> Clark Reynard, , asks about information and cryptography. As I see it, a cyphertext has at most the same information as the sum of the original message, the key, and the encryption algorithm. Without knowing the key a cyphertext may appear random, but actually it is not. If it is the encryption of a lower-information plaintext (such as English text) then it still basically possesses that low level of information, it's just not obvious how to compress it. It's not unusual for different compression algorithms to achieve very different levels of compression. In a sense, these different algorithms disagree about the amount of information in the original data. We discussed digitized speech here some time back. Ordinary compression algorithms such as Lempel- Ziv or Huffman encoding don't compress digitized speech much at all. Special algorithms such as linear predictive coding can achieve great compression. In the same way, there is no contradiction between the fact that an encrypted file looks random and incompressible, and the fact that knowing the key it becomes clear that the file actually can be compressed. Any calculation of the information content of a file can only be considered an upper bound. A more clever algorithm may always exist which will reveal the data to have much less information than was originally thought. This is basically the situation you have when faced with an encrypted file for which you don't have the key. Hal Finney hfinney at shell.portal.com From mdiehl at triton.unm.edu Wed Jul 14 22:24:12 1993 From: mdiehl at triton.unm.edu (J. Michael Diehl) Date: Wed, 14 Jul 93 22:24:12 PDT Subject: Relation between number theory and cryptography In-Reply-To: <9307150419.AA29734@jobe.shell.portal.com> Message-ID: <9307150524.AA03608@triton.unm.edu> According to hfinney at shell.portal.com: > Clark Reynard, , asks about information and cryptography. > > As I see it, a cyphertext has at most the same information as the sum of > the original message, the key, and the encryption algorithm. Without > knowing the key a cyphertext may appear random, but actually it is not. > If it is the encryption of a lower-information plaintext (such as English > text) then it still basically possesses that low level of information, it's > just not obvious how to compress it. Well, you may have placed an upper-limit on the amount of information in an encrypted message. I will try to place a lower limit. Consider the case where there is less information in the ciphertext than in the plaintext. Clearly, in this case, there is no way to retrieve the entire plaintext from the ciphertext since we no longer have enough information. So we have to have at least as much information in the CT as we do in the PT. If I bought your original arguement, I'd have to say there is no net change in information content. Unfortunately, I don't buy your arguement. What if we were to add some noise in the process of crypting the PT? If we did it algorithmicly, we have added some kind of information to your CP, totally unrelated to the actuall message. But nontheless, it is information of SOME type; it may simply be 0xFE if the message was writen in the daytime or 0xAC if not. This is information in a very "uncompressed" form. Strictly speaking this is only 1 bit of information encoded into a byte, but the net result is a gain in information content in our CT. I don't know, is there a flaw in my reasoning? Laters. +-----------------------+-----------------------------+---------+ | J. Michael Diehl ;-) | I thought I was wrong once. | PGP KEY | | mdiehl at triton.unm.edu | But, I was mistaken. |available| | mike.diehl at fido.org | | Ask Me! | | (505) 299-2282 +-----------------------------+---------+ | | +------"I'm just looking for the opportunity to be -------------+ | Politically Incorrect!" | +-----If codes are outlawed, only criminals wil have codes.-----+ +----Is Big Brother in your phone? If you don't know, ask me---+ From mdiehl at triton.unm.edu Wed Jul 14 22:36:32 1993 From: mdiehl at triton.unm.edu (J. Michael Diehl) Date: Wed, 14 Jul 93 22:36:32 PDT Subject: xor data hiding? In-Reply-To: <9307141547.AA28336@snark.shearson.com> Message-ID: <9307150536.AA03891@triton.unm.edu> According to Perry E. Metzger: > J. Michael Diehl says: > > According to Douglas Sinclair: > > The point wasn't to be unbreakably secure; it was to be UNFINDABLY > > secure. We convolute an allready encrypted message to the point of > > not being recognizable as cyphertext, then we hide it on the end of > > a file. We want it to look like garbage. > > Cyphertext from any decent system ALREADY looks random. Whats the > point of doing more to it? Many encryption tools such as ripem, pgp, and dolphin can recognize their own output...which indicates that there is a footprint to that particular implimentation. +-----------------------+-----------------------------+---------+ | J. Michael Diehl ;-) | I thought I was wrong once. | PGP KEY | | mdiehl at triton.unm.edu | But, I was mistaken. |available| | mike.diehl at fido.org | | Ask Me! | | (505) 299-2282 +-----------------------------+---------+ | | +------"I'm just looking for the opportunity to be -------------+ | Politically Incorrect!" | +-----If codes are outlawed, only criminals wil have codes.-----+ +----Is Big Brother in your phone? If you don't know, ask me---+ From ld231782 at longs.lance.colostate.edu Thu Jul 15 00:27:05 1993 From: ld231782 at longs.lance.colostate.edu ( L. Detweiler ) Date: Thu, 15 Jul 93 00:27:05 PDT Subject: reaction to Infoworld NIST/NSA queries Message-ID: <9307150726.AA12754@longs.lance.colostate.edu> This is very interesting information, because it is extremely current and represents the first direct reactions by the behind-the-scenes authorities on some crucial aspects of Clipper and its scalding reception. > It should also be understood that the use of products > implementing the key escrow encryption microcircuit is > voluntary. There has been no attempt to either mandate its use > or to deny the entry of other encryption technologies into the > marketplace. Note in the answer to `has acrimony lessened the government commitment' the feeble whimpering ultimately falls back on the aspect that it is voluntary. Ah, the last refuge of these scoundrels! If there are any plans to restrict or limit domestic cryptography, the policy-makers (and I use the term loosely) are painting themselves into a corner. If the only redeeming feature of Clipper is that it is voluntary, then anything less is wholly unredeeming! But again, the text conspicuously does not rule out that option. > Finally, the system will be designed to ensure that law > enforcement destroys the keys it receives when its authority > to conduct the electronic surveillance has expired. Correct me if I'm wrong, but this is the first time I've seen any official indication of this requirement to `destroy keys after surveillance' -- this *is* clearly an extremely serious weakness with the scheme, and I don't use past tense there because this lip service doesn't remedy it in the least. However, we can take consolation: it appears there have been direct responses to the criticisms of the key escrow aspects. In fact, they appear to have the key-escrow issues thought out to the least (hence my very uneasy suspicions), were surprised by the focused critical analysis, and have been consistently attempting to strengthen the `baroque activities in a vault' (as one esteemed cypherpunk put it). The attempts look a little bit like desperate scramblings to me. They still don't have a clue on the escrow agencies! > Should a broader export policy be adopted, we > believe products implementing the key escrow technology will > find favor among consumers who desire the superb encryption > security offered. `superb'? hee, hee. First claim of security outside of the `superior to many other schemes on the market' weasel quote in the announcement. This sounds like vintage Sternlight. >Q. If Clipper would be the standard, would the use of non-Clipper > encryption devices be outlawed? If so, how would you find out > who was using these non-Clipper devices? > >A. No. Use of key-escrowed products by the private sector would > be entirely voluntary. here they appear to be directly suggesting that they will *not* attempt domestic cryptographic restriction. (?) > Federal agencies will have the option > of using this technology once it becomes a Federal Information > Processing Standard. This little FIPS thing (Federal Information Processing Standard) is clearly very important to all the Clipper conspirators right now (Bidzos is plugging it too, and it was in the PKP-NSA-DSA patent agreement announcement). Is there some way to sabotage the FIPS process? Cypherpunks, this is a critical window. >A. NIST will recommend that DES be renewed for another five years > as a Federal Information Processing Standard. wow, I don't recall seeing that before. >A. Again, we must emphasize that use of this technology is > voluntary. Software containing other cryptosystems is still > available to consumers. they plug the `voluntary' bit so much here you'd think they're talking about Bush's Thousand Points of Light. >A. We expect the key escrow microcircuits will be enhanced to keep > pace with future data requirements. hee, hee. They can't even keep up with *current* requirements. The chips last for an astonishingly durable 2 days. (Actually, with Clipper this is a very attractive feature!) > That does not mean, however, that a government-imposed > security policy is appropriate. Government must be actively > involved in setting computer security standards for its own > use and making its technology, expertise and guidance > available to the private sector when requested and > appropriate. wow. At first I thought this was a typo and the statement was supposed to be `does not mean it is *in*appropriate'. `when requested and appropriate'? Good lord, is this the NSA talking or did they have the day off? Maybe they actually understand they have no domestic legal regulatory standing whatsoever. From ld231782 at longs.lance.colostate.edu Thu Jul 15 00:40:54 1993 From: ld231782 at longs.lance.colostate.edu ( L. Detweiler ) Date: Thu, 15 Jul 93 00:40:54 PDT Subject: Clip the Clipper Consortium Message-ID: <9307150740.AA13067@longs.lance.colostate.edu> This is an AP news release on the industry rumblings we've been hearing about. Novell, AT&T, Citicorp, Hughes Aircraft, Motorola? European Community? British Ministry of Defense? ye gads! (Does GCHQ know about this? Maybe they're not into jumping off bridges like their friend NSA.) [anonymous `White House' Clipper sympathizer] > ``I think this won't drive us crazy,'' the official said. >``We'll look at this and evaluate it on its technical merits.'' hee, hee. Sounds like a hardware engineer in a competing cryptography company. These people simultaneously reside in the U.S. government and Fantasy Land. (Don't you just love that `we're giving this thorough evaluation' phrase? with Clipper it was `hm, what can we actually get away with?' here it's a euphemism for `what the hell are we going to do?') The 64k question of course: what's the CCC algorithm? p.s. if anyone could pass on the Markoff NYT article on the same please post it. ===cut=here=== Group To Set Rules For Computer Encoding< NEW YORK (AP) _ Novell Inc., the leader in network software for corporate computer systems, is set to reveal plans for protecting information stored in computers or transmitted over networks, according to a published report. Novell, leading an international industry group, was to make the announcement in New York on Wednesday, The New York Times reported Tuesday. The announcement was seen as an indirect challenge to the Clinton Administration's effort to impose a national encoding standard for computer and telephone communications, the newspaper said. The other companies involved are AT&T, Computer Associates, Citicorp, Hughes Aircraft, Motorola and smaller firms specializing in data security. Representatives from the European Community standard setting committee and the British Ministry of Defense were also to participate in the announcement. Computer and communications companies, as well as corporate users of information technology, are worried about the government's plan, which would enable it to use wiretaps with a court's authorization, the newspaper said. But an unidentified White House official told the Times that the administration could live with the move. ``I think this won't drive us crazy,'' the official said. ``We'll look at this and evaluate it on its technical merits.'' The government can influence the use of communications encoding standards by controlling what types of hardware and software that companies can export, but it has no legal means of imposing its own standard or of blocking the development of an industry standard. From mike at EGFABT.ORG Thu Jul 15 00:43:47 1993 From: mike at EGFABT.ORG (Mike Sherwood) Date: Thu, 15 Jul 93 00:43:47 PDT Subject: xor data hiding? In-Reply-To: <9307150536.AA03891@triton.unm.edu> Message-ID: <0HwP7B2w165w@EGFABT.ORG> J. Michael Diehl writes: > Many encryption tools such as ripem, pgp, and dolphin can recognize their own > output...which indicates that there is a footprint to that particular > implimentation. in this case, you're just trying to garble what people see so why not just xor "hello, world." /bin/csh or \command.com on top of it to avhieve that result. No need for anything significant, I mean, if you xor 'X' over the whole thing, you've achieved the same result - after all, if someone wants to xor 'X' to knock that level of encryption(if I may call simple substitution "encryption") then it's fair to assume that the person knows it's cyphertext and they want the information below it, so that's a good place to use some decent encryption.. "congratulations, you have found the secret message. send the answer to old pink care of the funny farm" (Pink Floyd, The Wall (backmasking)) is what readily comes to mind when i see what you're getting at.. after all, searching a disk for data that fits specific patterns is one thing, figuring out that one of the index files for a database program with literally hundreds of database files and indecies (I used to work on programming such a database, so I know they exist and that they are a perfect hiding place for just about everything) is actually an encrypted file isn't a walk in the park. anyway, enough babbling - hope some of it makes sense. =) the park -- Mike Sherwood internet: mike at EGFABT.ORG uucp: ...!sgiblab!egfabt!mike From M..Stirner at f28.n125.z1.FIDONET.ORG Thu Jul 15 00:58:15 1993 From: M..Stirner at f28.n125.z1.FIDONET.ORG (M. Stirner) Date: Thu, 15 Jul 93 00:58:15 PDT Subject: mail failed, returnin Message-ID: <1107.2C450191@shelter.FIDONET.ORG> >What's going on? There has been no mail from cypherpunks at toad.com for >well over a week at this site. Mail to cypherpunks bounces showing Uu> There is substantial daily volume on cypherpunks. Maybe some Uu> machine on the way... Presumably, this is the case, though why mail is bouncing from so many places all of a sudden when sent from all over the country, I can't say. I was able to get pings back from penet today after having mail there bounce. I was writing in response to a complaint from another user in the midwest who could no longer get mail to run through penet. . Charcoal's still not working. . Mail has stopped bouncing at cypherpunks at toad.com apparently, though the site that receives cypherpunks for me has been getting nothing for over two weeks. Seems I can send, but that's it. . ********************************************************************* * - PGP Key D30909 via servers * * > What country can preserve its liberties if its rulers are not <* * > warned from time to time that their people preserve the spirit <* * > of resistance? Let them take arms!" - Thomas Jefferson, 1787 <* ********************************************************************* ___ Blue Wave/QWK v2.12 -- M. Stirner - via FidoNet node 1:125/1 UUCP: ...!uunet!kumr!shelter!28!M..Stirner INTERNET: M..Stirner at f28.n125.z1.FIDONET.ORG From ggoebel at sun1.ruf.uni-freiburg.de Thu Jul 15 02:37:38 1993 From: ggoebel at sun1.ruf.uni-freiburg.de (Garrett Goebel) Date: Thu, 15 Jul 93 02:37:38 PDT Subject: unsub (request-cypherpunks not working) Message-ID: <9307150937.AA04241@sun1.ruf.uni-freiburg.de> Please unsubscribe me. I am leaving this node Saturday. for one month, mail from this list will be thrown to /dev/null, thereafter if will bounce back to the list. I have tried the request address... I have writen Eric PLEASE UNSUBSCRIBE ME... Garrett -- C. Garrett Goebel From pmetzger at lehman.com Thu Jul 15 06:50:02 1993 From: pmetzger at lehman.com (Perry E. Metzger) Date: Thu, 15 Jul 93 06:50:02 PDT Subject: PGP tutorial In-Reply-To: Message-ID: <9307151349.AA05001@snark.shearson.com> Rather than pointing people to strange publications we've never heard of written by authors without credentials, might I suggest... 1) The PGP docs themselves are very good and far better as a tutorial on cryptography than any of the "PGP tutorials" that have appeared in the fringe literature. They are also free. 2) Read a real text on cryptography. It isn't a childrens game. Its a real branch of math and computer science, and really bright people devote their lives to it. If you wanted to learn about medicine, would you pick up a professional medical text, or something written in a 'zine by people you hadn't heard of? Perry Peter Davidson says: > > >Date: 14 Jul 93 19:50:26 EDT > >From: Michael Glazer <72440.2236 at CompuServe.COM> > >Subject: PGP > > > >Folks, > > > > I'm trying to learn more about practical cryptography in general > > and PGP and similar programs in particular. Any advice? > > @article{Nathan92, > author = {Paco Xander Nathan}, > journal = {Fringeware Review}, > month = {July}, > number = {1}, > pages = {17--18}, > title = {Tutorial: PGP}, > volume = {1}, > year = {1992} > > Fringeware Review is available for $3.50 from > Fringeware Inc., P. O. Box 49921, Austin, TX 78765 > (512-477-1366, fringeware at wixer.bga.com) > > This issue also has articles on inter-experiential snorkeling, > cruzin' the internet, email lists, tom jennings, the abolition > of work, mind control, cyborganics, melt-o-media and even cypherpunx. > From pmetzger at lehman.com Thu Jul 15 07:05:31 1993 From: pmetzger at lehman.com (Perry E. Metzger) Date: Thu, 15 Jul 93 07:05:31 PDT Subject: xor data hiding? In-Reply-To: <9307150536.AA03891@triton.unm.edu> Message-ID: <9307151405.AA05028@snark.shearson.com> J. Michael Diehl says: > According to Perry E. Metzger: > > J. Michael Diehl says: > > > According to Douglas Sinclair: > > > The point wasn't to be unbreakably secure; it was to be UNFINDABLY > > > secure. We convolute an allready encrypted message to the point of > > > not being recognizable as cyphertext, then we hide it on the end of > > > a file. We want it to look like garbage. > > > > Cyphertext from any decent system ALREADY looks random. Whats the > > point of doing more to it? > > Many encryption tools such as ripem, pgp, and dolphin can recognize their own > output...which indicates that there is a footprint to that particular > implimentation. Intentionally. They INTENTIONALLY put magic numbers at the head of the file. If you remove that, the file is random. You can hack PGP not to use headers if you really want to. Proposing some useless cryptosystem just to hide the headers is completely unneeded. Perry From exabyte!smtplink!mikej at uunet.UU.NET Thu Jul 15 09:12:43 1993 From: exabyte!smtplink!mikej at uunet.UU.NET (Mike Johnson) Date: Thu, 15 Jul 93 09:12:43 PDT Subject: Information theory and cryptography Message-ID: <9307150941.A01243@smtplink.exabyte.com> Robert W. Clark asks: > I asked this one a while back and got no response. sci.crypt > was equally unresponsive. It concerns the possibly obscure > relation between cryptography, number theory and information > theory. > > Is there considered to be a one-to-one isomorphism between > the units in a plaintext-cyphertext pair? By this, I mean, > are they considered to contain the same information? > > Is this affected by whether or not the key is known? If the > key has been irretrievably lost, does this lessen the amount > of information, or does the 'potential' informational content > remain the same? If you have the proper algorithm and key, then the same information can be derived from both. There may be additional information added to the cipher text that is not relevant to the plain text if _noise addition_ is used in the encryption. The noise is stripped out on decryption. Likewise, data compression may be involved, so the cipher text may be smaller or larger in physical size, but will contain the same information. Note that strictly speaking, the information in the plain text is conveyed by the combination of the ciphertext, the key, and the algorithm used. Take any of these away, and you lose information. In most cases, loss of the algorithm is not an issue, but if you forget, lose, or damage either the key or the ciphertext, you have reduced the useful information content, possibly to zero. > Is cryptography considered to be as simple as, say, Huffman > coding, for purposes of informational content? That is, is > the relationship between the units of a plaintext-cyphertext > pair considered to be more or less 'transparent,' or entirely > isomorphic? Sort of. If I encrypt my communications with Alice, and you don't have the key, then the information content of the message for Alice (who has the key) is the same as the plain text, but for you the information content is zero unless you crack the encryption scheme. > Does the Second Law of Thermodynamics enter into this? Is there > a minimum amount of energy required to extract information from > cyphertext, or a minimum amount of waste of energy? Decryption _always_ consumes energy (electrical, mechanical, biological or whatever). Do you have a computer that uses no electricity, heat, light, or sound, does not eat, and involves no mechanical work? If so, patent it quick and sell it! Don't confuse thermodynamic and information theory entropy, though. They are mathmatically similar, but measure different things. ----------------------------------------------------------------------------- Mike Johnson | Opinions expressed herein are mine, and come with no mikej at exabyte.com | warranty, expressed or implied. PGP key on request. ----------------------------------------------------------------------------- From poc at im.lcs.mit.edu Thu Jul 15 07:40:36 1993 From: poc at im.lcs.mit.edu (Physics of Computation Seminar) Date: Thu, 15 Jul 93 10:40:36 EDT Subject: Physics of Computation Seminar, Monday July 19 Message-ID: <2fe020320280403b997bad55d2966fce@NO-ID-FOUND.mhonarc.org> MIT PHYSICS OF COMPUTATION SEMINAR Date: Monday, July 19 Time: 11AM Room: 4-270 Quantum versus Classical Information: a Fruitful Dichotomy Charles H. Bennett IBM Research, Yorktown Heights Abstract: Classical information (the kind in newspapers) and quantum information (carried by certain states of elementary particles such as photons) are very different. Classical information can be read, copied, and transcribed into any medium, but it cannot be sent faster than the speed of light. Quantum information cannot be read or copied without disturbing it, but in some instances can propagate instantaneously or even backward in time. Together the two kinds of information can perform several feats that neither could do alone. These include quantum cryptographic systems, some of which have already been built, in which privacy of communications is guaranteed by the uncertainty principle; and a new technique, "quantum teleportation", by which an unknown quantum state (eg a photon of unknown polarization), can be dismembered into purely classical and purely nonclassical parts, transmitted through separate channels to a new location, and recombined there to produce a perfect reincarnation of the original state. Host: Norm Margolus, MIT Lab for Computer Science This talk is part of a new seminar series on adapting computers and computations to the constraints of, and opportunities afforded by, microphysics; and on the development and application of the physical theory of computation and information. Please forward this notice to anyone who you think might be interested. Anyone who wishes to be added to the distribution list for these seminar announcements should send email to "poc at im.lcs.mit.edu". This series is being sponsored by the MIT Information Mechanics Group (Lab for Computer Science), in conjunction with the MIT Physics and Media Group (Media Lab), the MIT Porous Flow Project (Earth, Atmospheric and Planetary Sciences), and the Mathematical Sciences Research Group at Thinking Machines Corporation. From mbriceno at aol.com Thu Jul 15 11:17:37 1993 From: mbriceno at aol.com (mbriceno at aol.com) Date: Thu, 15 Jul 93 11:17:37 PDT Subject: Who has Cypherpunks in SF? Message-ID: <9307151404.tn00223@aol.com> Is there a BBS in San Francisco that carries this list? Thanks in advance, --Marc (Yes, I know that I can get it by mail) From crunch at netcom.com Thu Jul 15 11:24:20 1993 From: crunch at netcom.com (John Draper) Date: Thu, 15 Jul 93 11:24:20 PDT Subject: Need info ASAP Message-ID: <9307151824.AA16233@netcom4.netcom.com> I am putting final touches on the Cypherpunks flyer, and need the following information. The address, phone number, and Email adddess of: a) CPSR b) EFF c) Cypherpunks Naturally I have the Email address of the Cypherpunks, but I also need a non-computer address, or phone number where non-computer folks can contact on how they can: a) Support the cypherpunks cause b) Obtain copies of PGP c) Or help out in other ways. I need this info ASAP, as I only have access to Lazerwriter today only. I would appreciate a phone call if possible as well as Email. Time is of the essence... Crunch From peb at PROCASE.COM Thu Jul 15 11:29:13 1993 From: peb at PROCASE.COM (Paul Baclace) Date: Thu, 15 Jul 93 11:29:13 PDT Subject: The right to be secure (fwd Computerworld article) Message-ID: <9307151828.AA08970@banff.procase.com> >> typically a court order, to both key escrow authorities. >"Typically", of course, means "not always", and it's coupled with the phrase I think they must be implicitly refering to the anti terrorist act which allows surveillence without a court order if national security is involved or if foreign nationals are involved, etc. From peb at PROCASE.COM Thu Jul 15 11:41:06 1993 From: peb at PROCASE.COM (Paul Baclace) Date: Thu, 15 Jul 93 11:41:06 PDT Subject: Relation between number theory and cryptography Message-ID: <9307151840.AA08973@banff.procase.com> >Maxwell's Daemon and Data Compression. I'm still looking...sorry, my WAIS index to postscript files isn't working yet...too bad most tech reports have names like tr93.21.ps and are not grep-able due to kerning, and I always compress them with gzip -9. For all the theoretical types out there, see quantum crypto abstract below. Paul E. Baclace peb at procase.com ----- Begin Included Message ----- From dmandl at lehman.com Thu Jul 15 11:58:19 1993 From: dmandl at lehman.com (David Mandl) Date: Thu, 15 Jul 93 11:58:19 PDT Subject: Need info ASAP Message-ID: <9307151857.AA12289@disvnm2.shearson.com> > From: crunch at netcom.com (John Draper) > > I am putting final touches on the Cypherpunks flyer, and need the > following information. > > The address, phone number, and Email adddess of: > > a) CPSR > b) EFF > c) Cypherpunks [...] Don't forget to make it clear that people should email to cypherpunks-request at toad.com for administrative business (like joining the list). Lots of people give the address sans "-request," and then everyone's got to see dozens of "Subscribe me" messages posted to the list itself. Good luck. --Dave. From wet!naga Thu Jul 15 12:06:56 1993 From: wet!naga (Peter Davidson) Date: Thu, 15 Jul 93 12:06:56 PDT Subject: Reply to Perry Message-ID: In reply to: > >Date: 14 Jul 93 19:50:26 EDT > >From: Michael Glazer <72440.2236 at CompuServe.COM> > >Subject: PGP > > > >Folks, > > > > I'm trying to learn more about practical cryptography in general > > and PGP and similar programs in particular. Any advice? > > @article{Nathan92, > author = {Paco Xander Nathan}, > journal = {Fringeware Review}, > month = {July}, > number = {1}, > pages = {17--18}, > title = {Tutorial: PGP}, > volume = {1}, > year = {1992} BTW the year should be 1993. This issue of Fringeware Review has just been released. > > Fringeware Review is available for $3.50 from > Fringeware Inc., P. O. Box 49921, Austin, TX 78765 > (512-477-1366, fringeware at wixer.bga.com) > > This issue also has articles on inter-experiential snorkeling, > cruzin' the internet, email lists, tom jennings, the abolition > of work, mind control, cyborganics, melt-o-media and even cypherpunx. Perry Metzger writes: >Rather than pointing people to strange publications we've never heard >of written by authors without credentials, might I suggest... > >1) The PGP docs themselves are very good and far better as a tutorial > on cryptography than any of the "PGP tutorials" that have appeared > in the fringe literature. They are also free. > >2) Read a real text on cryptography. It isn't a childrens game. Its a > real branch of math and computer science, and really bright people > devote their lives to it. If you wanted to learn about medicine, > would you pick up a professional medical text, or something written > in a 'zine by people you hadn't heard of? Over the last few months I have noticed that Perry loses no opportunity to say something negative. It looks like you have a personality problem, Perry. Have you talked with your therapist lately? Since you saw fit to post this criticism in public, I'll reply here. 1. Many cypherpunks, being cypherpunks, are interested in "strange publications" - especially those containing reports on the emerging alternative culture - which you are apparently contemptuous of (as of much else). 2. If you've never heard of Fringeware then why display your ignorance? 3. If you've never seen the article mentioned, and know nothing of the author, on what basis do you claim that the author is without credentials? Because he publishes in a magazine with "Fringe" in the title? You're obviously prejudiced, Perry. 4. Does it require an advanced degree in mathematics to write a clear and lucid tutorial for those interested in using PGP? 5. Is reading "a real text on cryptography" necessary in order to learn to use PGP? Your remark suggests it is, which is likely to discourage people from using PGP rather than encourage them. 6. Is the exchange of encrypted messages a branch of computer science? Why suggest that one has to study math to use PGP? 7. Why don't you try to make a positive contribution to cypherpunks instead of being continuously obnoxious? I'm probably not the only one here who thinks you're an asshole. From wet!naga Thu Jul 15 12:14:42 1993 From: wet!naga (Peter Davidson) Date: Thu, 15 Jul 93 12:14:42 PDT Subject: Information-content of ciphertext Message-ID: >From: Mike Johnson >To: cypherpunks at toad.com >Subject: Information theory and cryptography > >Robert W. Clark asks: >> ... >> Is this affected by whether or not the key is known? If the >> key has been irretrievably lost, does this lessen the amount >> of information, or does the 'potential' informational content >> remain the same? > >If you have the proper algorithm and key, then the same information can be >derived from both. ... >the information in the plain text is conveyed by the combination of >the ciphertext, the key, and the algorithm used. Take any of these away, and >you lose information. In most cases, loss of the algorithm is not an issue, >but if you forget, lose, or damage either the key or the ciphertext, you have >reduced the useful information content, possibly to zero. Yes. Remember what information is (in the real world): it is what reduces our uncertainty about things, it is what allows us to exclude some things from the realm of what we take to be the case. An object contains information only in the context of some method to use that object to reduce uncertainty. Thus a piece of ciphertext may contain information for Joe if he knows how to convert it to plaintext. If Fred does not know this then for Fred the ciphertext contains no information, since he is just as uncertain about the world after receiving the ciphertext as he was before. Information is information only if you can access it. What was not informative may become informative, and vice-versa. It makes no sense to think of information independently of a representational agent (something which represents a state-of-affairs to itself) who is or can be informed by it. Mathematicians have a mathematical definition of information, but mathematicians live in an ideal world, so their definition of information is different from that of the rest of us. From crunch at netcom.com Thu Jul 15 12:23:04 1993 From: crunch at netcom.com (John Draper) Date: Thu, 15 Jul 93 12:23:04 PDT Subject: Final flyer Message-ID: <9307151923.AA24672@netcom4.netcom.com> Thanx to the wonderful fast action on the part of the Cypherpunks and SFRavers I now have the final copy and flyer printed up to hand out at raves, and other social events. The flyer has following information... Keep "Big Brother" out of your face If you have a computer and modem, use Electronic mail, or keep personal data on your computer, it may soon be illegal for you to protect it by using personal encryption programs, if our snoopy government has their way. Last April, the Clinton Administration proposed a new Encryption chip called the "Clipper chip" which permits authorities with a "Master key" which unlocks encrypted data. Would you trust your authorities with a key to your house? Of course not!! Ravers should take note that our group of "Freedom fighters" called "Cypherpunks" are making important tools available you can use now to protect your sensitive mail and data that cannot be unlocked using this so called "Master key" scheme. The Electronic Frontier Foundation (EFF), and Computer Professionals for Social Responsibility (CPSR), are important lobby organizations dedicated to keeping our government in check and preserving our privacy. They need your support. Please contact them at address below. Our goals are to get the word out, and get as many people as possible to use simple encryption tools like PGP (Pretty Good Privacy) so our government cannot make their use illegal. This program PGP, is available on PC-DOS, Macintosh, and UNIX computer systems free of charge. Look for PGP distribution booths at future raves, and spread the word. For more information, contact: CPSR PO Box 717 Palo Alto, Ca. 94301 (415) 322-3778 cpsr at cpsr.org EFF 1001 G. Street NW suite 950 E. Washington DC, 20001 (202) 347-5400 eff at eff.org Cypherpunks cypherpunks-request at toad.com --- end --- From Francis.Toy at f28.n125.z1.FIDONET.ORG Thu Jul 15 12:59:15 1993 From: Francis.Toy at f28.n125.z1.FIDONET.ORG (Francis Toy) Date: Thu, 15 Jul 93 12:59:15 PDT Subject: Sci-fi needs your help! Message-ID: <1124.2C45B2F0@shelter.FIDONET.ORG> I know that this is probably not the appropriate time or place to post, however, if you are a true lover of Science Fiction literature, please access the FIDONET SCI-FI LIT conference on your local BBS(if available). Things are more or less dead over there, and stand a chance of disappearing altogether without your support(posting messages)! F. --- * SLMR 2.1a * Press any key to continue or any other key to quit -- Francis Toy - via FidoNet node 1:125/1 UUCP: ...!uunet!kumr!shelter!28!Francis.Toy INTERNET: Francis.Toy at f28.n125.z1.FIDONET.ORG From cdodhner at indirect.com Thu Jul 15 13:11:16 1993 From: cdodhner at indirect.com (Christian D. Odhner) Date: Thu, 15 Jul 93 13:11:16 PDT Subject: The right to be secure (fwd Computerworld article) In-Reply-To: <9307151828.AA08970@banff.procase.com> Message-ID: <9307152009.AA15744@indirect.com> > I think they must be implicitly refering to the anti terrorist act > which allows surveillence without a court order if national security > is involved or if foreign nationals are involved, etc. Of course, anything, such as a certain DEC machine, could be construed as a threat to national security... Wouldn't want any 'foreign nationals' getting their hands on a computer, would we... From pmetzger at lehman.com Thu Jul 15 13:13:41 1993 From: pmetzger at lehman.com (Perry E. Metzger) Date: Thu, 15 Jul 93 13:13:41 PDT Subject: query Message-ID: <9307152013.AA05768@snark.shearson.com> This is slightly off topic: I know that several cypherpunks are using automated tools to download their mail from Unix hosts to their PCs at home. Could anyone doing this please send me some mail on what package you are using? Perry From shipley at tfs.COM Thu Jul 15 14:07:46 1993 From: shipley at tfs.COM (Peter Shipley) Date: Thu, 15 Jul 93 14:07:46 PDT Subject: Sci-fi needs your help! In-Reply-To: <1124.2C45B2F0@shelter.FIDONET.ORG> Message-ID: <9307152107.AA00779@edev0.tfs.com.TFS> thank you for you email to the low volume list "Cypherpunks", you text was found to be very imformitive on the Cypherpunks topic list. >I know that this is probably not the appropriate time or place to post, >however, if you are a true lover of Science Fiction literature, please >access the FIDONET SCI-FI LIT conference on your local BBS(if available). >Things are more or less dead over there, and stand a chance of disappearing >altogether without your support(posting messages)! > >F. >--- > * SLMR 2.1a * Press any key to continue or any other key to quit >-- >Francis Toy - via FidoNet node 1:125/1 >UUCP: ...!uunet!kumr!shelter!28!Francis.Toy >INTERNET: Francis.Toy at f28.n125.z1.FIDONET.ORG From ashall at magnus.acs.ohio-state.edu Thu Jul 15 14:51:04 1993 From: ashall at magnus.acs.ohio-state.edu (Andrew S Hall) Date: Thu, 15 Jul 93 14:51:04 PDT Subject: Crypto Credentials Message-ID: <9307152150.AA24691@photon.magnus.acs.ohio-state.edu> A query was made: > > I'm trying to learn more about practical cryptography in general > > and PGP and similar programs in particular. Any advice? A response: > @article{Nathan92, > author = {Paco Xander Nathan}, > journal = {Fringeware Review}, > month = {July}, To which Perry Metzger wrote: >Rather than pointing people to strange publications we've never heard >of written by authors without credentials, might I suggest... > >1) The PGP docs themselves are very good and far better as a tutorial > on cryptography than any of the "PGP tutorials" that have appeared > in the fringe literature. They are also free. > >2) Read a real text on cryptography. It isn't a childrens game. Its a > real branch of math and computer science, and really bright people > devote their lives to it. If you wanted to learn about medicine, > would you pick up a professional medical text, or something written > in a 'zine by people you hadn't heard of? And then Peter Davidson responded: : 1,2 deleted : 3. If you've never seen the article mentioned, and know nothing of : the author, on what basis do you claim that the author is without : credentials? Because he publishes in a magazine with "Fringe" in : the title? You're obviously prejudiced, Perry. : 4. Does it require an advanced degree in mathematics to write a clear : and lucid tutorial for those interested in using PGP? : 5. Is reading "a real text on cryptography" necessary in order to : learn to use PGP? Your remark suggests it is, which is likely to : discourage people from using PGP rather than encourage them. I agree with Perry. The original query was not 'how can I be cool and use PGP to write secret notes?' It was a serious enquiry about PGP and *other* similar systems. Reading a fringe popularization about PGP will not do much. (And I consider Paco to be a competent general writer.) Using PGP is about as easy as using DOS. Understanding PGP, its capablities, its strengths, how it relates to other crypto systems, and evaluating it and other systems is not so easy. It doesn't require 'an advanced degree in mathmetics,' but just high school algebra won't do it either. I have seen FringeWare and, while the treatment is PGP is fine as a tutorial, it is not an introduction to public key cryptography. It wasn't meant to be. There is a big difference between having people just use PGP and having them understand it. I know since I have worked several pieces to explain public key crypto for a general audience. If someone really wants to learn about the subject, the PGP docs are the best place to begin. From there, the sci.crypt FAQ, and then, if you are serious, Denning's _Cryptography and Data Security_. A deep and complex topic like cryptography requires as deep and complex study as the scholar wish to apply. That can mean a lifetime. A fluff, yet hip, article in a cool, yet sophisticated fringe journal is *not* the place to begin. Perry doesn't need my defense, but I will add that this mostly-lurking cypherpunk doesn't think he is an asshole. He is brutally honest and declares his opinion. I respect that. While he is often a bit wired, I have yet to see any hostility to those who didn't deserve it. ( cf recent extropians/pagans love-in or alt.binaries.pictures.erotica.children) I apologize for excessive re-quoting, and hope someone will forward a good crypto reference list to the original inquirer. I would, but I can't find it. A. Techno-Anarchy.Neophilia.Economic Freedom.Cryptography.Anti-Statism.Personal Liberty.Laissez-Faire.Privacy Protection.Libertarianism.No Taxes.No Bullshit. ********** Liberty BBS 1-614-798-9537 ********** ********** Dedicated to Freedom. Yours. ********** From upham at cs.ubc.ca Thu Jul 15 15:13:28 1993 From: upham at cs.ubc.ca (Derek Upham) Date: Thu, 15 Jul 93 15:13:28 PDT Subject: Looking for fastest Legendre/Jacobi algorithm Message-ID: <199307152212.AA14909@grolsch.cs.ubc.ca> In 1991, Tygar and Yee published a paper describing an authentication and security system for Mach. At least two of the techniques described in the paper can be used elsewhere; one is a zero-knowledge proof of identity algorithm, and the other is a public-key algorithm for exchanging arbitrary data (i.e., private encryption keys). The security of the scheme is based on the intractability of determining quadratic residuosity. Variable $a$ is a quadratic residue on $n$---it has the Jacobi value of 1---if and only if there exists some $x$ such that $(x^2\mod n)=a$; otherwise it is not a residue and has Jacobi value -1. (If $n$ is prime, the Jacobi value is also the Legendre value). Rabin(???) has proven that working backwards from $a$ and $n$ to find $x$ is equivalent to factoring $n$, so only the person who generated $n$ will be able to check the residuosity of $a$ (if factoring $n$ is difficult, of course). In the private key exchange algorithm, for example, the Sender generates a series of quadratic residues and non-residues $a$ over $n$ and passes these values on to the Receiver. The Receiver calculates the (non-)residuosity for each and assigns it a bit value, thus building up a string of bits that determine the key. Any Tapper will be unable to calculate the residuosities from the data stream, and so will not intercept the key. I've written a bunch of programs to generate keys and run an encrypted bit exchange, but the performance is lacking. Decoding time seems to grow at $O(\el^2)$ with the length of $p,q$, which makes using any sort of secure public-key $n$ quite infeasible--- especially if people want to use these algorithms on small home boxes for dialup security. On a 386/40, receiving 56 bits encoded with a 512 bit public key takes twenty-two minutes... So: anyone know tricks to bum as much speed as possible out either the Jacobi or Legendre algorithms? For our purposes, they are equivalent. If the Tygar and Yee algorithms ever run efficiently, they could be very nice alternatives to RSA. Derek Derek Lynn Upham University of British Columbia upham at cs.ubc.ca Computer Science Department ============================================================================= "Ha! Your Leaping Tiger Kung Fu is no match for my Frightened Piglet Style!" From evans at ingres.com Thu Jul 15 15:14:45 1993 From: evans at ingres.com (Barry Evans) Date: Thu, 15 Jul 93 15:14:45 PDT Subject: Can *somebody* remove "bobs@ingres.com" from this list? Message-ID: <9307152214.AA03134@piglet.ingres.com> I've been trying all week to get someone to remove "bobs at ingres.com" from this list. Really, we are tired of seeing all the bounced emails that this mailing list is trying to send here. Who's *responsible* for this mailing list? Any why haven't they responded to my requests? ------- Forwarded Message >From Mailer-Daemon at ingres.com Thu Jul 15 13:57:02 1993 Date: Thu, 15 Jul 93 13:56:33 PDT From: Mailer-Daemon at ingres.com (Mail Delivery Subsystem) Subject: Returned mail: User unknown To: Postmaster at pony Content-Length: 891 X-Lines: 22 ----- Transcript of session follows ----- Connected to pony: >>> RCPT To: <<< 550 ... User unknown 550 ... User unknown ----- Message header follows ----- Received: from relay2.UU.NET by ingres.com (4.1/SMI-4.1/INGRES/zool/06.06.93) id AA00149; Thu, 15 Jul 93 13:56:33 PDT Received: from toad.com by relay2.UU.NET with SMTP (5.61/UUNET-internet-primary) id AA10455; Thu, 15 Jul 93 16:47:29 -0400 Received: by toad.com id AA24885; Thu, 15 Jul 93 12:06:56 PDT Return-Path: Received: from wet.UUCP by toad.com id AA24881; Thu, 15 Jul 93 12:06:54 PDT Received: by wet.uucp (/\=-/\ Smail3.1.18.1 #18.2) id ; Thu, 15 Jul 93 12:00 PDT Message-Id: Date: Thu, 15 Jul 93 12:00 PDT From: wet!naga at uunet.UU.NET (Peter Davidson) To: cypherpunks at toad.com Subject: Reply to Perry ------- End of Forwarded Message From dante at microsoft.com Thu Jul 15 15:52:10 1993 From: dante at microsoft.com (dante at microsoft.com) Date: Thu, 15 Jul 93 15:52:10 PDT Subject: unsub (request-cypherpunks not working) Message-ID: <9307152250.AA20178@netmail.microsoft.com> Please unsubscribe me too. I mailed cypherpunks-request twice to no avail. dante at microsoft.com From mdiehl at triton.unm.edu Thu Jul 15 16:45:39 1993 From: mdiehl at triton.unm.edu (J. Michael Diehl) Date: Thu, 15 Jul 93 16:45:39 PDT Subject: The right to be secure (fwd Computerworld article) In-Reply-To: <9307151828.AA08970@banff.procase.com> Message-ID: <9307152345.AA12039@triton.unm.edu> According to Paul Baclace: > >> typically a court order, to both key escrow authorities. > >"Typically", of course, means "not always", and it's coupled with the phrase > I think they must be implicitly refering to the anti terrorist act > which allows surveillence without a court order if national security > is involved or if foreign nationals are involved, etc. Now this is news to me. You mean that they can listen to me if they can rationalize that there is a threat to national security? Here's a scenerio. John Q. Public HAS a copy of pgp and some LEA knows it. It must be that he's some kind of subversive. Therefore, he is a threat to national security. It is therefore legal to infringe on his rights? Maybe this is a bit of exageration...maybe it's not.... +-----------------------+-----------------------------+---------+ | J. Michael Diehl ;-) | I thought I was wrong once. | PGP KEY | | mdiehl at triton.unm.edu | But, I was mistaken. |available| | mike.diehl at fido.org | | Ask Me! | | (505) 299-2282 +-----------------------------+---------+ | | +------"I'm just looking for the opportunity to be -------------+ | Politically Incorrect!" | +-----If codes are outlawed, only criminals wil have codes.-----+ +----Is Big Brother in your phone? If you don't know, ask me---+ From smb at research.att.com Thu Jul 15 17:30:10 1993 From: smb at research.att.com (smb at research.att.com) Date: Thu, 15 Jul 93 17:30:10 PDT Subject: The right to be secure (fwd Computerworld article) Message-ID: <9307160030.AA03190@toad.com> Now this is news to me. You mean that they can listen to me if they can rationalize that there is a threat to national security? Here's a scenerio. John Q. Public HAS a copy of pgp and some LEA knows it. It must be that he's some kind of subversive. Therefore, he is a threat to national security. It is therefore legal to infringe on his rights? Maybe this is a bit of exageration...maybe it's not.... There are safeguards in the law; whether they're adequate or not is open to discussion. But it's not nearly as easy as you portray. Warrantless wiretaps are governed by the provisions of 50 USC 1801, the Foreign Intelligence Surveillance Act. Under that act, the Feds can engage in electronic surveillance without a warrant if and only if all parties are non-Americans. If an American is picked up, they have to destroy the tape. Furthermore, under many circumstances (and I don't remember the details, and I don't seem to have a copy of that law in my folder for such things), the consent of a special court is needed. As I said -- they (or should that be ``They'') *can* do anything. But that doesn't make it legal, which was your question, and if they do it and are caught, the case will undoubtedly be thrown out of court. Furthermore, if the tap didn't fall under the exceptions of the FISA, it's barred by the ECPA, so you could sue for damages. From zane at genesis.mcs.com Thu Jul 15 18:39:29 1993 From: zane at genesis.mcs.com (Sameer) Date: Thu, 15 Jul 93 18:39:29 PDT Subject: PGP tutorial In-Reply-To: <9307151349.AA05001@snark.shearson.com> Message-ID: In message <9307151349.AA05001 at snark.shearson.com>, "Perry E. Metzger" writes: > > > Rather than pointing people to strange publications we've never heard > of written by authors without credentials, might I suggest... > Excellent comments, Perry, yes, but *I* have heard of Fringeware, so maybe I'll throw some of my comments about Paco, as an "author without credentials." (Not that I'm a cypherpunk with credentials or anything. =) (I agree that reading the PGP-docs is probably the best way to learn to use PGP, yet some people prefer simple tutorials-- when advocating encryption-for-the-masses I don't expect everyone to understand how RSA works, etc.) Fringeware is a 'zine which Paco Xander Nathan publishes, and while he's no cypherpunk, he's an intelligent guy, so I'm pretty sure his article would be a good one. -- | Sameer Parekh-zane at genesis.MCS.COM-PFA related mail to pfa at genesis.MCS.COM | | Apprentice Philosopher, Writer, Physicist, Healer, Programmer, Lover, more | | "Symbiosis is Good" - Me_"Specialization is for Insects" - R. A. Heinlein_/ \_______________________/ \______________________________________________/ From tcmay at netcom.com Thu Jul 15 19:26:04 1993 From: tcmay at netcom.com (Timothy C. May) Date: Thu, 15 Jul 93 19:26:04 PDT Subject: Crypto Credentials In-Reply-To: <9307152150.AA24691@photon.magnus.acs.ohio-state.edu> Message-ID: <9307160226.AA14540@netcom3.netcom.com> Cypherzens, Andrew Hall writes: > Perry doesn't need my defense, but I will add that this mostly-lurking > cypherpunk doesn't think he is an asshole. He is brutally honest and > declares his opinion. I respect that. While he is often a bit wired, > I have yet to see any hostility to those who didn't deserve it. ( > cf recent extropians/pagans love-in or alt.binaries.pictures.erotica.children) Well, Perry didn't give the same response *I* would have given, but then I didn't give a response at all, so I can hardly complain. (Reading lists have been sent out before, and some basic materials are contained in the pub/cypherpunks archives at soda.berkeley.edu, including a glossary of terms, the various PGP files (including the nice docs that Perry mentioned), and various "rants" by several of us. This is a good place for newcomers to browse to get a feel for what Cypherpunks is all about.) It turns out that I was smack in the middle of both events Andrew just referred to, and I can tell you first-hand that folks on the Net are getting too freaked out over the views of others. I posted the fake PGP-GIF in a.b.p.e.c., which provoked huge outcries of "Thoughtcrime!!" And on the "Extropians" mailing list I was challenged by Eric Raymond, the fellow who volunteered to write the Cypherpunks FAQ on his first day on this list, to study various writings on Paganism, Druidism, Shamanism, and Witchcraft and then judge it "rational" or not (I won't bore you with the details). When I judged it "not rational" and "inconsistent" with the technophilic emphasis of the Extropians list, all hell broke loose (figuratively, and perhaps literally if Eric's witchly connections are as he advertises!). In fact, that List (Extropians) is so contentious and polarized that I have temporarily unsubscribed for the rest of the summer (and perhaps longer, depending on how I feel in the fall). The advantage of smaller groups like Cypherpunks and Extropians, as mailing lists, is that people can come to know each other and thus better avoid flaming. Even better are in-person meetings, even if this contradicts the "jacked-in," "wired" image of cyberpunks and console cowboys! The Cypherpunks physical meetings in Mountain View are friendly, helpful, and not at all rancorous. Likewise, the Extropians events I've attended in the Bay Area (Thursday lunches, a couple of lectures, and some parties) have been friendly and free of divisiveness and flaming. This aspect of the in-person contacts has not been adequately duplicated on the Net. But small groups like ours, where reputations matter and where flamers can and should be simply expelled, are one major hope. I, for one, don't want David Sternlight on our List. (However, this could happen, as we have no membership screening process. Still, we can hope that the flame wars that rage unchecked on the Net as a whole can be limited to just small brush fires on our List.) I'd hate to see our List degenerate into the kind of flaming so common throughout the Net world. We've had a few minor flame wars, but have pulled back from the abyss each time. We ought to try to keep it that way. Cheers! -Tim -- .......................................................................... Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at netcom.com | anonymous networks, digital pseudonyms, zero 408-688-5409 | knowledge, reputations, information markets, W.A.S.T.E.: Aptos, CA | black markets, collapse of governments. Higher Power: 2^756839 | Public Key: PGP and MailSafe available. Note: I put time and money into writing this posting. I hope you enjoy it. From uri at watson.ibm.com Thu Jul 15 19:26:23 1993 From: uri at watson.ibm.com (uri at watson.ibm.com) Date: Thu, 15 Jul 93 19:26:23 PDT Subject: Crypto Credentials In-Reply-To: <9307152150.AA24691@photon.magnus.acs.ohio-state.edu> Message-ID: <9307160226.AA18903@buoy.watson.ibm.com> Andrew S Hall says: > .................From > there, the sci.crypt FAQ, and then, if you are serious, Denning's > _Cryptography and Data Security_. Oh, come on. With all due respect (:-) I have to disagree. Why on Earth have you to select this book?! Maybe you don't like A. Konheim "Cryptography: A Primer" Or maybe you don't feel, that Meyer & Matyas "Cryptography. A New Dimension in Data Security" covers enough of the field, at least for a beginner? Or maybe there are no new goodies like G. Simmons "Contemporary Cryptology" with lots and lots of annotated bibliography? > A deep and complex topic like cryptography > requires as deep and complex study as the scholar wish to apply. That can > mean a lifetime. Indeed. One more reason to start with a real stuff (:-). [Oh, of course, all the proper apologies for exhaling the smoke and fire, and for misquoting (slightly, I hope) the exact names of the books. :-] -- Regards, Uri uri at watson.ibm.com scifi!angmar!uri N2RIU ----------- >From cypherpunks-request Thu Jul 15 23:20:05 1993 From ashall at magnus.acs.ohio-state.edu Thu Jul 15 20:05:07 1993 From: ashall at magnus.acs.ohio-state.edu (Andrew S Hall) Date: Thu, 15 Jul 93 20:05:07 PDT Subject: Crypto Credentials Message-ID: <9307160305.AA27249@photon.magnus.acs.ohio-state.edu> Tim May writes: >It turns out that I was smack in the middle of both events Andrew just >referred to, and I can tell you first-hand that folks on the Net are >getting too freaked out over the views of others. Maybe it's just you, Tim... >Even better are in-person meetings, even if this contradicts the >"jacked-in," "wired" image of cyberpunks and console cowboys! The >Cypherpunks physical meetings in Mountain View are friendly, helpful, >and not at all rancorous. Likewise, the Extropians events I've >attended in the Bay Area (Thursday lunches, a couple of lectures, and >some parties) have been friendly and free of divisiveness and flaming. >This aspect of the in-person contacts has not been adequately >duplicated on the Net. This touches on what bugs me the most about the Net and why I post very little. People are too goddamn sensitive. Too many people sit around with a massive chip on their shoulder. I really have no idea why. I can't imagine that *all* of these people have never really experienced the hothouse atmosphere of hard-core problem-solving or brain-storming where one is often curt, harsh, hostile, obscene, etc during the exchange of ideas with no ill-effects later. Maybe people need to play rugby or soccer more. You know, kill one another for an hour and have a beer to laugh about it after. Maybe that brewski after is what is missing on the Net. The reason I am rambling on this here is that I also see a relation to cypherpunk technology. Is the relatively anonymous technology of the Net (faceless at least) causing people to forget the "polite society" which greases the skids of human contact? Will it be worse with even more anonymity? (To be fair to the anonymous posters here, I have seen no decrease of politeness from their quarter. When I have posted under my pseud, I have not been impolite either.) It would seem that we are still ape-like enough to need to see real teeth in that smile and not ASCII ones. I know we mostly like to talk tech on this list, but most of us see cypher-tech as a road to specific social goals. (see Tim's .sig) This tech does and will have social impact even if we are not sucessful in this agenda Part of the cypherpunks "job" needs to be to anticipate and help guide the social changes. Step one needs to be adapting homo sapiens to this new means of communication. A. BTW- I will stand by D. Denning's book as a crypto primer. It is a little outdated but, IMHO, is still the best starting point. Techno-Anarchy.Neophilia.Economic Freedom.Cryptography.Anti-Statism.Personal Liberty.Laissez-Faire.Privacy Protection.Libertarianism.No Taxes.No Bullshit. ********** Liberty BBS 1-614-798-9537 ********** ********** Dedicated to Freedom. Yours. ********** From ashall at magnus.acs.ohio-state.edu Thu Jul 15 20:43:18 1993 From: ashall at magnus.acs.ohio-state.edu (Andrew S Hall) Date: Thu, 15 Jul 93 20:43:18 PDT Subject: PGP and Offline Mail/News Message-ID: <9307160343.AA27507@photon.magnus.acs.ohio-state.edu> A while ago some one here (from England) mentioned a program he was involved with that was an offline mail reader that allowed one to add external protocols like PGP. He gave an FTP site (also in England). The program was called something like APPNEWS. I downloaded it, looked at it, and archived it until I could put time into installing it with my connection and work out the bugs of dynamic addressing. Now was the time, but I have lost the program. Please help me. Perry queried earlier about what off-line readers people use. I use Pop-mail and Eudora, but neither are really friendly with adding externals. The problem I want to overcome is providing multiple users on a single machine with security. Pop-mail and Eudora are designed to be used by a single user and a personal (hopefully secure) machine. The solution currently implemented is to have users save mail only to floppy. Both mailers will create personal directories, but these can be accessed both within and from outside the program. I would like to add PGP (or another scheme) so that *all* saved messages (or ones so desired) are encrypted. This would use the user's password and would be automatic. A. Techno-Anarchy.Neophilia.Economic Freedom.Cryptography.Anti-Statism.Personal Liberty.Laissez-Faire.Privacy Protection.Libertarianism.No Taxes.No Bullshit. ********** Liberty BBS 1-614-798-9537 ********** ********** Dedicated to Freedom. Yours. ********** From hfinney at shell.portal.com Thu Jul 15 23:17:18 1993 From: hfinney at shell.portal.com (hfinney at shell.portal.com) Date: Thu, 15 Jul 93 23:17:18 PDT Subject: Cypherpunks&Clipper in Scientific American Message-ID: <9307160542.AA06438@jobe.shell.portal.com> In the Science and Business section, the August 1993 Scientific American has a short, negative article on Clipper, which mentions cypherpunks: Clipper Runs Aground Everyone seems to be listening in these days: tabloids regale readers with the cellular telephone intimacies of the British royal family, and more sober articles on the business pages tell how companies - or governments - devote resources to "signals intelligence" for commercial gain. So the Clinton Administration might have thought it was doing everyone a favor in April when it proposed a new standard for encryption chips, developed with the aid of none other than the National Security Agency (NSA). Instead the administration met with outrage. Along with the message, Clipper, as the chip is named, sends out a string of bits called a law enforcement field. Its purpose is to enable the police and the Federal Bureau of Investigation to decode conversations that they wiretap pursuant to court order. In addition, the chip's encryption algorithm, known as Skipjack, is classified. Thus, only a small cadre of cryptographic experts would be able to study it to determine whether or not it was indeed secure. Early in June the administration abandoned its plan to rush Clipper into the marketplace and extended its internal review of the policy issues raised by the chip until the end of the summer. This decision presumably also delays consideration of outlawing other encoding methods. A peculiar coalition of civil libertarians and large software companies has formed to plead the cause of unregulated cryptography. Self-styled "cypherpunks" argue that the government has no more right to insist on a back door in secure telephones than it does to restrict the language or vocabulary used in telephone conversations on the grounds that dialect might hinder interpretation of wiretaps. Companies such as Microsoft, Lotus Development Corporation, Banker's Trust and Digital Equipment Corporation are worried about the administration's proposal because they believe it will hurt the U.S. in international competition. Ilene Rosenthal, general counsel at the Software Publishers Association, which numbers 1,000 companies among its members, points out that telephones containing the NSA chip would be subject to export controls because cryptographic equipment is considered "munitions" under U.S. law. This bureaucratic restraint could force U.S. manufacturers of secure telephones to develop entirely different product lines for the domestic and international markets. Indeed, she says, even if the State Department did license Clipper for widespread export, it is doubtful whether any foreign government or company would buy a system to which the U.S. literally had the keys. Rosenthal contends that the U.S. has lost control of cryptography, citing more than 100 different brands of strong encoding software sold by non-U.S. companies. Indeed, discussion groups on the Internet computer network have been buzzing with plans for a do-it-yourself secure telephone that requires little more than a personal computer, a $200 modem and a microphone. It is not clear whether the administration will abandon its attempt to stuff the unregulated-cryptography genie back in the bottle. There are already 10,000 Clipper-equipped telephones on order for government use, and Jan Kosko of the National Institute of Science and Technology says the plan for the standard "is being advanced as fast as we can move it." Nine (thus far unidentified) cryptographers have been invited to review the algorithm, and Kosko reports that decoding equipment is in the works for "law enforcement and other government agencies that feel they need it." The Justice Department is busy evaluating proposals for the "key escrow agents" that are supposed to prevent the police and the FBI from listening in on conversations without a warrant. Some companies, however, are less concerned. They hope for enormous sales once privacy issues are resolved. AT&T, for example, announced its intention to sell Clipper-based telephone scramblers the same day that the chip was made public. "What the standard is," says spokesman David Arneke, "is less important than having a standard that all manufacturers can build to." - Paul Wallich From newsham at wiliki.eng.hawaii.edu Fri Jul 16 00:02:01 1993 From: newsham at wiliki.eng.hawaii.edu (Timothy Newsham) Date: Fri, 16 Jul 93 00:02:01 PDT Subject: PGP and Offline Mail/News In-Reply-To: <9307160343.AA27507@photon.magnus.acs.ohio-state.edu> Message-ID: <9307160701.AA14473@toad.com> > > > A while ago some one here (from England) mentioned a program he was > involved with that was an offline mail reader that allowed one to add > external protocols like PGP. He gave an FTP site (also in England). > The program was called something like APPNEWS. I downloaded it, > looked at it, and archived it until I could put time into installing > it with my connection and work out the bugs of dynamic addressing. > Now was the time, but I have lost the program. Please help me. > > Perry queried earlier about what off-line readers people use. I use > Pop-mail and Eudora, but neither are really friendly with adding > externals. The problem I want to overcome is providing multiple users > on a single machine with security. Pop-mail and Eudora are designed to > be used by a single user and a personal (hopefully secure) machine. > The solution currently implemented is to have users save mail only to > floppy. Both mailers will create personal directories, but these can be > accessed both within and from outside the program. I would like to add > PGP (or another scheme) so that *all* saved messages (or ones so desired) > are encrypted. This would use the user's password and would be automatic. check out the newly released PCPINE. It is a pine client for IBMpc's. It will run either stand alone (with packet drivers, using WATTCP), under FTP's PC/TCP package, or under Novell. (There are three different files, one for each configuration). To use it you need to get a mail server running the IMAP protocol daemon 'imapd'. It is like POP but has more advanced features. You can find both at ftp.cac.washington.edu in pine or pub/pine. c-client.tar.Z <- has impad for unix boxes pcpine_p.zip packet driver version pcpine_n.zip novell version pcpine_f.zip ftp pctcp version pcpine has mostly all the PINE features, and is easily configured for external mail processing add ons (like gif viewers and crypto stuff). (note: 'easy' is a relative term :) > Techno-Anarchy.Neophilia.Economic Freedom.Cryptography.Anti-Statism.Personal > Liberty.Laissez-Faire.Privacy Protection.Libertarianism.No Taxes.No Bullshit. > ********** Liberty BBS 1-614-798-9537 ********** > ********** Dedicated to Freedom. Yours. ********** > From banisar at washofc.cpsr.org Fri Jul 16 06:39:10 1993 From: banisar at washofc.cpsr.org (Dave Banisar) Date: Fri, 16 Jul 93 06:39:10 PDT Subject: CPSR Secrecy Statement Message-ID: <00541.2825657567.4296@washofc.cpsr.org> CPSR Secrecy Statement Computer Professionals for Social Responsibility (CPSR) has called for a complete overhaul in the federal government's information classification system, including the removal of cryptography from the categories of information automatically deemed to be secret. In a letter to a special Presidential task force examining the classification system, CPSR said that the current system -- embodied in an Executive Order issued by President Reagan in 1982 -- "has limited informed public debate on technological issues and has restricted scientific innovation and technological development." The CPSR statement, which was submitted in response to a task force request for public comments, strongly criticizes a provision in the Reagan secrecy directive that presumptively classifies any information that "concerns cryptology." CPSR notes that "while cryptography -- the science of making and breaking secret security codes -- was once the sole province of the military and the intelligence agencies, the technology today plays an essential role in assuring the security and privacy of a wide range of communications affecting finance, education, research and personal correspondence." With the end of the Cold War and the growth of widely available computer network services, the outdated view of cryptography reflected in the Reagan order must change, according to the statement. CPSR's call for revision of the classification system is based upon the organization's experience in attempting to obtain government information relating to cryptography and computer security issues. CPSR is currently litigating Freedom of Information Act lawsuits against the National Security Agency (NSA) seeking the disclosure of technical data concerning the digital signature standard (DSS) and the administration's recent "Clipper Chip" proposal. NSA has relied on the Reagan Executive Order as authority for withholding the information from the public. In its submission to the classification task force, CPSR also called for the following changes to the current secrecy directive: * A return to the "balancing test," whereby the public interest in the disclosure of information is weighed against the claimed harm that might result from such disclosure; * A prohibition against the reclassification of information that has been previously released; * The requirement that the economic cost of classifying scientific and technical be considered before such information may be classified; * The automatic declassification of information after 20 years, unless the head of the original classifying agency, in the exercise of his or her non-delegable authority, determines in writing that the material requires continued classification for a specified period of time; and * The establishment of an independent oversight commission to monitor the operation of the security classification system. The task force is scheduled to submit a draft revision of the Executive Order to President Clinton on November 30. The full text of the CPSR statement can be obtained via ftp, wais and gopher from cpsr.org, under the filename cpsr\crypto\secrecy_statement.txt. CPSR is a national organization of professionals in the computing field. Membership is open to the public. For more information on CPSR, contact . July 14, 1993 Information Security Oversight Office 750 17th Street, N.W. Suite 530 Washington, DC 20006 Attention: PRD Task Force Re: Proposed Changes to the Security Classification System This submission is made in response to the Notice published in the Federal Register on May 20, 1993 (58 FR 29480). According to the Notice, the Task Force is soliciting submissions "by interested parties on proposals to change the system under which information is classified, safeguarded, and declassified in the interest of national security." Computer Professionals for Social Responsibility (CPSR), a national organization of professionals in the computing field, has a long-standing interest in the problems surrounding the current information classification system -- a system that has limited informed public debate on technological issues and has restricted scientific innovation and technological development. Based on our experience conducting litigation under the Freedom of Information Act and our efforts to assess certain government policies concerning cryptography and computer security, we have the following recommendations regarding changes to the security classification system. General Recommendations CPSR believes that the current Executive Order 12356 is far too broad in its definition of classifiable information and that post Cold War realities require the substantial revision of this outdated directive. We share the views of many public interest, journalistic, academic, historical, and scientific organizations that have recommended a complete revision of the classification scheme. We believe such a revision is both necessary and appropriate. In particular, we support the following changes to the classification system: * A return to the "balancing test," whereby the public interest in the disclosure of information is weighed against the claimed harm that might result from such disclosure; * A prohibition against the reclassification of information that has been previously released; * The requirement that the economic cost of classifying scientific and technical be completed before such information may be classified; * The automatic declassification of information after 20 years, unless the head of the original classifying agency, in the exercise of his or her non-delegable authority, determines in writing that the material requires continued classification for a specified period of time; and * The establishment of an independent oversight commission to monitor the operation of the security classification system. "Cryptology" as a Classification Category In addition to endorsing these general recommendations, we wish to address in detail one particular provision of the current Executive Order that unnecessarily restricts the dissemination of technical data that should be routinely available to the public and the scientific community. At the time EO 12356 was promulgated in 1982, a new classification category was established, simply defined as "cryptology." EO 12356, Sec. 1.3(a)(8). When the House Government Operations Committee examined the Executive Order shortly after its issuance, the Committee concluded that "[t]he need for this new category is uncertain" and noted that "[t]he word 'cryptology,' as added by the Reagan order, is not qualified or defined." H. Rep. No. 731, 97th Cong., 2d Sess. 16 (1982). This concern carries even more weight today. The designation of a routine privacy-enhancing technology as presumptively a national security matter is inconsistent with the end of the Cold War and the dramatic growth of commercial and civilian telecommunications networks. While cryptography -- the science of making and breaking secret security codes -- was once the sole province of the military and the intelligence agencies, the technology today plays an essential role in assuring the security and privacy of a wide range of communications affecting finance, education, research, and personal correspondence. Electronic communications are now widely used in the civilian sector and have become an integral component of the global economy. Computers store and exchange an ever increasing amount of personal information, including medical and financial data. In this electronic environment, the need for privacy-enhancing technologies is apparent. Communications applications such as electronic mail and electronic funds transfers require secure means of encryption and authentication -- goals that can be achieved only through the development and dissemination of robust cryptographic technology within the civilian sector. The Computer Security Act and Civilian Cryptography In recognition of the emerging significance of civilian cryptography, Congress enacted the Computer Security Act (P.L. 100-235) in 1987. When Congress enacted the legislation, it expressed particular concern that the National Security Agency ("NSA"), a secretive military intelligence agency, would improperly limit public access to information concerning civilian computer security activities. H. Rep. No. 153 (Part 2), 100th Cong., 1st Sess. 21 (1987). The House Report on the Act notes that NSA's natural tendency to restrict and even deny access to information that it deems important would disqualify that agency from being put in charge of the protection of non-national security information in the view of many officials in the civilian agencies and the private sector. Id. To alleviate these concerns, Congress granted sole authority to the National Institute of Standards and Technology ("NIST") -- a civilian agency within the Department of Commerce -- to establish technical cryptography standards for civilian computer security. During Congress' consideration of the legislation, "NSA opposed its passage and asserted that NSA should be in control of this nation's computer standards program." Id. at 7. Congress forthrightly rejected NSA's position, noting that continued military control over all cryptographic development "would jeopardize the entire Federal standards program." Id. at 26. Since the enactment of the Computer Security Act, CPSR has sought to monitor compliance with its provisions. In keeping with those efforts, CPSR requested relevant information from NIST under the Freedom of Information Act ("FOIA") concerning the development of the "digital signature standard" -- the agency's first proposed cryptographic standard since passage of the legislation. It is important to note that the proposed standard itself would be "applicable to all federal departments and agencies for the protection of unclassified information." 56 Fed. Reg. 42981 (August 30, 1991) (emphasis added). After CPSR filed a lawsuit to compel disclosure of the information, NIST acknowledged that the great bulk of responsive material was under the jurisdiction of NSA. NSA, in turn, has sought to withhold a substantial amount of that information on the grounds that it "concerns cryptology" and is therefore classified. CPSR v. National Institute of Standards and Technology, et al., C.A. 92-0972-RCL (D.D.C.). The current Executive Order is thus being used to classify information relating to a civilian agency's development of a security standard intended to protect unclassified information. Such a result contravenes Congress' intent that non-military cryptographic standards would be developed openly and subject to public scrutiny. The Public Interest in Cryptography More recent developments further illustrate how the application of cryptographic technology is moving out of the "national security" realm and is thus an inappropriate subject for presumptive classification. On April 16, 1993, the President announced that "government engineers" had developed a new cryptographic device known as the "Clipper Chip" that is intended for widespread public use. The President noted that "[s]ophisticated encryption technology has been used for years to protect electronic funds transfer ... [and] is now being used to protect electronic mail and computer files." He also recognized that "encryption technology can help Americans protect business secrets and the unauthorized release of personal information." Unfortunately, the administration subsequently acknowledged that the "Clipper" technology was developed by NSA and that the underlying technical data is classified. As in the case of the digital signature standard, a new technology that may have a significant impact on the nation's telecommunications infrastructure was developed in secrecy behind a shield of NSA- imposed classification. There is a great deal of interest in the development of civilian cryptography, but public involvement in the process has been substantially hampered by the improper classification of relevant technical information. See, e.g., Markoff, U.S. as Big Brother of Computer Age, New York Times, May 6, 1993 at D1. In the Cold War atmosphere that prevailed for 45 years, cryptography was often viewed as a national security matter and policy makers were at times willing to permit the National Security Agency and the military establishment to maintain a shroud of secrecy around the technology, even to the detriment of scientific research and public accountability. With the end of the Cold War and the growth of widely available computer network services, this view of cryptography must change. Indeed, Congress recognized the need for reform when it enacted the Computer Security Act in 1987, even before the demise of the Soviet Union. At the same time, cryptographic technology has become an increasingly vital component of the nation's civilian information infrastructure. Under these circumstances, there is no rational basis for continuing the presumption that information that "concerns cryptology" should be classified. The economic and scientific cost to the country of the continuation of this policy will be substantial and cannot be justified. We believe that cryptographic information should only be classified upon a specific showing that such disclosure will result in an identifiable harm to legitimate national security interests. Such a showing could clearly be made, for instance, with respect to the actual "keys" to government cryptographic systems. However, the wholesale classification of all information relating to this increasingly important field of computer science cannot be justified and may even slow the development of more secure systems. We urge the Task Force to recommend to the President that "cryptology" be removed from any listing of classification categories that might be contained in a revised Executive Order on security classification. * "Cryptology" should be removed from the designated "Classification Categories." Limitations on Quasi-Classification Authority In addition to our concern regarding classification for cryptology, we wish to raise several additional points about the operation of the Executive Order. One aspect of the Executive Order concerning classification authority with which we agree has not received proper notice by federal agencies. That is paragraph (b) or Part 1 which states that "Except as otherwise provided by statute, no other terms shall be used to identify classified information." It has been CPSR's experience that agencies continue to use the designation "sensitive but unclassified" to invoke a national security concern when in fact there is no basis for such a claim and when such a "quasi- classification" is disfavored by the Executive Order and contrary to the intent of the Computer Security Act. In one instance, the Federal Bureau of Investigation specifically restricted public access to information regarding the development of certain computer systems because it designated technical documents "sensitive but unclassified." We believe that these activities improperly restrict public access to government information that should otherwise be made available. For this reason, we believe that a revised Executive Order should make very clear that classification authority is narrowly restricted. * Classification authority must be narrowly construed and invoked only pursuant to designated classification levels, recognized by statute or executive order. Limitations on Classification to Conceal Misconduct We are further concerned that Section 1.6(a)-(b) and Section 5.4(b)(2)(c) in the current Executive Order have not received adequate attention by the national security community. Section 1.6(a) states that: In no case shall administrative information be classified in order to conceal violations of law, inefficiencies, or administrative error; to prevent embarrassment to a person, organization, or agency; to restrain competition; or to prevent or delay the release of information that does not require protection in the interest of national security. Section 1.6(b) further states that "[b]asic scientific information not clearly related to the national security may not be classified." Section 5.4 (Sanctions) states, in pertinent part, that: (b) Officers and employees of the United States government and its contractors, licensees, and grantees shall be subject to appropriate sanctions if they: . . . (2) knowingly and willfully classify or continue the classification of information in violation of this Order or any implementing directive; (c) sanctions may include reprimand, suspension without pay, removal, termination of classification authority, loss or denial of access to classified information, or other sanctions in accordance with applicable law and agency regulation. As indicated above, it has been CPSR's experience that the National Security Agency sought to conceal its activities under the Computer Security Act through improper assertion of the (b)(1) exemption to the Freedom of Information Act. It is clearly an improper use of classification authority to conceal agency conduct in this manner. Such activities frustrate public oversight and permit the abuse of powers. Based on this experience, we make the following recommendations: * ISOO should conduct an investigation to determine whether the NSA's classification of documents regarding cryptography was improper and, if so, whether sanctions are appropriate for the agency officials involved. * Any agency or government official exercising classification authority with the intent of concealing misconduct, inefficiencies or improper conduct should be subject to sanctions and the ISOO should make known on an annual basis its efforts to ensure that such activities do not occur. Implementation and Review It is also our belief that it would be appropriate to establish an independent commission on classification authority that would meet periodically to review the activities of the Information Security Oversight Office and to solicit public input on issues regarding information classification and national security. Such a commission could include a representative of the National Security Council and the Director of the ISOO. It would also include distinguished archivists, historians, journalists, librarians, scientists and academics. Such a commission could provide ongoing oversight of the classification program and help ensure that future policies reflect the widespread needs of our country in information policy and the changing nature of our national security interest. We appreciate this opportunity to present our views and would be pleased to provide you with any additional information you might require. Marc Rotenberg David L. Sobel CPSR Washington Director CPSR Legal Counsel From TO1SITTLER at APSICC.APS.EDU Fri Jul 16 08:08:19 1993 From: TO1SITTLER at APSICC.APS.EDU (Kragen Sittler) Date: Fri, 16 Jul 93 08:08:19 PDT Subject: steganography Message-ID: <930716090336.7b8@APSICC.APS.EDU> In a previous message, which my VMS newsreader is too stupid to remember and can just barely quote, an Evil Genius For A Better Tomorrow, mike at egfabt.org, says he thinks that xor'ing 'x' over a message would help to hide the fact that it is cyphertext. Problem: If someone is looking for encrypted information, IDEALLY we would like steganographically for it to be unconditionally impossible to determine that a file is cyphertext w/o the key. (It is of course only computationally infeasible to guess the key, if we pick our cryptosystem right.) The suggestions that the Evil Genius makes could easily be defeated with an hour or two of programming using pieces of PGP's source, or ripem, or a little piece of software designed to tell whether a file is Dolphin Encrypted or Mailsafed. The resulting program could check hundreds of database files easily, probably in almost exactly the time required for an open, a single disk access, and a close on each file. For a steganographically strong code, the cyphertext must not be recognizable to its home program. This means, among other things, no CRC's, no MD5's, etc, intended to assure data integrity. This means no delimiter-structured files. (I think--I'm not absolutely sure on this one.) Every field in the file must be either fixed-length or have a number somewhere in it (in a format indistinguishable from the rest of the cyphertext) which tells its length. And every field, individually, must not be recognizable as something unusual. (For instance, no sending of large prime numbers in the clear, as they are very unlikely to appear in a random file.) The foregoing "field" stuff has to do with things like PGP, which have a message cyphertext, encrypted with a session key, and a session key, encrypted with a PKC, in the same message. (Possible several cyphertexts of the session key.) Oh, and it would be nice, though not essential, if a corruption in the file made it completely, rather than partially, nonsense when decrypted. This way you can't have a file with no use to the recipient used as evidence against them. The important qualifications seem to rule out any crypto package in current widespread use, don't they? Kragen, an ignorant crypto-wannabe From edgar at spectrx.Saigon.COM Fri Jul 16 09:32:42 1993 From: edgar at spectrx.Saigon.COM (Edgar W. Swank) Date: Fri, 16 Jul 93 09:32:42 PDT Subject: OPIN: PGP: When to sign keys Message-ID: -----BEGIN PGP SIGNED MESSAGE----- J. Michael Diehl wrote: I'm having a philosophical problem regarding when to sign someone else's public key. Obviously, if you watch someone generate a key, and they physically hand you a copy of it, you should sign it. Fortunately, life has been this good to me about 5 times. But what if life isn't so good? Lets say someone emails me a key and the return address matches that of the address in the key. Do I assume no one is spoofing me? Bad idea! The danger is not especially that the person you're talking to isn't who he says he is. Chances are you've never met him and never will. The danger is that a third person is intercepting messages and substituting his own keys. This allows him to monitor your encrypted traffic, which is what encryption is supposed to prevent. My own rule for signing keys is that there must be a key verification independent of the net. i.e. nothing received by e-mail can be depended on to verify a key. If you live any distance from the other person, the most economical method is by postal mail. I will sign keys when I receive a mailed photocopy of any "official" picture ID, along with a signed statement containing the key "fingerprint" (-kvc), which matches the fingerprint of a key received via e-mail. You can mail a letter anywhere in the world for less than $1.00. Any "spoofer" short of governments (at either end) or organized crime will have a hard time intercepting much less altering letter mail. Another possibility is a phone verification. The person who will be signing the key should call the owner of the key at a -listed- phone number (use the out-of-town phone books at the library, or check with information at (xxx)555-1212.) Don't rely on a phone number in e-mail; it could be the spoofer's. Once again, though, a government or OC could arrange to intercept/divert incoming phone calls. I also carry business-card-size pieces of paper with my name, net address, and key fingerprint, with me. I give them out at parties, or anytime I physically meet someone who is on the net. Person's receiving the paper can use it to verify that the key I send them via e-mail has the same fingerprint as on the paper. Ideally, anyone giving you such a card should also show you a driver's license or other picture ID, before expecting you to go home and sign his key. Phil Zimmerman has endorsed the idea of mail and phone verification; this is the main reason the key fingerprint feature was added to PGP. Phil signed my key based on a phone call. Based on mail verification I just signed a key from Taiwan! I've also signed two keys from Germany with mail verification. There are those (e.g. Perry Metzker) who think this standard is too loose. Opinions differ. -----BEGIN PGP SIGNATURE----- Version: 2.3.2/EWS iQCVAgUBLEThEt4nNf3ah8DHAQGJfgP/W85P6IEkGYkmKeFe/px0XPfMvDqTMWXA 5kJ2cTIDRdSbLqDh0VdMsUaAtDR2nkWJKCFRnXA+GEttXy31gPGq6bY/Q19U8dAq VzNHY0o2ldzrDmp77BQo2kqTapENvIxKkXFiFAATleoLt6hMAgfejRlci/uTfG7Z NoCwQVeac7c= =wwV4 -----END PGP SIGNATURE----- -- edgar at spectrx.saigon.com (Edgar W. Swank) SPECTROX SYSTEMS +1.408.252.1005 Cupertino, Ca From edgar at spectrx.Saigon.COM Fri Jul 16 09:32:46 1993 From: edgar at spectrx.Saigon.COM (Edgar W. Swank) Date: Fri, 16 Jul 93 09:32:46 PDT Subject: DCASH: Two Digital Cash Reports Available Message-ID: -----BEGIN PGP SIGNED MESSAGE----- I have two reports on new ideas for digital cash which I retrieved from Amsterdam. Both are in PostScript format. I have a hardcopy of the larger one kindly supplied by mail by the author, Stephen Brands. If there is any interest, I will bring both soft and hard-copies to the next Physical Meeting, which I presume will take place on the 2nd Sat of August, 8/8, noon, at Cygnus in Mtn. View. (I didn't see any announcement/agenda for the July meeting, but I understand it occurred anyway). Here are summaries of the reports: [Newsgroup sci.crypt] Post: 1070 of 1149 From: brands at cwi.nl (Stefan Brands) Newsgroups: sci.crypt Subject: * REPORT ON PRIVACY-PROTECTING OFF-LINE CASH AVAILABLE * Date: 19 Apr 93 14:37:17 GMT Organization: CWI, Amsterdam Lines: 60 I recently published a new privacy-protecting off-line electronic cash system as a technical report at CWI. Being a PhD-student at David Chaum's cryptography-group, our group has a long history in research in the field of privacy-protecting cash systems. The report is called CS-R9323.ps.Z, contains 77 pages, and can be retrieved from ftp.cwi.nl (192.16.184.180) from the directory pub/CWIreports/AA. The postscript-file is suitable for 300dpi laserprinters. ==================================================================== ABSTRACT (from coverpage): We present a new off-line electronic cash system based on a problem, called the representation problem, of which little use has been made in literature thus far. Our system is the first to be based entirely on discrete logarithms. Using the representation problem as a basic concept, some techniques are introduced that enable us to construct protocols for withdrawal and payment that do not use the cut and choose methodology of earlier systems. As a consequence, our cash system is much more efficient in both computation and communication complexity than any such system proposed previously. Another important aspect of our system concerns its provability. Contrary to previously proposed systems, its correctness can be mathematically proven to a very great extent. Specifically, if we make one plausible assumption concerning a single hash-function, the ability to break the system seems to imply that one can break the Diffie-Hellman problem. Our system offers a number of extensions that are hard to achieve in previously known systems. In our opinion the most interesting of these is that the entire cash system (including all the extensions) can be incorporated in a setting based on wallets with observers, which has the important advantage that double-spending can be prevented in the first place, rather than detecting the identity of a double-spender after the fact. In particular, it can be incorporated even under the most stringent requirements conceivable about the privacy of the user, which seems to be impossible to do with previously proposed systems. Another benefit of our system is that framing attempts by a bank have negligible probability of success (independent of computing power) by a simple mechanism from within the system, which is something that previous solutions lack entirely. Furthermore, the basic cash system can be extended to checks, multi-show cash and divisibility, while retaining its computational efficiency. ==================================================================== Cryptographers are challenged to try to break this system! I made a particular effort to keep the report as self-contained as possible. Nevertheless, if you have any questions, please e-mail to me and I will try to reply as good as I can. Any comments are also welcome! Stefan Brands, - -------------------------------------------------------- CWI, Kruislaan 413, 1098 SJ Amsterdam, The Netherlands Tel: +31 20 5924103, e-mail: brands at cwi.nl [Newsgroup alt.privacy] Post: 452 of 458 From: Niels Ferguson Newsgroups: alt.privacy,comp.society.privacy,alt.security,comp.security.announce,comp.security.misc,sci.crypt Subject: new Electronic Cash scheme: technical report available Date: 25 Jun 93 13:48:26 GMT Organization: Computer Privacy Digest Lines: 58 Approved: comp-privacy at pica.army.mil X-Submissions-To: comp-privacy at pica.army.mil X-Administrivia-To: comp-privacy-request at pica.army.mil X-Computer-Privacy-Digest: Volume 2, Issue 054, Message 4 of 4 New electronic cash system: report available by FTP. --------------------------------------------------- Electronic cash is the equivalent of paper cash in an electronic form. It has all the same basic properties as ordinary cash: It carries value, can be used to pay other people without contacting any central organization and is completely anonymous. Recent work at the CWI has resulted in significantly improved protocols for electronic cash. The following CWI technical report is now available by FTP: Title: Single Term Off-Line Coins Author: Niels Ferguson Report: CS-R9318 Site: ftp.cwi.nl directory:/pub/CWIreports/AA file: CS-R9318.ps.Z (compressed PostScript file) Abstract -------- We present a new construction for off-line electronic coins that is both far more efficient and much simpler than previous systems. Instead of using many terms, each for a single bit of the challenge, our system uses a single term for a large number of possible challenges. The withdrawal protocol does not use a cut-and-choose methodology as with earlier systems, but uses a direct construction. This report is slightly more extensive than the version that appeared in the pre-proceedings of EuroCrypt '93. If you are interested in this report, you might also be interested in a report by my colleague Stefan Brands entitled "An Efficient Off-line Electronic Cash System based on the Representation Problem". It can be found under the name "CS-R9323.ps.Z" in the same directory. Note: Followup set to sci.crypt Niels -------------------------------------------------#include------ ... of shoes and ships and sealing-wax, of | Niels Ferguson cabbages and kings, and why the sea is boiling | CWI, Amsterdam, Netherlands hot, and whether pigs have wings ... | e-mail: niels at cwi.nl -----BEGIN PGP SIGNATURE----- Version: 2.3.2/EWS iQCVAgUBLEW2Wd4nNf3ah8DHAQFQIAP/eCwkHJzjINs+0GHpW/USH0mI/CZGbtlx wSCPZOHBfgboEOrttam/vz5SApghRHwraVcXYnCR+6cZaCkmdISkcZ8ISj6V/77w L5q992BR5SZ7vVV31lLjEgTTw8Va2n9y2ry6ubZCMF0j5nTZy44OOYIU5gLQDHhR fT0u8iwQY2s= =4CNQ -----END PGP SIGNATURE----- -- edgar at spectrx.saigon.com (Edgar W. Swank) SPECTROX SYSTEMS +1.408.252.1005 Cupertino, Ca From paul at poboy.b17c.ingr.com Fri Jul 16 12:22:01 1993 From: paul at poboy.b17c.ingr.com (Paul Robichaux) Date: Fri, 16 Jul 93 12:22:01 PDT Subject: Crypto Conference from Hell Message-ID: <199307161916.AA14652@poboy.b17c.ingr.com> The attached message was originally posted in comp.dcom.telecom. I haven't contacted these people, but some 'punk in the DC area might be able to weasel in. Consider the list of speakers: - well-known (notorious) - Denning, Bidzos, Clint Brooks from NSA, Kammer from NIST - people we should be talking to - the mgr of AT&T's Secure Comm Systems division, that same division's chief scientist - Big Wheels - Rosenthal (chief counsel for SPA), Willis Ware, Jerry Berman. Fun for the whole family! -Paul Path: infonode!uunet!spool.mu.edu!telecom-request Date: Mon, 12 Jul 1993 16:26:13 -0500 From: Matthew Lucas Newsgroups: comp.dcom.telecom Subject: Conference With Dorothy Denning: Encrypting Voice and Data Message-ID: Organization: TELECOM Digest Sender: telecom at eecs.nwu.edu Approved: telecom at eecs.nwu.edu X-Submissions-To: telecom at eecs.nwu.edu X-Administrivia-To: telecom-request at eecs.nwu.edu X-Telecom-Digest: Volume 13, Issue 468, Message 1 of 9 Lines: 151 Conference Announcement: A TeleStrategies Conference with Dr. Dorothy Denning Encrypting Voice and Data: Strategies for the Future Aug. 3-4, 1993 Washington, DC Tuesday, August 3, 1993 8:30-9:00 Registration 9:00-10:30 CRYPTOGRAPHY OVERVIEW The basic concepts of cryptography and encryption, including single-key and publickey, authentication, digital signatures, key negotiation or distribution, and cryptanalysis (code breaking) will be introduced along with the Data Encryption Standard (DES), the RSA public-key system, and the Digital Signature Standard (DSS). The speaker will also discuss the need for encryption and the role of encryption in telephony and communications networks. Dr. Dorothy E. Denning, Professor and Chair of Computer Science, Georgetown University 10:30-10:45 Coffee Break 10:45-11:45 SURVEY OF ENCRYPTION PRODUCTS The speaker will survey commercial hardware and software products that contain encryption capabilities, including the types of products that are available, their relative strengths and weaknesses, and the major vendors. Jim Bidzos, President, RSA Data Security, Inc. 11:45-12:30 CELLULAR ENCRYPTION Cellular calls are especially vulnerable to eavesdropping. PrivaFone's approach, which is interoperable on cellular and land lines, will be described. Digital cellular standards that provide voice privacy and authentication for TDMA or CDMA technologies also will be discussed. Dr. Ming Lee, President, Synacomm Technology Charles Wistar, President, PrivaFone Corp. 12:30-1:45 Hosted Lunch 1:45-2:30 THE CLIPPER AND CAPSTONE CHIPS The Clipper and Capstone Chips are part of a new U.S. technology initiative to provide secure communications and legitimate law enforcement access through a key escrow system. The speakers will describe the initiative, the security functions provided by the chips, and the use of the Clipper Chip in the AT&T Telephone Security Device. William M. Agee, Manager, Secure Communication Systems - Government, AT&T Raymond G. Kammer, Acting Director, National Institute of Standards and Technology 2:30-3:00 BUSINESS CONCERNS WITH ENCRYPTION The speaker will give a snapshot of one computer security program and discuss business concerns with encryption, including practical needs and requirements, organizational constraints, operational concerns, security of the process, and balancing concerns and practical use. Randolph N. Sanovic, Manager of Computer Security Planning, Mobil Corp. 3:00-3:15 Coffee Break 3:15-4:00 USING CRYPTOGRAPHY TO ARCHITECT DISTRIBUTED OPEN SYSTEMS SECURITY: A CASE STUDY Securing networks and computers in a distributed environment presents several new challenges. The speaker will describe Bell Atlantic's enterprise-wide approach to architecting security in such an environment, showing how encryption fits into the design. Ravi Ganesan, Specialist, Security Research and Planning, Bell Atlantic 4:00-5:00 ENCRYPTION IN ELECTRONIC COMMERCE AND ELECTRONIC MAIL Encryption is becoming an integral tool for building secure applications. The speakers will discuss the use of encryption and digital signatures in Electronic Data Interchange (EDI) and Internet Privacy Enhanced Mail (PEM). Michael S. Baum J.D., Principal, Independent Monitoring Dr. Stephen D. Crocker, Vice President, Trusted Information Systems, Inc. 5:00-6:00 Reception Wednesday, August 4, 1993 8:30-10:30 CRYPTOGRAPHY POLICY IN THE U.S. The speakers will discuss the Clipper and Capstone chips, law enforcement needs and the Digital Telephony proposal, export and import of encryption products, international markets, industry growth and competitiveness, and individual privacy. They will also report on the national policy review in progress. Dr. Willis H. Ware, Chair, Computer Systems Security and Privacy Advisory Board (Moderator) Jerry Berman, Executive Director, Electronic Frontier Foundation Clinton C. Brooks, Special Assistant to Director, National Security Agency Alan R. McDonald, Special Assistant (Legal) to the Assistant Director, Technical Services Division, Federal Bureau of Investigation Ilene Rosenthal, General Counsel, Software Publishers Association 10:30-10:45 Coffee Break 10:45-11:30 CRYPTOGRAPHY IN THE EUROPEAN COMMUNITY In the European Community, government controls on cryptography differ across countries and affect achievement of secure open systems and, consequently, achievement of the Open Market and transborder electronic trading. The speaker will summarize the current situation in Europe, describe some of the initiatives to address the issues, and comment on the recent initiatives in the US. Christopher E. Sundt, Business Strategy Manager, ICL Secure Systems 11:30-12:15 THE FUTURE OF CRYPTOGRAPHY IN TELECOMMUNICATIONS Several fast-moving trends in telecommunications demand cryptographic solutions, including wireless transmission, multi-media conferencing, and electronic commerce. As broadcast and multiple access technologies are used increasingly for information transmission, and everyday business is carried out in "cyberspace," structures that ensure privacy, authenticity, and (often) anonymity must become part of the natural landscape. Dr. David P. Maher, Chief Scientist for AT&T Secure Communications Systems, AT&T For complete information call TeleStrategies Inc. at (703) 734-7050. From anonymous at extropia.wimsey.com Fri Jul 16 12:28:19 1993 From: anonymous at extropia.wimsey.com (anonymous at extropia.wimsey.com) Date: Fri, 16 Jul 93 12:28:19 PDT Subject: WARNING: NON-CYPHERPUNK QUESTION Message-ID: <199307161907.AA19293@xtropia> Clark Reynard asked: Are there any fast, quick, reliable methods of forestalling phone disconnection due to failure to pay the bills, and the ugly reconnection fee which ensues thereupon? I can't offer a method of *eliminating* your phone bill, but I have been practicing a method of drastically *reducing* the charge for local phone service. Simply ask Pac Bell (In California) for "Lifeline" service. The monthly bill is $1.31, after "credits" for "inside wire repair" and "Tel Equip" (for buying your own phone(s)). Clark, do you think you could afford that? This gets you a local (outgoing) call allowance of 60 calls per month (about 2 a day). Unlike regular measured service, which measures (and charges) by call *and length of call*, each of your 60 calls under lifeline can be of unlimited length. Back when I had a 2400 baud modem, I frequently had single calls of 2-4 *hours* while uploading & downloading files from various local BB's. Calls beyond your 60-call allowance are charged at $.08 per call. Of course, there's a catch. Lifeline service is only offered to "poor" people. You have to sign a statement every year certifying that your combined family income doesn't exceed their guidlines. But although they warn you that the Public Utilities Commission "may investigate" your claim; they apparently never do! Unlike the PG&E lifeline program, Pac Bell doesn't ask for *any* documentation of your income like W-2 forms or copies of your tax returns. I've been on lifeline service for *years*, I think almost since they started offering it, back when the Bell system was broken up, and local phone rates were raised sharply. During most of that time, I earned around $50,000/year. Now I'm retired & my pension is about $24,000, still well above the lifeline "guideline". One caveat, I live in an area of San Jose where many of my neighbors are working-class, a few on welfare, etc. This scam might not work from an address in Hillsboro, Los Gatos, or Saratoga; but who knows, the PUC may be so incompetent and/or lazy that it might. Considering the moral factors, if you *don't* claim lifeline eligibility, then you are *charged* a few cents a month to pay for the people who *do*! You are also charged $1.75 for "access to a long distance carrier", even if you don't call long distance. (but lifeline customers get an offsetting credit and still have long distance access). So you have to choose to be a sheep or a wolf, a victim or a victimizer, to either take unfair advantage of the system or have it take unfair advantage of you; there is no middle ground. Consider the pragmatic factors. Based on my experience, the chances of getting "caught" seem remote. If I'm ever investigated, I plan to play dumb and claim I didn't understand the lifeline forms I signed. Since I didn't provide any false documentation of a low income (they didn't *ask* for any), be pretty hard to prove intent to commit fraud. So I expect the worst that could happen is that I'd have to pay some estimate of what my correct bill might have been less what I actually paid. I suspect there's a statute of limitations, which I've already exceeded for most of the time I've been on lifeline. So this sounds like a good bet. If you win, you win big; if you lose, you break even, with chances of losing being much less than 50/50. From tedwards at src.umd.edu Fri Jul 16 12:44:02 1993 From: tedwards at src.umd.edu (Thomas Grant Edwards) Date: Fri, 16 Jul 93 12:44:02 PDT Subject: No Subject Message-ID: <199307161943.AA00777@kolo.src.umd.edu> -----BEGIN PGP SIGNED MESSAGE----- Does anyone know of C source code for low speed CELP or vocoder software available on the net? I feel if we can develop even a low-speed software based answer to the secure-phone, it will probably be used and distributed to many people. I think it would have to be based around the soundblaster card though. Perhaps we can also devise an internet secure-phone standard, and clients can be written for NeXTs, Suns, PCs, and etc. I've had no luck getting our SparcStations to decompress ADPCM encoded Internet Talk Radio in real time...either the software I have is truly sad (could be), or we need to look at other compression methods such as CELP, or at worst, vocoder. - -Thomas -----BEGIN PGP SIGNATURE----- Version: 2.2 iQBVAgUBLEcE4DAI9D7h8UTJAQHGSgIAgleqJLQnpwQck4b8FQi79uL6RPGv1j01 LlLX+ICFA/yFfVheh43tWt9vsHrG0d+Vgbo3SX4FHUniDBlqAHYnfw== =QYED -----END PGP SIGNATURE----- From exabyte!smtplink!mikej at uunet.UU.NET Fri Jul 16 14:16:47 1993 From: exabyte!smtplink!mikej at uunet.UU.NET (Mike Johnson) Date: Fri, 16 Jul 93 14:16:47 PDT Subject: steganography and cryptography Message-ID: <9307161455.A01259@smtplink.exabyte.com> Kragen Sittler says: > . . . > For a steganographically strong code, the cyphertext must not be recognizable > to its home program. This means, among other things, no CRC's, no MD5's, etc, > intended to assure data integrity. This means no delimiter-structured files. > (I think--I'm not absolutely sure on this one.) Every field in the file must > be either fixed-length or have a number somewhere in it > (in a format indistinguishable from the rest of the cyphertext) which tells it s > length. And every field, individually, must not be recognizable as something > unusual. (For instance, no sending of large prime numbers in the clear, as the y > are very unlikely to appear in a random file.) > > The foregoing "field" stuff has to do with things like PGP, which have a > message cyphertext, encrypted with a session key, and a session key, encrypted > with a PKC, in the same message. (Possible several cyphertexts of the session > key.) > > Oh, and it would be nice, though not essential, if a corruption in the file > made it completely, rather than partially, nonsense when decrypted. This way > you can't have a file with no use to the recipient used as evidence against > them. > > The important qualifications seem to rule out any crypto package in current > widespread use, don't they? > . . . For a steganographically strong code, it is not enough to make it unrecognizable to its home program. The ciphertext must look like something "innocent" to either a human reader or a computer program designed to look for ciphertext. For example, the message could be hidden in the least significant intensity bits of a bitmapped picture that the intended recipient has an unmodified copy of. If data that looks like random noise is innocent enough, then it is not hard to hack PGP or write another encryption program that intentionally lacks any signature information. I wrote several programs with this property. The two best examples are CRYPTE and CRYPTMPJ, both of which are available on the Rainbow Missions BBS at 303-938-9654. This makes them a little harder to use than PGP and similar programs, because the user has to know in advance when encryption and decryption are appropriate, and which algorithm to use. Allowing a signature in the file format makes it obvious which program was used to encrypt the data (thus slightly reducing security), but it makes it easier to use the program. This increase in ease of use makes it more likely that it will be used, and that increases security. From fergp at sytex.com Fri Jul 16 14:45:29 1993 From: fergp at sytex.com (Paul Ferguson) Date: Fri, 16 Jul 93 14:45:29 PDT Subject: DCypherpunks Message-ID: Washington, DC area Cypherpunks: I have accepted a consulting position in the DC area which will not require consistent travel (unlike my current job), which I will begin the first of August. This position will be designing, implementing and configuring routed Internet access data networks for one of the big three carriers (no, not AT&T). Anyway, I'd like to find out how many of the DCypherpuuks are willing to plan a physical meeting for mid-August to discuss current happenings, sign keys and the likes. E-mail me if you are interested. Cheers. Paul Ferguson | "Confidence is the feeling you get Network Integrator | just before you fully understand Centreville, Virginia USA | the problem." fergp at sytex.com | - Murphy's 7th Law of Computing Quis Custodiet Ipsos Custodes? being used for, what I consider, unethical, immoral and possibly illegal activities. ---- begin forwarded message ------------- AIS BBS Capture log. To: all interested parties, especially Americans who may wish to ask relevant questions of relevant people. Capture log from a BBS that claims to be run by the US Treasury Department, Bureau of the Public Debt. Notice - I have not verified that the US government is actually running this BBS, only that the BBS claims that it is. The capture was made live. I have cut out parts where the same area was visited twice, and the information is identical. Also cut out, is any information that could lead to the caller being identified, as the caller wishes to retain privacy. If indeed this is being run by the US Government, the caller would not wish to be harassed by that organisation. Also omitted are the "More" prompts for paging the display. And, after the first few displays of the main menu, some of those have also been omitted for brevity. The file 27-ASM.ZIP was downloaded, to check that there really were source codes. In fact, there were mostly recompilable disassemblies, some good, some bad. I've included, at the end of this file, the beginning of 512.ASM, a disassembly of Number of the Beast. But I've only included the header, the first couple of instructions (discover Dos version) and the end (the '666'). All the meat of the code, I've omitted for brevity, and because this capture is likely to become publicly available. [End of forwarded transcript] Immediately following the above text, was contained a list of computer viruses, virus construction tools and virus disassemblies. In the subsequent storm of debate, there have been several scathing articles written about the way the situation was brought into public knowledge, including a front-page article in the Washington Post and several rather scathing articles in Computer Underground Digest (CuD 5.51) and a rebuttal (of sorts, CuD 5.52) in which I stated my own position on the matter. It is also been brought to my attention that certain underground hackers have vowed to seek revenge in some fashion, which really worries me the least. My main concern is that this instance of valid utilization of "whistleblowing" has been overshadowed by the ravings of virus exchange enthusiasts and underground virus distribution and propagation groups who are calling "Foul!" without closely examine the implications of their own actions (a topic which I will not launch into at this time). In fact, I applaud Peter G. Neumann, moderator of RISKS Forum for allowing the anonymous post to be posted to the list in the first place. Another copy of the message was sent anonymously to VIRUS-L Digest (comp.virus list) where Ken van Wyk, the moderator, decided not to post it. (A raspberry to Ken for that one.) Perhaps the remainder of the net is not quite ready to acknowledge anonymity? As I stated above, I'd really like to hear some of your thoughts on the matter... Cheers. Paul Ferguson | "Confidence is the feeling you get Network Integrator | just before you fully understand Centreville, Virginia USA | the problem." fergp at sytex.com | - Murphy's 7th Law of Computing Quis Custodiet Ipsos Custodes? From khijol!erc at apple.com Fri Jul 16 14:53:58 1993 From: khijol!erc at apple.com (Ed Carp) Date: Fri, 16 Jul 93 14:53:58 PDT Subject: your mail In-Reply-To: <199307161943.AA00777@kolo.src.umd.edu> Message-ID: > Does anyone know of C source code for low speed CELP or vocoder > software available on the net? > > I feel if we can develop even a low-speed software based answer to > the secure-phone, it will probably be used and distributed to many > people. I think it would have to be based around the soundblaster > card though. > > Perhaps we can also devise an internet secure-phone standard, and > clients can be written for NeXTs, Suns, PCs, and etc. > > I've had no luck getting our SparcStations to decompress ADPCM encoded > Internet Talk Radio in real time...either the software I have is truly > sad (could be), or we need to look at other compression methods > such as CELP, or at worst, vocoder. > > - -Thomas Have you looked at netphone? That should be fairly easy to hack to include encryption, although I haven't looked at the source.. -- Ed Carp erc at wetware.com 510/659-9560 For anonymous mailers --> anonymus+5300 at charcoal.com "Disagreements are not meant to be challenges. They are just a different reality." -- Risa D'Angeles From collins at newton.apple.com Fri Jul 16 15:48:22 1993 From: collins at newton.apple.com (Scott Collins) Date: Fri, 16 Jul 93 15:48:22 PDT Subject: Relation between number theory and cryptography Message-ID: <9307151822.AA03311@newton.apple.com> J. Michael Diehl writes: >if we were to add some noise [then] we have added [...] information Perhaps in 'Information Relativity'. With respect to the original system (and by definition), noise is not information. It is only data. Scott Collins | "Few people realize what tremendous power there | is in one of these things." -- Willy Wonka ......................|................................................ BUSINESS. voice:408.862.0540 fax:974.6094 collins at newton.apple.com Apple Computer, Inc. 1 Infinite Loop, MS 301-2C Cupertino, CA 95014 ....................................................................... PERSONAL. voice/fax:408.257.1746 catalyst at netcom.com ....................................................................... QUOTING. Full text of sources upon request. You may quote if you do the same *and* include this notice so your readers may quote similarly. From hughes Fri Jul 16 16:15:07 1993 From: hughes (Eric Hughes) Date: Fri, 16 Jul 93 16:15:07 PDT Subject: ADMIN: cypherpunks mail configuration change Message-ID: <9307162315.AA05737@toad.com> Effective immediately, all cypherpunks mail will appear to originate from 'owner-cypherpunks'. Previously the name was 'cypherpunks-request'. This change only affects those of you using mail filters which are filtering on the out-of-band "From " line. This change was made so that I can more easily separate bounce messages from list requests. Eric From norm at netcom.com Fri Jul 16 16:36:56 1993 From: norm at netcom.com (Norman Hardy) Date: Fri, 16 Jul 93 16:36:56 PDT Subject: Names and Reputations Message-ID: <9307162337.AA28881@netcom3.netcom.com> J. Michael Diehl wrote: I'm having a philosophical problem regarding when to sign someone else's public key. It strikes me that while a public key may be properly associated with someone that you know by sight it may more generally be associated with an abstract reputation. Connecting a face to a public key may be less useful than connecting a public key with someone that I recognize by reputation. I don't know Stephen Wolff by sight but I do know him by reputation and have conversed with him by e-mail. If during these conversations we had exchanged public keys, even thru insecure channels, then that would be more reliable than exchanging keys with someone that I met in person who claimed to be Steve Wolff but with whom I did not have time to converse. Steve's reputation with me arose thru a book he wrote. If he had included his private key there it would be better yet. (Public keys had not been invented then.) Having been influenced by Steve's book I would be inclined to accept Steve's opinions in related areas, if they were signed by his private key. I need not know what Steve looks like! In CyberSpace it ultimately seems that the public key supplants ordinary names and all reputations are connected to public keys! From hughes Fri Jul 16 17:05:41 1993 From: hughes (Eric Hughes) Date: Fri, 16 Jul 93 17:05:41 PDT Subject: TEST: Ignore me Message-ID: <9307170001.AA07104@toad.com> More mailing list testing. Please ignore. Eric From ciamac at hplms2.hpl.hp.com Fri Jul 16 18:34:32 1993 From: ciamac at hplms2.hpl.hp.com (Ciamac Moallemi) Date: Fri, 16 Jul 93 18:34:32 PDT Subject: Bay area August cypherpunks mtg In-Reply-To: Message-ID: <9307170134.AA18082@cello.hpl.hp.com> >>>>> On Thu, 15 Jul 93 13:10:20 PDT, edgar at spectrx.Saigon.COM (Edgar W. Swank) said: edgar> If there is any interest, I will bring both soft and hard-copies edgar> to the next Physical Meeting, which I presume will take place edgar> on the 2nd Sat of August, 8/8, noon, at Cygnus in Mtn. View. edgar> (I didn't see any announcement/agenda for the July meeting, but edgar> I understand it occurred anyway). 8/8 is a Sunday, what's the deal? I'm a newbie on this the cypherpunks list and would be very interested in attending. Could someone post details? Thanks. From mdiehl at polaris.unm.edu Fri Jul 16 19:03:14 1993 From: mdiehl at polaris.unm.edu (J. Michael Diehl) Date: Fri, 16 Jul 93 19:03:14 PDT Subject: Relation between number theory and cryptography In-Reply-To: <9307151822.AA03311@newton.apple.com> Message-ID: <9307170159.AA16388@polaris.unm.edu> According to Scott Collins: > J. Michael Diehl writes: > > >if we were to add some noise [then] we have added [...] information > Perhaps in 'Information Relativity'. With respect to the original system > (and by definition), noise is not information. It is only data. This is a good arguement, but I believe I specified "algorithmic" information to be added to the message. This, I believe, does convey information of some kind. +-----------------------+-----------------------------+---------+ | J. Michael Diehl ;-) | I thought I was wrong once. | PGP KEY | | mdiehl at triton.unm.edu | But, I was mistaken. |available| | mike.diehl at fido.org | | Ask Me! | | (505) 299-2282 +-----------------------------+---------+ | | +------"I'm just looking for the opportunity to be -------------+ | Politically Incorrect!" | +-----If codes are outlawed, only criminals wil have codes.-----+ +----Is Big Brother in your phone? If you don't know, ask me---+ From honey at citi.umich.edu Fri Jul 16 19:39:32 1993 From: honey at citi.umich.edu (peter honeyman) Date: Fri, 16 Jul 93 19:39:32 PDT Subject: Anonymity takes one on the chin Message-ID: <9307170239.AA10958@toad.com> paul, my thoughts in (extremely) brief: i applaud your resolve to correct what you saw to be wrongdoing. i totally disagree with you on the merits of the case; i think the civil servant runing the bbs (i forget her name) provides a valuable service, and serves the common good. as usual, anonymity is a lightning rod here, although it is largely peripheral to the real issues. peter From wcs at anchor.ho.att.com Fri Jul 16 19:59:33 1993 From: wcs at anchor.ho.att.com (Bill_StewartHOY0021305) Date: Fri, 16 Jul 93 19:59:33 PDT Subject: steganography Message-ID: <9307170258.AA00984@anchor.ho.att.com> I think Kragen's definition of "Steganographically Strong" is a bit overstrong. He suggests that the cyphertext should not be recognizeable by its own program, with no checksums or program-specific delimiters, headers, etc. If checksums become widely used in other data formats (e.g. MIME or whatever), having them used in "innocent-looking-format" is ok. And having a checksum that only checks out if you have the correct key for decrypting the file is relatively ok, assuming you use strong encryption; it's really no more of a giveaway than having the correctly-decrypted plaintext have other recognizeable format, such as all-ascii or MIME or GIF. The request for a feature that corrupted files decrypt to total garbage and not just partial garbage can be implemented using some variant on doubly encrypting the file, e.g. descbc file | reverse-the-file | descbc. Most encryption systems can be used in modes that only trash the corrupted block, modes that trash the corrupted block and all following blocks, or modes that trash the corrupted block and some stuff after it, but eventually resync. The latter are useful for on-line continuous encryption systems like ethernet or T1 encryptors, where you don't want to send out guys with briefcases handcuffed to their arms any time there's a noise burst :-) One wimpy steganography approach I've thought of recently is to use uuencode. Each line starts with an indicator of how many characters are on the line, normally "M" for 64, followed by the characters; you could use variable-length lines with the length encoding your real (cyphertext) data at 6 bits/line. It'd be ugly, and probably noticeable, but you could always demonstrate that it outputs normal genuinely-innocent stuff by running it through uudecode. And it's only a factor of 10 less efficient than hiding it in a GIF! Bill Stewart From mdiehl at triton.unm.edu Fri Jul 16 20:13:15 1993 From: mdiehl at triton.unm.edu (J. Michael Diehl) Date: Fri, 16 Jul 93 20:13:15 PDT Subject: Names and Reputations In-Reply-To: <9307162337.AA28881@netcom3.netcom.com> Message-ID: <9307170311.AA15511@triton.unm.edu> According to Norman Hardy: > J. Michael Diehl wrote: > I'm having a philosophical problem regarding when to sign someone > else's public key. > > It strikes me that while a public key may be properly associated with > someone that you know by sight it may more generally be associated > with an abstract reputation. Connecting a face to a public key may > be less useful than connecting a public key with someone that > I recognize by reputation. I don't know Stephen Wolff by sight > but I do know him by reputation and have conversed with > him by e-mail. If during these conversations we had exchanged > public keys, even thru insecure channels, then that would be > more reliable than exchanging keys with someone that I met > in person who claimed to be Steve Wolff but with whom I did not > have time to converse. Steve's reputation with me arose thru a book > he wrote. If he had included his private key there it would be > better yet. (Public keys had not been invented then.) > Having been influenced by Steve's book I would be inclined to > accept Steve's opinions in related areas, if they were signed > by his private key. I need not know what Steve looks like! This is a good point, but I believe that eventually, people will want to sign legal documents via pgp and such. So being able to tie a pseudonym to a reputation to a public key to a REAL LIVE PERSON is very important. I think that for many people, your attitude is one they can live with. This is what I was debating when I posted the original question. But for others, your policy may not be secure enough. I'm working on a key-signing policy for myself which I will make available via finger or request. Laters. +-----------------------+-----------------------------+---------+ | J. Michael Diehl ;-) | I thought I was wrong once. | PGP KEY | | mdiehl at triton.unm.edu | But, I was mistaken. |available| | mike.diehl at fido.org | | Ask Me! | | (505) 299-2282 +-----------------------------+---------+ | | +------"I'm just looking for the opportunity to be -------------+ | Politically Incorrect!" | +-----If codes are outlawed, only criminals wil have codes.-----+ +----Is Big Brother in your phone? If you don't know, ask me---+ From norm at netcom.com Fri Jul 16 21:03:15 1993 From: norm at netcom.com (Norman Hardy) Date: Fri, 16 Jul 93 21:03:15 PDT Subject: Names and Reputations Message-ID: <9307170401.AA24295@netcom3.netcom.com> J. Michael Diehl writes: > This is a good point, but I believe that eventually, people will want to sign > legal documents via pgp and such. So being able to tie a pseudonym to a > reputation to a public key to a REAL LIVE PERSON is very important. I think That is a good point too. Perhaps the laws and practices of Notary Publics may serve for one degree of assurance. They commonly need to know who is asking them to notarize something such as a will. I don't remember how they do this. I suppose that a Notary public should have a published public key that she uses like her seal. From ld231782 at longs.lance.colostate.edu Fri Jul 16 21:38:15 1993 From: ld231782 at longs.lance.colostate.edu ( L. Detweiler ) Date: Fri, 16 Jul 93 21:38:15 PDT Subject: Crypto Conference from Hell Message-ID: <9307170436.AA27599@longs.lance.colostate.edu> Dr. David P. Maher, Chief Scientist for AT&T Secure Communications Systems, AT&T >As broadcast and multiple access >technologies are used increasingly for information transmission, and >everyday business is carried out in "cyberspace," structures that >ensure privacy, authenticity, and (often) anonymity must become part >of the natural landscape. wow, is this guy a cypherpunk? Gad, this is really mainstream. NYT, Newsweek, SciAm, and now a cryptographic conference *with* the NSA! We've hit the big time. (Oops, he's from AT&T.) >Wednesday, August 4, 1993 > >8:30-10:30 >CRYPTOGRAPHY POLICY IN THE U.S. YIKES, the fireworks are going to fly at this one. CSSPAB (NIST), EFF, NSA, FBI, SPA all in the same room at the same time. I sure hope there'll be transcripts of this one. It would sure beat all that Congressional testimony by far for rancor per bit! Cryptography meeting of the year? From baumbach at atmel.com Fri Jul 16 21:43:16 1993 From: baumbach at atmel.com (Peter Baumbach) Date: Fri, 16 Jul 93 21:43:16 PDT Subject: subscribe Message-ID: <9307170121.AA02296@bass.chp.atmel.com> Sorry to send this to the list. (Is it still here?) I would like to resubscribe to cypherpunks, but cannot get a response from cypherpunks-request at toad.com . Any help is appreciated, Peter Baumbach baumbach at atmel.com ps. Could someone tell me if this reached the list? From felix at hu.se Sat Jul 17 01:28:15 1993 From: felix at hu.se (Felix Ungman) Date: Sat, 17 Jul 93 01:28:15 PDT Subject: PGP 2.3 for Mac Message-ID: <199307170825.AA17151@mail.swip.net> Is anyone working on the Mac port of PGP 2.3? I read about the bug fixes of PGP 2.3 DOS. Do the same bugs exists in the Mac version? ---------------------------------------------------------------------- - RealName: Felix Ungman InterNet: felix at hu.se AppleLink: SW0358 - - Felix gor det goda godare! - ---------------------------------------------------------------------- From klbarrus at milp.jsc.nasa.gov Sat Jul 17 09:55:56 1993 From: klbarrus at milp.jsc.nasa.gov (Karl Barrus) Date: Sat, 17 Jul 93 09:55:56 PDT Subject: No Subject Message-ID: <9307171655.AA04294@milp.jsc.nasa.gov > -----BEGIN PGP SIGNED MESSAGE----- This is a touchy topic! It's a tough call, since statements like: > in the UK. I am dismayed that this type of activity is being condoned > by an American Governmental Agency. I can only hope that this operation > is shut down and the responsible parties are reprimanded. I am > extremely disturbed by the thought that my tax money is being used for, > what I consider, unethical, immoral and possibly illegal activities. may be applied to MANY goverment activities: * foreign policy (Iraq, Vietnam, Contras, lots of others) * funding & the NEA * environmentalist concerns * homosexuals * gambling - lots of debate here in TX about the state lottery. Some found it unethical and immoral. Same goes for the greyhound racetrack near Houston. In the end, $$$$$$ won. * our favorite: cryptography > My main concern is that this instance of valid utilization of > "whistleblowing" has been overshadowed by the ravings of virus I'll have to say, though I disagree with your virus position and am saddened by the outcome, I don't see anything wrong with "whistleblowing" in this manner. > Perhaps the remainder of the net is not quite ready to acknowledge > anonymity? As I stated above, I'd really like to hear some of your This seem true. Just a few months ago there was an enormous flap over Julf's anonymous server. But then, like now, the issue was really over statements made and actions taken anonymously. However, anonymity became the focal point. /-----------------------------------\ | Karl L. Barrus | | elee9sf at menudo.uh.edu | <- preferred address | barrus at tree.egr.uh.edu (NeXTMail) | \-----------------------------------/ -----BEGIN PGP SIGNATURE----- Version: 2.3 iQCVAgUBLEgueYOA7OpLWtYzAQHdaQP/QEnqtm02Hkln0Mse2YccNxqcgB8v+aox 0VlZJDunfQeukSRgpVqMuAIvXPp9LPQGCr/ubAT01gxANtlSUpiVzMkfqDkxJm/b z/W1wKOogNrmWHqpR7GMkjPAVHDgRWG8iRtrpW186HKe+TcH8EH9lVmyYBtYGn78 UIjhYwqSLT4= =FIHB -----END PGP SIGNATURE----- From ral at netcom.com Sat Jul 17 11:33:31 1993 From: ral at netcom.com (Robert A. Luscombe) Date: Sat, 17 Jul 93 11:33:31 PDT Subject: PGP & ELM Message-ID: <9307171833.AA15751@netcom3.netcom.com> Would someone be able to send me the most recent verions of the utils to use PGP with ELM? Just got a new account and finally have ELM. If you can, mail 'em or anon ftp to netcom.com and put them in pub/ral/incoming. While i'm at it, has anyone ever tried to integrate PGP into VMS MAIL? Thanks, bob Robert Luscombe --------- Internet: --- --- Home: ral at netcom.com --------- 2201 Sarah Street Apt. 3 ral at drycas.club.cc.cmu.edu --------- Pittsburgh, PA 15203-2224 ral at telerama.pgh.pa.us --------- 412/488-0941 --- --- *Finger for PGP or RIPEM pub keys* From norm at netcom.com Sat Jul 17 14:14:47 1993 From: norm at netcom.com (Norman Hardy) Date: Sat, 17 Jul 93 14:14:47 PDT Subject: Diffie Hellman Message-ID: <9307172115.AA03790@netcom3.netcom.com> What is the best reference to the Diffie Hellman key exchange algorithm? (Preferably on line) Thanks From smb at research.att.com Sat Jul 17 15:39:49 1993 From: smb at research.att.com (smb at research.att.com) Date: Sat, 17 Jul 93 15:39:49 PDT Subject: Diffie Hellman Message-ID: <9307172239.AA02431@toad.com> What is the best reference to the Diffie Hellman key exchange algorithm? (Preferably on line) Thanks Any decent book on cryptography should explain it. The idea was originally proposed in @article{Diffie76, author = {Whitfield Diffie and Martin E. Hellman}, journal = {IEEE Transactions on Information Theory}, month = {November}, pages = {644--654}, title = {New Directions in Cryptography}, volume = {IT-11}, year = {1976} } The basic idea is simple. Pick a large number p (probably a prime), and a base b that is a generator of the group of integers modulo p. Now, it turns out that given a known p, b, and (b^x) mod p, it's extremely hard to find out x. That's known as the discrete log problem. Here's how to use it. Let two parties, X and Y, pick random numbers x and y, 1 < x,y < p. They each calculate (b^x) mod p and (b^y) mod p and transmit them to each other. Now, X knows x and (b^y) mod p, so s/he can calculate (b^y)^x mod p = (b^(xy)) mod p. Y can do the same calculation. Now they both know (b^(xy)) mod p. But eavesdroppers know only (b^x) mod p and (b^y) mod p, and can't use those quantities to recover the shared secret. Typically, of course, X and Y will use that shared secret as a key to a conventional cryptosystem. The biggest problem with the algorithm, as outlined above, is that there is no authentication. An attacker can sit in the middle and speak that protocol to each legitimate party. One last point -- you can treat x as a secret key, and publish (b^X) mod p as a public key. Proof is left as an exercise for the reader. --Steve Bellovin From cdodhner at indirect.com Sat Jul 17 16:44:50 1993 From: cdodhner at indirect.com (Christian D. Odhner) Date: Sat, 17 Jul 93 16:44:50 PDT Subject: PGP 2.3 for Mac In-Reply-To: <199307170825.AA17151@mail.swip.net> Message-ID: <9307172342.AA24576@indirect.com> Felix Ungman asks: > Is anyone working on the Mac port of PGP 2.3? I read about the bug fixes of > PGP 2.3 DOS. Do the same bugs exists in the Mac version? I have not heard anything about it here on the list, but according to an interview in MONDO 2000 our own John Draper (BTW John, thanks for doing all that work on the flyer) is working on an improved macintosh version with mouse-driven interface, dialog boxes, etc. Too bad I use a 486 under Linux... Anyway, quite a few people are working on it I think and it should include all of the same bug fixes, if needed. Funny how you hear things through such indirect sources, eh? Happy Hunting, -Chris Odhner From ral at netcom.com Sat Jul 17 17:16:00 1993 From: ral at netcom.com (Robert A. Luscombe) Date: Sat, 17 Jul 93 17:16:00 PDT Subject: PGP Perl scripts for Elm Message-ID: <9307180015.AA24759@netcom3.netcom.com> I have been trying to use the pgp perl scripts for elm, and i must be doing something very wrong. Perhaps someone here can help. I did edit the scripts to include the location of perl on this machine, and have specified the scripts as my pager and editor. This is what happens when i try them: Command: Mail To: ral (Robert A. Luscombe) Subject: test Copies to: Invoking editor.../u43/ral/.bin/pgpedit: =: not found /u43/ral/.bin/pgpedit: =: not found /u43/ral/.bin/pgpedit: =: not found /u43/ral/.bin/pgpedit: =: not found /u43/ral/.bin/pgpedit: =: not found /u43/ral/.bin/pgpedit: =: not found And when i try to view something: /u43/ral/.bin/pgppager: $: not found /u43/ral/.bin/pgppager: =1: not found /u43/ral/.bin/pgppager: =0: not found /u43/ral/.bin/pgppager: =: not found /u43/ral/.bin/pgppager: =/usr/local/bin/less -i -n -s -S -c -M: not found /u43/ral/.bin/pgppager: syntax error at line 12: `(' unexpected So, what did i do wrong (or didn't do)? Robert Luscombe --------- Internet: --- --- Home: ral at netcom.com --------- 2201 Sarah Street Apt. 3 ral at drycas.club.cc.cmu.edu --------- Pittsburgh, PA 15203-2224 ral at telerama.pgh.pa.us --------- 412/488-0941 --- --- *Finger for PGP or RIPEM pub keys* From anton at hydra.unm.edu Sat Jul 17 17:38:36 1993 From: anton at hydra.unm.edu (Stanton McCandlish) Date: Sat, 17 Jul 93 17:38:36 PDT Subject: PGP 2.3 for Macintosh In-Reply-To: <9307171833.AA15751@netcom3.netcom.com> Message-ID: <9307180038.AA26287@hydra.unm.edu> Some axed about MacPGP2.3: it's already on the soda site, as are the 2.3a versions for DOS and Unix. I have no clue if this is in anyway related to the "PGP 2.3a" OS/2 port; I tend to doubt it; I think the porter just named it that. Anyone seen new ports for other OSs? Like Archimedes, VMS, etc.? Windows even? Amiga? -- Stanton McCandlish * Space Migration * Networking * ChaOrder * NO GOV'T. * anton at hydra.unm.edu * Intelligence Increase * Nano * Crypto * NO RELIGION * FidoNet: 1:301/2 * Life Extension * Ethics * VR * Now! * NO MORE LIES! * Noise in the Void BBS * +1-505-246-8515 (24hr, 1200-14400, v32bis, N-8-1) * From davros at ecst.csuchico.edu Sat Jul 17 17:48:36 1993 From: davros at ecst.csuchico.edu (Tyler Yip - UnixWeenie (tm)) Date: Sat, 17 Jul 93 17:48:36 PDT Subject: No-Brainer elm script Message-ID: <9307180045.AA24848@hairball.ecst.csuchico.edu> #!/bin/ksh # use the elm "pipe" feature to automatically detect which type of privacy # enchanced mail the message is under, and then automatically send the message # with the correct options to the cipher program. # usage from elm # | elm2pem # you can also put this as the default reader in elm, but sometimes it barfs # if you get a pgp signed message and don't have the sender's key. umask 077 clear cat > $HOME/.tmp/mbox.enc PGP="BEGIN PGP" PEM="BEGIN PRIVACY" if grep "$PGP" $HOME/.tmp/mbox.enc > /dev/null then pgp -m $HOME/.tmp/mbox.enc elif grep "$PEM" $HOME/.tmp/mbox.enc > /dev/null then ripem -d -i $HOME/.tmp/mbox.enc | more -d else more $HOME/.tmp/mbox.enc fi rm -f $HOME/.tmp/mbox.enc From ccat at netcom.com Sat Jul 17 23:39:53 1993 From: ccat at netcom.com (ccat) Date: Sat, 17 Jul 93 23:39:53 PDT Subject: Show Sunday on Clipper in Bay Area Message-ID: <9307180639.AA28000@netcom3.netcom.com> I just saw a teaser for a Channel 4 treatment of the Whitehouse going onto the Internet and Clipper. Didn't see the name of the show,but caught the times,5 and 10 pm. Channel 4. -Chris. From TO1SITTLER at APSICC.APS.EDU Sun Jul 18 00:03:37 1993 From: TO1SITTLER at APSICC.APS.EDU (Kragen Sittler) Date: Sun, 18 Jul 93 00:03:37 PDT Subject: stegano codes. Message-ID: <930718005643.e25@APSICC.APS.EDU> In reference to a message by Mike Johnson: I was thinking of steganography as being in two stages: first, you encrypt, (possibly with the identity transformation) then, you embed your encrypted message in your medium of transmission. My previous message was describing requirements for a strong encryption algorithm, quite apart from the actual embedding. I stand by my statements: the purpose of steganography is to make it difficult or impossible for an interloper to determine that enciphered data are being transferred. Thus, embedding a magic number in the file defeats the purpose completely. (As opposed to "slightly reducing security.") I accept your correction regarding availability of software. I think that designing a program to embed this apparently random bitstream in an innocent-looking file is a different and much harder problem. It is probable that I have misunderstood some part of your message, and I apologize if this is the case. Kragen (Bug my sysman for a newsreader that allows quoting with >'s-his username is jim.) From TO1SITTLER at APSICC.APS.EDU Sun Jul 18 00:13:37 1993 From: TO1SITTLER at APSICC.APS.EDU (Kragen Sittler) Date: Sun, 18 Jul 93 00:13:37 PDT Subject: bill stewart on steganography Message-ID: <930718010610.e25@APSICC.APS.EDU> You are correct. I had not thought of having crc's after decryption. Your idea about PCBC'ing twice is a good one. Kragen From al007 at cleveland.freenet.edu Sun Jul 18 07:48:46 1993 From: al007 at cleveland.freenet.edu (Nombrist Beor) Date: Sun, 18 Jul 93 07:48:46 PDT Subject: subscribe Message-ID: <247@cleveland.freenet.edu> subscribe From norm at netcom.com Sun Jul 18 09:59:58 1993 From: norm at netcom.com (Norman Hardy) Date: Sun, 18 Jul 93 09:59:58 PDT Subject: Diffie-Hellman Weakness Weakness Message-ID: <9307181700.AA08369@netcom4.netcom.com> It has been mentioned several places that the Diffie-Hellman key exchange algorithm is subject to the man-in-the-meddle attack. There is a weakness in the attack that I understand. I suppose that the attack goes as follows where I am the man in the middle: I am able to install an active wire tap that allows me to substitute the data traveling in either direction. I have a fast computer to help me. I want to conceal my activity but learn what transpires. Upon receiving signals to begin DH protocol I respond to each side separatly "lets go". I establish a secret session key with each side. I am unable to cause the two keys to be equal except by passing the b^x going one way and b^y going the other. In this case I know neither x or y and can't read the traffic. I must choose my own random numbers zx and zy and replace b^x with b^zx and b^y with b^zy. X and Y now enter secure mode with the secret keys b^(x*zy) between me and X and b^(zx*y) between me and Y. I can read the traffic. If the connection is digitized voice and if X should happen to mention the low ten bits of b^zy to Y then Y would notice the discrepency since Y knows that he sent b^y. The jig is up. I don't know how to do voice recognition so as to intercept the vocal quotation of b^zy and change it to a quotation of b^y in a way that Y would not notice. I would have to simulate X's voice. Curiously there seems to be no analog of this precaution for digital DH communicators. If there is a secret protocol for comparing b^y over the nominally secured channel then there may as well have been a secret key in the first place. If there is a public protocol for comparing b^y then I can follow that protocol my self. From fergp at sytex.com Sun Jul 18 14:28:47 1993 From: fergp at sytex.com (Paul Ferguson) Date: Sun, 18 Jul 93 14:28:47 PDT Subject: It could happen to anyone (fwd Washington Post commentary) Message-ID: reprinted from: The Washington Post Sunday, July 18, 1993 Editorials/Columnists Page C7 It Could Happen to Anyone Law enforcement out of control. by David Z. Nevin Randy Weaver was an insignificant little man, struggling to survive with his family of five in a plywood cabin in the mountains of north Idaho when he became a target of his government. His story is important because it illustrates law enforcement out of control -- and because it could happen to anyone. Weaver held beliefs about racial separation that are repugnant to most Americans. But he had served honorably in the military, had no criminal record and in 1989 had violated no laws. Then the Bureau of Alcohol Tobacco and Firearms turned its gaze upon him because it believed (incorrectly) that he was a member of a neo-Nazi group. An ATF informer -- a spy -- persuaded Weaver to saw off two shotguns and sell them. ATF then sprung its trap: Weaver must infiltrate and spy on thee Nazi group himself or be indicted for sale of the shotguns. When Weaver refused to spy he was arrested, taken to court and released pending trials. Alarmed by a series of suspiciously inconsistent statements by court personnel about the date of his trial, he became fearful that the government meant to destroy his family and seize his property. He refused to leave his mountaintop cabin and did not appear for trial. Now a "fugitive," Weaver's apprehension fell to the U.S. Marshal's Service, which came loaded for bear. The marshals called in military aerial reconnaissance and had photos studied by the Defense Mapping Agency. They prowled the woods around Weaver's cabin with night vision equipment. They had psychological profiles performed and installed $130,000 worth of solar-powered long-range spy cameras. They intercepted the Weaver's mail. They even knew the menstrual cycle of weaver's teenage daughter, and planned an arrest scenario around it. They actually bought a track of land next to Weaver's where an undercover marshal was to pose as a neighbor and build a cabin in hopes of befriending Weaver and luring him away from his cabin. Although they knew his precise location throughout this elaborate investigation, not a single marshal ever met face-to-face with Weaver. Even so, Weaver offered to surrender if conditions were met to guarantee his safety. The marshals drafted a letter of acceptance, but the U.S. attorney for Idaho abruptly ordered that negotiations cease. On Aug. 21, 1992, Weaver, his son Sammy, 14, and their friend Kevin Harris, 24, heard the family dog barking. In the woods a team of six camouflaged marshals armed with fully automatic assault weapons (one with a silencer) had attracted the dog's attention. Harris and Sammy followed the dog's bark. The dog had chased the marshals. At the fork of two abandoned logging roads, the boys and the marshals met. One of the marshals shot the dog, and Sammy, in the line of fire, shot back in self defense. Thee woods erupted with gunsmoke and flying shell casings as the marshals opened up on the boy, who had by now turned to run home. One shot struck the rifle he carried, and another hit him square in the back, killing him instantly. In the melee, Kevin Harris fired in defense of himself and of Sammy, killing deputy marshal William Degan. Two of the remaining marshals made their way to a telephone and called for help. Within hours the FBI Hostage Rescue Team was in the air from Virginia and soon thronged the hills above the Weaver cabin. On the spot the HRT promulgated new rules of engagement, directing agents to shoot any armed adult male on sight, whether he posed an immediate threat or not. These rules violated Idaho law and had never been applied before. They were not even used in the extraordinary attack on the Branch Davidian compound at Waco, which took 72 lives. Late the next day, Weaver, Harris and Weaver's teenage daughter Sara left the cabin and went to an outbuilding where Sammy's body lay, washed and prepared for home burial. Sniper Lon Horiuchi, who testified he could hit a quarter-inch target at 200 meters, took two shots. The first struck Weaver under the right arm. The three then rushed back to the cabin, where Weaver's wife, Vicki, stood holding open the door, with 10-month old Elisheba in her arms. As Harris ran into the open door Horiuchi shot again, striking Vicki in the head and then Harris as he passed behind her. Vicki fell dead. Horiuchi reporting hearing a scream (it was from 10-year-old Rachel) that lasted at least 30 seconds. Weaver at last surrendered. He was charged with the sale of the shotguns and failure to appear at trial, and he and Harris were charged with Degan's murder, assault on the officers and a nine-year conspiracy to provoke a confrontation with federal officers. At trial -- Weaver and Harris were tried together with separate attorneys -- misconduct on the part of prosecutors led Judge Edward J. Lodge to assess defense attorney's fees against the government itself, a step almost unheard of in criminal cases. Well into the case, the lead prosecutor, who enjoyed a reputation of punctilious attention to professional responsibilities, collapsed and was unable to complete the trial. After 40 days of government testimony, Weaver and harris rested their cases without calling a single witness. The jury acquitted an all the substantive charges except for Weaver's failure to appear. With three human lives and some $3 million down the drain, the U.S. attorney declined to answer questions from the press. The ATF, the Marshal's Service, the FBI, even the U.S. attorney, each had the opportunity to stop this trail of horrors. Because they saw nothing wrong in any of it, none did. As late in the day as closing argument, the assistant prosecutor who took over the sagging case called all this the "honorable" tactics of proper police work. Law enforcement has become a sacred cow in America, and it happened quite naturally. It is comforting to believe that our thorny problems -- violence, drug abuse, child exploitaton, public corruption -- can be solved simply by getting tough. And every year we build more prisons and put more people in them for longer periods of time. But consigning our social problems to the criminal justice system is bad policy for two reasons. First, it won't work. Despite all the mandatory prison terms, no one seriously argues that the crime problem is diminishing. Second, it has disturbing side effects. Overwhelming expense, the degradation of constitutional protections and the country's growing sense of frustration and helplessness are a few. The sorry tale of federal law enforcement run amok in the Weaver case -- as in the Branch Davidian affair -- is another. We know that those with power will use it -- all of it. And police officers in America have vast power. Not just statutory power, although there is plenty of that, but also the power that comes from being what America believes is its last best hope. But beware: As officers perceive no genuine checks on their authority, more will take their lead from the Dirty Harry movies and do whatever it takes to get their man. And we will be left to learn again the hard way, as George Washington taught, that government, "like fire ... is a dangerous servant and a terrible master." -------------------------------------------- The writer is lead attorney for Kevin Harris. Paul Ferguson | "Confidence is the feeling you get Network Integrator | just before you fully understand Centreville, Virginia USA | the problem." fergp at sytex.com | - Murphy's 7th Law of Computing Quis Custodiet Ipsos Custodes? From tcmay at netcom.com Sun Jul 18 15:03:49 1993 From: tcmay at netcom.com (Timothy C. May) Date: Sun, 18 Jul 93 15:03:49 PDT Subject: It could happen to anyone (fwd Washington Post commentary) In-Reply-To: Message-ID: <9307182202.AA13095@netcom3.netcom.com> Many thanks to Paul Ferguson for posting that article from today's Washington Post about the Randy Weaver trial. The killing of that Fed in Idaho was fully justified, as the jury just confirmed. I am hopeful the "defendants" in whatver Waco Shootout trial occurs will likewise receive justice and be found innocent. The BATF, DEA, Marshal's Service, and their kind have essentially become a Gestapo-like band of secret police. They raid homes without proper warrants (Phil Karn has told us of the San Diego case), they entrap innocents, they use high tech satellite imagery to locate plots of land they want for various purposes and then trump up charges (the Oxnard-Santa Monica case where the County wanted a guy's land and then drew up drug charges, raided him, and killed him...no drugs were found), and they seize computers and modems of folks like Steve Jackson without bothering to do their homework. And perhaps their next target will be "crypto-terrorists" like us. After all, many of us advocate overthrowing the fascist/socialist government (I know I do, and many of you do, too), and many of us believe strong crypto is the key ingredient for bypassing tax systems, for trading weapons technology details with others (how long before some of us are charged with aiding and abetting the enemy?), and for creating a transnational cyberspace. The Feds must surely come to see us as the enemy. We need to be as prepared as Randy Weaver was! -Tim -- .......................................................................... Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at netcom.com | anonymous networks, digital pseudonyms, zero 408-688-5409 | knowledge, reputations, information markets, W.A.S.T.E.: Aptos, CA | black markets, collapse of governments. Higher Power: 2^756839 | Public Key: PGP and MailSafe available. Note: I put time and money into writing this posting. I hope you enjoy it. From jpp at markv.com Sun Jul 18 16:15:08 1993 From: jpp at markv.com (jpp at markv.com) Date: Sun, 18 Jul 93 16:15:08 PDT Subject: Diffie-Hellman Weakness Weakness In-Reply-To: <9307181700.AA08369@netcom4.netcom.com> Message-ID: <9307181614.aa18663@hermix.markv.com> If you compare the digital interceptor, to the voice interceptor, fairly, you will see they are in equally strong positions. When I am phoneing a person I know, I am automatically checking the `signature' of their voice. The other party on the line might be able to convince me they have a cold, but I hope I will have enough wisdom to postpone discussing the March 15th assassination plot untill the cold clears up. So we should compare a voice interceptor on a channel where the two people don't know each other's voice to the unsigned digital interceptor. In this case, the interceptor can claim to one party to be the other party, and remain undetected. This is the Diffe-Helman weakness. Alternatively we should compare the voice interceptor on a channel where the two people do know each other's voice to the signed digital interceptor. In this case, the interceptor will either be detected should some minimal authentication and verification be tried, or the interceptor will be unable to even listen in. The weakness remains here, but it has been patched over with authentication, and signed verification of the channel key. This is the Diffe-Helman weakness weakness. The (potential) interceptor is the reason why we must be so very carefull when validating other people's public keys. I know there is no interceptor between me and the people who's keys I sign. If I can be sure of no interceptors between one of them, and the person I wish to speak to, then I will be able to establish a secure channel. BTW props (respect, and thanks) to Diffe for his work creating this fascinating field of mathematics and cryptography. j' -- O I am Jay Prime Positive jpp at markv.com 1250 bit key fingerprint = B8 95 E0 AF 9A A2 CD A5 89 C9 F0 FE B4 3A 2C 3F 524 bit key fingerprint = 8A 7C B9 F2 D5 46 4D ED 66 23 F1 71 DE FF 51 48 Public keys by `finger jpp @hermix.markv.com' or pgp-public-keys at pgp.mit.edu Your feedback is welcome, directly or via symbol JPP on hex at sea.east.sun.com From nate at VIS.ColoState.EDU Sun Jul 18 17:08:50 1993 From: nate at VIS.ColoState.EDU (CVL staff member Nate Sammons) Date: Sun, 18 Jul 93 17:08:50 PDT Subject: bsd mail question Message-ID: <9307190007.AA10824@vangogh.VIS.ColoState.EDU> CPs, I am working on a revision of my PGPcompose program, and I would like to know if anyone knows a good way to get bsd mail to call a program when it is going to send mail (i.e. when you type 'mail user' or when a message is replied to.) So far, it (my app) can be called as follows: comp -s -c -b these arguments can be given in any order, as long as the recipient is at the end. It will prompt for the information that is not provided at teh command line. I just need to get mail to spit a subject and a recipient out, so I can call this app. it will do the rest. Also, is there a fast and easy way to get mail to give me the expanded version of a .mailrc alias from the command line? I read the man, and it does not look possible. thanks, -nate sammons +-------------------------------------------------------------------- | Nate Sammons email: nate at VIS.ColoState.Edu | Colorado State University Computer Visualization Laboratory | Finger nate at monet.VIS.ColoState.Edu for my PGP key | #include | "I have but one single desire - to tear down the sky" -A. Toomba | Quis Custodiet Ipsos Custodes? +----------------------+ From nate at VIS.ColoState.EDU Sun Jul 18 17:10:09 1993 From: nate at VIS.ColoState.EDU (CVL staff member Nate Sammons) Date: Sun, 18 Jul 93 17:10:09 PDT Subject: recomendations for intro books Message-ID: <9307190008.AA10831@vangogh.VIS.ColoState.EDU> CPs, can any of you give me some recomendations on introductory books on cryptography? thanks, -nate sammons +-------------------------------------------------------------------- | Nate Sammons email: nate at VIS.ColoState.Edu | Colorado State University Computer Visualization Laboratory | Finger nate at monet.VIS.ColoState.Edu for my PGP key | #include | "I have but one single desire - to tear down the sky" -A. Toomba | Quis Custodiet Ipsos Custodes? +----------------------+ From smb at research.att.com Sun Jul 18 17:43:51 1993 From: smb at research.att.com (smb at research.att.com) Date: Sun, 18 Jul 93 17:43:51 PDT Subject: recomendations for intro books Message-ID: <9307190042.AA12708@toad.com> CPs, can any of you give me some recomendations on introductory books on cryptography? The best thing would be to look at the sci.crypt FAQ. From tedwards at wam.umd.edu Sun Jul 18 17:48:50 1993 From: tedwards at wam.umd.edu (technopagan priest) Date: Sun, 18 Jul 93 17:48:50 PDT Subject: Diffie Hellman Message-ID: <199307190048.AA02432@rac3.wam.umd.edu> For a broad introduction to information theory, coding, and their applications in cryptography, I reccommend _Codes_and_Cryptgraphy_ by Dominic Welsh (Oxford Science Publications, ISBN 0-19-853288-1 and ISBN 0-19-853287-3 Pbk). Some topics: information theory, noiseless coding theory, noisy channels, error-correcting codes, source theory, natural language structure, one-time pads, computational complexity, public key systems (RSA, Knapsacks, Rabin, Elgamal), authentication and digital signatures (Diffie-Lamport, Rabin), Diffie-Helman key exchange, and random numbers and random cryptsstems. -Thomas From nate at VIS.ColoState.EDU Sun Jul 18 17:49:53 1993 From: nate at VIS.ColoState.EDU (CVL staff member Nate Sammons) Date: Sun, 18 Jul 93 17:49:53 PDT Subject: PGPcompose 1.1 source Message-ID: <9307190046.AA11214@vangogh.VIS.ColoState.EDU> -----BEGIN PGP SIGNED MESSAGE----- =============== BEGIN README ============= PGPcompose 1.0 (c) 1993 Nate Sammons PGPcompose is a C program (that needs to be compiled, oddly enough) that is designed to allow for easy incorporation of digital signatures and encryption with PGP (from Phil Zimmerman). It may be necessary to change some of the calls within PGPcompose, so that it will access the right mailer (it is set to /usr/lib/sendmail) etc... It should be placed somewhere in your path, or that you modify your path (in ~/.cshrc) so that it is. I plan to expand PGPcompose's abilities so that it will be a complete mailer package ready for use... hopefully! I want to add support for replys and for mail management. BTW, this software carries no warranty, and if in the use of it you break something, it's not my fault (this for all you legaleese-speakers out there...) - -Nate Sammons, July 18, 1993 +-------------------------------------------------------------------- | Nate Sammons email: nate at VIS.ColoState.Edu | Colorado State University Computer Visualization Laboratory | Finger nate at monet.VIS.ColoState.Edu for my PGP key | #include | "I have but one single desire - to tear down the sky" -A. Toomba | Quis Custodiet Ipsos Custodes? +----------------------+ FIGHT THE CLIPPER! =============== END README ================ =============== BEGIN COMP.C ================= #include char version[] = "1.1"; int includeFile; char fileToInclude[100]; int PID; int signMess, cryptMess; char CCwho[130]; char BCCwho[130]; char subject[130]; char toWho[130]; char cryptWho[100]; char test[50]; char whoami[30]; char spoolName[100]; char tmpName[150]; char commandLine[300]; char scriptName[150]; main(int argc, char *argv[]) { FILE *tmp; FILE *message; FILE *messageHeader; char messageName[150]; char messageHeaderName[150]; char messageCypherName[150]; char theChoice[5]; int n, q; int getSub, getCC, getBCC; getSub = 1; getCC = 1; getBCC = 1; if((argc ==2) && (strcmp(argv[1], "-h") ==0)) { printf("Useage: comp -s -c -b \n"); help(); } if(argc == 1) { system("/usr/ucb/mail"); exit(0); } PID = getpid(); sprintf(messageName, "/tmp/comp.mess.tmp.%d", PID); sprintf(messageHeaderName, "/tmp/comp.head.tmp.%d", PID); sprintf(tmpName, "tmp/comp.tmp.%d", PID); sprintf(messageCypherName, "/tmp/comp.cypher.message.tmp.%d", PID); if(argc > 2) { for(n=1;n> %s ; /bin/rm -rf %s ; mv %s %s", messageName, messageHeaderName, messageName, messageHeaderName, messageName); system(commandLine); goto editIt; default: goto Continue; } } #include extractHeader() { char tmpName[150]; char messageName[150]; char messageHeaderName[150]; int pid; FILE *tmp; FILE *message; FILE *messageHeader; char commandLine[200]; char theLine[90]; char initTheLine[90]; int rc; int n=1; int q=0; pid = getpid(); sprintf(tmpName, "/tmp/comp.tmp.%d", pid); sprintf(messageName, "/tmp/comp.mess.tmp.%d", pid); sprintf(messageHeaderName, "/tmp/comp.head.tmp.%d", pid); tmp = fopen(tmpName, "w"); fclose(tmp); tmp = fopen(tmpName, "a"); message = fopen(messageName, "r"); messageHeader = fopen(messageHeaderName, "w"); fclose(messageHeader); messageHeader = fopen(messageHeaderName, "a"); while(n!=q) { fgets(theLine, 81, message); if((theLine[0] == '-') && (theLine[1] == '-') && (theLine[2] == '-') && (theLine[3] == 'E') && (theLine[4] == 'O') && (theLine[5] == 'H') && (theLine[6] == '-') && (theLine[7] == '-') && (theLine[8] == '-')) goto Continue; fprintf(messageHeader, "%s", theLine); } Continue: while(n!=q) { fgets(theLine, 81, message); if(feof(message)) goto keepGoing; fprintf(tmp, "%s", theLine); } keepGoing: fclose(message); fclose(messageHeader); fclose(tmp); sprintf(commandLine, "/bin/rm -rf %s", messageName); system(commandLine); sprintf(commandLine, "mv %s %s", tmpName, messageName); system(commandLine); } #include sendmail() { FILE *script; int PID; extern int signMess, cryptMess; extern char CCwho[130]; extern char BCCwho[130]; extern char subject[130]; extern char toWho[130]; extern char cryptWho[100]; extern char test[50]; extern char whoami[30]; extern char tmpName[150]; char messageName[150]; char messageHeaderName[150]; char messageCypherName[150]; extern char commandLine[300]; char scriptName[150]; PID = getpid(); sprintf(messageName, "/tmp/comp.mess.tmp.%d", PID); sprintf(messageHeaderName, "/tmp/comp.head.tmp.%d", PID); sprintf(tmpName, "tmp/comp.tmp.%d", PID); sprintf(messageCypherName, "/tmp/comp.cypher.message.tmp.%d", PID); sprintf(scriptName, "/tmp/comp.script.%d", PID); if((signMess == 1) && (cryptMess == 1)) { script = fopen(scriptName, "w"); fprintf(script, "cat %s | pgp -feast \"%s\" > %s\n", messageName, cryptWho, messageCypherName); fclose(script); sprintf(commandLine, "chmod +x %s", scriptName); system(commandLine); system(scriptName); sprintf(commandLine, "cat %s >> %s ; cat %s | /usr/lib/sendmail -t", messageCypherName, messageHeaderName, messageHeaderName); system(commandLine); } if((signMess == 1) && (cryptMess == 0)) { sprintf(commandLine, "cat %s | pgp -fast +clearsig=on > %s\n", messageName, messageCypherName); system(commandLine); sprintf(commandLine, "cat %s >> %s ; cat %s | /usr/lib/sendmail -t", messageCypherName, messageHeaderName, messageHeaderName); system(commandLine); } if((signMess == 0) && (cryptMess == 1)) { script = fopen(scriptName, "w"); fprintf(script, "cat %s | pgp -fea \"%s\" > %s\n", messageName, cryptWho, messageCypherName); fclose(script); sprintf(commandLine, "chmod +x %s", scriptName); system(commandLine); system(scriptName); sprintf(script, "cat %s >> %s ; cat %s | /usr/lib/sendmail -t", messageCypherName, messageHeaderName, messageHeaderName); system(commandLine); } if((signMess == 0) && (cryptMess == 0)) { sprintf(commandLine, "cat %s >> %s ; cat %s | /usr/lib/sendmail -t", messageName, messageHeaderName, messageHeaderName); system(commandLine); } sprintf(commandLine, "/bin/rm -rf /tmp/comp.*.%d", PID); system(commandLine); } #include help() { printf("\n\n"); printf("PGPcompose 1.1, (c) 1993 Nate Sammons\n\n"); printf("This is a utility to let people who do not have perl to\n"); printf("use PGP from within standard bsd mail with ease. This\n"); printf("application relies on general UNIX system calls for several\n"); printf("of it's functions. It is meant to be fairly easy to use, and \n"); printf("as unintrusive as possible. For reading mail, I recomend setting\n"); printf("the PAGER variable in your ~/.mailrc file to \"pgp -mf\".\n\n"); printf("If you like this program, send me mail. If you don't like something,\n"); printf("tell me what you don't like.\n\n -Nate Sammons, nate at vis.colostate.edu\n\n"); exit(0); } ============================ END COMP.C =================== I hope you like it. - -nate sammons +-------------------------------------------------------------------- | Nate Sammons email: nate at VIS.ColoState.Edu | Colorado State University Computer Visualization Laboratory | Finger nate at monet.VIS.ColoState.Edu for my PGP key | #include | "I have but one single desire - to tear down the sky" -A. Toomba | Quis Custodiet Ipsos Custodes? +----------------------+ -----BEGIN PGP SIGNATURE----- Version: 2.3 iQCUAgUBLEnu7dTgi1fmrpxlAQE/JwP3XmktT5YFe5sQ/28YunJigm0CPGVKRgxS 3MqfbCGDEqmGz3tpXfaPsHvgNCl0H71Wb3sxbqLgQi30FYKrqA8f+VEF0XlyMNJC hWCBL0PwZQbQGFKThz7/Tj/dtxUWOksbaV/2mRo66avlULpDAY2PsAyAIe1HksE3 TUmCUQOyWg== =qR9G -----END PGP SIGNATURE----- From gdale at apple.com Sun Jul 18 18:48:51 1993 From: gdale at apple.com (Geoff Dale) Date: Sun, 18 Jul 93 18:48:51 PDT Subject: steganography Message-ID: <9307190147.AA07571@apple.com> Bill Stewart said: >I think Kragen's definition of "Steganographically Strong" is a bit overstrong. >He suggests that the cyphertext should not be recognizeable by its own program, >with no checksums or program-specific delimiters, headers, etc. >If checksums become widely used in other data formats (e.g. MIME or whatever), >having them used in "innocent-looking-format" is ok. >And having a checksum that only checks out if you have the correct key >for decrypting the file is relatively ok, assuming you use strong encryption; >it's really no more of a giveaway than having the correctly-decrypted >plaintext have other recognizeable format, such as all-ascii or MIME or GIF. What you want to avoid is giving any spooks/agents the ability to: A> Quickly scan GIFs (or whatever) on your hard disk (or .binary. newsgroups) for files that are "likely" to be hiding something. B> Be able to prove that you have an encrypted file. If they get that proof they can apply pressure to you to get the key. Anything that allows either of the above is only providing moderate security. From smb at research.att.com Sun Jul 18 21:23:53 1993 From: smb at research.att.com (smb at research.att.com) Date: Sun, 18 Jul 93 21:23:53 PDT Subject: Diffie-Hellman Weakness Weakness Message-ID: <9307190420.AA18807@toad.com> If you compare the digital interceptor, to the voice interceptor, fairly, you will see they are in equally strong positions. When I am phoneing a person I know, I am automatically checking the `signature' of their voice. The other party on the line might be able to convince me they have a cold, but I hope I will have enough wisdom to postpone discussing the March 15th assassination plot untill the cold clears up. So we should compare a voice interceptor on a channel where the two people don't know each other's voice to the unsigned digital interceptor. In this case, the interceptor can claim to one party to be the other party, and remain undetected. This is the Diffe-Helman weakness. Alternatively we should compare the voice interceptor on a channel where the two people do know each other's voice to the signed digital interceptor. In this case, the interceptor will either be detected should some minimal authentication and verification be tried, or the interceptor will be unable to even listen in. The weakness remains here, but it has been patched over with authentication, and signed verification of the channel key. This is the Diffe-Helman weakness weakness. The (potential) interceptor is the reason why we must be so very carefull when validating other people's public keys. I know there is no interceptor between me and the people who's keys I sign. If I can be sure of no interceptors between one of them, and the person I wish to speak to, then I will be able to establish a secure channel. The AT&T Telephone Security Device (you know, the beast with the Clipper chip...) has a display that shows a few digits of a hash of the key. Each party reads off some of it to the other; the idea is that an intruder won't be able to spoof a voice in real-time. For data connections, have a look at @article{interlock, author = {Ronald L. Rivest and Adi Shamir}, journal = {Communications of the ACM}, number = {4}, pages = {393--395}, title = {How to Expose an Eavesdropper}, volume = {27}, year = {1984} } The idea is to send half of an encrypted block. You then await a half-block from the far side, at which point you send your other half, and listen for the far side's other half. The idea is that since one can't decrypt a half-block, the intruder in the middle can't send a fraudulent one. Depending on how this scheme (known as the ``Interlock Protocol'') is used, it may be vulnerable to attack. Davies and Price, in their (excellent) book ``Security for Computer Networks'', suggest sending passwords that way. But Mike Merritt and I showed how to attack that scheme under certain circumstances. (Details to appear in IEEE Transactions on Information Theory.) --Steve Bellovin From honey at citi.umich.edu Sun Jul 18 21:45:11 1993 From: honey at citi.umich.edu (peter honeyman) Date: Sun, 18 Jul 93 21:45:11 PDT Subject: It could happen to anyone (fwd Washington Post commentary) Message-ID: <9307190444.AA19454@toad.com> > We need to be as prepared as Randy Weaver was! tell that to his dead kin. we need to be prepared, but not as randy weaver was. peter From XXCLARK at indst.indstate.edu Mon Jul 19 01:18:54 1993 From: XXCLARK at indst.indstate.edu (XXCLARK at indst.indstate.edu) Date: Mon, 19 Jul 93 01:18:54 PDT Subject: AIS BBS Message-ID: <9307190818.AA25746@toad.com> Paul Ferguson wrote: >I'd like to get some of your collective thoughts an a matter >which has stirred quite a debate in the free-information/computer- >virus-exchange arena. Okay... The stated charge against Kim Clancy is that she posted [or allowed to be posted], among other contraband, virus disassemblies [poor, by your reckoning]. But, as the complaint emerged on VIRUS-L, I suspect the actual offense, far worse in the eyes of builders of empires and reputations was that she openly and knowingly consorted with known "hackers" and other underground types. I suggest that what so belatedly brought the wrath of the self-righteous down on Kim Clancy is that she broke the rules of the inner circle of the VIRUS-L self-appointed elect. While Kim Clancy is not the only security type to knowingly and openly communicate with the unwashed, she is one of the few to demonstrate an excess of intelligence over ego. She would seem to know that no one person or group is the font of perfect knowledge. If the US military didn't learn from the VC, was it the VC's fault? There is, of course, little so conducive to the enhancement of undeserved reputation as that based upon knowledge alleged to be so dangerous and so sacrosanct that no one outside the inner circle can be trusted with possession. Sounds like a disease all too common inside and about the beltway, among TLA's and bureaucracies, both corporate and governmental. VIRUS-L Digest I find amusing, a suitable substitute for MAD Magazine. I've never seen it undigested, but if the signal-to-noise ratio is as poor as in the Digest, it must be gargantuan. Budding shrinks and social studies types looking for new ground to work just might find material for several dissertations there. VIRUS-L Digest seems the perfect place to look if one is bent on studying the cult of the self-appointed, self-important keepers of the myth of the mainframe priesthood. There is information there, but, as Eliot wrote in one of the Sweeney poems, "the trouble is, I gotta use words when I talk to you." Therefore, in VIRUS-L Digest, most of the information is between the lines. And some residing within the select inner circle don't have quite the depth of knowledge they think. For the record, Paul, I do not have knowledge of any virus exchange boards. I am sure they exist, I just don't know of any. And for yourself and Peterson, I've never inquired of anyone for any such information. I believe I can meet Peterson's criteria for admission to his tutelage, but have neither need nor desire... which may have been the point to his recent... challenge. I am curious how your foreign colleague discovered this threat to western civilization. As I understand it, the AIS BBS is a dial-up board. Was he running a demon dialer across the net? Was he working for MI-5? Your "exposure" of an open secret seems to me not unlike what happens on the playground during recess. Much ado about nothing. While the danger of viruses is real, I do believe those who would be our protectors have learned something from that branch of the Department of Corporate/High-Tech Welfare [aka Department of Defense], which, not content with probably unconstitutional military involvement in law enforcement, is now attempting to drum up new contracts to protect us from the comet/asteroid menace. Crikey. I dunno about secret cabals of "underground hackers" out to get you... I think the danger there is about as great as that to Bozo Reagan from "secret Lybian hit squads." Save me from legends in their own minds. No more fucking secrets... You asked... --------------------------------------------------------------------- internet : xxclark at indst.indstate.edu RelayNet (488) Vanilla BITNET: XXCLARK at INDST FidoNet (1:2230/114) Phone: 911 TechNet 11:800/0 One need not be a weatherman to know which way the wind is blowing. --------------------------------------------------------------------- From tcmay at netcom.com Mon Jul 19 02:08:55 1993 From: tcmay at netcom.com (Timothy C. May) Date: Mon, 19 Jul 93 02:08:55 PDT Subject: recomendations for intro books In-Reply-To: <9307190008.AA10831@vangogh.VIS.ColoState.EDU> Message-ID: <9307190907.AA11552@netcom3.netcom.com> Nate Sammons asks: > can any of you give me some recomendations on introductory books > on cryptography? > > thanks, > I like Gilles Brassard's "Modern Cryptology: A Tutorial," 1988, Springer-Verlag, a small tutorial on _modern_ crypto, with discussions of such applications as digital money, secret sharing, and the like. The IEEE Press book, "Contemporary Cryptology," edited by Gus Simmons, is also nice, with a lot of recent stuff. Good preparation for reading the proceedings of the annual "Crypto" conferences. (These proceedings are available in many technical bookstores--like Computer Literacy, Staceys, and Stanford in the Bay Area--and in well-equipped university libraries. The papers report on modern crypto results and should be looked at by nearly all Cypherpunks.) And then there are the standard textbooks: Denning, Meyer and Matyas, Salomaa, Patterson, etc. These are all cited in nearly any one of the books, are readily findable with a library card catalog, and are frequently mentioned in sci.crypt. My advice: spend a few hours at a good university library. The crypto books (and journals--"Journal of Cryptology" and "Cryptologia") are in the math section, usually with the call numbers around "QA76.9.A25." Some crypto books, especially historical cryptography (like Kahn's "The Codebreakers"), are found in Z103. Spend time perusing these books and journals to get a feel for what's happening. Crypto is a lot more than just PGP! I hope this helps. -Tim May -- .......................................................................... Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at netcom.com | anonymous networks, digital pseudonyms, zero 408-688-5409 | knowledge, reputations, information markets, W.A.S.T.E.: Aptos, CA | black markets, collapse of governments. Higher Power: 2^756839 | Public Key: PGP and MailSafe available. Note: I put time and money into writing this posting. I hope you enjoy it. From faust at cd.chalmers.se Mon Jul 19 04:36:14 1993 From: faust at cd.chalmers.se (faust at cd.chalmers.se) Date: Mon, 19 Jul 93 04:36:14 PDT Subject: No Subject Message-ID: <199307191135.AA05425@castafiore.cd.chalmers.se> Hi, As I'm taking my first steps towards ethernal freedom, I just wanted to try this channel with some questions: 1. Cypherpunk-remailers and multi-identities with preserved anonymity. What if I use >1 identities and don't want them to be associated with neither my username nor the other identities? When my mail leaves the last remailer in direction towards me, 'everyone' has the opportunity to read my mail. Ok, the mail may be encrypted with my public-key, but there comes the problem, by beeing encrypted with my pub.key it is also marked with one of my identities, so by monitoring my mail they can connect my 'real' name with pseudonyms I use! Of course, I can tell the senders to encrypt my mail with a passphrase (like PGP -c) before sending it to me, but that don't work in situations like: 'If you support these opinions, feel free to mail me , using this header and this key...' I guess it's not that smart to tell them 'Oh, and please encrypt my mail with PGP -c "secret" first!' ??? I may most certainly have overlooked some details about this, but if not, I would like to have a command in those remailers like: :: Conventional-encryption-password: 'password' Which invokes PGP -c 'password' on the rest of the message before sending it to next adress. 2. Server for Anonymous-headers. My problem with anonymous-headers (that is reversed chains of PGP-encrypted adresses for remailers) are that they: 1) Are too big and ugly, 2) Needs common updates as remailers goes down. Therefor, wouldn't it be nice with servers like the public-keys servers where you could request the latest header for a pseudonym? Maybe even be able to mail directly to that server with pseudonym at server... and get the mail redirected to 'pseudonym'? 3. Protection of remailers. How are the cypherpunk remailers protected from sec.key-thieves and mail monitoring? I mean, their keys can't be protected by passphrases, and they often resides in multiuser/timesharing systems? I would certainly make the first attack towards the remailers before trying brute-force on a 1024-bit RSA-key! Regards, Henrik From elee9sf at Menudo.UH.EDU Mon Jul 19 06:35:22 1993 From: elee9sf at Menudo.UH.EDU (Karl Barrus) Date: Mon, 19 Jul 93 06:35:22 PDT Subject: ANON: AP story Message-ID: <199307191334.AA09153@Menudo.UH.EDU> In today's Houston Chronicle appeared a story ("Federal employee's computer searched after whistleblowing") which ties together cypherpunk concerns: whistleblowing, privacy, etc. I'll just type in a few paragraphs. Washington - The Resolution Trust Corp.'s top lawyer authorized a secret search of an employee's computer that turned up files detailing whistleblowing activities, a document shows. An internal agency memo shows RTC officials conducted the search after failing to persuade the agency's inspector general to do it, and says that the IG assured the RTC officials they wouldn't be investigated if questions were later raised. The IG's office disputes the claim. Officials at the savings and loan cleanup agency say RTC acting general counsel Richard T. Aboussie gave the go-ahead for the search because he suspected Bruce Pederson, a mid-level agency attorney in Denver, was doing personal business on government equipment. [1 paragraph deleted] Pederson has never disputed that the agency found personal matters in his files, arguing instead that the search was an invasion of privacy. Pederson said he believes agency officials were trying to punish him for being a whisleblower. "These evens are outrageous," he said. The search of Pederson's computer, first reported in May, occurred less that six months after he had criticized agency management practives in testimony before a Seante panel. He gained assurances at the time that he would not be retaliated against for airing his views. [2 paragraphs deleted] The federal wiretap law was expanded in 1986 to prohibit employers, including the government, from accessing employee work computer records. Under the law, the government is allowed to conduct clandestine searches if the employee is suspected of espionage or theft. Pederson was under no such suspicion. [I guess this is the ECPA?] [4 paragraphs deleted] According to electronic time stamps on each document, many of the letters and memos were generated on Pederson's government computer after normal working hours, the memo revealed. [Probably not cryptographic timestamps :-)] [3 paragraphs deleted to end of article] He should've used PGP! From pmetzger at lehman.com Mon Jul 19 09:45:24 1993 From: pmetzger at lehman.com (Perry E. Metzger) Date: Mon, 19 Jul 93 09:45:24 PDT Subject: Diffie-Hellman Weakness Weakness In-Reply-To: <9307181614.aa18663@hermix.markv.com> Message-ID: <9307191643.AA27736@snark.shearson.com> jpp at markv.com says: > If you compare the digital interceptor, to the voice interceptor, > fairly, you will see they are in equally strong positions. > > When I am phoneing a person I know, I am automatically checking the > `signature' of their voice. The other party on the line might be able > to convince me they have a cold, but I hope I will have enough wisdom > to postpone discussing the March 15th assassination plot untill the > cold clears up. What if you are using a cheap vocoder because you don't have lots of available CPU? With cheap vocoders, voices are not easily recognized. What if you are using data and not voice? DH key exchange is great -- if you are willing to do something to actively authenticate the other end. Several protocols to do this have been developed. Personally, I would not recommend doing without them just on the basis that "I can recognise Fred's voice". Perry From broitman at bucrf4.bu.edu Mon Jul 19 14:15:23 1993 From: broitman at bucrf4.bu.edu (Jeff Broitman) Date: Mon, 19 Jul 93 14:15:23 PDT Subject: AP Story Message-ID: <9307192115.AA15865@bucrf4.bu.edu> > He should've used PGP! since they had his computer, they had his PUBKEY and SECKEY files... and more than likely his pass phrase in simple encryption somewhere in his files...(fairly easy to break simple encryptions...like CRYPT command on unix...) Don't you think? -JzB %#%#%#%#%#%#%#%#%#%#%#%#%#%#%#%#%#%#%#%#%#%#%#%#%#%#%#%#%#%#%#%#%#%#%#%#%#%#%#% Internet:broitman at koala.bu.edu J.Z.Broitman broitman at radon.bu.edu Dept. of Chemistry broitman at carbon.bu.edu Boston University broitman at xenon.bu.edu Snail:42 Maynard St. W.Newton MA. 02165 %#%#%#%#%#%#%#%#%#%#%#%#%#%#%#%#%#%#%#%#%#%#%#%#%#%#%#%#%#%#%#%#%#%#%#%#%#%#%#% From allan at elvis.tamu.edu Mon Jul 19 15:54:09 1993 From: allan at elvis.tamu.edu (Allan Bailey) Date: Mon, 19 Jul 93 15:54:09 PDT Subject: It could happen to anyone (fwd Washington Post commentary) Message-ID: <9307192249.AA26576@elvis.tamu.edu> Is it just me? Or does CNN just not cover things like the Randy Weaver trial when the gov't loses? -- Allan Bailey, UNIX programmer, CSC | "Freedom is not free." Infinite Diversity in Infinite Combinations | or: allan.bailey at tamu.edu 616c6c616e206261696c6579 | or: nefud-the-delirious at tamu.edu From khijol!erc Mon Jul 19 16:09:08 1993 From: khijol!erc (Ed Carp) Date: Mon, 19 Jul 93 16:09:08 PDT Subject: AP Story In-Reply-To: <9307192115.AA15865@bucrf4.bu.edu> Message-ID: > since they had his computer, they had his PUBKEY and SECKEY files... > and more than likely his pass phrase in simple encryption somewhere in > his files...(fairly easy to break simple encryptions...like CRYPT > command on unix...) > > Don't you think? He could've kept his secring.pgp on diskette... :) -- Ed Carp erc at apple.com 510/659-9560 For anonymous mailers --> anonymus+5300 at charcoal.com "Disagreements are not meant to be challenges. They are just a different reality." -- Risa D'Angeles From exabyte!smtplink!mikej at uunet.UU.NET Mon Jul 19 17:15:30 1993 From: exabyte!smtplink!mikej at uunet.UU.NET (Mike Johnson) Date: Mon, 19 Jul 93 17:15:30 PDT Subject: steganograpy and cryptography Message-ID: <9307191739.A01267@smtplink.exabyte.com> Kragen writes: > I was thinking of steganography as being in two stages: first, you encrypt, > (possibly with the identity transformation) then, you embed your encrypted > message in your medium of transmission. My previous message was describing > requirements for a strong encryption algorithm, quite apart from the actual > embedding. I stand by my statements: the purpose of steganography is to make > it difficult or impossible for an interloper to determine that enciphered data > are being transferred. Thus, embedding a magic number in the file defeats the > purpose completely. > (As opposed to "slightly reducing security.") True. I was refering to cryptographic security instead of steganographic security when I said "slightly reducing security." Sorry about the miscommunication. For steganographic purposes, there should be no _constant_ magic numbers or CRCs taken _after_ the encryption (and visible in the ciphertext). All magic numbers and CRCs should be embedded _before_ encryption and checked _after_ decryption when you want the ciphertext to look purely random. This way you can have _both_ cryptographic convenience and random looking ciphertext ready for steganographic hiding. > I think that designing a program to embed this apparently random bitstream in > an innocent-looking file is a different and much harder problem. Definitely. Such a program is also very likely to drastically inflate the message, depending on the definition of "innocent-looking" and the characteristics of the channel or storage medium used. For example, a message could be concealed in the number of blank characters after each line of text from an recipe book, but someone might even get suspicious about a sudden interest in cooking among cypherpunks. :) By the way, I heard a rumor from a telephone company employee who I met (face to face) who is in a position to know that a U. S. company was using DES to communicate proprietary information between one of its facilities in Japan and an office in the USA. They got a letter from the Japanese parliament asking them why they were sending encrypted data. Perhaps there is more to the question of steganography than purely academic interest... ----------------------------------------------------------------------------- Mike Johnson | Opinions expressed herein are mine, and come with no mikej at exabyte.com | warranty, expressed or implied. PGP key on request. ----------------------------------------------------------------------------- From Brad.Huntting at HK.Super.NET Mon Jul 19 18:04:08 1993 From: Brad.Huntting at HK.Super.NET (Brad Huntting) Date: Mon, 19 Jul 93 18:04:08 PDT Subject: It could happen to anyone (fwd Washington Post commentary) In-Reply-To: <9307192249.AA26576@elvis.tamu.edu> Message-ID: <199307200102.AA13763@hk.super.net> > Is it just me? Or does CNN just not cover things like the > Randy Weaver trial when the gov't loses? CNN (like every other real-time news service) is under pressure to keep costs down. So they tend to rely on tried and true sources such as the government. They're staff probably didn't hear about this case till long after it became "yesterdays news". On the other hand, perhaps they have been sucking up to "government sources" for so long, they just blindly assume that what they say is what's news worthy. brad From smb at research.att.com Mon Jul 19 18:19:08 1993 From: smb at research.att.com (smb at research.att.com) Date: Mon, 19 Jul 93 18:19:08 PDT Subject: ANON: AP story Message-ID: <9307200118.AA24979@toad.com> The federal wiretap law was expanded in 1986 to prohibit employers, including the government, from accessing employee work computer records. Under the law, the government is allowed to conduct clandestine searches if the employee is suspected of espionage or theft. Pederson was under no such suspicion. [I guess this is the ECPA?] I'd like someone to provide some statute citations or some case law to back this up. As I read the ECPA, nothing in it prevents an employer from looking at employee files. (Admittedly, the government may be different.) The following quote is from @article{hernandez, title = {{ECPA} and Online Computer Privacy}, author = {Ruel Torres Hernandez}, journal = {Federal Communications Law Journal}, volume = 41, number = 1, month = {November}, year = 1988, pages = {17--41} } ECPA protection in the employer-employee situation may indeed be non-existent. [Footnote: This legislative intent to exclude corporate monitoring of employees from ECPA was confirmed by those who followed the drafting of the legislation. According to Jerry Berman, counsel for the Americal Civil Liberties Union, a participant in the drafting of th elegislation, ``ECPA `goes right up to the water's edge [of employee privacy protection] but stops short' and to have included some employee privacy protection against employers in the corporate context `would have killed the bill.' '' Electronic message from Brock Meeks (Mar. 31, 1988)] While the corporate exception acknolwedges an employer's property rights in all parts of his business, it leaves the employee's privacy interests completely unprotected. I should note that the ECPA also explicitly permits monitoring ``as may be necessarily incident to ... the protection of the rights or property of the provider of that service''. Again, if anyone has hard citations to the contrary, I'd really like to know. In the case that has drawn the most attention, the Epson email case, the claim was based on a state law that protects employee telephone calls. From what I've read, the judge rule against the plaintiff on the grounds that only voice calls were protected. That ruling was apparently not appealed, probably because there was little chance that that holding would be overturned. --Steve Bellovin From jjl at panix.com Mon Jul 19 21:59:10 1993 From: jjl at panix.com (J. J. Larrea) Date: Mon, 19 Jul 93 21:59:10 PDT Subject: Crypto Patent Abstracts #1 Message-ID: <199307200456.AA27500@panix.com> Cypherpunks, I finally got to the library to do some patent searches. Attached to this mail is summary information on 6 significant crypto patents. Note that some of the patent numbers which have appeared in prior postings on cypherpunks were incorrect, but I managed to track down the references via other means; someone should make sure they're correct in any relavent FAQs etc. Of the 6, I have full-text for 4 of them: Schnorr: 4,995,082 Gaffney: 4,562,305 Hellman-Pohlig: 4,424,414 Rivest-Shamir: 4,405,829 and partial text for one more: Hellman-Merkle: 4,218,582 I hope to be able to get a full version of Hellman-Merkle, as well as: Hellman-Diffie: 4,200,770 within a week. So, is there an FTP site I should place these on? Have fun, J.J. Larrea O / \/ /\ ~~~~~~~~~~~~~~~~~~~~~~~~~~~ CUT HERE ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ O \ US PAT NO: 4,995,082 [IMAGE AVAILABLE] L19: 1 of 5 DATE ISSUED: Feb. 19, 1991 TITLE: Method for identifying subscribers and for generating and verifying electronic signatures in a data exchange system INVENTOR: Claus P. Schnorr, Frankfurterstr. 81, 6350 Bad Nauheim, Federal Republic of Germany APPL-NO: 07/484,127 DATE FILED: Feb. 23, 1990 ART-UNIT: 222 PRIM-EXMR: Thomas H. Tarcza ASST-EXMR: David Cain LEGAL-REP: Hill, Van Santen, Steadman & Simpson ABSTRACT: In a data exchange system working with processor chip cards, a chip card transmits coded identification data I, v and, proceeding from a random, discrete logarithm r, an exponential value x=2.sup.r (mod p) to the subscriber who, in turn, generates and transmits a random bit sequence e to the chip card. By multiplication of a stored, private key s with the bit sequence e and by addition of the random number r, the chip card calculates a y value and transmits the y value to the subscriber who, in turn, calculates an x value from the information y, v.sub.j and e and checks whether the calculated x value coincides with the transmitted x value. For an electronic signature, a hash value e is first calculated from an x value and from the message m to be signed and a y value is subsequently calculated from the information r, s.sub.j and e. The numbers x and y then yield the electronic signature of the message m. US PAT NO: 4,405,829 [IMAGE AVAILABLE] L19: 3 of 5 DATE ISSUED: Sep. 20, 1983 TITLE: Cryptographic communications system and method INVENTOR: Ronald L. Rivest, Belmont, MA Adi Shamir, Cambridge, MA Leonard M. Adleman, Arlington, MA ASSIGNEE: Massachusetts Institute of Technology, Cambridge, MA (U.S. corp.) APPL-NO: 05/860,586 DATE FILED: Dec. 14, 1977 ART-UNIT: 222 PRIM-EXMR: Sal Cangialosi LEGAL-REP: Arthur A. Smith, Jr., Robert J. Horn, Jr. ABSTRACT: A cryptographic communications system and method. The system includes a communications channel coupled to at least one terminal having an encoding device and to at least one terminal having a decoding device. A message-to-be-transferred is enciphered to ciphertext at the encoding terminal by first encoding the message as a number M in a predetermined set, and then raising that number to a first predetermined power (associated with the intended receiver) and finally computing the remainder, or residue, C, when the exponentiated number is divided by the product of two predetermined prime numbers (associated with the intended receiver). The residue C is the ciphertext. The ciphertext is deciphered to the original message at the decoding terminal in a similar manner by raising the ciphertext to a second predetermined power (associated with the intended receiver), and then computing the residue, M', when the exponentiated ciphertext is divided by the product of the two predetermined prime numbers associated with the intended receiver. The residue M' corresponds to the original encoded message M. US PAT NO: 4,200,770 [IMAGE AVAILABLE] L19: 5 of 5 DATE ISSUED: Apr. 29, 1980 TITLE: Cryptographic apparatus and method INVENTOR: Martin E. Hellman, Stanford, CA Bailey W. Diffie, Berkeley, CA Ralph C. Merkle, Palo Alto, CA ASSIGNEE: Stanford University, Palo Alto, CA (U.S. corp.) DATE ISSUED: Apr. 29, 1980 TITLE: Cryptographic apparatus and method APPL-NO: 05/830,754 DATE FILED: Sep. 6, 1977 ART-UNIT: 222 PRIM-EXMR: Howard A. Birmiel LEGAL-REP: Flehr, Hohbach, Test ABSTRACT: A cryptographic system transmits a computationally secure cryptogram over an insecure communication channel without prearrangement of a cipher key. A secure cipher key is generated by the conversers from transformations of exchanged transformed signals. The conversers each possess a secret signal and exchange an initial transformation of the secret signal with the other converser. The received transformation of the other converser's secret signal is again transformed with the receiving converser's secret signal to generate a secure cipher key. The transformations use non-secret operations that are easily performed but extremely difficult to invert. It is infeasible for an eavesdropper to invert the initial transformation to obtain either conversers' secret signal, or duplicate the latter transformation to obtain the secure cipher key. US PAT NO: 4,562,305 [IMAGE AVAILABLE] L22: 1 of 3 DATE ISSUED: Dec. 31, 1985 TITLE: Software cryptographic apparatus and method INVENTOR: John E. Gaffney, Jr., Bethesda, MD ASSIGNEE: International Business Machines Corporation, Armonk, NY (U.S. corp.) APPL-NO: 06/452,248 DATE FILED: Dec. 22, 1982 ART-UNIT: 222 DATE ISSUED: Dec. 31, 1985 TITLE: Software cryptographic apparatus and method PRIM-EXMR: Salvatore Cangialosi ASST-EXMR: Aaron J. Lewis LEGAL-REP: John E. Hoel ABSTRACT: An improved software cryptographic apparatus and method are disclosed. The apparatus and method enables the encryption of the object code of a program so as to enable relocatable code operations. The apparatus and method will adapt program execution for a mixture of encrypted and nonencrypted code. A particular advantage of the apparatus and method is its accommodation of interrupts and branches while carrying out the cryptographic function. US PAT NO: 4,424,414 [IMAGE AVAILABLE] L22: 2 of 3 DATE ISSUED: Jan. 3, 1984 TITLE: Exponentiation cryptographic apparatus and method INVENTOR: Martin E. Hellman, Stanford, CA Stephen C. Pohlig, Acton, MA ASSIGNEE: Board of Trustees of the Leland Stanford Junior University, Stanford, CA (U.S. corp.) APPL-NO: 05/901,770 DATE FILED: May 1, 1978 ART-UNIT: 222 PRIM-EXMR: Sal Cangialosi LEGAL-REP: Flehr, Hohbach, Test, Albritton & Herbert ABSTRACT: A cryptographic system transmits a computationally secure cryptogram that is generated from a secret transformation of the message sent by the authorized transmitter; the cryptogram is again transformed by the authorized receiver using a secret reciprocal transformation to reproduce the message sent. The secret transformations use secret cipher keys that are known only by the authorized transmitter and receiver. The transformations are performed with nonsecret operations, exponentiation, that are easily performed but extremely difficult to invert. It is computationally infeasible for an eavesdropper either to solve known plaintext-ciphertext pairs for the secret cipher keys, or to invert the nonsecret operations that are used to generate the cryptogram. US PAT NO: 4,218,582 [IMAGE AVAILABLE] L22: 3 of 3 DATE ISSUED: Aug. 19, 1980 TITLE: Public key cryptographic apparatus and method INVENTOR: Martin E. Hellman, Stanford, CA Ralph C. Merkle, Palo Alto, CA DATE ISSUED: Aug. 19, 1980 TITLE: Public key cryptographic apparatus and method ASSIGNEE: The Board of Trustees of the Leland Stanford Junior University , Stanford, CA (U.S. corp.) APPL-NO: 05/839,939 DATE FILED: Oct. 6, 1977 ART-UNIT: 222 PRIM-EXMR: Howard A. Birmiel ABSTRACT: A cryptographic system transmits a computationally secure cryptogram that is generated from a publicly known transformation of the message sent by the transmitter; the cryptogram is again transformed by the authorized receiver using a secret reciprocal transformation to reproduce the message sent. The authorized receiver's transformation is known only by the authorized receiver and is used to generate the transmitter's transformation that is made publicly known. The publicly known transformation uses operations that are easily performed but extremely difficult to invert. It is infeasible for an unauthorized receiver to invert the publicly known transformation or duplicate the authorized receiver's secret transformation to obtain the message sent. *** END *** From chaos at aql.gatech.edu Mon Jul 19 22:24:10 1993 From: chaos at aql.gatech.edu (Paul Goggin) Date: Mon, 19 Jul 93 22:24:10 PDT Subject: Crypto Patent Abstracts #1 In-Reply-To: <199307200456.AA27500@panix.com> Message-ID: <9307200520.AA02122@toad.com> >From: "J. J. Larrea" >Message-Id: <199307200456.AA27500 at panix.com> >Subject: Crypto Patent Abstracts #1 >To: cypherpunks at toad.com >Of the 6, I have full-text for 4 of them: > Schnorr: 4,995,082 > Gaffney: 4,562,305 > Hellman-Pohlig: 4,424,414 > Rivest-Shamir: 4,405,829 >and partial text for one more: > Hellman-Merkle: 4,218,582 >I hope to be able to get a full version of Hellman-Merkle, as well as: > Hellman-Diffie: 4,200,770 >within a week. >So, is there an FTP site I should place these on? I don't know about soda, but I have been mirroring it here at aql.gatech.edu and would love to put them up for ftp. I have /pub/cypherpunks/Incoming set up for dropoffs. Put them in and I should have them up within a day for anonymous ftp. Drop me a note also when you drop them off for quicker response. What did the [images available] besides the patent number mean? Look forward to hearing from you. Paul -- R O All Comments Copyright by | Technofetisht A N Paul S. Goggin (1993) | Cypher, Cyber, Chaos V Information Broker | Ergoflux, Interzone E chaos at aql.gatech.edu | Carpe Diem: Stop the Clipper wiretap chip Finger account for latest _Phrack_ | Public Key: PGP and RIPEM available For anonymous communication:---> anonymus+4744 at charcoal.com ------------------------------------------------------------------------------ Title 18 USC 2511 and 18 USC 2703 Protected -- Monitoring Absolutely Forbidden From pacoid at wixer.bga.com Mon Jul 19 23:14:11 1993 From: pacoid at wixer.bga.com (Paco Xander Nathan) Date: Mon, 19 Jul 93 23:14:11 PDT Subject: PGP tutorial In-Reply-To: Message-ID: <9307200548.AA07956@wixer> > In message <9307151349.AA05001 at snark.shearson.com>, "Perry E. Metzger": > > Rather than pointing people to strange publications we've never heard > > of written by authors without credentials, might I suggest... > > > Excellent comments, Perry, yes, but *I* have heard of Fringeware, > so maybe I'll throw some of my comments about Paco, as an "author > without credentials." (Not that I'm a cypherpunk with credentials or > anything. =) > ... > Fringeware is a 'zine which Paco Xander Nathan publishes, and while > he's no cypherpunk, he's an intelligent guy, so I'm pretty sure his > article would be a good one. > Sameer Parekh-zane at genesis.MCS.COM-PFA related mail to pfa at genesis.MCS.COM Thank you kindly Sameer!! I'm pleased to find a ref to FWR#1 here, in a bibliography no less :) I'll add a plug that our new magazine is in int'l distribution, ISSN 1069-5656. The tutorial was written as a practical intro for people who would *not* be comfortable reading this list, but who would probably read the PGP docs anyway. The premier issue includes an article about Cypherpunks from my interview/stay/club-hopping with Eric Hughes back in Sep 92, along with a tutorial on how to join interesting email lists, such as this one. LERI-L's cofounder Scotto adds philosophical insights about the Net, virtual communities and lists in general, plus Tom Jennings favored us with beautific wisdoms on a predominantly cypherpunk theme. Whether I am a "cypherpunk" or not is as always debatable, but to assuage your fears Perry, I've been on this list nearly a year, posting occasionally. Creditials? I have degrees in Math & CompSci from Stanford, +20 years programming experience including a lot of Unix & comm work for Bell Labs, and my writing appears in Mondo 2000, WiReD, 2600, bOING-bOING, Pix-Elation, WER, etc.. some of which, to relative extents, appear to hold value within the context of this list. (tongue placed firmly in cheek) Those of you who actually read 'em may have noticed my bent for going mano-a-mano in court and on the streets against distopian organizations such as the Secret Service, the DEA's droids and a particular multinational telecom giant which shall go unmentioned. FWR is jointly published with my biz partner Jon Lebkowsky, who shares a similar trail of magazine gigs, along with fame as illuminary/host/ gopher editor on the WELL and president of EFF-Austin.. We run a popular Interent email list, fringeware at wixer.bga.com Hopefully, knowing these tidbits, we can all rest easier at night, assured that the hallowed trust of PGP has not been tainted by an unsocialized and heathen publication. NB: Perry, we're *TICKLED* silly that you refered to us as "strange"; may we consider this as "letter to the editor" material? BTW, we'd been waiting eagerly.. FWR staff had decided to just shush and wait for SOME kind of mention/review to pop up here, eventually :) Thank you. pxn. ---- PS: even our firm's *lawyer* participates in this list: strange.. credentials.. geez! :) From edgar at spectrx.Saigon.COM Tue Jul 20 01:15:32 1993 From: edgar at spectrx.Saigon.COM (Edgar W. Swank) Date: Tue, 20 Jul 93 01:15:32 PDT Subject: OOPS! Message-ID: On July 15, I posted here: If there is any interest, I will bring both soft and hard-copies to the next Physical Meeting, which I presume will take place on the 2nd Sat of August, 8/8, noon, at Cygnus in Mtn. View. ... Of course that should have read on the 2nd Sat of August, 8/14, noon, at Cygnus in Mtn. View. ... ^^^^^^ Sorry if this error caused any confusion. It's not my fault; All the blame falls on my computer calendar which just has "S" for both Saturday and Sunday. (:} -- edgar at spectrx.saigon.com (Edgar W. Swank) SPECTROX SYSTEMS +1.408.252.1005 Cupertino, Ca From edgar at spectrx.Saigon.COM Tue Jul 20 01:15:41 1993 From: edgar at spectrx.Saigon.COM (Edgar W. Swank) Date: Tue, 20 Jul 93 01:15:41 PDT Subject: PGP: "Stealth" mode Message-ID: -----BEGIN PGP SIGNED MESSAGE----- J. Michael Diehl wrote: Many encryption tools such as ripem, pgp, and dolphin can recognize their own output...which indicates that there is a footprint to that particular implimentation. There has been discussion among us PGP developers (I guess I am one now; see my recent posts to alt.security.pgp) of implementation of a "stealth" option, which would remove all the identifying footprints from encrypted output. RSA-Encrypted files would start with the (random) IDEA key followed by IDEA-encrypted data. Conventionally encrypted files (-c) would contain only encrypted data. Possibly the armor format wouldn't change, since PGP can be used to convert any binary file to armored form (-a). But it would probably be better to convert PGP binary output to e-mailable form using a common external utility like UUENCODE to make it look even more ordinary, especially if you change the UUENCODE BEGIN statement to specify, say, xxx.ZIP instead of XXX.PGP. Of course, the UUDECODED file wouldn't be recognized by PKUNZIP. "Oh, what a shame, the file must have got corrupted somewhere on the net". That's the easy part. The hard part is designing decryption procedures. PGP would have to prompt something like: "unrecognized input file. May be stealth mode. Select procedure 1. Assume RSA file with your default secret key 2. " " " Prompt for userid of secret key to try. 3. " " " try all your secret keys (may be impractical on slower CPU's) 4. Assume conventional file. prompt for pass phrase." Also note that for each secret key tried, PGP must prompt for its pass phrase. Of course, once decryption is successful, then the usual footprints can be there for signatures and compression. AFAIK, this idea is still just in the talking stage. -----BEGIN PGP SIGNATURE----- Version: 2.3a.1/EWS iQCVAgUBLElab94nNf3ah8DHAQFIEwP/RR1+oUMpJL75smnHJCfP+8e8b4+P6uEm uFpyN1LOpVbuKwNG73tu2c/wvdmABDH39xDDs5C29rOj/RFjpGWj40wTXJcvJ878 dSI/Dmj1pAZXCay9qSOldxxrtXes/wsCuQtHL/PX9y+tcXGIaduP4TYlxMSCqXvr rwNTH1jeM5I= =t5A8 -----END PGP SIGNATURE----- -- edgar at spectrx.saigon.com (Edgar W. Swank) SPECTROX SYSTEMS +1.408.252.1005 Cupertino, Ca From anton at hydra.unm.edu Tue Jul 20 02:59:14 1993 From: anton at hydra.unm.edu (Stanton McCandlish) Date: Tue, 20 Jul 93 02:59:14 PDT Subject: Crypto Patent Abstracts #1 In-Reply-To: <9307200930.AA12485@hydra.unm.edu> Message-ID: <9307200956.AA13242@hydra.unm.edu> Well, I hereby relinquish my claim to having the most complete PGP site. Aql beats NitV hands down! But not for long... >;) Truly impressive though! PS someone requested that I UL my stuff (much of it hard-to-get Fido/PGP utils, and the like) to their site. Who was that? I've lost the msg. -- Stanton McCandlish * Space Migration * Networking * ChaOrder * NO GOV'T. * anton at hydra.unm.edu * Intelligence Increase * Nano * Crypto * NO RELIGION * FidoNet: 1:301/2 * Life Extension * Ethics * VR * Now! * NO MORE LIES! * Noise in the Void BBS * +1-505-246-8515 (24hr, 1200-14400, v32bis, N-8-1) * From elee9sf at Menudo.UH.EDU Tue Jul 20 06:16:24 1993 From: elee9sf at Menudo.UH.EDU (elee9sf at Menudo.UH.EDU) Date: Tue, 20 Jul 93 06:16:24 PDT Subject: STEG: subliminal messages In-Reply-To: <930718005643.e25@APSICC.APS.EDU> Message-ID: <199307201315.AA21726@Menudo.UH.EDU> > I was thinking of steganography as being in two stages: first, you encrypt, > (possibly with the identity transformation) then, you embed your encrypted > message in your medium of transmission. My previous message was describing An interesting related topic is subliminal channels and messages. A subliminal channel is one in which communication takes place without an external observer realizing it. The classic example is communication between two prisoners (I guess they played the prisoner's dilemma and both wound up in jail anyway). Two prisoners are allowed to communicate, but the warden is suspicious so he intercepts all traffic, reads it, and then passes it on. The prisoners demand that they be able to digitally sign messages to prevent forgeries by the warden. The warden demands he be able to read the messages (no PGP). All parties agree to these terms and the communication begins. Basically, the prisoners communicate in the open (the message readable by the warden) but they also communicate with a "subliminal channel" the warden isn't aware of: the digital signature. The prisoners sign their messages in such a way as to communicate a few bits of information with each message passed along. The digital signatures can be verified, so the warden suspects nothing. Eventually, the prisoners work out their stories and are released. :-) As I remember, and I don't have the book here with me now, Seberry and Peipryzk's book describes this, and gives several examples of subliminal channel algorithms, of which I only recall El Gamal`s at the moment. Perhaps Arto Salaama's "Public Key Cryptography" contains more information. /-----------------------------------\ | Karl L. Barrus | | elee9sf at menudo.uh.edu | <- preferred address | barrus at tree.egr.uh.edu (NeXTMail) | \-----------------------------------/ From elee9sf at Menudo.UH.EDU Tue Jul 20 06:39:15 1993 From: elee9sf at Menudo.UH.EDU (elee9sf at Menudo.UH.EDU) Date: Tue, 20 Jul 93 06:39:15 PDT Subject: AP Story In-Reply-To: <9307192115.AA15865@bucrf4.bu.edu> Message-ID: <199307201338.AA23202@Menudo.UH.EDU> > > He should've used PGP! > > since they had his computer, they had his PUBKEY and SECKEY files... > and more than likely his pass phrase in simple encryption somewhere in > his files...(fairly easy to break simple encryptions...like CRYPT > command on unix...) > > Don't you think? I apologize if this appears twice; I sent out a reply late last night but it hasn't shown up yet. And I can't remember if I sent it to the list or to the author... Okay, it would be incredible oversight on his part to "simple encrypt" his passphrase and leave it on his computer! It would be even worse if he put his passphrase in config.txt. But, he could have used "pgp -c" and IDEA encrypted his files, thus rendering pubring.pgp and secring.pgp useless information. So, he shouldn've used PGP! /-----------------------------------\ | Karl L. Barrus | | elee9sf at menudo.uh.edu | <- preferred address | barrus at tree.egr.uh.edu (NeXTMail) | \-----------------------------------/ From whitaker at eternity.demon.co.uk Tue Jul 20 09:35:37 1993 From: whitaker at eternity.demon.co.uk (Russell Earl Whitaker) Date: Tue, 20 Jul 93 09:35:37 PDT Subject: Forwarded article. Message-ID: <9913@eternity.demon.co.uk> This article was forwarded to you by whitaker at eternity.demon.co.uk (Russell Earl Whitaker): --------------------------------- cut here ----------------------------- Path: eternity.demon.co.uk!demon!news!uunet!usc!math.ohio-state.edu! magnus.acs.ohio-state.edu!dbruedig From: dbruedig at magnus.acs.ohio-state.edu (Dena L Bruedigam) Newsgroups: alt.politics.libertarian Subject: Claustrophobia Date: 20 Jul 1993 00:56:45 GMT Organization: The Ohio State University Lines: 25 Message-ID: <22ffsd$adq at charm.magnus.acs.ohio-state.edu> NNTP-Posting-Host: top.magnus.acs.ohio-state.edu The August issue of _Claustrophobia_ is hot off the press and has some great articles of interest to libertarians, such as: * NSA: The Eyes of Big Brother, an expose of the prying secret government organization * What You Should Know About Your Social Security Number * Violence on TV * The Right (?) to Health Care * And more! =========================================================================== For a free sample, just send your name and address and a 29-cent stamp to: Claustrophobia 400 N. High St. #137 Columbus, OH 43215 ============================================================================ ** The Claustrophobia staff has agreed not to sell, rent, trade, or give ** ** away our mailing list -- ever. --------------------------------- cut here ----------------------------- From MINNIS at cobaf.unt.edu Tue Jul 20 15:34:25 1993 From: MINNIS at cobaf.unt.edu (Robert Minnis) Date: Tue, 20 Jul 93 15:34:25 PDT Subject: FTP Message-ID: I have just found out about this group and am interested in becoming involved. What do I need to know to be able to use the FTP site? Robert Minnis MINNIS at COBAF.UNT.EDU From fergp at sytex.com Tue Jul 20 15:49:24 1993 From: fergp at sytex.com (Paul Ferguson) Date: Tue, 20 Jul 93 15:49:24 PDT Subject: Congressional contacts list Message-ID: <1J9Z7B1w165w@sytex.com> On Tue, 20 Jul 1993 11:22:00 -0700, Peter shipley wrote - > can you resend me you list of Congressional FAX numbers, I lost > what you sent before. > > -Pete Hi, Pete. While your original message was sent to me directly, meObthinks that my reply is important enough to be broadcast in the public channels. Please note that this list is dated and some entries may be outdated. Fortunately, some FCs (Fat Cats) have been removed from office. I am in the process of finding (creating?) a new and updated list. Cheers from Washington, DC. 8<-------- Cut Here -------------------- This list supplied by BULLET'N BOARD, 703-971-5565 (voice) or 703-971-4491 (modem). For further information on our lists and software products you can write to BULLET COMMUNICATIONS, 6118 Franconia Rd., Suite 214, Alexandria, VA 22310. ST DIST FIRST LAST PHONE FAX AK 1 Don Young (202)225-5765 AK S Frank H. Murkowski (202)224-6665 (202)224-5301 AK S Ted Stevens (202)224-3004 (202)224-1044 AL 1 Sonny Callahan (202)225-4931 (202)225-0562 AL 2 William L. Dickinson (202)225-2901 AL 3 Glen Browder (202)225-3261 (202)225-9020 AL 4 Tom Bevill (202)225-4876 (202)225-0842 AL 5 Bud Cramer (202)225-4801 AL 6 Ben Erdreich (202)225-4931 AL 7 Claude Harris (202)225-2665 AL S Howell Heflin (202)224-4124 (202)224-3149 AL S Richard Shelby (202)224-5744 (202)224-3416 AR 1 Bill Alexander (202)225-4076 AR 2 Ray Thornton (202)225-2506 (202)225-2506 AR 3 John Paul Hammerschmidt (202)225-4301 (202)225-7492 AR 4 Beryl Anthony (202)225-3772 (202)225-3646 AR S Dale L. Bumpers (202)224-4843 (202)224-6435 AR S David Pryor (202)224-2353 (202)224-8261 AZ 1 John J. Rhodes (202)225-2635 (202)225-0985 AZ 2 (202)225-4065 AZ 3 Bob Stump (202)225-4576 (202)225-6328 AZ 4 Jon L. Kyl (202)225-3361 (202)225-1143 AZ 5 Jim Kolbe (202)225-2542 (202)225-0378 AZ S Dennis DeConcini (202)224-4521 (202)224-8698 AZ S John McCain (202)224-2235 (202)224-8938 CA 1 Frank Riggs (202)225-3311 (202)225-5577 CA 2 Wally Herger (202)225-3076 (202)225-0996 CA 3 Robert T. Matsui (202)225-7163 (202)225-0566 CA 4 Vic Fazio (202)225-5716 (202)225-0354 CA 5 Nancy Pelosi (202)225-4965 (202)225-8259 CA 6 Barbara Boxer (202)225-5161 (202)225-1004 CA 7 George Miller (202)225-2095 (202)225-5609 CA 8 Ronald V. Dellums (202)225-2661 CA 9 Fortney (Pete) Stark (202)225-5065 CA S John Seymour (202)224-3841 (202)224-6031 CA S Alan Cranston (202)224-3553 (202)224-8128 CA 10 Don Edwards (202)225-3072 CA 11 Tom Lantos (202)225-3531 CA 12 Tom J. Campbell (202)225-5411 (202)225-5944 CA 13 Norman Y. Mineta (202)225-2631 CA 14 John T. Doolittle (202)225-2511 (202)225-5444 CA 15 Gary Condit (202)225-6131 (202)225-0819 CA 16 Leon E. Panetta (202)225-2861 CA 17 Calvin Dooley (202)225-3341 (202)225-9308 CA 18 Richard H. Lehman (202)225-4540 CA 19 Robert J. Lagomarsino (202)225-3601 (202)225-3096 CA 20 William M. Thomas (202)225-2915 (202)225-8798 CA 21 Elton Gallegly (202)225-5811 CA 22 Carlos J. Moorhead (202)225-4176 (202)225-1279 CA 23 Anthony Beilenson (202)225-5911 CA 24 Henry A. Waxman (202)225-3976 (202)225-4099 CA 25 Edward Roybal (202)225-6235 (202)225-1251 CA 26 Howard L. Berman (202)225-4695 (202)225-5279 CA 27 Mel Levine (202)225-6451 (202)225-6975 CA 28 Julian C. Dixon (202)225-7084 (202)225-4091 CA 29 Maxine Waters (202)225-2201 (202)225-7854 CA 30 Matthew G. Martinez (202)225-5464 (202)225-5467 CA 31 Mervyn M. Dymally (202)225-5425 (202)225-6847 CA 32 Glenn Anderson (202)225-6676 CA 33 David Dreier (202)225-2305 (202)225-4745 CA 34 Esteban Edward Torres (202)225-5256 (202)225-9711 CA 35 Jerry Lewis (202)225-5861 (202)225-6498 CA 36 George Brown (202)225-6161 (202)225-8671 CA 37 Al McCandless (202)225-5330 CA 38 Robert K. Dornan (202)225-2965 CA 39 William E. Dannemeyer (202)225-4111 (202)225-1755 CA 40 Christopher Cox (202)225-5611 (202)225-9177 CA 41 Bill Lowery (202)225-3201 CA 42 Dana Rohrabacher (202)225-2415 (202)225-0145 CA 43 Ronald C. Packard (202)225-3906 (202)225-0134 CA 44 Randy Cunningham (202)225-5452 (202)225-2558 CA 45 Duncan L. Hunter (202)225-5672 (202)225-0235 CO 1 Patricia Schroeder (202)225-4431 (202)225-5842 CO 2 David E. Skaggs (202)225-2161 CO 3 Ben Nighthorse Campbell (202)225-4761 CO 4 Wayne Allard (202)225-4676 (202)225-8630 CO 5 Joel Hefley (202)225-4422 CO 6 Dan Schaefer (202)225-7882 CO S Hank Brown (202)224-5941 CO S Timothy Wirth (202)224-5852 (202)224-1933 CT 1 Barbara Kennelly (202)225-2265 (202)225-1031 CT 2 Sam Gejdenson (202)225-2076 (202)225-4977 CT 3 Rosa . DeLauro (202)225-3661 CT 4 Christopher Shays (202)225-5541 (202)225-9629 CT 5 Gary Franks (202)225-3822 (202)225-5085 CT 6 Nancy L. Johnson (202)225-4476 (202)225-4488 CT S Joe Lieberman (202)224-4041 (202)224-9750 CT S Christopher J. Dodd (202)224-2823 (202)224- DE 1 Thomas Carper (202)225-4165 (202)225-1912 DE S Joseph Biden (202)224-5042 (202)224-0139 DE S William V. Roth (202)224-2441 (202)224-2805 FL 1 Earl D. Hutto (202)225-4136 (202)225-5785 FL 2 Pete Peterson (202)225-5235 (202)225-1586 FL 3 Charles E. Bennett (202)225-2501 (202)225-9635 FL 4 Craig James (202)225-4035 (202)225-1727 FL 5 Bill McCollum (202)225-2176 (202)225-0999 FL 6 Clifford B. Stearns (202)225-5744 (202)225-3973 FL 7 Sam Gibbons (202)225-3376 FL 8 C. W. Bill Young (202)225-5961 (202)225-9764 FL 9 Michael Bilirakis (202)225-5755 (202)225-4085 FL S Bob Graham (202)224-3041 (202)224-6843 FL S Connie Mack (202)224-5274 (202)224-9365 FL 10 Andy Ireland (202)225-5015 (202)225-6944 FL 11 Jim Bacchus (202)225-3671 (202)225-9039 FL 12 Tom Lewis (202)225-5792 (202)225-1860 FL 13 Porter J. Goss (202)225-2536 (202)225-6820 FL 14 Harry A. Johnston (202)225-3001 (202)225-8791 FL 15 Clay Shaw (202)225-3026 (202)225-8398 FL 16 Lawrence J. Smith (202)225-7931 (202)225-9816 FL 17 William Lehman (202)225-4211 (202)225-6208 FL 18 Ilena Ros-Lehtinen (202)225-3931 (202)225-5620 FL 19 Dante Fascell (202)225-4506 (202)225-0724 GA 1 Lindsay Thomas (202)225-5831 (202)225-6922 GA 2 Charles Hatcher (202)225-3631 (202)225-1117 GA 3 Richard Ray (202)225-5901 GA 4 Ben Jones (202)225-4272 (202)225-8675 GA 5 John Lewis (202)225-3801 (202)225-0351 GA 6 Newt Gingrich (202)225-4501 (202)225-4656 GA 7 George (Buddy) Darden (202)225-2931 GA 8 J. Roy Rowland (202)225-6531 GA 9 Ed Jenkins (202)225-5211 (202)225-0594 GA S Wyche Fowler (202)224-3643 (202)224-8227 GA S Sam Nunn (202)224-3521 (202)224-0072 GA 10 Doug Barnard (202)225-4101 (202)225-1873 HI 1 Neil Abercrombie (202)225-2726 (202)225-4580 HI 2 Patsy Mink (202)225-4906 (202)225-4987 HI S Spark M. Akaka (202)224-6361 (202)224-2126 HI S Daniel K. Inouye (202)224-3934 (202)224-6747 IA 1 Jim Leach (202)225-6576 (202)225-1278 IA 2 Jim Nussle (202)225-2911 (202)225-9129 IA 3 David R. Nagle (202)225-3301 (202)225-9104 IA 4 Neal Smith (202)225-4426 IA 5 Jim Lightfoot (202)225-3806 (202)225-6973 IA 6 Fred Grandy (202)225-5476 IA S Charles Grassley (202)224-3744 (202)224-0473 IA S Tom Harkin (202)224-3254 (202)224-7431 ID 1 Larry LaRocco (202)225-6611 (202)225-1213 ID 2 Richard H. Stallings (202)225-5531 (202)225-2393 ID S Steven D. Symms (202)224-6142 (202)224-5893 ID S Larry Craig (202)224-2752 (202)224-2573 IL 1 Charles A. Hayes (202)225-4372 (202)225-7571 IL 2 Gus Savage (202)225-0773 (202)225-8608 IL 3 Marty Russo (202)225-5736 (202)225-0295 IL 4 George Sangmeister (202)225-3635 (202)225-4447 IL 5 William O. Lipinski (202)225-5701 (202)225-1012 IL 6 Henry Hyde (202)225-4561 (202)225-1240 IL 7 Cardiss Collins (202)225-5006 (202)225-8396 IL 8 Dan Rostenkowski (202)225-4061 IL 9 Sidney Yates (202)225-2111 (202)225-3493 IL S Alan J. Dixon (202)224-2854 (202)224-5581 IL S Paul Simon (202)224-2152 (202)224-2223 IL 10 John Edward Porter (202)225-4835 (202)225-0157 IL 11 Frank Annunzio (202)225-6661 IL 12 Philip M. Crane (202)225-3711 IL 13 Harris W. Fawell (202)225-3515 (202)225-9420 IL 14 J. Dennis Hastert (202)225-2976 (202)225-0697 IL 15 Ewing Thomas W. IL 16 John W. Cox (202)225-5676 IL 17 Lane Evans (202)225-5905 (202)225-5396 IL 18 Robert Michel (202)225-6201 (202)225-9249 IL 19 Terry L. Bruce (202)225-5001 IL 20 Richard J. Durbin (202)225-5271 (202)225-0170 IL 21 Jerry F. Costello (202)225-5661 (202)225-0285 IL 22 Glenn Poshard (202)225-5201 (202)225-1541 IN 1 Peter J. Visclosky (202)225-2461 IN 2 Philip R. Sharp (202)225-3021 (202)225-8140 IN 3 Tim Roemer (202)225-3915 (202)225-6798 IN 4 Jill Long (202)225-4436 IN 5 James Jontz (202)225-5037 (202)225-5870 IN 6 Dan Burton (202)225-2276 (202)225-0016 IN 7 John T. Myers (202)225-5805 (202)225-1649 IN 8 Frank McCloskey (202)225-4636 (202)225-4688 IN 9 Lee Hamilton (202)225-5315 IN S Richard G. Lugar (202)224-4814 IN S Dan Coats (202)224-5623 (202)224-8964 IN 10 Andrew Jacobs (202)225-4011 (202)225-4093 KS 1 Pat Roberts (202)225-2715 (202)225-5375 KS 2 Jim Slattery (202)225-6601 (202)225-1445 KS 3 Jan Meyers (202)225-2865 (202)225-0554 KS 4 Dan Glickman (202)225-6216 (202)225-5398 KS 5 Dick Nichols (202)225-3911 (202)225-9415 KS S Robert J. Dole (202)224-6521 (202)224-8952 KS S Nancy L. Kassebaum (202)224-4774 (202)224-3514 KY 1 Carroll Hubbard (202)225-3115 (202)225-1622 KY 2 William Natcher (202)225-3501 KY 3 Romano Mazzoli (202)225-5401 KY 4 Jim Bunning (202)225-3465 (202)225-0003 KY 5 Harold Rogers (202)225-4601 (202)225-0940 KY 6 Larry J. Hopkins (202)225-4706 (202)225-1413 KY 7 Carl C. Perkins (202)225-4935 (202)225-1411 KY S Mitchell McConnell (202)224-2541 (202)224-2499 KY S Wendell H. Ford (202)224-4343 (202)224-1144 LA 1 Bob Livingston (202)225-3015 (202)225-0739 LA 2 William J. Jefferson (202)225-6636 (202)225-1988 LA 3 Billy Tauzin (202)225-4031 (202)225-0563 LA 4 Jim McCrery (202)225-2777 (202)225-8039 LA 5 Jerry Huckaby (202)225-2376 (202)225-2387 LA 6 Richard Hugh Baker (202)225-3901 (202)225-7313 LA 7 James A. Hayes (202)225-2031 (202)225-1175 LA 8 Clyde C. Holloway (202)225-4926 (202)225-6252 LA S J. Bennett Johnston (202)224-5824 LA S John Breaux (202)224-4623 (202)224-9753 MA 1 John Oliver MA 2 Richard E. Neal (202)225-5601 (202)225-8112 MA 3 Joseph D. Early (202)225-6101 (202)225-3181 MA 4 Barney Frank (202)225-5931 MA 5 Chester G. Atkins (202)225-3411 MA 6 Nicholas Mavroules (202)225-8020 (202)225-8023 MA 7 Edward J. Markey (202)225-2836 (202)225-8689 MA 8 Joseph P. Kennedy (202)225-5111 (202)225-9322 MA 9 Joe Moakley (202)225-8273 (202)225-7804 MA S John Kerry (202)224-2742 (202)224-8525 MA S Edward M. Kennedy (202)224-4543 (202)224-2417 MA 10 Gerry Studds (202)225-3111 MA 11 Brian Donnelly (202)225-3215 MD 1 Wayne T. Gilchrest (202)225-5311 (202)225-0254 MD 2 Helen Delich Bentley (202)225-3061 (202)225-4251 MD 3 Benjamin L. Cardin (202)225-4016 (202)225-9219 MD 4 C. Thomas McMillen (202)225-8090 MD 5 Steny H. Hoyer (202)225-4131 (202)225-4300 MD 6 Beverly B. Byron (202)225-2721 (202)225-6159 MD 7 Kweisi Mfume (202)225-4741 (202)225-3178 MD 8 Constance A. Morella (202)225-5341 (202)225-1389 MD S Paul S. Sarbanes (202)224-4524 (202)224-1651 MD S Barbara Mikulski (202)224-4654 (202)224-8858 ME 1 Thomas H. Andrews (202)225-6116 (202)225-9065 ME 2 Olympia J. Snowe (202)225-6306 ME S William S. Cohen (202)224-2523 (202)224-2693 ME S George Mitchell (202)224-5344 MI 1 John Conyers (202)225-5126 (202)225-0072 MI 2 Carl Pursell (202)225-4401 MI 3 Howard Wolpe (202)225-5011 (202)225-8602 MI 4 Frederick S. Upton (202)225-3761 (202)225-4986 MI 5 Paul B. Henry (202)225-3831 MI 6 Bob Carr (202)225-4872 (202)225-1260 MI 7 Dale E. Kildee (202)225-3611 (202)225-6393 MI 8 Bob Traxler (202)225-2806 MI 9 Guy Vander Jagt (202)225-3511 MI S Carl M. Levin (202)224-6221 MI S Donald W. Riegle (202)224-4822 MI 10 Dave Camp (202)225-3561 (202)225-9679 MI 11 Robert W. Davis (202)225-4735 MI 12 David E. Bonior (202)225-2106 (202)225-1169 MI 13 Barbara-Rose Collins (202)225-2261 MI 14 Dennis M. Hertel (202)225-6276 MI 15 William Ford (202)225-6261 MI 16 John D. Dingell (202)225-4071 (202)225-7426 MI 17 Sander M. Levin (202)225-4961 (202)225-1033 MI 18 William Broomfield (202)225-6135 (202)225-1807 MN 1 Timothy J. Penny (202)225-2472 MN 2 Vin Weber (202)225-2331 (202)225-0987 MN 3 Jim Ramstad (202)225-2871 (202)225-6351 MN 4 Bruce F. Vento (202)225-6631 (202)225-1968 MN 5 Martin Olav Sabo (202)225-4755 MN 6 Gerry Sikorski (202)225-2271 (202)225-4347 MN 7 Collin C. Peterson (202)225-2165 (202)225-1593 MN 8 James L. Oberstar (202)225-6211 (202)225-0699 MN S David Durenberger (202)224-3244 (202)224-9846 MN S Paul Wellstone (202)224-5641 (202)224-8438 MO 1 William Clay (202)225-2406 (202)225-1725 MO 2 John Kelly Horn (202)225-2561 MO 3 Richard Gephardt (202)225-2671 (202)225-7452 MO 4 Ike Skelton (202)225-2876 MO 5 Alan Wheat (202)225-4535 (202)225-5990 MO 6 E. Thomas Coleman (202)225-7041 (202)225-4799 MO 7 Mel Hancock (202)225-6536 (202)225-7700 MO 8 Bill Emerson (202)225-4404 (202)225-9621 MO 9 Harold L. Volkmer (202)225-2956 (202)225-7834 MO S John C. Danforth (202)224-6154 MO S Christopher Bond (202)224-5721 (202)224-7491 MS 1 Jamie Whitten (202)225-4306 (202)225-4328 MS 2 Mike Espy (202)225-5876 MS 3 G. V. (Sonny) Montgomery (202)225-5031 (202)225-3375 MS 4 Mike Parker (202)225-5865 (202)225-5886 MS 5 Gene Taylor (202)225-5772 (202)225-7074 MS S Trent Lott (202)224-6253 (202)224-2262 MS S Thad Cochran (202)224-5054 (202)224-9450 MT 1 Pat Williams (202)225-3211 (202)225-1257 MT 2 Ron Marlenee (202)225-1555 (202)225-1558 MT S Conrad Burns (202)224-2644 (202)224-8594 MT S Max S. Baucus (202)224-2651 (202)224-4379 NC 1 Walter B. Jones (202)225-3101 (202)225-3354 NC 2 Tim Valentine (202)225-4531 (202)225-1539 NC 3 H. Martin Lancaster (202)225-3415 (202)225-0666 NC 4 David E. Price (202)225-1784 (202)225-6314 NC 5 Stephen L. Neal (202)225-2071 NC 6 Howard Coble (202)225-3065 (202)225-8611 NC 7 Charles Rose (202)225-2731 (202)225-2470 NC 8 W. G. Hefner (202)225-3715 (202)225-4036 NC 9 J. Alex McMillan (202)225-1976 (202)225-8995 NC S Terry Sanford (202)224-3154 (202)224-7406 NC S Jesse A. Helms (202)224-6342 (202)224-1376 NC 10 Cass Ballenger (202)225-2576 (202)225-1316 NC 11 Charles Taylor (202)225-6401 (202)225-0519 ND 1 Byron L. Dorgan (202)225-2611 (202)225-9436 ND S Kent Conrad (202)224-2043 (202)224-7776 ND S Quentin Burdick (202)224-2551 (202)224-1193 NE 1 Douglas Bereuter (202)225-4806 NE 2 Peter Hoagland (202)225-4155 (202)225-4684 NE 3 Bill Barrett (202)225-6435 (202)225-0207 NE S Bob Kerrey (202)224-6551 (202)224-7645 NE S J. James Exon (202)224-4224 (202)225-5213 NH - Smith (202)224-2841 (202)224-1353 NH 1 Bill Zeliff (202)225-5456 (202)225-4370 NH 2 DIck Swett (202)225-5206 (202)225-0046 NH S Warren Rudman (202)224-3324 NJ 1 Robert T. Andrews (202)225-6501 NJ 2 William Hughes (202)225-6572 (202)225-8530 NJ 3 Frank Pallone (202)225-4671 (202)225-9665 NJ 4 Christopher Smith (202)225-3765 (202)225-7768 NJ 5 Marge Roukema (202)225-4465 (202)225-9048 NJ 6 Bernard J. Dwyer (202)225-6301 (202)225-1553 NJ 7 Matthew Rinaldo (202)225-5361 NJ 8 Robert Roe (202)225-5751 (202)225-3071 NJ 9 Robert Torricelli (202)225-5061 (202)225-0843 NJ S Frank Lautenberg (202)224-4744 (202)224-9707 NJ S Bill Bradley (202)224-3224 (202)224-8567 NJ 10 Donald Payne (202)225-3436 (202)225-4160 NJ 11 Dean A. Gallo (202)225-5034 (202)225-0658 NJ 12 Dick Zimmer (202)225-5801 NJ 13 Jim Saxton (202)225-4765 (202)225-0778 NJ 14 Frank J. Guarini (202)225-2765 (202)225-7023 NM 1 Steven H. Schiff (202)225-6316 (202)225-4975 NM 2 Joe Skeen (202)225-2365 (202)225-9599 NM 3 Bill Richardson (202)225-6190 NM S Pete V. Domenici (202)224-6621 (202)224-7371 NM S Jeff Bingaman (202)224-5521 (202)224-1810 NV 1 James H. Bilbray (202)225-5965 (202)225-8808 NV 2 Barbara F. Vucanovich (202)225-6155 (202)225-2319 NV S Richard Bryan (202)224-6244 (202)224-1867 NV S Harry Reid (202)224-3542 (202)224-7327 NY 1 George J. Hochbrueckner (202)225-3826 (202)225-0776 NY 2 Thomas J. Downey (202)225-3335 (202)225-1275 NY 3 Robert J. Mrazek (202)225-5956 (202)225-7215 NY 4 Norman Lent (202)225-7896 (202)225-0357 NY 5 Raymond McGrath (202)225-5516 (202)225-3626 NY 6 Floyd H. Flake (202)225-3461 (202)225-4169 NY 7 Gary Ackerman (202)225-2601 NY 8 James Scheuer (202)225-5471 (202)225-9695 NY 9 Thomas J. Manton (202)225-3965 (202)225-1452 NY S Daniel P. Moynihan (202)224-4451 (202)224-9293 NY S Alfonse D'Amato (202)224-6542 (202)224-5871 NY 10 Charles E. Schumer (202)225-6616 (202)225-4183 NY 11 Edolphus Towns (202)225-5936 (202)225-1018 NY 12 Major R. Owens (202)225-6231 (202)225-0112 NY 13 Stephen Solarz (202)225-2361 (202)225-9469 NY 14 Susan Molinari (202)225-3371 (202)225-1272 NY 15 Bill Green (202)225-2436 (202)225-0840 NY 16 Charles B. Rangel (202)225-4365 (202)225-0816 NY 17 Ted Weiss (202)225-5635 (202)225-6923 NY 18 Jose Serrano (202)225-4361 NY 19 Eliot L. Engel (202)225-2464 NY 20 Nita M. Lowey (202)225-6506 (202)225-0546 NY 21 Hamilton Fish (202)225-5441 (202)225-0962 NY 22 Benjamin Gilman (202)225-3776 NY 23 Micheal McNulty (202)225-5076 (202)225-5077 NY 24 Gerald B. H. Solomon (202)225-5614 (202)225-1168 NY 25 Sherwood L. Boehlert (202)225-3665 (202)225-1891 NY 26 David O'B. Martin (202)225-4611 NY 27 James T. Walsh (202)225-3701 (202)225-4042 NY 28 Matthew F. McHugh (202)225-6335 NY 29 Frank Horton (202)225-4916 (202)225-5909 NY 30 Louise M. Slaughter (202)225-3615 (202)225-7822 NY 31 Bill Paxon (202)225-5265 (202)225-5910 NY 32 John J. LaFalce (202)225-3231 (202)225-8693 NY 33 Henry J. Nowak (202)225-3306 (202)225-3523 NY 34 Amo Houghton (202)225-3161 (202)225-5574 OH 1 Thomas Luken (202)225-2216 (202)225-2293 OH 2 Willis Gradison (202)225-3164 OH 3 Tony Hall (202)225-6465 (202)225-6766 OH 4 Michael Oxley (202)225-2676 OH 5 Paul E. Gillmor (202)225-6405 (202)225-1985 OH 6 Bob McEwen (202)225-5705 (202)225-0224 OH 7 David Hobson (202)225-4324 (202)225-1984 OH 8 John A. Boehner (202)225-6205 (202)225-0704 OH 9 Marcy Kaptur (202)225-4146 (202)225-7711 OH S Howard M. Metzenbaum (202)224-2315 (202)224-8906 OH S John H. Glenn (202)224-3353 (202)224-7983 OH 10 Clarence E. Miller (202)225-5131 (202)225-5132 OH 11 Dennis E. Eckart (202)225-6331 (202)225-6331 OH 12 John R. Kasich (202)225-5355 OH 13 Donald J. Pease (202)225-3401 (202)225-0066 OH 14 Thomas C. Sawyer (202)225-5231 (202)225-5278 OH 15 Chalmers Wylie (202)225-2015 OH 16 Ralph Regula (202)225-3876 (202)225-3059 OH 17 James A. Traficant (202)225-5261 (202)225-3719 OH 18 Douglas Applegate (202)225-6265 OH 19 Edward F. Feighan (202)225-5731 (202)225-1230 OH 20 Mary Rose Oakar (202)225-5871 (202)225-0663 OH 21 Louis Stokes (202)225-7032 OK 1 James M. Inhofe (202)225-2211 (202)225-9187 OK 2 Michael L. Synar (202)225-2701 (202)225-2796 OK 3 Bill Brewster (202)225-4565 (202)225-9029 OK 4 Dave McCurdy (202)225-6165 (202)225-9746 OK 5 Mickey Edwards (202)225-2132 (202)225-1193 OK 6 Glenn English (202)225-5565 (202)225-8698 OK S David L. Boren (202)224-4721 (202)224-0154 OK S Donald L. Nickles (202)224-5754 (202)224-6008 OR 1 Les AuCoin (202)225-0855 (202)225-2707 OR 2 Robert F. Smith (202)225-6730 (202)225-3129 OR 3 Ron Wyden (202)225-4811 OR 4 Peter A. DeFazio (202)225-6416 (202)225-0694 OR 5 Mike Kopetski (202)225-5711 (202)225-9477 OR S Mark O. Hatfield (202)224-3753 (202)224-0276 OR S Bob Packwood (202)224-5244 (202)224-9065 PA 1 Thomas Foglietta (202)225-4731 (202)225-0088 PA 2 William H. Gray (202)225-4001 PA 3 Robert A. Borski (202)225-8251 (202)225-4628 PA 4 Joseph P. Kolter (202)225-2565 (202)225-0526 PA 5 Richard Schulze (202)225-5761 (202)225-8464 PA 6 Gus Yatron (202)225-5546 (202)225-5548 PA 7 Curt Weldon (202)225-2011 (202)225-8137 PA 8 Peter H. Kostmayer (202)225-4276 (202)225-5060 PA 9 Bud Shuster (202)225-2431 PA S Harris Wofford (202)224-6324 (202)225-8187 PA S Arlen Specter (202)224-4254 (202)224-9029 PA 10 Joseph McDade (202)225-3731 (202)225-9594 PA 11 Paul Kanjorski (202)225-6511 PA 12 John P. Murtha (202)225-2065 (202)225-5709 PA 13 Lawrence Coughlin (202)225-6111 (202)225-1238 PA 14 William J. Coyne (202)225-2301 PA 15 Donald L. Ritter (202)225-6411 (202)225-5248 PA 16 Robert S. Walker (202)225-2411 (202)225-2484 PA 17 George Gekas (202)225-4315 (202)225-8440 PA 18 Rick Santorum (202)225-2135 (202)225-7747 PA 19 William Goodling (202)225-5836 (202)225-1000 PA 20 Joseph M. Gaydos (202)225-4631 PA 21 Thomas Ridge (202)225-5406 (202)225-1081 PA 22 Austin J. Murphy (202)225-4665 (202)225-4772 PA 23 William F. Clinger (202)225-5121 (202)225-4681 RI 1 Ronald K. Machtley (202)225-4911 (202)225-4417 RI 2 John F. Reed (202)225-2735 (202)225-9580 RI S John H. Chafee (202)224-2921 (202)224-0166 RI S Claiborne Pell (202)224-4642 (202)224-4680 SC 1 Arthur Ravenel (202)225-3176 (202)225-4340 SC 2 Floyd Spence (202)225-2452 (202)225-2455 SC 3 Butler Derrick (202)225-5301 SC 4 Elizabeth J. Patterson (202)225-6030 (202)225-7664 SC 5 John M. Spratt (202)225-5501 (202)225-0464 SC 6 Robin M. Tallon (202)225-3315 (202)225-2857 SC S Ernest F. Hollings (202)224-6121 (202)224-3573 SC S Strom Thurmond (202)224-5972 (202)224-1300 SD 1 Tim Johnson (202)225-2801 (202)225-2427 SD S Thomas Daschle (202)224-2321 (202)224-2047 SD S Larry Pressler (202)224-5842 (202)224-1630 TN 1 James H. Quillen (202)225-6356 (202)225-7812 TN 2 John J. Duncan (202)225-5435 (202)225-6440 TN 3 Marilyn Lloyd (202)225-3271 (202)225-6974 TN 4 Jim Cooper (202)225-6831 (202)225-4520 TN 5 Bob Clement (202)225-4311 (202)225-1035 TN 6 Bart Gordon (202)225-4231 (202)225-6887 TN 7 Don Sundquist (202)225-2811 (202)225-2814 TN 8 John S. Tanner (202)225-4714 (202)225-1765 TN 9 Harold E. Ford (202)225-3265 (202)225-9215 TN S Albert Gore (202)224-4944 (202)224- TN S Jim Sasser (202)224-3344 (202)224-9590 TX 1 Jim Chapman (202)225-3035 (202)225-7265 TX 2 Charles Wilson (202)225-2401 (202)225-1764 TX 3 Sam Johnson (202)225-4201 TX 4 Ralph M. Hall (202)225-6673 (202)225-3332 TX 5 John Bryant (202)225-2231 TX 6 Joe Barton (202)225-2002 (202)225-3052 TX 7 Bill Archer (202)225-2571 (202)225-4381 TX 8 Jack Fields (202)225-4901 (202)225-6899 TX 9 Jack Brooks (202)225-6565 (202)225-1584 TX S Lloyd Bentsen (202)224-5922 TX S Phil Gramm (202)224-2934 TX 10 J. J. Pickle (202)225-4865 (202)225-1103 TX 11 Chet Edwards (202)225-6105 (202)225-0350 TX 12 Pete Geren (202)225-5071 (202)225-2786 TX 13 Bill Sarpalius (202)225-3706 (202)225-6142 TX 14 Greg Laughlin (202)225-2831 (202)225-1108 TX 15 E. (Kika) De la Garza (202)225-2531 (202)225-2534 TX 16 Ronald D. Coleman (202)225-4831 TX 17 Charles W. Stenholm (202)225-6605 (202)225-2234 TX 18 Craig Washington (202)225-3816 TX 19 Larry Combest (202)225-4005 (202)225-9615 TX 20 Henry Gonzalez (202)225-3236 (202)225-1915 TX 21 Lamar S. Smith (202)225-4236 TX 22 Thomas D. DeLay (202)225-5951 TX 23 Albert G. Bustamante (202)225-4511 (202)225-3849 TX 24 Martin Frost (202)225-3605 (202)225-4951 TX 25 Michael Andrews (202)225-7508 (202)225-4210 TX 26 Richard K. Armey (202)225-7772 (202)225-7614 TX 27 Solomon Ortiz (202)225-7742 (202)225-1134 US - George Bush (202)456-2168 UT 1 James V. Hansen (202)225-0453 (202)225-5857 UT 2 Wayne Owens (202)225-3011 (202)225-3524 UT 3 Bill Orton (202)225-7751 (202)225-1223 UT S Edwin (Jake) Garn (202)224-5444 UT S Orrin G. Hatch (202)224-5251 (202)224-6331 VA 1 Herbert Bateman (202)225-4261 (202)225-4382 VA 2 Owen B. Pickett (202)225-4215 (202)225-4218 VA 3 Thomas J. Bliley (202)225-2815 VA 4 Norman D. Sisisky (202)225-6365 (202)225-1170 VA 5 Lewis F. Payne (202)225-4711 (202)225-1147 VA 6 Jim Olin (202)225-5431 (202)225-9623 VA 7 D. French Slaughter (202)225-6561 VA 8 Jim Moran (202)225-4376 (202)225-0017 VA 9 Rick Boucher (202)225-3861 VA S John W. Warner (202)224-2023 (202)224-6295 VA S Charles Robb (202)224-4024 (202)224-8689 VA 10 Frank R. Wolf (202)225-5136 (202)225-0437 VT 1 Bernie Sanders (202)225-4115 (202)225-6790 VT S Patrick Leahy (202)224-4242 VT S Jim Jeffords (202)224-5141 (202)224-1507 WA 1 John R. Miller (202)225-6311 (202)225-0636 WA 2 Al Swift (202)225-2605 WA 3 Jolene Unsoeld (202)225-3536 (202)225-9095 WA 4 Sid Morrison (202)225-5816 (202)225-9293 WA 5 Thomas S. Foley (202)225-2006 WA 6 Norman D. Dicks (202)225-5916 (202)225-1176 WA 7 Jim McDermott (202)225-3106 (202)225-9212 WA S Slade Gorton (202)224-3441 (202)224-9393 WA S Brock Adams (202)224-2621 (202)224-0238 WA 8 Rod Chandler (202)-225-776 WI 1 Les Aspin (202)225-3031 WI 2 Scott Klug 1202)225-2906 (202)225-6942 WI 3 Steve Gunderson (202)225-5506 WI 7 David Obey (202)225-3365 WI 8 Toby Roth (202)225-5665 (202)225-0087 WI 9 F. James Sensenbrenner (202)225-5101 (202)225-3190 WI S Herbert Kohl (202)224-5653 (202)224-9787 WI S Robert Kasten (202)224-5323 (202)224-7700 WV 1 Alan B. Mollohan (202)225-4172 (202)225-7564 WV 2 Harley O. Staggers (202)225-4172 WV 3 Robert Wise (202)225-2711 WV 4 Nick Joe Rahall (202)225-3452 (202)225-9061 WV S John D. Rockefeller (202)224-6472 (202)224-1689 WV S Robert C. Byrd (202)224-3954 (202)224-4025 WY 1 Craig Thomas (202)225-2311 (202)225-0726 WY S Alan K. Simpson (202)224-3424 (202)224-1315 WY S Malcolm Wallop (202)224-6441 (202)224-3230 8<------ Cut Here ----- Cheers. Paul Ferguson | "Government, even in its best state, Network Integrator | is but a necessary evil; in its worst Centreville, Virginia USA | state, an intolerable one." fergp at sytex.com | - Thomas Paine, Common Sense I love my country, but I fear its government. From fergp at sytex.com Tue Jul 20 16:04:25 1993 From: fergp at sytex.com (Paul Ferguson) Date: Tue, 20 Jul 93 16:04:25 PDT Subject: Sprint-bound Message-ID: On Mon, 19 Jul 93 22:24:38 -0700, John Gilmore wrote - > So, will you be working for SprintNet? We have been evaluating > quotes for Internet service from them. They seem to have pretty > good policies -- better than most -- though from what I hear, their > uptime (quality of service) is poorer than the other vendors. Hi John. Actually, they refer to themselves as "SprintLink." ;-) In all reality, I'm leaving Computer Sciences Corporation for a consulting position with Mindbank Consulting Group, based in the Washington, DC area. While CSC has kept me travelling five days a week (mostly in New Yawk City), I welcome the opportunity to stay closer to home for a change. (My wife is certainly happier.) If you turn to page 339 of "The Whole Internet User's Guide & Catalog (by Ed Krol, copyright 1992, O'Reilly & Associates ), in the middle of the page you'll see the name of gentleman for whom I'll be working. I remain distanced from the controversy surrounding the Sprint/Congressional-hearing debate, because I do not work there yet. As far as their reliabilty, I certainly hope to contribute to the future of Sprint's connectivity reputation; hopefully that will be a good thing. Wish me luck, chum. Paul Ferguson | "Government, even in its best state, Network Integrator | is but a necessary evil; in its worst Centreville, Virginia USA | state, an intolerable one." fergp at sytex.com | - Thomas Paine, Common Sense I love my country, but I fear its government. From fergp at sytex.com Tue Jul 20 16:05:34 1993 From: fergp at sytex.com (Paul Ferguson) Date: Tue, 20 Jul 93 16:05:34 PDT Subject: An Ode to Sternlight (fwd) Message-ID: From: warlock at PASCAL.ACM.ORG Newsgroups: sci.crypt Subject: Sternlight, Sternlight, burning bright... Date: 20 Jul 1993 00:07:29 GMT Organization: ACM Network Services, Waco, TX Lines: 38 Reply-To: warlock at PASCAL.ACM.ORG NNTP-Posting-Host: acm.org } .OJ OFF .op The Sternlight Tyger (Apologies to Wm. Blake) Sternlight, Sternlight, burning bright From the flamings left and right, What group covert or front pontific Dare frame thy postings so prolific. From what cloistered chamber flows The torrents of your party prose? Who foots the bill? Who pays the piper? Are you saint or are you viper? Are you the likes of Walter Mitty Or just another gov-committee Whose Dole-ful charge, we must confess, Is simply to obstruct progress.* When the Evil Empire of the Left Gave up the ghost (of cash bereft), Did he smile his work to see Did he who made the spooks make thee? Sternlight, Sternlight, burning bright From the flamings left and right, What group covert or front pontific Dare frame thy postings so prolific. WARLOCK * progress = private sector cryptographic innovation and use. Paul Ferguson | "Government, even in its best state, Network Integrator | is but a necessary evil; in its worst Centreville, Virginia USA | state, an intolerable one." fergp at sytex.com | - Thomas Paine, Common Sense I love my country, but I fear its government. From elee9sf at Menudo.UH.EDU Tue Jul 20 17:09:27 1993 From: elee9sf at Menudo.UH.EDU (Karl Barrus) Date: Tue, 20 Jul 93 17:09:27 PDT Subject: subliminal messages Message-ID: <199307210008.AA21142@Menudo.UH.EDU> -----BEGIN PGP SIGNED MESSAGE----- Eric Hughes just told me some extremely interesting information concerning subliminal channels and the DSS. Apparently, the DSS is very hospitable towards subliminal channels. (I won't summarize further since Eric may have posted to the list). Again: a subliminal channel is a channel in which an external observer is unaware of communication. For example, two prisoners want to communicate. The warden agrees if the messages are plaintext. The prisoners agree if they can authenticate (digitally sign) the messages - - after all, the warden may try to spoof them. The warden agrees to this arrangement (for instance, after reading up on digital signatures in Denning's book, which doesn't cover subliminal channels!), allowing the prisoners to embed their true communication in the digital signature of their plaintext messages. Before showing an example El Gamal subliminal channel, I'll briefly describe El Gamal's authentication scheme (since most people are familiar with or have heard of the RSA method only). In El Gamal's scheme (from Seberry and Pieprzyk's "Cryptography: an Introduction to Computer Security"): 1) Alice chooses p a prime, g a primitive element of GF(p), r a random integer. Loosely, g (being primitive) can be used to generate the rest of the field GF(p) by exponentiation. 2) Alice calculates K = g^r mod p Alice publishes (K,g,p) as the public key 3) a message M is authenticated by first choosing a second random integer r' such that r' and p-1 are relatively prime Alice computes X = g^r' mod p Alice solves M = rX + r'Y mod p-1 for Y Alice sends (M,X,Y) to B and keeps (r,r') secret 4) Bob can verify the message M by calculating A = K^X X^Y mod p and only accepts the message as authentic if and only if A = g^M mod p The example in the book is (I'm not sitting at a NeXT at the moment, the only place it's convenient for me to use Mathematica, or I'd use some larger numbers): Alice chooses p = 11, g = 2, r = 8 Alice computes K = g^r mod p = 2^8 mod 11 = 3 Thus (K,g,p) = (3,2,11) Say the message is M = 5 Alice chooses r' = 9. GCD(r',p-1) = 1, so they are relatively prime Alice computes X = g^r' mod p = 2^9 mod 11 = 6 Alice solves M = rX + r'Y mod p-1 for Y 5 = 8*6 + 9*Y mod 10; yeilding Y = 3 Alice sends out the triple (M,X,Y) = (5,6,3) to Bob. Note: M can be read. Bob now has (M,X,Y) = (5,6,3) and the public key (K,g,p) = (3,2,11) Bob calculates A = K^X X^Y mod p = 3^6 6^3 mod 11 = 10 Bob calculates g^M mod p = 2^5 mod 11 = 10 So, since A = 10 and g^M mod p = 10, the message is valid. Again, when I have a chance I'll plug in much larger numbers so you don't think it all works out by coincidence. In the El Gamal subliminal channel, somehow the random integer r is known by both parties. So Alice and Bob agree on a random r before they ever find themselves in the position of using a subliminal channel. 1) Alice chooses p, g as before. She chooses the r that she and Bob share. She calculates K as before. 2) Alice calculates the subliminal message m, using a plaintext message M, by calculating X = g^m and solving the following equation for Y: M = rX + mY mod (p-1) 3) Alice send (M,X,Y) to Bob. 4) Bob receives (M,X,Y) and knows (p,g) which are public and the secret r he shares with Alice. 5) Bob calculates A = (g^r)^X X^Y mod p and accepts the message M as authentic if A = g^M mod p (as before in El Gamal authentication). 6) Now Bob extracts the subliminal message by computing m = Y^-1 (M - rX) mod (p-1) As before, (K,g,p) = (3,2,11) is public. r = 8 is the shared secret. Alice wants to send m = 9, using the plaintext message M = 5 Alice computes X = g^m mod p = 2^9 mod 11 = 6 Alice solves 5 = 8*6 9Y mod 10 for Y; Y = 3 Alice sends (M,X,Y) = (5,6,3) to Bob. Bob computes A = (2^8)^6 6^3 mod 11 = 10 Bob computes g^M mod p = 2^5 mod 11 = 10 These are equal, so Bob accepts the message. Now, he extracts the subliminal message: m = Y^-1 (M - rX) mod (p-1) = 3^-1 (5 - 8*6) mod 10 = 9. So, it is possible to communicate information with subliminal channels. A real life example where this could occur is with ham radio operators. Encrypted messages are illegal, but checksum message can be transmitted, so the checksum can be modified to include a subliminal message. I'm just pointing this out for theoretical interest - I know it's illegal! Now, back to subliminal messages and the DSS. Suppose the government decides to authenticate the information on your driver's license with DSS. All sorts of information can be included subliminally, such as an arrest record, number of speeding tickets, if the person in question is suspicious, etc... -----BEGIN PGP SIGNATURE----- Version: 2.3 iQCVAgUBLEyIroOA7OpLWtYzAQE95gQAmrCoIB0lWTbBUOcayev0HvKUoAyz2dT4 FSbqi65oytE+EA2RhY9BHOFeRuA8yF97Dm+tTunOUYlA3CTlGRvmfxdA98TuGD7X otmr0qVPJlAFsW7xqm8sJq09mozM+NMONwQJTOObaEr9UzPsgGeyGs4RVz3h29Qp nvxCopYQy6A= =4kzu -----END PGP SIGNATURE----- From smb at research.att.com Tue Jul 20 17:54:25 1993 From: smb at research.att.com (smb at research.att.com) Date: Tue, 20 Jul 93 17:54:25 PDT Subject: subliminal messages Message-ID: <9307210052.AA29937@toad.com> Now, back to subliminal messages and the DSS. Suppose the government decides to authenticate the information on your driver's license with DSS. All sorts of information can be included subliminally, such as an arrest record, number of speeding tickets, if the person in question is suspicious, etc... Or your Capstone keys, during certificate exchange. From pmetzger at lehman.com Tue Jul 20 18:19:25 1993 From: pmetzger at lehman.com (Perry E. Metzger) Date: Tue, 20 Jul 93 18:19:25 PDT Subject: subliminal messages In-Reply-To: <199307210008.AA21142@Menudo.UH.EDU> Message-ID: <9307210117.AA05181@snark.shearson.com> Karl Barrus says: > Eric Hughes just told me some extremely interesting information > concerning subliminal channels and the DSS. Apparently, the DSS is > very hospitable towards subliminal channels. (I won't summarize > further since Eric may have posted to the list). A very good posting, Karl, but I will note in the literature these are called "covert" channels, not "subliminal" channels. Otherwise, really top quality posting. Perry From nobody at rosebud.ee.uh.edu Tue Jul 20 20:54:27 1993 From: nobody at rosebud.ee.uh.edu (nobody at rosebud.ee.uh.edu) Date: Tue, 20 Jul 93 20:54:27 PDT Subject: Server for Anonymous-headers Message-ID: <9307210353.AA02731@toad.com> -----BEGIN PGP SIGNED MESSAGE----- from Henrik: >2. Server for Anonymous-headers. > >My problem with anonymous-headers (that is reversed chains of PGP-encrypted >adresses for remailers) are that they: > > 1) Are too big and ugly, > 2) Needs common updates as remailers goes down. > >Therefor, wouldn't it be nice with servers like the public-keys servers where >you could request the latest header for a pseudonym? > >Maybe even be able to mail directly to that server with pseudonym at server... >and get the mail redirected to 'pseudonym'? Great idea! In the meantime, I put my encrypted return address in my public key and put them both on the existing servers. I put each line of the return address into an 'id' of my key, so that with a little editing the return address can be reassembled. Unfortunately, this will not work in the future, because new revisions of PGP will not guarantee that the order of id's is well defined. Even then, I could number the id's. If PGP was totally bulletproof, it could handle carriage returns within a single id, or at least an id long enough to contain a return address with the carriage returns replaced with markers. PGP 2.2 bombs if you paste too long a sting into an id field. Eternal Optimist 7/20/93 -----BEGIN PGP SIGNATURE----- Version: 2.3 iQCVAgUBLEx5B4jvfLxJbYYtAQFmqAP9ErPHDKg1qN99knL2OmTOG9F2hje2HW6O 7YAL0kcYFXqQWpYoahxV84uRPjoKRjIcR0rsNyqB7AauQR3RwaPidXcFtY0Q0scv 04y7Zli97R+Ww2XjaLOsjUWjWhROo8uBpgLDREndUNFekrDNNYSJRffELMvA09h/ eWOOaMhaNks= =SFGh -----END PGP SIGNATURE----- From anton at hydra.unm.edu Tue Jul 20 22:14:28 1993 From: anton at hydra.unm.edu (Stanton McCandlish) Date: Tue, 20 Jul 93 22:14:28 PDT Subject: Addresses of your site and Aql? In-Reply-To: Message-ID: <9307210512.AA16808@hydra.unm.edu> People keep asking me for site addresses for PGP, so I figured it would be more sensible to post this so everyone gets it. There are of course many more; these are just my "site", sites I know that have a large archive of crypto files, and sites that get new releases of PGP almost instantly. NitV-BBS +1-505-246-8515 N-8-2 1200-14000bps v32[b] v42[b] 24hr soda.berkeley.edu /pub/cypherpunks mucho crypto aql.gatech.edu /pub/cypherpunks many different platform Unix PGP execs scr.doc.ic.ac.uk gets new stuff quick ghost.dsi.unimi.it ditto Hope that helps. :) -- Stanton McCandlish * Space Migration * Networking * ChaOrder * NO GOV'T. * anton at hydra.unm.edu * Intelligence Increase * Nano * Crypto * NO RELIGION * FidoNet: 1:301/2 * Life Extension * Ethics * VR * Now! * NO MORE LIES! * Noise in the Void BBS * +1-505-246-8515 (24hr, 1200-14400, v32bis, N-8-1) * From ld231782 at longs.lance.colostate.edu Tue Jul 20 22:24:28 1993 From: ld231782 at longs.lance.colostate.edu ( L. Detweiler ) Date: Tue, 20 Jul 93 22:24:28 PDT Subject: FBI credit record inquiry proposal Message-ID: <9307210523.AA15381@longs.lance.colostate.edu> Gosh, weren't we just talking about the suspension of requirement for warrants in cases of `national security'? Below the FBI is posturing to get access to credit records of `spies and terrorists' by writing only a letter instead of the currently required warrant. The FBI really scares me with the nonchalance and finesse with which they keep introducing these unpleasant bills into Congress. ===cut=here=== From: kaplan at sol1.lrsm.upenn.edu (Peter Kaplan -Yodh) Newsgroups: alt.privacy Subject: ALERT. New law on FBI and Credit Records Keywords: Credit records, privacy, FBI, suspected "spies and terrorists." Message-ID: <136431 at netnews.upenn.edu> Date: 17 Jul 93 16:42:33 GMT Sender: news at netnews.upenn.edu Followup-To: alt.privacy Organization: /etc/organization Lines: 14 Nntp-Posting-Host: sol1.lrsm.upenn.edu On page 7 of today's New York Times (_Saturday_, July 17) there is a short article about the nation's inflated intelligence budget. Buried in the article are two paragraphs describing another section of the intelligence funding bill. Tacked onto the bill is a provision to allow the FBI to access the credit records of suspected "spies and terrorists" by writing a letter rather than getting a search warrant or other court order. Your credit card bills and mortgage payments are rapidly becoming police information. - - --Peter (kaplan at sol1.lrsm.upenn.edu) From mdiehl at vesta.unm.edu Tue Jul 20 22:45:45 1993 From: mdiehl at vesta.unm.edu (J. Michael Diehl) Date: Tue, 20 Jul 93 22:45:45 PDT Subject: People's rights???? Message-ID: <9307210544.AA12040@vesta.unm.edu> This isn't actually, crypto-related, but it does relate to privacy. The other day, I was watching COPS on TV. (No flames, please) They showed a segment where the LEA had received complaints about the conditions in which some children were living. They were poor and living in a trailer. So the cop knocks on the door and the father answers. THE COP STEPS INSIDE, SAYS, "WE'VE HAD SOME COMPLAINTS.....AND I NEED TO TAKE A LOOK AROUND!" The cop then went through the people's living quarters! Then the cop decided that he was a child-care expert and that the conditions were not fit for the children to live in. SO THE COP TOOK THE CHILDREN AWAY. Now this scares the shit out of me. Did this cop have the right to just walk in and search the place based on a complaint? Why didn't the man know to ask for a warrent? Was this cop trained as a social worker? Is it now possible to be so poor that the stat won't let you keep your children? Now don't get me wrong, I'm not a weep-for-the-poor-liberal; I'm very conservative. But don't these poor people have rights? Does anyone know if there is a news-list devoted to people's rights? Thanx for letting me vent my rage! Laters +-----------------------+-----------------------------+---------+ | J. Michael Diehl ;-) | I thought I was wrong once. | PGP KEY | | mdiehl at triton.unm.edu | But, I was mistaken. |available| | mike.diehl at fido.org | | Ask Me! | | (505) 299-2282 +-----------------------------+---------+ | | +------"I'm just looking for the opportunity to be -------------+ | Politically Incorrect!" | +-----If codes are outlawed, only criminals wil have codes.-----+ +----Is Big Brother in your phone? If you don't know, ask me---+ From ld231782 at longs.lance.colostate.edu Tue Jul 20 23:09:28 1993 From: ld231782 at longs.lance.colostate.edu ( L. Detweiler ) Date: Tue, 20 Jul 93 23:09:28 PDT Subject: Anonymous server encryption In-Reply-To: <199307191135.AA05425@castafiore.cd.chalmers.se> Message-ID: <9307210608.AA15937@longs.lance.colostate.edu> faust at cd.chalmers.se brings up some interesting points about remailer encryption, suggesting the capability to re-encrypt a message at the remailer point instead of a-prior by the sender. This was proposed to allow replies to a anonymous user to be encrypted using that user's public key, avoiding the problem of the final message being transmitted in cleartext. The sophisticated server run by D. Clunie around December for a few months allowed exactly this basic and valuable capability, and so far has been unmatched. In his system the user sent messages to the server encoded by the server's public key. Replies to the user through the server were first encrypted with that user's public key before being transmitted. This means that security at the remailer-to-`nym' is protected even if respondents do not encode their messages first. Despite being fairly simple to implement (esp. with the availability of PGP) this is not yet available on anon.penet.fi. J. Helsingius has repeatedly reaffirmed his intent to put the feature in a New & Improved Mark II server due sometime in the fall. I've also suggested some improvements to anonymous servers. In particular, I would like to see a sophisticated `nym-management' scheme whereby the user can allocate, redirect, and deallocate addresses at will. Such flexibility and versatility allows many other neat unforeseen uses of the anonymous server. For example, many sysadmins are in the habit of creating new email ID's for each new query posted on Usenet to aid in organizing simultaneous queries. With nym-management a user could do this as well. The user could also receive mailing lists at different addresses. This would be useful under a very radical new capability: local archives. In fact, the transition from anonymous servers to personal rented file spaces may be automatic and seamless in the future. Unfortunately, while there's been a modest proliferation of cypherpunk remailers, and quite a bit of general interest (the recent summer Usenix anonymity conference was attended by a few hundred, see comp.org.usenix), the only server allowing anonymous responses is still Helsingius's anon.penet.fi. (I've not heard a lot about Kleinpaste's.) It seems to me this is an extreme weakness in cyberspace at the moment. When his server went down recently for a few days (from 90 degree weather, damage to the system board) many people were `stranded'. In fact, the only link between a lot of people and their correspondents is that server and its nym-to-address database mapping file, and if anything happened to either many would be disconsolate at minimum. I suspect operators are reluctant to run a `full-fledged' anonymous server because of all the cyberspatial politics & hassle involved for virtually no personal benefit and serious drain on personal time, finances, and cycles. When someone sets up an FTP site they at least are creating a sort of personal library and BBS for perusal. But the anonymous server operator actually is ethically restricted from completely perusing the data spawned by his creation. Hopefully the field will change when there are economic incentives to run an anonymous server. For now we will have to rely on selfless heroes and paternalistic voyeurs. I'll leave it to the reader to sort them out. From cdodhner at indirect.com Tue Jul 20 23:49:29 1993 From: cdodhner at indirect.com (Christian D. Odhner) Date: Tue, 20 Jul 93 23:49:29 PDT Subject: Thoughts on remailers Message-ID: <9307210647.AA13445@indirect.com> I have recently encountered a situation (ongoing in the newsgroup alt.zines) in which some person has been sending a woman harassment mail and threats, etc in an anonymous manner. She has tried to put his name on her kill list, but he uses a different ID each message. I assume that he is telneting to the mail port, so analysis of the message headers will show what system the message is from. I will be happy as soon as she can kill all his messages and ignore him. But during conversation with her, I mentioned that it was a good thing he wasn't useing a cypherpunk remailer, else we would never be able to identify the source. She responded with the comment that she could just kill all messages incoming from the remailers and be done with it if that were the case, which gets me thinking... The remailers are perfect for those who would harrass and abuse others. Freedom of speech with 0 responsibility, etc. They are also good for many other things, and the amount of junk mail going through them must be FAR less than the usefull traffic, however we all have seen or heard about what a few obnoxious people can do. The problem I forsee is that junk mailers and porno-grams like the ones I've been dealing with this week will start using our remailers as their method of choice, and once word gets around of that, many, many people could put all the remailers in thier kill lists, thinking "Why would anybody need to send ME anonymous mail?", and the effectiveness of the remailers would be drasticly reduced. Then again, maybe it won't be a problem. I'm realy not sure, but it's worth a little thought. Happy Hunting, -Chris Odhner From tcmay at netcom.com Wed Jul 21 00:14:29 1993 From: tcmay at netcom.com (Timothy C. May) Date: Wed, 21 Jul 93 00:14:29 PDT Subject: subliminal messages Message-ID: <9307210712.AA11086@netcom.netcom.com> Here's my minor correction of Perry Metzger's minor correction: >Karl Barrus says: >> Eric Hughes just told me some extremely interesting information >> concerning subliminal channels and the DSS. Apparently, the DSS is >> very hospitable towards subliminal channels. (I won't summarize >> further since Eric may have posted to the list). > >A very good posting, Karl, but I will note in the literature these are >called "covert" channels, not "subliminal" channels. Otherwise, really >top quality posting. > >Perry Yvo Desmedt gave a very nice paper at the Crypto '88 conference, which I attented, entitled "Abuses in Cryptography and How to Fight Them." He begins: "[Sim83b] introduced the notion of subliminal channel. His example is related to two prisoners who are communicating authenticated messages in full view of a warden who is able to read the messages. The subliminal consists in hiding a message _through_ the authentication scheme such that the warden _cannot detect its use nor read the hidden part_." Later he writes: "Abuses (in particular subliminal channels) are not covert channels in the strict way, as will briefly be discussed in Section 2.2." Covert channels usually refer to using "out of band" techniques, such as signal crosstalk, time-jitter, amplitude modulation, etc., to pass information (e.g., to leak bits out of a classified computer facility), whereas subliminal channels rely on the crypto protocols. (I suppose the Clipper could use either or both, or could be rigged that way.) I've heard people use the term "covert channel" in a broader sense, encompasssing the subliminal channel term coined by Simmons as well as the tradional covert channel, but certainly the term "subliminal channel" is not incorrect as used by Karl. ("Covert" may be more descriptive than "subliminal," though such is life.) I'll leave the rest of the discussion for interested readers. "Advances in Cryptology--CRYPTO '88," ed. S. Goldwasser, Springer-Verlag, 1990. By the way, Desmedt's paper argues persuasively that "abuse-free cryptography" overcomes the objections to public key crypto that terrorists and others bad folks will be able to pass subliminal messages. If the weaknesses mentioned by Eric Hughes and Karl Barrus are confirmed, this could be another point of attack against Clipper. Like Perry, I enjoyed Karl's summary. -Tim May -- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at netcom.com | anonymous networks, digital pseudonyms, zero 408-688-5409 | knowledge, reputations, information markets, W.A.S.T.E.: Aptos, CA | black markets, collapse of governments. Higher Power: 2^756839 | Public Key: by arrangement Note: I put time and money into writing this posting. I hope you enjoy it. From ld231782 at longs.lance.colostate.edu Wed Jul 21 00:15:45 1993 From: ld231782 at longs.lance.colostate.edu ( L. Detweiler ) Date: Wed, 21 Jul 93 00:15:45 PDT Subject: Weaver/BATF trial Message-ID: <9307210712.AA16784@longs.lance.colostate.edu> The Washington Post portrayal posted courtesy of P. Ferguson is beyond deeply disturbing, and borders on the horrifyingly shocking. Particularly the sniper aim on Weaver's wife--around her children!--I found brutally, heinously barbarian. One wonders if law enforcement is composed of responsible servants or maurading mercenaries. I'm really stunned not to see any reaction in the popular press so far to this editorial, but I suspect it won't sow ripples but hurtle shearing shockwaves through the media for years to come. However, perhaps just a few weeks have passed since T.C. May admonished and chastised various members for `demonizing' opponents, and then posts a few statements as follows (the sheer bluntness reminds me of the long-dead cries of Murderous Thug on this list, and I feel compelled to respond by blunting the mad, chaotic, rambling, and unfocused shooting): >The killing of that Fed in Idaho was fully justified, as the jury just >confirmed. >The BATF, DEA, Marshal's Service, and their kind have essentially >become a Gestapo-like band of secret police. They raid homes without >proper warrants (Phil Karn has told us of the San Diego case), they >entrap innocents, they use high tech satellite imagery to locate plots >of land they want for various purposes and then trump up charges (the >Oxnard-Santa Monica case where the County wanted a guy's land and then >drew up drug charges, raided him, and killed him...no drugs were >found), and they seize computers and modems of folks like Steve >Jackson without bothering to do their homework. Killing justified? Gestapo-like band of secret police? Yeeks. First of all, please resist the temptation to tar a vast number of law enforcement agents with the same brush under the polarizing heading `they'. It is more dangerous to see enemies everywhere than only somewhere (hm, I think the inspiration for that quote came from your own words). Unless they all showed up at an annual Loot & Pillage Conference and traded techniques and swapped success stories, my suspicions wouldn't be aroused. But as it stands your paragraph starts out with the explosion of `Gestapo band of secret police' and ends with a limp whine of `without bothering to do their homework'. As it stands, there is actually a bit of hostility between different law enforcement branches (best documented, I think, in Hacker Crackdown by Sterling, as in FBI vs. local police forces). This animosity prevents the various groups from wholeheartedly colluding, for which we can be ecstatically thankful for. Yes, the individual agencies are extremely dangerous in some of their recent actions, but this is more adequately explained in terms of local stupidity and imperialism than global malice and conspiracy. Ah, but the most dangerous call comes next: >And perhaps their next target will be "crypto-terrorists" like us. >After all, many of us advocate overthrowing the fascist/socialist >government (I know I do, and many of you do, too), and many of us >believe strong crypto is the key ingredient for bypassing tax systems, >for trading weapons technology details with others (how long before >some of us are charged with aiding and abetting the enemy?), and for >creating a transnational cyberspace. Uhm, I think if law enforcement officials were at all alarmed by our presence we would have encountered rather obvious signs by now. But look how little interference has been erected in front of cypherpunkesque adventurism. Cypherpunk remailers have only gone down for extremely mundane reasons. A rather feeble letter was sent to the operator of soda.berkeley.edu suggesting in the most delicate terms that something might be amiss (for which there was great ensuing fireworks, our nervous-edgy heavy barrage of artillery and cannons aimed at a wandering rabbit). *Nothing* has come of the Mycotronx postings like a Tianamen Square tank-rolling clampdown massacre response by the Establishment. We don't even have the whimper of a single misguided officer pursuing a lone local vigilante justice revenge power trip. We got spectacular coverage in Wired and the New York Times and not even a sneeze from a real red-blooded shifty-eyed Enemy in Black. >The Feds must surely come to see us as the enemy. The `Feds' are actually numerous and disparate agencies, have created their own realities that they live in, and so far have almost, apparently, *completely* ignored the Cacaphony of the Cypherpunks. I believe the situation is that the pillars we are targeting most directly (e.g. the NSA, FBI) are precisely those that are most limited in meeting and engaging us on our terms of warfare of a public-relations campaign. When they say anything in the media they sound absolutely ridiculous -- the FBI with their `a lot of dead bodies lying around' and `cryptography as nitroglycerin,' Denning's `I'm not sure if people should be informed' come to mind. Their clandestine preference is our strongest asset. We can advance by being loud and obnoxious and they cannot (a sort of Perotian-Clintonian relationship). So far I think we have exercised it effectively, galliantly, and perhaps even superbly. But as soon as we make statements that bespeak fanatic paranoia and dangerous and polarizing rhetorical posturing we will be swiftly discredited or hammered. >We need to be as prepared as Randy Weaver was! This is a rather irresponsible and dangerous sentiment and metaphor. I urge you to reconsider. Which cypherpunks are volunteering to barricade themselves from the police in their houses? To defy some court proceedings because of `distrust' of the prosecution? To arm their children with rifles for `defense'? Mr. Weaver was apparently subject to the most grave miscarriage of law enforcement in many years, perhaps only second to the Waco massacre in recent history if reported elements of the recent story hold up. But the fact remains that he refused to go to court and completely defied *our* `system' that has been erected to defend the innocent. He managed to delay going to court by a few months with absolutely disastrous and horrible payment. In fact, one could argue quite convincingly that Weaver was very clearly a victim of his own paranoia. If he had trusted the courts to minimize his plight the gruesome horror show might have been averted. Perhaps not. But are we cypherpunks now going to take on the American Judicial System? Dissolute focus means dissolute energy. Finally, I would like to take up the question of the Weaver Debacle in relation to the nation's media. First, anything this horrendous takes *years* to penetrate and percolate through the American consciousness and media, so we should be patient. It is like the trickle of Chinese water torture--one can go insane in the process. The fallout from the Steve Jackson games case has taken that long. (This is not to discourage public relations but to encourage it.) Secondly, the American public is actually firmly supportive of some of these bloody miscarriages. For example, Reno's approval/popularity soared after her public post-Waco culpability speeches. That is, we have met the enemy, and he is us. We *must* change American attitudes if we are to thwart future egregious law enforcement violations. And in this quest I think there is nothing but grave pallor in elevating Weaver as an epitomizing icon of our cause. From b44729 at achilles.ctd.anl.gov Wed Jul 21 05:00:54 1993 From: b44729 at achilles.ctd.anl.gov (Samuel Pigg) Date: Wed, 21 Jul 93 05:00:54 PDT Subject: Chicago area cypherpunks? Message-ID: <9307211159.AA06461@achilles.ctd.anl.gov> Is there a Chicago area cypherpunks group/meeting time/place? (or have I just not been paying attention..?) -Sam From honey at citi.umich.edu Wed Jul 21 05:41:08 1993 From: honey at citi.umich.edu (peter honeyman) Date: Wed, 21 Jul 93 05:41:08 PDT Subject: Thoughts on remailers Message-ID: <9307211241.AA08938@toad.com> pay phones and postal mail are also "perfect for those who would harrass and abuse others." peter From faust at cd.chalmers.se Wed Jul 21 07:35:55 1993 From: faust at cd.chalmers.se (faust at cd.chalmers.se) Date: Wed, 21 Jul 93 07:35:55 PDT Subject: Second-Hand-Remailers Message-ID: <199307211434.AA12334@castafiore.cd.chalmers.se> Second Hand Remailers (SHR). As more users get a taste of the sweet flavor of freedom, more remailers must be connected. Not only to stand the pressure of the mail, but also to assure the cypherpunks that they aren't using remailerX.cypherpunks.GOV! As Mr. Zimmmerman so nice states in the PGP.DOC , we need a grassrot-like organisation. But how do we get this? Keeping a remailer on a system you don't own, are not THAT appealing for the usual 'heck-I-want-freedom-FREE' person. The answer is Second Hand Remailers. A Second Hand Remailer is just like a ordinary cypherpunk remailer, with one difference, it only forwards mail to 'approved' systems, i.e normally other SHR's or LHR's (Last Hand Remailers, like those existing today.). In this way, the owner of the account of a SHR will be able to check up ALL forward-to-adresses before he starts, and thus keeps HIM from getting any flame for pumping GIGs of bad things into the net. (Since there will only be few LHR's , operators who don't want to have anonymously postings in their newsgroups/systems can easily keep track of which to refuse mail from.) Since the mail only passes thru the SHR's and will not be dropped into the net by the SHR but rather thru a LHR, (which, btw even can be a remailer.GOV if you don't care about the reciever and don't include any revealing signatures, like encrypting with your public-key.) the SHR's can't really be blamed for anything. This fact that you can contribute to the great fight for freedom without risking anything, must certainly appeal to all you cypherpunks? What we just need is to change the script for the ordinary remailers to first match the remail-to adress with a aproved list of other remailers. This should not be hard, should it? Imagine, if we just can find an easy way for the ordinary user to set up a SHR, there will be no way to stop or track the remailing since there will be thousands of remailers available and many will be 'friend-of-a-friend's and maybe not even published. (you trade SHR adresses with people you trust in the same way as you introduce new public keys of people you trust to other by signing them.) And, when more remailers get's into the scene, there will be a possibility to make adress-headers by chaining SEVERAL SHR's with one or more LHR's. The SHR's can be chosen among people who you know and whose computers are located near you. But with increasing chains, there will be increasing header-sizes, and there will most certainly go down some SHR's/day so you have to update your headers often. This two fact forces us to install some kind of header-site where you can pick up a fresh adress-header for a given pseudonym, preferly together with that pseudonym's public key. (and send your new header when a SHR's you used have bailed out.) I've said it before, and I'll say it again, we need a service exactly like the PGP-key server but who also supports adress-headers! Regards, Faust - Ziffer macht frei - From elee9sf at Menudo.UH.EDU Wed Jul 21 08:09:41 1993 From: elee9sf at Menudo.UH.EDU (Karl Barrus) Date: Wed, 21 Jul 93 08:09:41 PDT Subject: ANON: remail abuse Message-ID: <199307211508.AA17766@Menudo.UH.EDU> Earlier, Chris Odner brought up some concerns about abusing anonymous remailers. (I deleted the message before saving it, so I can't quote from it). He mentioned his friend is getting abusive mail, probably from telnet to the smtp port, and then mentions the "remailers are perfect for those who would harrass and abuse others." Wait a second... here is an example of harrassment right now, without anything to do with the remailers! I mean, if you want to really hassle somebody, you could just wait patiently until someone leaves their machine for a few seconds and type sh (or ksh) while true do uuencode /vmunix irritate | mail somebody at somewhere done followed with a clear and then leave quickly. I guess I'm one of those people who would get upset and blame the person responsible for the action instead of software and/or technological advancement for possible providing a means. As Peter mentioned, payphones are already perfect for harrassment. So is junk mail... and the crucial thing here is these services cost money. I'm sure future remailers will incorporate digital cash and be a pay-for-each-remail service. Chris also mentions concers about distributing porn and stuff like that through remailers. I guess this could be done, but why give up the speed and convenience of ftp, fsp, irc (dcc), and usenet posting? These services distribute files faster and further than remailing. /-----------------------------------\ | Karl L. Barrus | | elee9sf at menudo.uh.edu | <- preferred address | barrus at tree.egr.uh.edu (NeXTMail) | \-----------------------------------/ From marc at GZA.COM Wed Jul 21 08:59:40 1993 From: marc at GZA.COM (Marc Horowitz) Date: Wed, 21 Jul 93 08:59:40 PDT Subject: Thoughts on remailers In-Reply-To: <9307211241.AA08938@toad.com> Message-ID: <9307211558.AA14701@dun-dun-noodles.aktis.com> >> pay phones and postal mail are also "perfect for those who would >> harrass and abuse others." Both of those cost money. If anonymous remailers cost a dime of anonymous digital cash to use, people wouldn't use them quite as often. There would still be abuse, but random chronic abuse would be much less. Of course, if it cost money, people might not use them when it was really necessary. Not much can be done about that. Marc From pcw at access.digex.net Wed Jul 21 09:30:54 1993 From: pcw at access.digex.net (Peter Wayner) Date: Wed, 21 Jul 93 09:30:54 PDT Subject: Remailers/PayPhones and Today's NYT Message-ID: <199307211630.AA03454@access.digex.net> Today's NYT has an article on PayPhone salons that offer phone booths to their customers. They buy the long distance connection in bulk and resell them to the customers so the customer doesn't have to pay the high payphone charge. They're quite common in poor sections of town. The article mentions that the phones can be problematic because drug dealers can use them to avoid phone taps, but it seems to conclude that this is a small price to pay for bringing the connection to the poor. Most customers use the service to call their home country and speak to relatives. I thought it was interesting that the danger of untraceable drug dealers popped into the reporters mind when they were researching the article. After all, they don't tend to mention illegal problems when they speak about used car dealers or other services. -Peter From mbl at mail.msen.com Wed Jul 21 10:34:42 1993 From: mbl at mail.msen.com (Matthew B Landry) Date: Wed, 21 Jul 93 10:34:42 PDT Subject: Congressional contacts list Message-ID: Just thought I ought to let you know... Carl Pursell (R-MI) is gone. I know because I worked on his opponent's campaign. You might want to advise the source of the list about that. (There are most likely more, but I don't know about them personally.) -- Matthew B. Landry | mbl at mail.msen.com President of Project SAVE | (313)971-5469 (H/W) My opinions are my most prized posession. I don't share them. From tcmay at netcom.com Wed Jul 21 11:34:42 1993 From: tcmay at netcom.com (Timothy C. May) Date: Wed, 21 Jul 93 11:34:42 PDT Subject: Subliminal Channels in the Digital Signature Algorithm (DSA) Message-ID: <9307211832.AA01087@netcom.netcom.com> The recent discussion of possible subliminal channels (which some call covert channels) in the DSA reminds me of a preprint of a paper I received several months back with a rather mysterious note attached to it. There was no return address on the envelope. Apparently a number of Cypherpunks and folks active in the sci.crypt community also received it, as it came up on sci.crypt and we talked about it at a physical Cypherpunks meeting. The note read: "This needs to be made very public. Simmons resigned from Sandia over writing it." Some caveats: * this allegation that Gus Simmons left Sandia was denied by several folks on sci.crypt who actually _know_ Simmons. I don't know him, so I haven't checked directly. * some say this paper is hardly earth-shaking, though the possibility of subliminal channels should be taken seriously, especially in light of the cross-licensing of DSA/DSS with Public Key Partners (RSA Data, etc.). * I don't even know where this paper is being published--the preprint gave no clues. The timing of my getting it, several months back, suggests this year's Crypto Conference. The advance program ought to have it (I can't find my copy). I've OCRed the first page or so, including the Abstract. Too many OCR errors and too many equations with Greek symbols for me to scan-in the entire 20-page paper. The implications for Clipper, Capstone, Skipjack, etc. I'll leave for now. Here it is: The Subliminal Channels in the U.S. Digital Signature Algorithm (DSA) Gustavus J. Simmons Sandia Park. NM 87047. USA Abstract Since the DSA is derivative from El Gamal's digital signature scheme--which Simmons showed in 1985 permitted a subliminal channel--it should come as no surprise that the DSA also permits a similar channel. The subliminal channel in the El Gamal scheme, however, had several shortcomings. In order for the subliminal receiver to be able to recover the subliminal message, it was necessary for him to know the transmitter's secret key. This meant that the subliminal receiver had the capability to utter undetectable forgeries of the transmitter's signature. Also, only a subset of the desired message set could be communicated subliminally (phi (p-l) messages instead of p-1) and some of those that could be transmitted were computationally infeasible for the subliminal receiver to recover. The subliminal channels in the DSA avoid all of these difficulties! In fairness, it should be mentioned that not all are avoided at the same time. The channel in the DSA analogous to the one Simmons demonstrated in the El Gamal scheme can communicate messages conveying the full log-base-2 |X| bits, where X is the set of session keys; all of which are easily recovered by the subliminal receiver. However, this broadband channel still requires the subliminal receiver to know the transmitter's secret key. There are two other narrowband (<< 1og-base-2 |X|) subliminal channels in the DSA that do not give the subliminal receiver any better chance of forging the transmitter's signature than an outsider has. The price one pays for this integrity for the transmitter's signature is a reduced bandwidth for the subliminal channel and a difficult but feasible (dependent on the bandwidth actually used) amount of computation needed to use the channel. Two quite different such channels have been devised: one places the computational load almost entirely on the transmitter, the other almost entirely on the subliminal receiver. Since the total computation is essentially the same in either case, the choice of a particular channel would be based on which end is best equipped to do the necessary computation. To make clear what a remarkable coincidence it is that the apparently inherent shortcomings of subliminal channels using the El Gamal scheme can all be overcome in the DSA, we will analyze each of the channels implemented in both schemes. The inescapable conclusion, though, is that the DSA provides-the most hospitable setting for subliminal communications discovered to date. Introduction In 1983 Simmons introduced the notion of a subliminal channel existing in an encrypted communication channel by pointing out that if for each plaintext there existed two or more corresponding cipher texts, the identity of the cipher used to communicate a plaintext could convey information additional to that revealed by the decryptlon of the cipher [5]. In particular, in a public-key based authentication scheme in which the decryption key must be public information in order for public receivers to be able to decrypt cipher texts and verify the authenticity of the encrypted plaintext, this raised the possibility of there also being subliminal receivers who could recover information hidden from the public receivers: hence the name of a subliminal channel. Clearly subliminal channel receivers must have private information not known to public receivers--and as we will see, the nature of this private information provides a natural classification for subliminal channels. (rest of paper not OCRed...too many errors (blurred fonts), too many equations) From talon57 at well.sf.ca.us Wed Jul 21 11:51:14 1993 From: talon57 at well.sf.ca.us (Brian D Williams) Date: Wed, 21 Jul 93 11:51:14 PDT Subject: chicago area cypherpunks Message-ID: <93Jul21.115018pdt.14097-1@well.sf.ca.us> Samuel Pigg posts: >Is there a Chicago area cypherpunks group/meeting time/place? >(or have I just not been paying attention..?) There is no current group/meeting that I know of, but we could start one ( don't let the well.sf.ca.us fool you, I work in Downtown Chicago) any other Chicago area cypherpunks? Brian Williams From gdale at apple.com Wed Jul 21 12:19:42 1993 From: gdale at apple.com (Geoff Dale) Date: Wed, 21 Jul 93 12:19:42 PDT Subject: Encrypted data across international lines Message-ID: <9307211916.AA25115@apple.com> Does anybody have pointers to the actual statutes prohibiting transmitting encrypted data across international boundries. I had an argument with somebody who didn't think this was illegal. I'm pretty sure you need special permits (export licenses??) for this. _________________________________________________________________________ Geoff Dale -- insert standard disclaimers here -- gdale at apple.com -- How am I posting? -- To comment on this Apple Employee's posting etiquette call 1-800-373-9821 From smb at research.att.com Wed Jul 21 12:25:55 1993 From: smb at research.att.com (smb at research.att.com) Date: Wed, 21 Jul 93 12:25:55 PDT Subject: Remailers/PayPhones and Today's NYT Message-ID: <9307211924.AA16600@toad.com> I thought it was interesting that the danger of untraceable drug dealers popped into the reporters mind when they were researching the article. After all, they don't tend to mention illegal problems when they speak about used car dealers or other services. Well, the article said that some of the phone store operators raised the issue, often defensively. Even if the reporter didn't know about the issue beforehand, they sure knew after that. Also note that part of the market for such stores is that NY Telephone has cut off some payphone service in certain areas, thereby sensitizing the reporter to such questions. From pcw at access.digex.net Wed Jul 21 12:39:42 1993 From: pcw at access.digex.net (Peter Wayner) Date: Wed, 21 Jul 93 12:39:42 PDT Subject: Simmons... Message-ID: <199307211938.AA09000@access.digex.net> I have no idea about the reason behind his departure from Sandia, but I did note with curiosity that Sandia refuses to forward mail to him. This may be Standard Operating Procedure at secure sites, but the Journal of Cryptology reported this in its latest issue. He is still an editor. -Peter From pcw at access.digex.net Wed Jul 21 12:40:50 1993 From: pcw at access.digex.net (Peter Wayner) Date: Wed, 21 Jul 93 12:40:50 PDT Subject: Simmons Subliminal channels and more... Message-ID: <199307211936.AA08235@access.digex.net> I too received a copy of Gus Simmons paper in the mail and I called him on the phone to discuss it with him. He sent me a copy of his latest version of the paper. The significance of the paper is that it is possible to use the DSS algorithm to send messages disguised as signatures. The specs for the DSS used by NIST required that it could not be used to hold secrets. This would make it more exportable and this was one of the reasons why RSA was not chosen as the DSS. On a more philosophical level, it shows that the DSS and the El Gamal system really aren't signature systems. They convey extra information. That means that they really aren't that different from RSA on a functional level. The easiest way to understand how the message passing system works is notice that the DSS uses a random number to compute the signature. If we could somehow recover this number, then we could have the information. What's the simplest hidden way to send a message? Let's say that you want to send a bit. Just keep rerunning the algorithm with different random numbers until the right parity appears. The real approach is more sophisticated than this. My personal feeling is that this shows how utterly impossible it is to keep secret bits from hiding in the noise of the world. If the NSA can't do it, then there is a good chance that no one can. -Peter From ebrandt at jarthur.Claremont.EDU Wed Jul 21 12:54:42 1993 From: ebrandt at jarthur.Claremont.EDU (Eli Brandt) Date: Wed, 21 Jul 93 12:54:42 PDT Subject: subliminal messages In-Reply-To: <9307210117.AA05181@snark.shearson.com> Message-ID: <9307211953.AA16773@toad.com> > A very good posting, Karl, but I will note in the literature these are > called "covert" channels, not "subliminal" channels. Covert channels are signaling techniques which bypass secrecy classification, right? e.g. twiddling with free disk and other system parameters. Passing messages in digital signatures, which I've always seen called "subliminal channels", could of course be used as a covert channel if the OS permits signatures on material accessible to lower-classification folk. > Perry Eli ebrandt at jarthur.claremont.edu From cdodhner at indirect.com Wed Jul 21 13:39:44 1993 From: cdodhner at indirect.com (Christian D. Odhner) Date: Wed, 21 Jul 93 13:39:44 PDT Subject: ANON: remail abuse In-Reply-To: <199307211508.AA17766@Menudo.UH.EDU> Message-ID: <9307212036.AA17170@indirect.com> > I guess I'm one of those people who would get upset and blame the person > responsible for the action instead of software and/or technological > advancement for possible providing a means. I'm sorry, maybe I didn't make myself clear enough. I also am blameing the person, not the technology, and I am merely worried about the response people may use if this becomes more commonplace. > As Peter mentioned, payphones are already perfect for harrassment. So > is junk mail... and the crucial thing here is these services cost money. > I'm sure future remailers will incorporate digital cash and be a > pay-for-each-remail service. I'm sure that would be a big help, although I'm not literate enough yet in the area of digital cash to understand how this would work. > Chris also mentions concers about distributing porn and stuff like that > through remailers. I guess this could be done, but why give up the I'm not concerned in particular with porn etc, that just happens to be the problem in this instance. > /-----------------------------------\ > | Karl L. Barrus | > | elee9sf at menudo.uh.edu | <- preferred address > | barrus at tree.egr.uh.edu (NeXTMail) | > \-----------------------------------/ > Happy Hunting, -Chris Odhner From warlord at MIT.EDU Wed Jul 21 13:50:55 1993 From: warlord at MIT.EDU (Derek Atkins) Date: Wed, 21 Jul 93 13:50:55 PDT Subject: Encrypted data across international lines In-Reply-To: <9307211916.AA25115@apple.com> Message-ID: <9307212050.AA23272@toxicwaste.MEDIA.MIT.EDU> Save a few exceptions (like France), I believe it is legal to transmit encrypted data across country borders. The question comes in as to how to define "cryptographic material", as used in the ITAR (for the US) or similar statutes for other places. Basically, I doubt that anyone will do anything other than raise an eyebrow if you send encrypted data out of the country. -derek From warlord at MIT.EDU Wed Jul 21 13:59:42 1993 From: warlord at MIT.EDU (Derek Atkins) Date: Wed, 21 Jul 93 13:59:42 PDT Subject: MEET: Boston Area meeting Message-ID: <9307212056.AA23296@toxicwaste.MEDIA.MIT.EDU> I would like to hold a meeting on the second saturday in August, the 8th, to corespond with the California meeting. I can get a room at MIT unless someone else has a better place. Also, can people give me topics for the agenda? I'm sure people have things they want to talk about. Send agenda items to me, directly. Send problems/questions/place suggestions to the list. -derek From elee9sf at Menudo.UH.EDU Wed Jul 21 15:20:58 1993 From: elee9sf at Menudo.UH.EDU (elee9sf at Menudo.UH.EDU) Date: Wed, 21 Jul 93 15:20:58 PDT Subject: ANON: Re: remail abuse In-Reply-To: <9307212036.AA17170@indirect.com> Message-ID: <199307212220.AA24582@Menudo.UH.EDU> > I'm sure that would be a big help, although I'm not literate enough yet in > the area of digital cash to understand how this would work. Okay - actually, you don't need to be very familiar with digital cash at all. Just think of a cash accepting remailer as one in which you are charged a fee for each use. Similar to postage stamps and postal mail. When you want to use a digital cash accepting remailer, you would first purchase some postage stamps, certificates, however you want to think of it. Then, you attach the cash/stamp/certificate to the mail (maybe by a special header field), and send it to the remailer. Your mail would probably be encrypted as well to keep others from spying on your cash, altering it (rendering it invalid) and using it for themselves. The remailer would validate your cash, probably store it in a file to prevent multiple uses, and then forward your mail to wherever. The digital cash part just means electronic forms of payment which have cash properties. Say you purchase something with cash. The merchant can't link your identity to the cash, and later when the merchant deposits cash in a bank, the bank cannot link the cash to your transactions with the merchant. But the merchant can verify the cash is valid, and the bank can too. Furthermore, you can't spend the same piece of cash twice. This is confusing to think about without being familiar with modern crypto; one of these days I shall finish a digital cash application I've been working on for people to play with. /-----------------------------------\ | Karl L. Barrus | | elee9sf at menudo.uh.edu | <- preferred address | barrus at tree.egr.uh.edu (NeXTMail) | \-----------------------------------/ From boojum!esr at gvls1.VFL.Paramax.COM Wed Jul 21 16:09:44 1993 From: boojum!esr at gvls1.VFL.Paramax.COM (Eric S. Raymond) Date: Wed, 21 Jul 93 16:09:44 PDT Subject: FAQ, round 2 Message-ID: I've written some more material for it. Criticisms and additions welcome. --- DRAFT VERSION ---- DRAFT VERSION ---- DRAFT VERSION ---- DRAFT VERSION --- From: esr at snark.thyrsus.com (Eric S. Raymond) Newsgroups: news.answers Followup-To: poster This is the Cypherpunks FAQ. It explains the projects and purposes of the Cypherpunks mailing list. It is also intended to serve as a general introduction to privacy and encryption issues. For details on the technical and theoretical aspects of computer cryptography, see the sci.crypt FAQ, available for FTP from rtfm.mit.edu (18.172.1.27) in the directory pub/usenet-by-group/sci.crypt. The cypherpunks archive is available for FTP at soda.berkeley.edu:pub/cypherpunks This site contains code, information, rants, and other miscellany, including the most up-to-date version of this FAQ. This FAQ is maintained by Eric S. Raymond ; send additions and corrections to that address. Sections contributed by others are credited to individual authors. We gratefully acknowledge, in addition, feedback and comments from David Mandl and Eric Hughes . Here is a table of contents for this FAQ: 1. Why cypherpunks? 2. What are the essentials of privacy software? a. Public-key cryptosystems for secure communication. b. Unforgeable electronic signatures for message authentication. c. DC-net or similar protocols to thwart spoofing. 3. What are the potential applications of good privacy software? a. Secure communications. b. Digital cash. c. Electronic voting. d. Electronic contracts. e. Secure anonymous remailers and posters. f. 4. What are the key algorithms, tools, and implementations for privacy software? a. RSA b. DES c. Clipper/Capstone/DSS d. PGP e. Possible non-RSA trapdoor functions. 5. What are the social and political implications of good privacy software? a. Drastically lower transaction costs for trade. b. Expansion of the counter-economy. c. Disempowerment of government. d. Anonymity for whistleblowers. 6. What are the legal, political, and technical obstacles? a. The Clipper/Capstone/DSS power grab. b. The RSA patent and the PGP/RSA fight. c. RSA's base problem may not be NP-complete. 7. What can I do to help? a. Work on cryptographic software. b. Agitate against the Clipper/Capstone/DES proposals. c. Promote the use of encrypted communication. To join the cypherpunks mailing list, send a request to: cypherpunks-request at toad.com Working with us could be your best shot at stopping Big Brother. So if you have skills to contribute, act now. The freedom you save could be your own. 1. Why cypherpunks? Because privacy is essential to freedom. If the government (or any other oppressor that behaves like one) can effectively monitor communications, it can control or suppress them. And it will do so, because the natural tendency of controllers is always to seek more control. The government cannot be relied on to protect your privacy rights. Nor can anyone else --- certainly not your employer, or the corporations that want to know all about you so they can sell you things. Given half the chance, governments and corporations will always push for security standards that protect *them*, but not *you*. Computer technology can help protect you against would-be snoopers, but only if somebody is sufficiently smart and dedicated to build the tools. The Cypherpunks list exists to build and propagate privacy software. Our aim is to give you the tools to keep your private information private, and to communicate with other people and computers in ways snoopers cannot tap. 2. What are the essentials of privacy software? a. Public-key cryptosystems for secure communication. A conventional cryptosystem consists of an encoding/decoding method and a single key. Two users who share a key can exchange private messages. A public-key cryptosystem uses a *pair* of keys; one private, one public. Anyone with either key can decode messages encoded with the other. For privacy, it must be impossible (or at least impractical) to deduce the private key from the public one. Public-key cryptosystems imply many exciting things --- unforgeable electronic signatures, digital cash, and secure electronic contracts are among them. The basic idea behind all of these is that, as long as your private key is secure, people can verify that an encoded message containg known text came from you by decoding with your public key. In the remainder of this FAQ we use `PKC' as an abbreviation for `Public Key Cryptosystem'. The best-known PKCs are the RSA system, the Federal Government's DES standard, and the government's Clipper proposal. We'll discuss these, and others, in more detail below. b. Unforgeable electronic signatures for message authentication. There are many circumstances in which you want to be able to check a public clear-text message for tampering. To do this, the message must contain a `digital signature' or `message digest code' or `message hash' derived from its clear text, which can be checked against the clear text by a receiver. For security, the message hash should have the property that no one knows how to modify a message in a way that preserves its hash. PKCs give you unforgeable signatures as a side-effect. Unfortunately, known PKCs are too slow to use practically for message hashing. Thus, there is a separate category of `Digital Signature Systems'. The three major DSS techniques are Snefru, MD5, and DSS. Snefru, invented by Ralph Merkle at Xerox PARC, is of historical interest only as it has been broken. MD5 is described in Internet RFC 1321, which also gives a reference implementation in C. As of July 1993 it is believed to be secure, but has not been *proved* to be secure. DSS is a Federal Government proposed standard associated with the Clipper proposal. c. DC-net or similar protocols to thwart spoofing. 3. What are the potential applications of good privacy software? a. Secure communications. With a PKC, you can send a message that no one but the intended receiver can decrypt by encoding it with the receiver's public key. If you encode it with *your* public key, the receiver can verify that it came from you. This means that it is possible to do secure communications even over public channels. Neither nosy neighbors, business competitors, nor the government or any (other) criminal gang can interfere with it. b. Digital cash. Unforgeable messages also imply digital cash. You could use a PKC to send to the receiver a code permitting them to draw a particular amount of money from your bank account. The bank, with access to both yours and the payee's public keys, can verify that the order is genuine. This means that it is possible to do trade over electronic links, without any part trusting any other party beyond the bounds of normal commercial risk. c. Electronic voting. Unforgeable messages also imply secure electronic voting. If you encode your voting form with a PKC, the vote-collecting authority can verify it with your public key. d. Electronic contracts. If two or more people encode known text with their private keys applied in succession, all their public keys will be required to decode it. This is an unforgeable contract. Furthermore, it is an unforgeable *private* contract. e. Secure anonymous remailers and posters. 4. What are the key algorithms, tools, and implementations for privacy software? a. RSA RSA stands for `Rivest-Shamir-Adelson', the names of the three computer scientists who developed the technique. RSA has withstood determined attacks for over a decade and is widely believed to be secure. It has been proposed as an Internet standard. The RSA technique is patented. The patents are held by RSA, Inc. . An implemenation in C called RSAREF is available for research and certain noncommercial uses. b. DES c. Clipper/Capstone/DSS d. PGP e. Possible non-RSA trapdoor functions. 5. What are the social and political implications of good privacy software? a. Drastically lower transaction costs for trade. b. Expansion of the counter-economy. c. Disempowerment of government. d. Anonymity for whistleblowers. 6. What are the legal, political, and technical obstacles? a. The Clipper/Capstone/DSS power grab. b. The RSA patent and the PGP/RSA fight. c. RSA's base problem may not be NP-complete. 7. What can I do to help? a. Work on cryptographic software. b. Agitate against the Clipper/Capstone/DES proposals. c. Promote the routine use of encrypted communication. You can help spread PGP and other appropriate tools far and wide (both to help get a better foothold to thwart the Clipper proposal and its ilk, and to work towards making crypto as commonplace as envelopes). --- DRAFT VERSION ---- DRAFT VERSION ---- DRAFT VERSION ---- DRAFT VERSION --- -- >>eric>> From ld231782 at longs.lance.colostate.edu Wed Jul 21 16:20:58 1993 From: ld231782 at longs.lance.colostate.edu ( L. Detweiler ) Date: Wed, 21 Jul 93 16:20:58 PDT Subject: more on FBI credit search access Message-ID: <9307212319.AA04464@longs.lance.colostate.edu> Hm, maybe someone could just check out the article (Sat Jul 17 NYT p. 7). This is a distinctly different interpretation. ===cut=here=== From: Shari Steele Date: Wed, 21 Jul 1993 09:17:28 -0400 Subject: New law on FBI and credit records Hi Peter. Your post in alt.privacy was forwarded to me. I don't know of any legislation that will permit the FBI to obtain your credit report without a search warrant. While it is possible that such legislation exists, what you describe from the NY Times article sounds an awful lot like a proposed amendment to the Electronic Communications Privacy Act (ECPA) introduced this year that would allow the FBI access to *telephone calling data* with a letter (rather than a search warrant) certifying that the person was being investigated for engaging in terrorism or international espionage, or cohorting with such folks. The telephone calling data includes the names and telephone numbers of all calls made from the phone number being investigated, as well as the duration of the calls. While this in itself may be cause for alarm, it is not the same as FBI access to credit reporting information. Shari ****************************************************************************** Shari Steele Director of Legal Services Electronic Frontier Foundation 1001 G Street, NW Suite 950 East Washington, DC 20001 202/347-5400 (voice), 202/393-5509 (fax) ssteele at eff.org ------- End of Forwarded Message From ld231782 at longs.lance.colostate.edu Wed Jul 21 16:34:44 1993 From: ld231782 at longs.lance.colostate.edu ( L. Detweiler ) Date: Wed, 21 Jul 93 16:34:44 PDT Subject: Encrypted data across international lines Message-ID: <9307212331.AA04712@longs.lance.colostate.edu> From: gdale at apple.com (Geoff Dale) >Does anybody have pointers to the actual statutes prohibiting transmitting >encrypted data across international boundries. > >I had an argument with somebody who didn't think this was illegal. This is similar to the question `do any countries prohibit certain kinds of cryptography' that arose after the Clipper announcement suggested that some do. The FCC prohibits the use of codes in amateur radio transmissions, and violations are sufficient to revoke the license. This is enforced by legislation. Also, various countries have rules against using encryption in telegrams. I believe Australia has one, and also Britain. Or maybe it was that Australia had an `official' code under which other codes were illegal. The question is, how are these enforced in practice? I'd like to see a bit of information from the experts on this. What constitutes `codes'? A friend operator told me that, unusual statements, non sequiturs, qualified. Have any operators lost their licenses this way? What is the enforcement like? On a related subject, I recall the discussion here a few months ago about `numbers stations' (or was it sci.crypt?). These are broadcast frequencies where the announcer simply reads off long lists of numbers. They are used for encrypted communication to clandestine operatives, etc. Apparently most are Iron Curtain originating, from what I understand. I saw on TV (nightly news) that there was a great deal of hullaballoo about using the VOA (Voice of America) to send secret communications. A director told a disk jockey to play a certain song and say that it was for a request from `country [x]' where [x] was a very obscure locality in Russia, and the song was unusual. Apparently a disk jockey complained about the practice, and a previous director was against it. A new director was not unequivocally against the practice. There was disagreement on whether the VOA charter allowed it (private analysts saying emphatically no, shady slippery shifty-eyed gov't types saying `well, ...'). If anyone else can expand on this one I'd appreciate it. From mcglk at cpac.washington.edu Wed Jul 21 16:56:14 1993 From: mcglk at cpac.washington.edu (Ken McGlothlen) Date: Wed, 21 Jul 93 16:56:14 PDT Subject: ANON: remail abuse In-Reply-To: <199307211508.AA17766@Menudo.UH.EDU> Message-ID: <9307212358.AA06651@yang.cpac.washington.edu> Just another lurker, speaking up for the first time. . . . elee9sf at menudo.uh.edu (Karl Barrus) writes: [...first, an example of how to harrass without a remailer, then:] | I guess I'm one of those people who would get upset and blame the person | responsible for the action instead of software and/or technological | advancement for possible providing a means. While I tend to agree with you on this point, the fact remains that most people, by and large, are idiots. And while I'm a closet libertarian at heart, this one simple fact of life gives me pause on a number of issues where some potentially useful and/or fun object can be put to extreme nastiness without much (or any) knowledge or imagination: firearms, poisons, neurotoxins, gamma-ray sources, genetic-engineering kits . . . and anonymous remailers. | As Peter mentioned, payphones are already perfect for harrassment. So | is junk mail... and the crucial thing here is these services cost money. | I'm sure future remailers will incorporate digital cash and be a | pay-for-each-remail service. Oh, big deal. Payphone = 25c. Junk mail = 29c for *first-class* harrassment mail. :) Anonymous E-mail remailers = something much less, or free at the moment. Money is *not* the issue. Period. The reason anonymous remailers are not the same as payphones or junk mail is that the latter two leave tangible clues behind. While I'm not entirely happy with the US justice system, it seems to me that given society's current limitations, a police force of some sort is generally a good thing (if strict controls are kept on it). (Sorry, I realize that this is a bit of a fringe opinion in *this* group, but. . . .) Both payphones and mail leave tangible clues which can be investigated and traced by law enforcement authorities. Anonymous mail doesn't---at least, not without actually running a process or a logger on the machine itself. So they're *not* equivalent. | Chris also mentions concers about distributing porn and stuff like that | through remailers. I guess this could be done, but why give up the speed and | convenience of ftp, fsp, irc (dcc), and usenet posting? These services | distribute files faster and further than remailing. But not as anonymously, except in the case of Usenet postings. ---Ken McGlothlen mcglk at cpac.washington.edu mcglk at cpac.bitnet From hughes at toad.com Wed Jul 21 17:09:46 1993 From: hughes at toad.com (hughes at toad.com) Date: Wed, 21 Jul 93 17:09:46 PDT Subject: No Subject In-Reply-To: <0096FD31.CFAACAE0.23924@INDIGO.MESE.COM> Message-ID: <9307211608.AA14922@toad.com> You have been added to the cypherpunks mailing list. The cypherpunks list is a forum for discussing personal defenses for privacy in the digital domain. It is a high volume mailing list. If you want to be added or removed from the list, send mail to cypherpunks-request at toad.com There is no automated list processing software; a human (me, Eric Hughes) will read your message and take the appropriate action. If you get two of these welcome messages, it likely means you've double subscribed and will have trouble getting off the list. Send mail to the above address and tell me if this happens. Do not expect instant turnaround. Remember, a human is looking at your requests, not a program. I try to do list maintenance every other day or so, but sometimes the delays are longer. Do not mail to the whole list asking to be removed. You'll just get the members of the list thinking you're a newbie and you'll get a note from me telling you to send mail the the -request address. If your mail bounces repeatedly, you will be removed from the list. Nothing personal, but I have to look at all the bounce messages. There is no digest version available. There is an announcements list which is moderated and has low volume. Announcements for physical cypherpunks meetings, new software and important developments will be posted there. Mail to cypherpunks-announce-request at toad.com if you want to be added or removed to the announce list. All announcements also go out to the full cypherpunks list, so there is no need to subscribe to both. There is an ftp site for cypherpunks. It is soda.berkeley.edu:pub/cypherpunks This site contains code, information, rants, and other miscellany. There is a glossary there that all new members should download and read. Also recommended for all users are Hal Finney's instructions on how to use the anonymous remailer system; the remailer sources are there for the perl-literate. Enjoy and deploy. Eric ----------------------------------------------------------------------------- Cypherpunks assume privacy is a good thing and wish there were more of it. Cypherpunks acknowledge that those who want privacy must create it for themselves and not expect governments, corporations, or other large, faceless organizations to grant them privacy out of beneficence. Cypherpunks know that people have been creating their own privacy for centuries with whispers, envelopes, closed doors, and couriers. Cypherpunks do not seek to prevent other people from speaking about their experiences or their opinions. The most important means to the defense of privacy is encryption. To encrypt is to indicate the desire for privacy. But to encrypt with weak cryptography is to indicate not too much desire for privacy. Cypherpunks hope that all people desiring privacy will learn how best to defend it. Cypherpunks are therefore devoted to cryptography. Cypherpunks wish to learn about it, to teach it, to implement it, and to make more of it. Cypherpunks know that cryptographic protocols make social structures. Cypherpunks know how to attack a system and how to defend it. Cypherpunks know just how hard it is to make good cryptosystems. Cypherpunks love to practice. They love to play with public key cryptography. They love to play with anonymous and pseudonymous mail forwarding and delivery. They love to play with DC-nets. They love to play with secure communications of all kinds. Cypherpunks write code. They know that someone has to write code to defend privacy, and since it's their privacy, they're going to write it. Cypherpunks publish their code so that their fellow cypherpunks may practice and play with it. Cypherpunks realize that security is not built in a day and are patient with incremental progress. Cypherpunks don't care if you don't like the software they write. Cypherpunks know that software can't be destroyed. Cypherpunks know that a widely dispersed system can't be shut down. Cypherpunks will make the networks safe for privacy. From 72114.1712 at CompuServe.COM Wed Jul 21 17:14:46 1993 From: 72114.1712 at CompuServe.COM (Sandy) Date: Wed, 21 Jul 93 17:14:46 PDT Subject: INTERNATIONAL ENCRYPTION Message-ID: <930722000756_72114.1712_FHF108-1@CompuServe.COM> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SANDY SANDFORT Reply to: ssandfort at attmail.com . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Geoff Dale asks about statutes prohibiting the transmission of encrypted data across international boundaries. To the best of my knowledge, there's no such animal. If such exists, it is widely violated, with impunity, by me and folks I know, on a regular basis. Where do these urban legends come from? (Have I ever told you about what happened when I put my poodle in the microwave, or what my doberman was choking on?) S a n d y >>>>>> Please send e-mail to: ssandfort at attmail.com <<<<<< ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From peb at PROCASE.COM Wed Jul 21 17:39:47 1993 From: peb at PROCASE.COM (Paul Baclace) Date: Wed, 21 Jul 93 17:39:47 PDT Subject: People's rights???? Message-ID: <9307220037.AA10660@banff.procase.com> Rant=on Over the past few years many LEA pseudo-documentary-tabloid shows have appeared on TV (I figure it all started with Raygun's WOD) with re-creations of events using actors. They usually are portrayed as if they were real to the extent of bluring out faces, etc. (that is, no disclaimers and everything appears to be done live with no indication of due process). I've seen this stuff whilst channel surfing in hotel rooms (the only time I watch TV, really) and it seems very sick. I suppose the producers of such shows don't find legalities like warrants to be interesting enough, so they leave it out. So much for TV being educational. If the general public becomes so dulled to apparent violations of rights as depicted in realistic settings, the cynicism that Nixon had for the general public might one day become true (e.g., Nixon, as documented by transcripts declassified this year, said that people don't care about wiretapping--they think it happens all the time. (I wonder why this statement by Nixon was protected for National Security for ~20 years...)) Rant=off Paul E. Baclace peb at procase.com From smb at research.att.com Wed Jul 21 18:14:52 1993 From: smb at research.att.com (smb at research.att.com) Date: Wed, 21 Jul 93 18:14:52 PDT Subject: more on FBI credit search access Message-ID: <9307220112.AA20607@toad.com> Hm, maybe someone could just check out the article (Sat Jul 17 NYT p. 7). This is a distinctly different interpretation. I already looked at the article. It didn't say much. But I tend to agree with Shari Steele's explanation, and in fact posted a similar analysis to comp.org.eff.talk. Here's what I said: Without more detail than appeared in the NY Times article (and yes, I did go and check it, too), it's impossible to say what that bill really means. But I strongly suspect that it's less of a change than one might think The government already has the right to conduct wiretaps against non- Americans without benefit of a court order. See the Foreign Intelligence Surveillance Act (50 USC 1801, if memory serves). Conversely, the prohibitions against eavesdropping on Americans under that act are quite strict, to the point of requiring destruction of any inadvertent recordings that would not be acceptable under the law. My reading of the NY Times squib is that they are simply bringing another form of intelligence-gathering under the rubric of the FISA, rather than just using it for electronic surveillance. Note: I'm not saying I approve of the new action -- but it doesn't seem to be as big a departure from current practice as one might think. --Steve Bellovin From mdiehl at vesta.unm.edu Wed Jul 21 18:56:18 1993 From: mdiehl at vesta.unm.edu (J. Michael Diehl) Date: Wed, 21 Jul 93 18:56:18 PDT Subject: Key revoked. Message-ID: <9307220155.AA26902@vesta.unm.edu> To whom it may concern: I have completely destroyed my rsa encryption key, ID 700903. This key is no longer valid and any messages or files encrypted with it will be ABSOLUTELY UNREADABLE by me. My new key will be available via finger or the key servers. Thank you. +-----------------------+-----------------------------+---------+ | J. Michael Diehl ;-) | I thought I was wrong once. | PGP KEY | | mdiehl at triton.unm.edu | But, I was mistaken. |available| | mike.diehl at fido.org | | Ask Me! | | (505) 299-2282 +-----------------------------+---------+ | | +------"I'm just looking for the opportunity to be -------------+ | Politically Incorrect!" | +-----If codes are outlawed, only criminals wil have codes.-----+ +----Is Big Brother in your phone? If you don't know, ask me---+ From jpp at markv.com Wed Jul 21 19:01:02 1993 From: jpp at markv.com (jpp at markv.com) Date: Wed, 21 Jul 93 19:01:02 PDT Subject: Thoughts on remailers In-Reply-To: <9307210647.AA13445@indirect.com> Message-ID: <9307211859.aa04589@hermix.markv.com> We just discussed a related issue on another list I subscribe to. I feel that we want accountability along with anonymity in many circumstances. You can deny service to 'bad apples' with out compromising the identities of anyone who uses your service. Not even the identiy of the 'bad apple' need ever be know to you. Chaum discusses how this can be achieved cryptographicaly. Is anyone working on an implementation? j' -- O I am Jay Prime Positive jpp at markv.com 1250 bit key fingerprint = B8 95 E0 AF 9A A2 CD A5 89 C9 F0 FE B4 3A 2C 3F 524 bit key fingerprint = 8A 7C B9 F2 D5 46 4D ED 66 23 F1 71 DE FF 51 48 Public keys by `finger jpp @hermix.markv.com' or pgp-public-keys at pgp.mit.edu Your feedback is welcome, directly or via symbol JPP on hex at sea.east.sun.com From hughes at soda.berkeley.edu Wed Jul 21 19:19:50 1993 From: hughes at soda.berkeley.edu (Eric Hughes) Date: Wed, 21 Jul 93 19:19:50 PDT Subject: ADMIN: cypherpunks@indigo.mese.com has been removed In-Reply-To: <9307211608.AA14922@toad.com> Message-ID: <9307220131.AA08257@soda.berkeley.edu> cypherpunks at indigo.mese.com has been removed from the mailing list because it appears that mail being sent to this alias is ending up back on the list. This behavior is wrong. If the list at large sees this, pardon me. Eric From morpheus at entropy.linet.org Wed Jul 21 19:39:51 1993 From: morpheus at entropy.linet.org (morpheus) Date: Wed, 21 Jul 93 19:39:51 PDT Subject: Weaver/BATF trial In-Reply-To: <9307210712.AA16784@longs.lance.colostate.edu> Message-ID: <1993Jul21.213712.3713@entropy.linet.org> ""L. Detweiler"" writes: [...] > One wonders if law enforcement is composed of responsible servants or > maurading mercenaries. I don't think a rational person needs to wonder about this for long. It's extremely obvious what the true colors of "Law Enforcement" are. The world would be a better place if cypherpunks, after their crypto activities, went out and torched a bacon wagon... "there's more to cypherpunks than the cypher" ;-) -- morpheus at entropy.linet.org Non serviam! Support your local police for a more efficient police state. From khijol!erc at apple.com Wed Jul 21 19:44:51 1993 From: khijol!erc at apple.com (Ed Carp) Date: Wed, 21 Jul 93 19:44:51 PDT Subject: Encrypted data across international lines In-Reply-To: <9307212331.AA04712@longs.lance.colostate.edu> Message-ID: > The FCC prohibits the use of codes in amateur radio transmissions, and > violations are sufficient to revoke the license. This is enforced by Well, yes and no. The FCC prohibits the use or codes, ciphers, or anything else whose primary purpose is to obscure the meaning of the message. On the other hand, compression, since its primary purpose is not to obscure, is OK. But it sure makes it hard for the average Joe Blow ham to read my packet traffic. Not that I have anything to hide, but doubling my throughput on a 1200 baud half-duplex session is sort of important to me. :) -- Ed Carp erc at apple.com 510/659-9560 "Disagreements are not meant to be challenges. They are just a different reality." -- Risa D'Angeles DISCLAIMER: I work for me ... what's it to you? :) From newsham at wiliki.eng.hawaii.edu Wed Jul 21 21:24:55 1993 From: newsham at wiliki.eng.hawaii.edu (Timothy Newsham) Date: Wed, 21 Jul 93 21:24:55 PDT Subject: carbon copy Message-ID: <9307220424.AA25332@toad.com> Forwarded message: > From owner-cypherpunks at toad.com Wed Jul 21 17:00 HST 1993 > Resent-Message-Id: <9307220127.AA16447 at emory.mathcs.emory.edu> > Resent-Date: Wed, 21 Jul 1993 21:21:11 EDT > Resent-From: > Resent-To: > Date: Wed, 21 Jul 1993 15:36:55 -0400 > From: Peter Wayner > Message-Id: <199307211936.AA08235 at access.digex.net> > To: cypherpunks at toad.com > Subject: Simmons Subliminal channels and more... Every single cypherpunk message I am receiving comes in duplicate. The first from cypherpunks list, the second with added header lines as above. Tim N. From honey at citi.umich.edu Wed Jul 21 21:34:55 1993 From: honey at citi.umich.edu (peter honeyman) Date: Wed, 21 Jul 93 21:34:55 PDT Subject: ANON: remail abuse Message-ID: <9307220432.AA25471@toad.com> > The reason anonymous remailers are not the same as payphones or junk mail is > that the latter two leave tangible clues behind. While I'm not entirely happy > with the US justice system, it seems to me that given society's current > limitations, a police force of some sort is generally a good thing (if strict > controls are kept on it). (Sorry, I realize that this is a bit of a fringe > opinion in *this* group, but. . . .) Both payphones and mail leave tangible > clues which can be investigated and traced by law enforcement authorities. > Anonymous mail doesn't---at least, not without actually running a process or a > logger on the machine itself. wow, much to disagree with in that paragraph. tell you what, though. since you have such faith in the bloodhounds of the justice system, why don't you post your home phone number here and invite a test of the efficacy of those tangible clues etc.? i haven't a clue, tangible or otherwise, how you would trace a carefully plotted campaign of harrassment, whether by phone or postal mail. perhaps you could elaborate? peter From tedwards at wam.umd.edu Wed Jul 21 23:14:55 1993 From: tedwards at wam.umd.edu (technopagan priest) Date: Wed, 21 Jul 93 23:14:55 PDT Subject: No Subject Message-ID: <199307220613.AA11756@rac3.wam.umd.edu> Recently, there has been some talk on here concerning anonymous remailers and harassment. I don't think we will ever exist in a society where anonymous information sources will be eliminated. Even 50 years ago, the "rumour mill" was the equivalent of the modern anonymous remailer. And yes, harassing rumours got started and hurt people. But the fault, as I see it, lies not so much in those who started the rumour, but more in the people who believed the rumour without trust in the source. And that is where cryptographically secure models of trust comes in. If we are going to continue to be coherent in our future virtual world, we are going to have to "filter out" information which originates from sources which we do not have a cryptographic web of trust to. Does this make any sense? -Thomas (I'm not signing this message on purpose ;) From chaos at aql.gatech.edu Wed Jul 21 23:39:57 1993 From: chaos at aql.gatech.edu (Paul Goggin) Date: Wed, 21 Jul 93 23:39:57 PDT Subject: your mail In-Reply-To: <199307220613.AA11756@rac3.wam.umd.edu> Message-ID: <9307220636.AA26597@toad.com> Thomas thus said: >And that is where cryptographically secure models of trust comes in. >If we are going to continue to be coherent in our future virtual world, >we are going to have to "filter out" information which originates from >sources which we do not have a cryptographic web of trust to. I understand the predictament and security that it entails. However, I am not sure as I understand you, that this is a good solution. Let's say if everyone jumps on the cryptographic bandwagon, how does the web of trust help out the end user who's feelings have been hurt? Or if the user is not in the web of trust does that eliminate their information from the field? Sorry, its late and I probably should'nt post but what the hell. Probably get flamed in the morning. >Does this make any sense? I decided for about 2 weeks to accept only PGP messages as authenticated, so to speak -- and it sucked even friends that have PGP and such would not go in for the idea of a total security blanket. Just my .02, probably give another .02 in the next 12 hours. Paul -- R O All Comments Copyright by | Technofetisht A N Paul S. Goggin (1993) | Cypher, Cyber, Chaos V Information Broker | Ergoflux, Interzone E chaos at aql.gatech.edu | Carpe Diem: Stop the Clipper wiretap chip Finger account for latest _Phrack_ | Public Key: PGP and RIPEM available For anonymous communication:---> anonymus+4744 at charcoal.com ------------------------------------------------------------------------------ Title 18 USC 2511 and 18 USC 2703 Protected -- Monitoring Absolutely Forbidden From chaos at aql.gatech.edu Wed Jul 21 23:54:58 1993 From: chaos at aql.gatech.edu (Paul Goggin) Date: Wed, 21 Jul 93 23:54:58 PDT Subject: Webs Message-ID: <9307220654.AA26888@toad.com> Thomas thus said: >And that is where cryptographically secure models of trust comes in. >If we are going to continue to be coherent in our future virtual world, >we are going to have to "filter out" information which originates from >sources which we do not have a cryptographic web of trust to. I understand the predictament and security that it entails. However, I am not sure as I understand you, that this is a good solution. Let's say if everyone jumps on the cryptographic bandwagon, how does the web of trust help out the end user who's feelings have been hurt? Or if the user is not in the web of trust does that eliminate their information from the field? Sorry, its late and I probably should'nt post but what the hell. Probably get flamed in the morning. >Does this make any sense? I decided for about 2 weeks to accept only PGP messages as authenticated, so to speak -- and it sucked even friends that have PGP and such would not go in for the idea of a total security blanket. Just my .02, probably give another .02 in the next 12 hours. Paul -- R O All Comments Copyright by | Technofetisht A N Paul S. Goggin (1993) | Cypher, Cyber, Chaos V Information Broker | Ergoflux, Interzone E chaos at aql.gatech.edu | Carpe Diem: Stop the Clipper wiretap chip Finger account for latest _Phrack_ | Public Key: PGP and RIPEM available For anonymous communication:---> anonymus+4744 at charcoal.com ------------------------------------------------------------------------------ Title 18 USC 2511 and 18 USC 2703 Protected -- Monitoring Absolutely Forbidden From vivisect at u.washington.edu Thu Jul 22 10:30:39 1993 From: vivisect at u.washington.edu (Dwayne Campogan) Date: Thu, 22 Jul 93 10:30:39 PDT Subject: setting up a mailing list? Message-ID: <9307221726.AA07874@hardy.u.washington.edu> I have been looking for information or a FAQ for setting up a mailing list of my own.. I would like to compose a list that used PGP encryption by default supported a key-server swap like enviorment with online extraction of specific keys, as the server lists are huge and PGP's extract and sort routines often do not work on them and when they do take quit long.. information and direction needed, recommended, and thnaked for.. -Paris From chaos at aql.gatech.edu Thu Jul 22 11:11:24 1993 From: chaos at aql.gatech.edu (Paul Goggin) Date: Thu, 22 Jul 93 11:11:24 PDT Subject: setting up a mailing list? In-Reply-To: <9307221726.AA07874@hardy.u.washington.edu> Message-ID: <9307221811.AA08590@toad.com> Paris, >I have been looking for information or a FAQ for setting up a mailing >list of my own.. I don't know of a FAQ, does anybody else? >information and direction needed, recommended, and thnaked for.. I know there exist many variants of mailers today, but the major packages I have heard of are "Major Domo" and several varietiest of "Listserver." You can archie for the various sites. As to public key usage, I have little experience with these programs and some other people on the list could answer far more adequately than I -- my initial feeling is are going to hack on the programs a bit. Paul -- R O All Comments Copyright by | Technofetisht A N Paul S. Goggin (1993) | Cypher, Cyber, Chaos V Information Broker | Ergoflux, Interzone E chaos at aql.gatech.edu | Carpe Diem: Stop the Clipper wiretap chip Finger account for latest _Phrack_ | Public Key: PGP and RIPEM available For anonymous communication:---> anonymus+4744 at charcoal.com ------------------------------------------------------------------------------ Title 18 USC 2511 and 18 USC 2703 Protected -- Monitoring Absolutely Forbidden From baumbach at atmel.com Thu Jul 22 14:50:10 1993 From: baumbach at atmel.com (Peter Baumbach) Date: Thu, 22 Jul 93 14:50:10 PDT Subject: forged mail Message-ID: <9307222111.AA04163@bass.chp.atmel.com> I only have access to an email connection to the internet, so I cannot test a method of forging mail that I learned. Is this a taboo topic? It seems it would be useful for anonomous mailers. Give me the go ahead, and I'll continue...tomorrow. I'm done for the day. Peter Baumbach baumbach at atmel.com From warlord at MIT.EDU Thu Jul 22 15:15:11 1993 From: warlord at MIT.EDU (Derek Atkins) Date: Thu, 22 Jul 93 15:15:11 PDT Subject: forged mail In-Reply-To: <9307222111.AA04163@bass.chp.atmel.com> Message-ID: <9307222213.AA26650@toxicwaste.MEDIA.MIT.EDU> No, forging e-mail is not a taboo topic, but then again it doesn't buy you anything if you're up against a smart person. If you just forge mail to me, most likely I can track you down to at LEAST the machine you forged it from! If you go through a remailer, then it strips the headers off, so its not a problem. But there is no reason to need to forge a message to a remailer since it hides your identity in the first place. That's its job. -derek From karn at qualcomm.com Thu Jul 22 16:21:32 1993 From: karn at qualcomm.com (Phil Karn) Date: Thu, 22 Jul 93 16:21:32 PDT Subject: forged mail Message-ID: <9307222320.AA00635@servo> You should also bear in mind a fatal mistake that most people make when they forge email. They test it first by sending themselves a forged note! I'm told that when the guilty parties are confronted with the sendmail logs, they usually confess quickly... Phil From ld231782 at longs.lance.colostate.edu Thu Jul 22 17:25:15 1993 From: ld231782 at longs.lance.colostate.edu ( L. Detweiler ) Date: Thu, 22 Jul 93 17:25:15 PDT Subject: FAX on Internet Message-ID: <9307230020.AA02146@longs.lance.colostate.edu> Here's some information on using the Internet to fax messages. This gives me a lot of ideas. First, there was some talk here about encrypting FAXes. Since somebody is already getting the data on the internet, this would be trivial for someone to do here with PGP. Secondly, I don't know if they are using mail or FTP to transmit, but if they converted it to mail we could have `anonymous faxes' by coupling with the cypherpunk remailers (then to a receiver site that supports the FAX service via email reception). Finally, it seems to me that this is the first glimmer of a very massive new market opening up. Maybe the first entrepreneurs in cyberspace will be developing this service. Digital cash will be extremely useful here. So far, no one has told them `no' (`is this legal?' he asks) but I'm sure there's a lot of people that will be mighty upset by all this stellar progress! The problem with services like these is that once they become wildly successful and popular the weasels whine and clamp down. Note the developers are also behind the Internet Radio. Boy, when a universal network is built where commercial activity is not considered some kind of shady taboo, our economy is going to just GO CRAZY and EXPLODE. I'd like to set up a hypertext library with modest transaction charges, and will do so once the opportunity is there (BTW, also heard that Brewster Kahle, major mastermind between WAIS, has formed his own company and is now marketing workstation `electronic printing presses'.) All the elements are there. We're all dressed up and ready to go, with no way to get there! Somebody go and kick your legislator, and phone and cable company reps! - ------- Forwarded message Date: Thu, 22 Jul 1993 07:04:57 -0800 From: farber at central.cis.upenn.edu (David Farber) Subject: actually it is really an experiment and should be viewed as one but .. From: the terminal of Geoff Goodfellow Today's SAN JOSE MERCURY NEWS Business Section had the following front page story (From the New York Times - by John Markoff): "USERS AVOID FAX COSTS WITH INTERNET MESSAGES" The dividing line between paper facsimile documents and electronic mail is vanishing. Thanks to the volunteer efforts of a group of computer network designers, the network of networks known as Internet now permits users to send an e-mail message to be printed out on fax machines at a growing number of sites around the world. Because transmission charges on the Internet are minimal compared with those of the long-distance phone calls normally used for faxes, the system is a cheap way to send faxes across the country or around the world. To use the system, begun this month as an experiment in remote printing, computer mail users include a fax telephone number in the address portion of their message. The message, which may include both text and graphics, will then be automatically routed to a site that has agreed to serve a local geographic ``cell'' for delivery of the fax message. So far, participating regions include all of Japan, Australia, the Netherlands and Ireland, and in the United States, metropolitan Washington, Silicon Valley and parts of the San Francisco Bay area, as well as other pockets of the country. Leading the project is Marshall T. Rose, a computer communications consultant at Dover Beach Consulting in Mountain View, Calif. He has worked with another Internet researcher, Carl Malamud, who has created Internet Talk Radio, a weekly commercial audio program that is distributed internationally and can be played on computer work stations. The fax cell sites are computers on the Internet that are also connected to inexpensive computer-controlled fax modems that can route the files to virtually any fax machine. Each site can designate the size of the area that it will serve - whether an entire city or just the fax machines within a particular company. So far, in keeping with the utopianism that still permeates Internet culture, none of the fax middlemen and -women are charging for their services. Rose noted that the blurring of fax and electronic mail would raise thorny questions. ``Is this global and local bypass of the telephone companies using the Internet?'' he asked rhetorically. ``Is this legal? We need to think about this.'' (Information on Internet Fax Bypass can be obtained by sending a message to tpc-faq at town.hall.org). ------- End of Forwarded Message From ld231782 at longs.lance.colostate.edu Thu Jul 22 17:45:15 1993 From: ld231782 at longs.lance.colostate.edu ( L. Detweiler ) Date: Thu, 22 Jul 93 17:45:15 PDT Subject: PGP progress report Message-ID: <9307230043.AA02655@longs.lance.colostate.edu> A query was made about the Macintosh version of PGP and the bug fixes in 2.3. There was a bug in random number generation routines apparently introduced in a recent version that caused some decrease in security of the process but nothing seriously weakening. The Macintosh version is developed mostly independently of the `official' PGP version and the bug is not present in the 2.3 release. The 2.3a PGP release fixes the bug. PRZ writes, `The security problem was mostly theoretical, not a practical one for most scenarios.' (more information below). Queries were made about the effort to streamline the Macintosh user interface. In general, this has been underway for a long time in slow but consistent progress (the improvement from say 2.1 to 2.2 was significant). In MacPGP 2.3 a new online help system has been added based on Norstadt's excellent Disinfectant code (a system which exceeds the sophistication of many commercial software packages). There is an announcement currently on sci.crypt for the FTP site. All GUI versions of the PGP code are somewhat limited in sophistication by internal organization of PGP code toward the `teletype output' mindset. A major effort is underway to remodularize the code to internally encapsulate algorithms from the input & output (user interface) to make future GUI versions more accessable to programmers, and ultimately with new versions for users. A Windows version is in the works. PGP-RSAREF negotiations are plodding along with J. Berman of EFF as an intermediary. The developers are unsure of the reasons for the slow pace. J. Bidzos is supposed to make a major public announcement on this avenue very soon. Finally, some concern has been raised about bugs in the PGP code. The various developers are aware of the slightly disconcerting quality control on recent versions. One of the most direct ways that PGP users can help improve the quality of the software is to volunteer to beta-test versions on their platform in a timely manner at the release of new versions. Surprisingly few volunteers are available. If you would like to contribute in this area, please send mail to prz at acm.org. Following is information from Z. Fiedorwicz, the MacPGP developer. (Feel free to redistribute my message in its entirety.) ===cut=here=== Date: Wed, 21 Jul 1993 10:08:33 -0500 From: Zbigniew Fiedorowicz Subject: MacPGP 2.3 randseed bug fix There is a small bug in MacPGP 2.2 and MacPGP 2.3 in the handling of the randseed.bin file used in the generation of the random session IDEA keys used to encrypt outgoing messages. (This bug is also present in the Unix and MS-DOS versions.) Due to this bug only the first four bytes of the 24 byte randseed.bin file are ever read into memory. Since MacPGP also uses keyboard and mouse timings to generate random bytes, this does not give rise to any predictability which could easily be exploited for cracking MacPGP messages. While a special bug fix version 2.3a was released for the Unix and MS-DOS versions of PGP, this was necessitated by the presence of several other bugs NOT present in MacPGP 2.3 (eg. verification of clear-signed messages didn't work). Hence NO version 2.3a release of MacPGP is planned. If you are concerned by this bug, you can fix it by hand with ResEdit following the instructions below. The usual precautions when using ResEdit apply: FIRST MAKE A BACKUP COPY OF MACPGP 2.3 The patch: open the CODE 4 using the Hex Editor (under the Resource menu). Then using the Find menu, find the following offsets in CODE 4 and apply the patches indicated: Offset 0005E8 4878 0004 4878 0001 ^^^^ 0018 <--- replace 0004 by 0018 0005F8 5980 4FEF 0010 640A ^^^^ 5180 <--- replace 5980 by 5180 Then choose "Save" under the File menu. Exactly the same instructions apply to MacPGP 2.2 as well. Technical Explanation: The bug is caused by a single line in the open_strong_pseudorandom(byte key[16], byte buf[24]) function in the crypto.c module: if (fread(buf,1,sizeof(buf),f) < sizeof(buf)) /* empty file? */ ^^^^^^^^^^^ ^^^^^^^^^^^ Since buf is an argument to the function, it gets reinterpreted by the C compiler as simply char *buf and hence sizeof(buf) is taken to be 4 instead of 24 as intended. This line of C gets compiled into the following machine/assembly code: 0005E6: 2F0C MOVE.L A4,-(A7) 0005E8: 4878 0004 PEA $0004 0005EC: 4878 0001 PEA $0001 0005F0: 2F2E 000C MOVE.L $000C(A6),-(A7) 0005F4: 4EAD 067A JSR $067A(A5) 0005F8: 5980 SUBQ.L #$4,D0 0005FA: 4FEF 0010 LEA $0010(A7),A7 0005FE: 640A BCC.S *+$000C ; The patch converts this to 0005E6: 2F0C MOVE.L A4,-(A7) 0005E8: 4878 0018 PEA $0018 0005EC: 4878 0001 PEA $0001 0005F0: 2F2E 000C MOVE.L $000C(A6),-(A7) 0005F4: 4EAD 067A JSR $067A(A5) 0005F8: 5180 SUBQ.L #$8,D0 0005FA: 4FEF 0010 LEA $0010(A7),A7 0005FE: 640A BCC.S *+$000C ; which corresponds to if (fread(buf,1,24,f) < 8) This is of course still not quite right, but unfortunately there is no SUBQ.L #24,D0 instruction. (SUB.L #24,D0 is a 4 byte instruction which would mess up relative offset references all over CODE 4.) However the chances of this causing any problem are extremely small. From UCX_SMTP at crc.monroecc.edu Thu Jul 22 18:01:32 1993 From: UCX_SMTP at crc.monroecc.edu (UCX_SMTP at crc.monroecc.edu) Date: Thu, 22 Jul 93 18:01:32 PDT Subject: No Subject Message-ID: <9307220326.AA23297@emory.mathcs.emory.edu> ---- Transcript of session follows ---- 196608 %NONAME-W-NOMSG, Message number 00000000 -SYSTEM-S-NORMAL, normal successful completion ---- Unsent message follows ---- Received: from toad.com by relay2.UU.NET with SMTP (5.61/UUNET-internet-primary) id AA06943; Wed, 21 Jul 93 23:22:44 -0400 Received: by toad.com id AA21927; Wed, 21 Jul 93 19:16:03 PDT Received: by toad.com id AA21680; Wed, 21 Jul 93 19:02:20 PDT Received: from decwrl.UUCP by toad.com id AA21676; Wed, 21 Jul 93 19:02:19 PDT Received: by uucp-gw-2.pa.dec.com; id AA18750; Wed, 21 Jul 93 19:00:31 -0700 Received: from emory.UUCP by merlin.gatech.edu with UUCP id AA03218 (5.65c/IDA-1.4.4 for decvax!decwrl!hoptoad!CYPHERPUNKS); Wed, 21 Jul 1993 21:36:21 -0400 Received: from indigo.UUCP by emory.mathcs.emory.edu (5.65/Emory_mathcs.3.4.11) via UUCP id AA16552 ; Wed, 21 Jul 93 21:27:59 -0400 Resent-Message-Id: <9307220127.AA16552 at emory.mathcs.emory.edu> Received: by indigo.mese.com (DECUS UUCP /2.0/2.0/2.0/); Wed, 21 Jul 93 21:25:09 EDT Resent-Date: Wed, 21 Jul 1993 21:21:26 EDT Resent-From: Resent-To: Received: by INDIGO.MESE.COM (MX V3.1) with UUCP; Wed, 21 Jul 1993 21:21:18 EDT Received: from relay2.UU.NET by emory.mathcs.emory.edu (5.65/Emory_mathcs.3.4.11) via SMTP id AA12591 ; Wed, 21 Jul 93 20:34:47 -0400 Received: from toad.com by relay2.UU.NET with SMTP (5.61/UUNET-internet-primary) id AA14330; Wed, 21 Jul 93 20:31:29 -0400 Received: by toad.com id AA18642; Wed, 21 Jul 93 16:09:44 PDT Received: by toad.com id AA18609; Wed, 21 Jul 93 16:07:26 PDT Return-Path: Received: from gvls1.VFL.Paramax.COM ([128.126.220.104]) by toad.com id AA18605; Wed, 21 Jul 93 16:07:15 PDT Received: from lock60.UUCP by gvls1.VFL.Paramax.COM (4.1/mls/4.0) id AA04653; Wed, 21 Jul 93 19:07:13 EDT X-Info: VFL.Paramax.COM is the new name for GVL.Unisys.COM Please change any mailing lists or aliases. Both the old and the new addresses will work for a short time. Received: by lock60.Canal.Org (smail2.5) id AA16551; 21 Jul 93 18:50:24 EDT (Wed) Received: by snark.thyrsus.com (/\==/\ Smail3.1.21.1 #21.19) id ; Wed, 21 Jul 93 14:56 EDT Received: by boojum.uucp (Smail3.1.28.1 #2) id m0oIiVK-000BQZC; Wed, 21 Jul 93 14:03 EDT Message-Id: From: Subject: FAQ, round 2 To: boojum!cypherpunks at uunet.uu.net Date: Wed, 21 Jul 93 14:03:02 EDT X-Mailer: ELM [version 2.3 PL11] I've written some more material for it. Criticisms and additions welcome. --- DRAFT VERSION ---- DRAFT VERSION ---- DRAFT VERSION ---- DRAFT VERSION --- From: esr at snark.thyrsus.com (Eric S. Raymond) Newsgroups: news.answers Followup-To: poster This is the Cypherpunks FAQ. It explains the projects and purposes of the Cypherpunks mailing list. It is also intended to serve as a general introduction to privacy and encryption issues. For details on the technical and theoretical aspects of computer cryptography, see the sci.crypt FAQ, available for FTP from rtfm.mit.edu (18.172.1.27) in the directory pub/usenet-by-group/sci.crypt. The cypherpunks archive is available for FTP at soda.berkeley.edu:pub/cypherpunks This site contains code, information, rants, and other miscellany, including the most up-to-date version of this FAQ. This FAQ is maintained by Eric S. Raymond ; send additions and corrections to that address. Sections contributed by others are credited to individual authors. We gratefully acknowledge, in addition, feedback and comments from David Mandl and Eric Hughes . Here is a table of contents for this FAQ: 1. Why cypherpunks? 2. What are the essentials of privacy software? a. Public-key cryptosystems for secure communication. b. Unforgeable electronic signatures for message authentication. c. DC-net or similar protocols to thwart spoofing. 3. What are the potential applications of good privacy software? a. Secure communications. b. Digital cash. c. Electronic voting. d. Electronic contracts. e. Secure anonymous remailers and posters. f. 4. What are the key algorithms, tools, and implementations for privacy software? a. RSA b. DES c. Clipper/Capstone/DSS d. PGP e. Possible non-RSA trapdoor functions. 5. What are the social and political implications of good privacy software? a. Drastically lower transaction costs for trade. b. Expansion of the counter-economy. c. Disempowerment of government. d. Anonymity for whistleblowers. 6. What are the legal, political, and technical obstacles? a. The Clipper/Capstone/DSS power grab. b. The RSA patent and the PGP/RSA fight. c. RSA's base problem may not be NP-complete. 7. What can I do to help? a. Work on cryptographic software. b. Agitate against the Clipper/Capstone/DES proposals. c. Promote the use of encrypted communication. To join the cypherpunks mailing list, send a request to: cypherpunks-request at toad.com Working with us could be your best shot at stopping Big Brother. So if you have skills to contribute, act now. The freedom you save could be your own. 1. Why cypherpunks? Because privacy is essential to freedom. If the government (or any other oppressor that behaves like one) can effectively monitor communications, it can control or suppress them. And it will do so, because the natural tendency of controllers is always to seek more control. The government cannot be relied on to protect your privacy rights. Nor can anyone else --- certainly not your employer, or the corporations that want to know all about you so they can sell you things. Given half the chance, governments and corporations will always push for security standards that protect *them*, but not *you*. Computer technology can help protect you against would-be snoopers, but only if somebody is sufficiently smart and dedicated to build the tools. The Cypherpunks list exists to build and propagate privacy software. Our aim is to give you the tools to keep your private information private, and to communicate with other people and computers in ways snoopers cannot tap. 2. What are the essentials of privacy software? a. Public-key cryptosystems for secure communication. A conventional cryptosystem consists of an encoding/decoding method and a single key. Two users who share a key can exchange private messages. A public-key cryptosystem uses a *pair* of keys; one private, one public. Anyone with either key can decode messages encoded with the other. For privacy, it must be impossible (or at least impractical) to deduce the private key from the public one. Public-key cryptosystems imply many exciting things --- unforgeable electronic signatures, digital cash, and secure electronic contracts are among them. The basic idea behind all of these is that, as long as your private key is secure, people can verify that an encoded message containg known text came from you by decoding with your public key. In the remainder of this FAQ we use `PKC' as an abbreviation for `Public Key Cryptosystem'. The best-known PKCs are the RSA system, the Federal Government's DES standard, and the government's Clipper proposal. We'll discuss these, and others, in more detail below. b. Unforgeable electronic signatures for message authentication. There are many circumstances in which you want to be able to check a public clear-text message for tampering. To do this, the message must contain a `digital signature' or `message digest code' or `message hash' derived from its clear text, which can be checked against the clear text by a receiver. For security, the message hash should have the property that no one knows how to modify a message in a way that preserves its hash. PKCs give you unforgeable signatures as a side-effect. Unfortunately, known PKCs are too slow to use practically for message hashing. Thus, there is a separate category of `Digital Signature Systems'. The three major DSS techniques are Snefru, MD5, and DSS. Snefru, invented by Ralph Merkle at Xerox PARC, is of historical interest only as it has been broken. MD5 is described in Internet RFC 1321, which also gives a reference implementation in C. As of July 1993 it is believed to be secure, but has not been *proved* to be secure. DSS is a Federal Government proposed standard associated with the Clipper proposal. c. DC-net or similar protocols to thwart spoofing. 3. What are the potential applications of good privacy software? a. Secure communications. With a PKC, you can send a message that no one but the intended receiver can decrypt by encoding it with the receiver's public key. If you encode it with *your* public key, the receiver can verify that it came from you. This means that it is possible to do secure communications even over public channels. Neither nosy neighbors, business competitors, nor the government or any (other) criminal gang can interfere with it. b. Digital cash. Unforgeable messages also imply digital cash. You could use a PKC to send to the receiver a code permitting them to draw a particular amount of money from your bank account. The bank, with access to both yours and the payee's public keys, can verify that the order is genuine. This means that it is possible to do trade over electronic links, without any part trusting any other party beyond the bounds of normal commercial risk. c. Electronic voting. Unforgeable messages also imply secure electronic voting. If you encode your voting form with a PKC, the vote-collecting authority can verify it with your public key. d. Electronic contracts. If two or more people encode known text with their private keys applied in succession, all their public keys will be required to decode it. This is an unforgeable contract. Furthermore, it is an unforgeable *private* contract. e. Secure anonymous remailers and posters. 4. What are the key algorithms, tools, and implementations for privacy software? a. RSA RSA stands for `Rivest-Shamir-Adelson', the names of the three computer scientists who developed the technique. RSA has withstood determined attacks for over a decade and is widely believed to be secure. It has been proposed as an Internet standard. The RSA technique is patented. The patents are held by RSA, Inc. . An implemenation in C called RSAREF is available for research and certain noncommercial uses. b. DES c. Clipper/Capstone/DSS d. PGP e. Possible non-RSA trapdoor functions. 5. What are the social and political implications of good privacy software? a. Drastically lower transaction costs for trade. b. Expansion of the counter-economy. c. Disempowerment of government. d. Anonymity for whistleblowers. 6. What are the legal, political, and technical obstacles? a. The Clipper/Capstone/DSS power grab. b. The RSA patent and the PGP/RSA fight. c. RSA's base problem may not be NP-complete. 7. What can I do to help? a. Work on cryptographic software. b. Agitate against the Clipper/Capstone/DES proposals. c. Promote the routine use of encrypted communication. You can help spread PGP and other appropriate tools far and wide (both to help get a better foothold to thwart the Clipper proposal and its ilk, and to work towards making crypto as commonplace as envelopes). --- DRAFT VERSION ---- DRAFT VERSION ---- DRAFT VERSION ---- DRAFT VERSION --- -- >>eric>> From markh at wimsey.bc.ca Thu Jul 22 19:30:15 1993 From: markh at wimsey.bc.ca (Mark C. Henderson) Date: Thu, 22 Jul 93 19:30:15 PDT Subject: PGP progress report Message-ID: > > PGP-RSAREF negotiations are plodding along with J. Berman of EFF as > an intermediary. The developers are unsure of the reasons for the slow > pace. J. Bidzos is supposed to make a major public announcement on > this avenue very soon. This is good news. I believe I've managed to overcome the legal obstacles to RSAREF+GNU MP. This is of interest because PGP+RSAREF+GNU MP is actually considerably faster than PGP on a number of platforms (at least Sun Sparc, IBM RS6000, 80486 Linux). Mark (for those who are interested, overcoming the obstacles involved my writing a public domain implementation of a subset of the functionality of libgmp with the same interface. The subset is, in fact, pretty much what you want to do RSA, LUC &c. My free code is slower than GNU gmp, but it is functional. For more details, see the last few weeks of gnu.misc.discuss). -- Mark Henderson markh at wimsey.bc.ca (personal account) RIPEM key available by key server/finger/E-mail MD5OfPublicKey: F1F5F0C3984CBEAF3889ADAFA2437433 From hughes at soda.berkeley.edu Thu Jul 22 19:40:16 1993 From: hughes at soda.berkeley.edu (Eric Hughes) Date: Thu, 22 Jul 93 19:40:16 PDT Subject: REMAIL: replying to cp-remailed messages In-Reply-To: <9307090322.AA03678@jobe.shell.portal.com> Message-ID: <9307230235.AA26480@soda.berkeley.edu> >We might want to think about changing our >remailers to have a non-anonymous remailing command as well as an anonymous >one. This way you could have "local" privacy from any sysop who snoops on >your mail going out, while still making it easy for people to reply to you. There should be a way to do this already. Just as :: does header pasting when a mailer receives a message, so should ## paste headers when a mailer sends a message. Then you just paste in a Reply-To: header field when the message leaves the last remailer. This technique is also useful for Usenet posting, for things like Organization:, etc. Eric From cpsr at access.digex.net Thu Jul 22 20:15:15 1993 From: cpsr at access.digex.net (Dave Banisar) Date: Thu, 22 Jul 93 20:15:15 PDT Subject: more on FBI credit search access In-Reply-To: <9307212319.AA04464@longs.lance.colostate.edu> Message-ID: Sheri is unfortunally mistaken on this issue. There is a pending legislative initiative to allow for easier access to credit records using a national security letter, instead of a warrant. It was approved by the Senate Intelligence Committee last week. This is different from HR175, the initiative to allow for easier access to toll records that the house approved a few months ago. The ACLU, CPSR, PIRG and the US Privacy Council wrote a letter to Sen. Deconcini opposing the provision last week that I will send up tomorrow along with the text of the bill, if I can find it in time. Dave From elee9sf at Menudo.UH.EDU Thu Jul 22 21:05:16 1993 From: elee9sf at Menudo.UH.EDU (Karl Barrus) Date: Thu, 22 Jul 93 21:05:16 PDT Subject: STEG: subliminal messages Message-ID: <199307230404.AA00923@Menudo.UH.EDU> [I'm forwarding mail from Eric which was meant for the list as well] From: Eric Hughes To: elee9sf at Menudo.UH.EDU >An interesting related topic is subliminal channels and messages. A >subliminal channel is one in which communication takes place without >an external observer realizing it. [summary deleted] Gus Simmons has recently written a paper on subliminal channels in the DSA (the one PKP is about to license). The paper as of yet is not officially published, but likely will be at Crypto '93 next month. I've seen a copy of the paper, but don't have a copy. I do, however, remember this one line. "The DSA provides the most hospitable environment for subliminal channels in any system yet seen." (Almost verbatim, but not quite.) Assume this is true. (I believe Simmons, myself.) What might this mean? Suppose some agency of the government makes digital signatures on some certificate for individuals. To take a concrete example, take driver's licenses. The subliminal channel in the signature might be used to encode, say, the following: 1. number of drunk driving convictions 2. number of drunk driving arrests 3. insurance rating 4. whether this person is suspected of habitually a. merchandising narcotics b. carrying large amounts of cash c. looking at child pornography d. wanting to kill police officers e. carrying concealed messages Since the signature itself contains this information, and since the channel is subliminal, the only way to know whether the channel carries data is to see the software. For this reason the DSA should not be used by government agencies to make certificates for individuals. It should be scrapped for this purpose and some other algorithm designed which has a provable upper bound on the subliminal channel of less than one bit. Eric From deboni at diego.llnl.gov Thu Jul 22 22:05:17 1993 From: deboni at diego.llnl.gov (Tom DeBoni) Date: Thu, 22 Jul 93 22:05:17 PDT Subject: Macpgp 2.3 Message-ID: <9307230459.AA07078@diego.llnl.gov> I just fetched macpgp 2.3 from soda, and wound up with a file ending in the suffix "gz". This is a new one on me, and I don't know how to decode it. Can anybody inform me? Inside whatever it is is a binhexed compactor file, and I can deal with those formats, but the outside wrapper defies every decompressing utility I've got. Tom DeBoni deboni at llnl.gov From chaos at aql.gatech.edu Thu Jul 22 22:25:17 1993 From: chaos at aql.gatech.edu (Paul Goggin) Date: Thu, 22 Jul 93 22:25:17 PDT Subject: Macpgp 2.2 In-Reply-To: <9307230459.AA07078@diego.llnl.gov> Message-ID: <9307230524.AA16150@toad.com> Tom thus said, >I just fetched macpgp 2.3 from soda, and wound up with a file ending in >the suffix "gz". This is a new one on me, and I don't know how to decode >it. Can anybody inform me? Inside whatever it is is a binhexed compactor >file, and I can deal with those formats, but the outside wrapper defies >every decompressing utility I've got. This is GNU's zip compression utility. I am not sure if a port to the mac has been made, but the source code is available. However, I have the prog available here at aql.gatech.edu /pub/cypherpunks/pgp/binaries in cpt.hqx format. The source code for gzip is also available in /pub. Hope this helps. Paul -- R O All Comments Copyright by | Technofetisht A N Paul S. Goggin (1993) | Cypher, Cyber, Chaos V Information Broker | Ergoflux, Interzone E chaos at aql.gatech.edu | Carpe Diem: Stop the Clipper wiretap chip Finger account for latest _Phrack_ | Public Key: PGP and RIPEM available For anonymous communication:---> anonymus+4744 at charcoal.com ------------------------------------------------------------------------------ Title 18 USC 2511 and 18 USC 2703 Protected -- Monitoring Absolutely Forbidden From tcmay at netcom.com Thu Jul 22 22:31:36 1993 From: tcmay at netcom.com (Timothy C. May) Date: Thu, 22 Jul 93 22:31:36 PDT Subject: Macpgp 2.3 In-Reply-To: <9307230459.AA07078@diego.llnl.gov> Message-ID: <9307230531.AA12653@netcom5.netcom.com> > > I just fetched macpgp 2.3 from soda, and wound up with a file ending in > the suffix "gz". This is a new one on me, and I don't know how to decode > it. Can anybody inform me? Inside whatever it is is a binhexed compactor > file, and I can deal with those formats, but the outside wrapper defies > every decompressing utility I've got. > > Tom DeBoni "gunzip" does the job. Fortunately for me, Netcom had it installed. Gunzip the file, send it to your home machine (I use "sz"), unstuff it and double-click the .sea file. This compression stuff--pun intended--is getting out of hand. Files are zipped, gzipped, binhexed, stuffed, and made into self-extracting archives! Seriously, I've had several of these associated with just one file. Mostly the compression is a waste, as the Internet already compresses (so I have been told), and for sure when I "sz" the gunzipped file to my home Mac for debinhexing, unstuffing, and self-extracting, my Supra modem has already tried in vain to compress the files for transmission! (I know, by the way, that binhexing is not compression, and that the .sea archives are a way to ship multiple files and folders, but, still....) MacPGP 2.3 is very nice, by the way! A wonderfuly "help" facility, and an even cleaner interface. -Tim -- .......................................................................... Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at netcom.com | anonymous networks, digital pseudonyms, zero 408-688-5409 | knowledge, reputations, information markets, W.A.S.T.E.: Aptos, CA | black markets, collapse of governments. Higher Power: 2^756839 | Public Key: PGP and MailSafe available. Note: I put time and money into writing this posting. I hope you enjoy it. From newsham at wiliki.eng.hawaii.edu Thu Jul 22 22:36:36 1993 From: newsham at wiliki.eng.hawaii.edu (Timothy Newsham) Date: Thu, 22 Jul 93 22:36:36 PDT Subject: Remailers/PayPhones and Today's NYT In-Reply-To: <199307211630.AA03454@access.digex.net> Message-ID: <9307230535.AA16240@toad.com> > > The article mentions that the phones can be problematic > because drug dealers can use them to avoid phone taps, > but it seems to conclude that this is a small price to > pay for bringing the connection to the poor. Most customers > use the service to call their home country and speak to > relatives. This is getting quite irritating. Drug dealers have as much right to use a pay fone as the next person until they are proved guilty in a court of law. > -Peter > From mdiehl at vesta.unm.edu Thu Jul 22 23:50:15 1993 From: mdiehl at vesta.unm.edu (J. Michael Diehl) Date: Thu, 22 Jul 93 23:50:15 PDT Subject: Pgp help. Message-ID: <9307230648.AA11771@vesta.unm.edu> Hi all! I've got YAPP (Yet Another Pgp Problem!) I want to know how people are signing their messages and keeping the message in plaintext. I see the message and the pgp sig on the end. Could someone outline how this is done so I can implement it in my mailing system. BTW, I sure like being able to compose email in WordPerfect.... ;^) +-----------------------+-----------------------------+---------+ | J. Michael Diehl ;-) | I thought I was wrong once. | PGP KEY | | mdiehl at triton.unm.edu | But, I was mistaken. |available| | mike.diehl at fido.org | | Ask Me! | | (505) 299-2282 +-----------------------------+---------+ | | +------"I'm just looking for the opportunity to be -------------+ | Politically Incorrect!" | +-----If codes are outlawed, only criminals wil have codes.-----+ +----Is Big Brother in your phone? If you don't know, ask me---+ From gg at well.sf.ca.us Fri Jul 23 02:26:54 1993 From: gg at well.sf.ca.us (George A. Gleason) Date: Fri, 23 Jul 93 02:26:54 PDT Subject: Remailers/PayPhones and Today's NYT Message-ID: <93Jul23.022610pdt.14662-1@well.sf.ca.us> Re "NY Tel cutting off payphone service in *some areas.*" You can bet those areas are black. You can bet that high up in some corporate office tower, the opinion was voiced, "what the hell do those pickaninnies need phones for anyway?!" Call it Information-Age Apartheid if you wish, you won't be off the mark by much. -gg From honey at citi.umich.edu Fri Jul 23 05:35:25 1993 From: honey at citi.umich.edu (peter honeyman) Date: Fri, 23 Jul 93 05:35:25 PDT Subject: Pgp help. Message-ID: <9307231232.AA21957@toad.com> i use a script, which i call sign, as follows: #!/bin/sh exec pgp -sta +clearsig=on ${1+"$@"} please excuse my unix idioms. peter From mulivor at orion.crc.monroecc.edu Fri Jul 23 05:40:24 1993 From: mulivor at orion.crc.monroecc.edu (mulivor at orion.crc.monroecc.edu) Date: Fri, 23 Jul 93 05:40:24 PDT Subject: Your Input Requested for Article Message-ID: <9307231238.AA22099@toad.com> Hello Cypherpunks; I'm a newspaper journalist now writing a piece for the American Journalism Review (formerly Washington Journalism Review). In case you're not familiar with AJR, it's a mass-circulation monthly magazine that's available at many large newsstands. Journalists in the U.S. consider it a principal source of professional news. My article is tentatively scheduled for publication in the Oct. 93 issue. I am looking for: 1. Examples of how and why anonymous e-mail has been used to communicate with journalists. 2. Your comments concerning anon-mail's role in the future of newsgathering, particularly investigative reporting. I need to receive your comments directly, not posted to this list. Kindly include your telephone and fax numbers. Please do not send me responses containing requests to remain partly or completely off-the-record. I won't be able to use those. The less technical your remarks, the more of them I might be able to use, since the magazine has a non-technical readership. (However, in the interest of interview etiquette and personal disclosure, I'll mention that I have a technical degree and teach computer science part-time at a branch of the State University of New York.) I already have the alt.whistleblowers sizeable FAQ. Please do not cross-post this to any other list. Thank you in advance for your kind cooperation. I will acknowledge every reply that I receive from Cypherpunks. ------------------------------ Philip Mulivor mulivor at orion.crc.monroecc.edu 716 256-2222 voice 716 271-4052 fax From khijol!erc at apple.com Fri Jul 23 08:35:37 1993 From: khijol!erc at apple.com (Ed Carp) Date: Fri, 23 Jul 93 08:35:37 PDT Subject: Remailers/PayPhones and Today's NYT In-Reply-To: <93Jul23.022610pdt.14662-1@well.sf.ca.us> Message-ID: > Re "NY Tel cutting off payphone service in *some areas.*" > > You can bet those areas are black. You can bet that high up in some > corporate office tower, the opinion was voiced, "what the hell do those > pickaninnies need phones for anyway?!" Call it Information-Age Apartheid if > you wish, you won't be off the mark by much. Oh, *bullshit*. Decisions like that are almost always driven by monetary concerns. In this case, the vandalism rate for pay phones in certain areas is too high, so they just pull the phones. It's a statistical fact that vandalism is higher in predominately black areas. -- Ed Carp erc at apple.com 510/659-9560 "Disagreements are not meant to be challenges. They are just a different reality." -- Risa D'Angeles DISCLAIMER: I work for me ... what's it to you? :) From lefty at apple.com Fri Jul 23 09:05:37 1993 From: lefty at apple.com (Lefty) Date: Fri, 23 Jul 93 09:05:37 PDT Subject: Macpgp 2.3 Message-ID: <9307231533.AA10180@internal.apple.com> >I just fetched macpgp 2.3 from soda, and wound up with a file ending in >the suffix "gz". This is a new one on me, and I don't know how to decode >it. Can anybody inform me? Inside whatever it is is a binhexed compactor >file, and I can deal with those formats, but the outside wrapper defies >every decompressing utility I've got. It's compressed with the gnu utility gzip, as Tim May and Paul Goggin have pointed out. However, as they failed to mention, soda at least will decompress .gz files on the fly. If you want to pull down the file "xxxx.yyyy.gz", issue the command "get xxxx.yyyy" (i.e. leave off the .gz suffix) and soda will unzip it for you as it ftp's it down. -- Lefty (lefty at apple.com) C:.M:.C:., D:.O:.D:. From any at uu4.psi.com Fri Jul 23 11:06:58 1993 From: any at uu4.psi.com (any at uu4.psi.com) Date: Fri, 23 Jul 93 11:06:58 PDT Subject: local network only? Message-ID: <9307231724.AA00600@hood.sjo.atmel.com> Derek, >mail to me, most likely I can track you down to at LEAST the machine >you forged it from! I don't have an account on this machine. The machine doesn't seem to care. Does the machine keep a record of this letter, I don't know? I'm using the command mconnect on a sun system. It asks me who I am, and then trusts me when I tell it! I have even told it I was ROOT, and it filled in "Operator" from the local passwd file! Is this security so lax because I am on a local area network unconnected to the Internet? Does anyone know? mconnect even gives me help if I ask it! I didn't mail this, not me From warlord at MIT.EDU Fri Jul 23 11:40:39 1993 From: warlord at MIT.EDU (Derek Atkins) Date: Fri, 23 Jul 93 11:40:39 PDT Subject: local network only? In-Reply-To: <9307231724.AA00600@hood.sjo.atmel.com> Message-ID: <9307231839.AA28473@toxicwaste.MEDIA.MIT.EDU> > I don't have an account on this machine. The machine doesn't seem to care. > Does the machine keep a record of this letter, I don't know? You don't need an account on the machine, but I can still tell that you came through amtel.com, and most likely originated from the machine "bass", but I can't be sure about that. Yes, machines do keep logs of all mail transactions, so I could theoretically track down that message. It's not difficult. Granted, it would probably take me some time to track this down truely, although I know that you do get the cypherpunks list in some fashion, so I can recursively track down everyone on the cypherpunks list until I find you. (I'm not going to do that, since its not worth my time, but it's possible!) Yes, using the "mconnect" command will let you type anything you want. Like I said, forging e-mail is trivial, but it down't buy you anything. There are always logs at some point! -derek From composer at Beyond.Dreams.ORG Fri Jul 23 12:00:39 1993 From: composer at Beyond.Dreams.ORG (Jeff Kellem) Date: Fri, 23 Jul 93 12:00:39 PDT Subject: local network only? In-Reply-To: <9307231724.AA00600@hood.sjo.atmel.com> Message-ID: <9307231902.AA00300@Beyond.Dreams.ORG> On the cypherpunks mailing list, Peter (it seems :) forged... ;-) > Derek Atkins wrote... > >mail to me, most likely I can track you down to at LEAST the machine > >you forged it from! > > I don't have an account on this machine. The machine doesn't seem to care. So, you don't have an account on bass.sjo.atmel.com? And, you wouldn't, by chance, have a first name of Peter, would you? :) [Only the machine name was gotten from your mail message.] > I didn't mail this, > not me Of course not. ;-) Just don't believe that simple forged mail is totally untraceable, at least to the machine you forged it from. FYI... -jeff Jeff Kellem Internet: composer at Beyond.Dreams.ORG From lefty at apple.com Fri Jul 23 12:16:58 1993 From: lefty at apple.com (Lefty) Date: Fri, 23 Jul 93 12:16:58 PDT Subject: INTERNATIONAL ENCRYPTION Message-ID: <9307231753.AA12197@internal.apple.com> Sandy Sandfort writes: >Geoff Dale asks about statutes prohibiting the transmission of >encrypted data across international boundaries. To the best of >my knowledge, there's no such animal. If such exists, it is >widely violated, with impunity, by me and folks I know, on a >regular basis. Au contraire, I am certain that France has restrictions on the transmission of encrypted data within its borders. I believe Brazil does as well. >Where do these urban legends come from? Umm, many of them are based on fact? -- Lefty (lefty at apple.com) C:.M:.C:., D:.O:.D:. From shipley at tfs.COM Fri Jul 23 12:30:39 1993 From: shipley at tfs.COM (Peter Shipley) Date: Fri, 23 Jul 93 12:30:39 PDT Subject: local network only? In-Reply-To: <9307231839.AA28473@toxicwaste.MEDIA.MIT.EDU> Message-ID: <9307231927.AA08706@edev0.tfs.com.TFS> > >Yes, using the "mconnect" command will let you type anything you want. >Like I said, forging e-mail is trivial, but it down't buy you >anything. There are always logs at some point! > btw: mconnect is the same as the command: telnet smtp From bobi at vswr.sps.mot.com Fri Jul 23 13:06:59 1993 From: bobi at vswr.sps.mot.com (Bob Izenberg) Date: Fri, 23 Jul 93 13:06:59 PDT Subject: Remailers/PayPhones and Today's NYT In-Reply-To: Message-ID: <9307232002.AA19450@vswr.sps.mot.com> Ed Carp wrote: # Decisions like that are almost always driven by monetary concerns. Sounds like a perfect discussion to continue in email. :-) Bob -- ============================================================================== Bob Izenberg voice phone: 512-891-8680 Motorola RISC Software bobi at vswr.sps.mot.com ============================================================================== From pbreton at cs.umb.edu Fri Jul 23 13:15:40 1993 From: pbreton at cs.umb.edu (Peter Breton) Date: Fri, 23 Jul 93 13:15:40 PDT Subject: forged mail In-Reply-To: <9307222213.AA26650@toxicwaste.MEDIA.MIT.EDU> Message-ID: > you anything if you're up against a smart person. If you just forge > mail to me, most likely I can track you down to at LEAST the machine > you forged it from! ....but a smart person can ensure that you can't track him down FARTHER than the machine he forged it from (without extraordinary aid, like access to the site's sendmail logs). > If you go through a remailer, then it strips the headers off, so its > not a problem. But there is no reason to need to forge a message to a > remailer since it hides your identity in the first place. That's its > job. Actually, forging mail at the machine you're on en route to the remailer protects you against: 1) Anyone who can snoop the message headers on the way to the remailer ("Tra la la. Let's keep a little list of everyone using those remailers...") 2) A corrupt remailer operator. I'm assuming you send from a fairly large organization. Then even though they can find out which machine originated the message, one can't determine which of the users (and there may be more than 100) originated the message. Plausible deniability. Peter (NOT the one who allegedly forged mail from bass.sco.atmel.com ;-) From fnerd at smds.com Fri Jul 23 16:20:47 1993 From: fnerd at smds.com (FutureNerd Steve Witham) Date: Fri, 23 Jul 93 16:20:47 PDT Subject: Macpgp 2.2 Message-ID: <9307232314.AA09474@smds.com> > However, I have the prog > available here at aql.gatech.edu /pub/cypherpunks/pgp/binaries in cpt.hqx > format. The source code for gzip is also available in /pub. > > Hope this helps. > > A N Paul S. Goggin (1993) | Cypher, Cyber, Chaos > E chaos at aql.gatech.edu | Carpe Diem: Stop the Clipper wiretap chip Thanks, but a) BINARIES? b) who are these binaries PGP-signed by? c) what program do I use to verify the signature(s)? I do mean the thanks. Just wondering. -fnerd quote me From chaos at aql.gatech.edu Fri Jul 23 17:52:16 1993 From: chaos at aql.gatech.edu (Paul Goggin) Date: Fri, 23 Jul 93 17:52:16 PDT Subject: Macpgp 2.2 In-Reply-To: <9307232314.AA09474@smds.com> Message-ID: <9307240051.AA29998@toad.com> fnerd formulates: >> However, I have the prog >> available here at aql.gatech.edu /pub/cypherpunks/pgp/binaries in cpt.hqx >> format. The source code for gzip is also available in /pub. >Thanks, but > a) BINARIES? > b) who are these binaries PGP-signed by? > c) what program do I use to verify the signature(s)? If you look in this directory you will find pgp sigs for the files by the uploading individuals. I do not have access to every type of computer, thus I queried on cypherpunks approximately 5 weeks (I think) for binary submissions. The unix versions have individual sigs as you can see, as to the dos, this is the original shipping material, I have not looked inside since I rely on Unix myself. The Mac version was picked up from soda.berkeley.edu, as I understand it sigs are included within the compactor pro archive. The os2 version is in the same boat as dos. As for the amiga version, I am at a loss I do not have access to an amiga, but viewing the archive a signature is apparently not attached. I will try to find out who I received the file from as I currently do not remember. I would like everyones opinion though. I thought that offering binaries from sources I considered secure was a good idea. I understand the inherent danger in not compiling the source yourself, but.... not everyone knows how to compile. What is the list's opinion. Is this a bad idea? Improper? Paul -- R O All Comments Copyright by | Technofetisht A N Paul S. Goggin (1993) | Cypher, Cyber, Chaos V Information Broker | Ergoflux, Interzone E chaos at aql.gatech.edu | Carpe Diem: Stop the Clipper wiretap chip Finger account for latest _Phrack_ | Public Key: PGP and RIPEM available For anonymous communication:---> anonymus+4744 at charcoal.com ------------------------------------------------------------------------------ Title 18 USC 2511 and 18 USC 2703 Protected -- Monitoring Absolutely Forbidden From eichin at paycheck.cygnus.com Fri Jul 23 19:05:53 1993 From: eichin at paycheck.cygnus.com (Mark W. Eichin) Date: Fri, 23 Jul 93 19:05:53 PDT Subject: Macpgp 2.3 In-Reply-To: <9307230531.AA12653@netcom5.netcom.com> Message-ID: <9307231610.AA03543@paycheck.cygnus.com> >> one file. Mostly the compression is a waste, as the Internet already >> compresses (so I have been told), and for sure when I "sz" the You have been mislead; while Usenet News feeds are sometimes compressed, Internet connections in general are not. I have a citation of a paper somewhere (mentioned on the com-priv mailing list) which (if I recall correctly) said that less than 1/3 of the traffic over the NSFnet backbone used any kind of compression... >> compresses (so I have been told), and for sure when I "sz" the The compression is only *partly* for the benefit of reduced transmission time -- more often files at ftp sites are compressed to save disk space at the ftp site, and possibly to reduce ftp transit time to remote sites. (That said, there are some versions of ftpd, namely the wuarchive one, that given a foo.Z if you request foo it will automatically decompress it for you in case you don't have compress; I think the same support for gzip exists (is trivial in any case), though I don't know if many sites have it installed. _Mark_ ... just me at home ... From nowhere at bsu-cs.bsu.edu Fri Jul 23 20:45:53 1993 From: nowhere at bsu-cs.bsu.edu (Chael Hall) Date: Fri, 23 Jul 93 20:45:53 PDT Subject: Encrypted communications with phone and PC Message-ID: <9307240345.AA00738@bsu-cs.bsu.edu> I am about 300 messages behind on the list because I'm dialing in long- distance right now, but I just happened to think of something because it is related directly to my work... I install and debug voice mail systems all the time that run on 286's, 386's or 486's and can run up to 24 telephone lines on a single computer *at full speed*. The analog signal gets digitized by the voice board, compressed, and stored on disk whenever a person leaves a message. What if an extra step were added where the information were encrypted before being written to disk and it took the receiver entering his PGP key on the PC before it would play the messages to him? Then, if this works, the user on each end could use a computer with a voice board in it and dial into one port while an encrypted/scrambled session is being transmitted on another port. Who knows how real-time it would be and I don't have the technical expertise to pull it off, but I see these things go out of our office every day with little security other than that of obscurity on them. One note, though, the voice boards that we use (high quality) cost anywhere from $800 for a repaired one to $1000 for the one I like the best to $1200 for a different brand that we also sell. Neither voice mail software vendor is willing to give us the super-secret security code that unlocks full system access, so I seriously doubt if I could scare any source out of them. Anyway, it is a thought and now that I have my own voice board to play with I might just try to piece together some interesting software. Chael -- Chael Hall nowhere at bsu-cs.bsu.edu, 00CCHALL at BSUVC.BSU.EDU, chall at bsu.edu (317) 776-4000 from 8 am - 5 pm CST From banisar at washofc.cpsr.org Fri Jul 23 20:47:31 1993 From: banisar at washofc.cpsr.org (Dave Banisar) Date: Fri, 23 Jul 93 20:47:31 PDT Subject: Credit Reports and NS Message-ID: <00541.2826315450.4450@washofc.cpsr.org> Credit Reports and NS Here is the letter opposing the provision to allow for easier access to credit reports. As you can guess, the Senate Intelligence Committee (which generally acts as the biggest supporter of the agencies on the Hill) did not address our concerns at all and approved the provision. I was unable to easily find the actualy text but will get it after I come back from vacation. Dave July 12, 1993 The Honorable Dennis Deconcini Chairman Senate Select Committee on Intelligence United States Senate SH-211 Hart Senate Office Building Washington, DC 20510-6475 Dear Chairman DeConcini; We are writing to voice our strong opposition to the Administration's legislative proposal to amend the Fair Credit Reporting Act (FCRA) to allow the Federal Bureau of Investigation (FBI) to obtain consumer credit reports in foreign counterintelligence cases. The FBI seeks a national security letter exemption to the FCRA to obtain personal information from consumer reporting agencies without a subpoena or court order. A national security letter gives the FBI the authority to obtain records without judicial approval and without providing notice to the individual that his or her records have been obtained by the Bureau. Similar FBT proposals were rejected in previous years after Congressional leaders expressed concern over the civil liberties issues raised. Although the current draft proposal is more comprehensive than those circulated in previous years, the changes and additions do not alter significantly the central character of the proposal. The Administration's 1993 proposal includes explicit limits to'dissemination of obtained information within the goverrment, penalties for violations including punitive damages, and reporting requirements. These provisions are positive changes from the legislation put forward in previous years, but they do not save the proposal from its intrinsic flaws. Therefore, the reasons for our fundamental opposition to the current proposal remain the same: 1) the FBI has not demonstrated a compelling need for access to consumer credit reports; and 2) legislation that implicates civil liberties should be addressed separately and not as part of the authorization process. There are only two instances in which Congress has authorized the FBI, in counterintelligence investigations, to obtain information about individuals pursuant to a national security letter but without a subpoena, search warrant or court order. First, the Electronic Communications Privacy Act (ECPA) of 1986 included a provision requiring common carriers to disclose subscriber information and long distance toll records to the FBI in response to a national security letter. Second, congress included in the 1987 Intelligence Authorization Act an amendment to the Right to Financial Privacy Act (RFPA) that requires banks to provide customer records to the FBI in response to a similar letter. In that case, the FBI presented to Congress its case for obtaining financial records in foreign counter- intelligence cases and the difficulty of obtaining those records without a court order. in both instances when congress has previously authorized the national security letter, Congress recognized that the procedure departs dramatically from the procedure necessary to obtain a court order. The FBI's current proposal seeks similar access to individuals' credit records held by consumer reporting companies. The FBI has yet to adequately justify its need to add such highly personal, sensitive information to the narrow category of records subject to the national security letter exemption. The Bureau claims obtaining credit reports will allow it to more easily determine where a subject of an investigation banks -- information the FBI claims will help them effectuate their ability to access bank records under the RFPA. We opposed the national security letter exemption in the RFPA and do not endorse the FBI's slippery slope approach to ensuring that they can more easily obtain financial information in foreign counterintelligence cases. This information can be and is routinely gained without credit reports. We do not believe convenience is a sufficient justification for this significant exception to the law. The FBI further argues that obtaining banking information through a credit report is preferred because it is actually leas intrusive than those investigative methods that would otherwise be used. While we too are frustrated that other information- gathering techniques are frequently too intrusive, our objections to the other techniques do not lead us to endorse yet another technique that is also intrusive and that weakens existing privacy law. Finally, we object to using the authorization process as the vehicle for pursuing this change. The national security latter exemption, because it diminishes the due process and privacy protections for individuals, must be given the most careful consideration. The FBI's proposal should be introduced as separate legislation on which public hearings can be held. only in this way can the Committee test thoroughly the FBI's case for the exemption and hear from witnesses who object to the change. We urge you to reject the FBI's proposal in its current form. We are available to work with you on this issue. Sincerely, Janiori Goldman Michelle Meier Privacy and Technology Project Consumers Union American civil Liberties Union Marc Rotenberg Evan Hendricks Computer Professionals for U.S. Privacy Council Social Responsibility cc: Members, Senate Select Committee on Intelligence The Honorable George J. Mitchell Senate Majority Leader The Honorable Donald W. Riegle, Jr., Chairman Senate Committee on Banking, Housing and Urban Affairs The Honorable Patrick J. Leahy, Chairman Subcommittee on Technology and the Law From karn at qualcomm.com Sat Jul 24 00:17:13 1993 From: karn at qualcomm.com (Phil Karn) Date: Sat, 24 Jul 93 00:17:13 PDT Subject: Credit Reports and NS In-Reply-To: <00541.2826315450.4450@washofc.cpsr.org> Message-ID: <9307240716.AA10145@servo> "national security" - the root password to the Constitution...sigh... Phil From mdiehl at vesta.unm.edu Sat Jul 24 00:25:55 1993 From: mdiehl at vesta.unm.edu (J. Michael Diehl) Date: Sat, 24 Jul 93 00:25:55 PDT Subject: Key Signing Policy. Message-ID: <9307240723.AA08656@vesta.unm.edu> -----BEGIN PGP SIGNED MESSAGE----- Well, I got a lot of good discussion about when to sign someone's key. I have since come up with my own policy on when I will sign a key. Actually, I plagarized much of it from the many good responses I received. If anyone looks at my policy, recognizes their words and objects, please tell me. Otherwise, after about 10 days, I will make my statement a matter of public domain. Also, If you have any comments/questions/additions to my statement, please tell me I hope this will help clear up some of the confusion reguarding when to sign someone's key. Laters. BTW, what do you think of my new sig? ========================+==========================================+ J. Michael Diehl ;^) | Have you hugged a Hetero........Lately? | mdiehl at triton.unm.edu | "I'm just looking for the opportunity to | mike.diehl at fido.org help| be Politically Incorrect!" +=========+ al945 at cwns9.ins.cwru.edu| Is Big Brother in your phone? | PGP KEY | (505) 299-2282 (voice) | If you don't know, ask me. |Available| ========================+================================+=========+ PGP Key = 7C06F1 = A6 27 E1 1D 5F B2 F2 F1 12 E7 53 2D 85 A2 10 5D This message is protected by 18 USC 2511 and 18 USC 2703. Monitoring by anyone other than the recipient is absolutely forbidden by US Law -----BEGIN PGP SIGNATURE----- Version: 2.2 iQCVAgUBLFDMSlWjzUwifAbxAQG3ngP/QXhforNMRIcDp8/alFhz5jMfXYH5+UTd xIs+hi6ocrSK2ZEtqfndto1agHaTdlNjAaJRgD8twmGrMUi+iEfRfsVtLwjBOTLV Ly0sJbnLbxR9K+2DweC6YsqDNEMvCxS3QHR3q5/sq8jLcPMEdC0wHuZ8lhMp8yCC VhFpls1Lv9Q= =Lgii -----END PGP SIGNATURE----- From gg at well.sf.ca.us Sat Jul 24 02:27:14 1993 From: gg at well.sf.ca.us (George A. Gleason) Date: Sat, 24 Jul 93 02:27:14 PDT Subject: Remailers/PayPhones and Today's NYT Message-ID: <93Jul24.022600pdt.14455-1@well.sf.ca.us> How about a valid debate being over **how** to best provide universal service in this day & age of red-lining? Interesting to note that when the private entrepreneurs open up U.S. versions of the traditional European "Call Offices," (rows of payphones with a window clerk or other attendant to help provide service & security), all of a sudden a chorus of voices go up, "OH NO, the Dope Dealers will use these things!" Well, one excuse or another, same old racist BS either way. The right to anonymity has got to be universal, and the right to access has got to be universal, or these things become mere privileges which can be taken away on a whim. -gg From Charles.M.Schroth at williams.edu Sat Jul 24 10:08:46 1993 From: Charles.M.Schroth at williams.edu (Matt Schroth) Date: Sat, 24 Jul 93 10:08:46 PDT Subject: FAQ corrections Message-ID: <199307241707.AA29043@rowe.williams.edu> [I tried mailing this directly to Eric Raymond, but I got a bounce message a day later.] Eric, I have read some things I think are incorrect in the FAQ you're working on. I could be wrong, of course, but I wanted to point them out to you anyway: In the introduction to PKC, you say that "the Federal Government's DES standard" is a PKC. Is there some way to view DES as a public key system that I'm not aware of? I have only seen it used as a symmetric key system. In 3a, you state that "If you encode with *your* public key...". I think you meant "with your private key...", as anyone can encode something with a public key. In 4a, "RSA stands for 'Rivest-Shamir-Adelson'"...his name is Adleman. I saw a few "more needed here's". Are you soliciting help for these, or are you just not finished with those sections yourself? Good luck, Matt From earhart+ at CMU.EDU Sat Jul 24 10:38:55 1993 From: earhart+ at CMU.EDU (Rob Earhart) Date: Sat, 24 Jul 93 10:38:55 PDT Subject: Key Signing Policy. In-Reply-To: <9307240723.AA08656@vesta.unm.edu> Message-ID: J. Michael Diehl writes: > BTW, what do you think of my new sig? It's a bit long... )Rob From collins at newton.apple.com Sat Jul 24 13:00:08 1993 From: collins at newton.apple.com (Scott Collins) Date: Sat, 24 Jul 93 13:00:08 PDT Subject: FAQ, round 2 (posting because of bounce) Message-ID: <9307241954.AA26549@newton.apple.com> I tried to mail these comments directly to Eric Raymond, who posted his in progress FAQ. My mail bounced, so I am posting it in hopes that he will get it. I missed a lot of the FAQ commentary, so I apologize if this is all known. Scott Collins | "Few people realize what tremendous power there | is in one of these things." -- Willy Wonka ......................|................................................ BUSINESS. voice:408.862.0540 fax:974.6094 collins at newton.apple.com Apple Computer, Inc. 1 Infinite Loop, MS 301-2C Cupertino, CA 95014 ....................................................................... PERSONAL. voice/fax:408.257.1746 1024/669687 catalyst at netcom.com ..........bounced comments follow.......... Hi, Good work on the FAQ. I'ts not a rewarding job, I'm sure; I just wanted to personally express gratitude. Sorry I took so long to get these comments to you. > The best-known PKCs are [...] DES DES is a symmetric cypher, i.e. *not* a public key crypto-system. >`digital signature' or `message digest code' or `message hash' A message digest or hash is distinct from a digital signature. In particular, for a given input, everyone will derive the same digest or hash but a different signature. >The three major DSS techniques are Snefru, MD5, and DSS. Again, MD5 is not a signature algorigthm. It is only a (supposedly) cryptographically secure, i.e. one way, hash. Everyone who runs MD5 on the same input, will get the same output. If you meant that MD5 is used as a component of some signature algorithms (which is true), then I apologize, it wasn't clear to me. > DSS is [...] associated with the Clipper proposal. They both come from the government. They were both influenced by the NSA. They are not associated in any formal way. More cousins than brothers. >c. DC-net or similar protocols to thwart spoofing. DC-nets are anonymous voting mechanisms (at their heart). I don't see the direct relation to 'thwart spoofing'. > If two or more people encode known text with their private keys applied in >succession, all their public keys will be required to decode it. This is >an unforgeable contract. Yes, although more often digital signatures are what people want and mean when they discuss digital contracts. With individual digital signatures, i.e. a hash of the contract signed with your private key, each signature can be individually verified. > RSA stands for `Rivest-Shamir-Adelson', Adleman Keep up the good work, Scott Collins | "Few people realize what tremendous power there | is in one of these things." -- Willy Wonka ......................|................................................ BUSINESS. voice:408.862.0540 fax:974.6094 collins at newton.apple.com Apple Computer, Inc. 1 Infinite Loop, MS 301-2C Cupertino, CA 95014 ....................................................................... PERSONAL. voice/fax:408.257.1746 1024/669687 catalyst at netcom.com From UCX_SMTP at crc.monroecc.edu Sat Jul 24 15:04:20 1993 From: UCX_SMTP at crc.monroecc.edu (UCX_SMTP at crc.monroecc.edu) Date: Sat, 24 Jul 93 15:04:20 PDT Subject: No Subject Message-ID: <9307230148.AA09179@emory.mathcs.emory.edu> ---- Transcript of session follows ---- 196608 %NONAME-W-NOMSG, Message number 00000000 -SYSTEM-S-NORMAL, normal successful completion ---- Unsent message follows ---- Received: from toad.com by relay2.UU.NET with SMTP (5.61/UUNET-internet-primary) id AA00909; Thu, 22 Jul 93 21:41:38 -0400 Received: by toad.com id AA14078; Thu, 22 Jul 93 18:01:32 PDT Received: by toad.com id AA13842; Thu, 22 Jul 93 17:53:04 PDT Return-Path: Received: from decwrl.UUCP by toad.com id AA13837; Thu, 22 Jul 93 17:53:03 PDT Received: by uucp-gw-2.pa.dec.com; id AA12960; Thu, 22 Jul 93 12:50:15 -0700 Received: from emory.UUCP by merlin.gatech.edu with UUCP id AA20089 (5.65c/IDA-1.4.4 for decvax!decwrl!hoptoad!CYPHERPUNKS); Thu, 22 Jul 1993 15:25:50 -0400 Received: from indigo.UUCP by emory.mathcs.emory.edu (5.65/Emory_mathcs.3.4.11) via UUCP id AA07594 ; Thu, 22 Jul 93 15:15:19 -0400 Resent-Message-Id: <9307221915.AA07594 at emory.mathcs.emory.edu> Received: by indigo.mese.com (DECUS UUCP /2.0/2.0/2.0/); Thu, 22 Jul 93 14:38:30 EDT Resent-Date: Thu, 22 Jul 1993 14:27:57 EDT Resent-From: Resent-To: Received: by INDIGO.MESE.COM (MX V3.1) with UUCP; Thu, 22 Jul 1993 14:27:48 EDT Received: from orion.crc.monroecc.edu by emory.mathcs.emory.edu (5.65/Emory_mathcs.3.4.11) via SMTP id AA23297 ; Wed, 21 Jul 93 23:26:36 -0400 Date: Wed, 21 Jul 93 23:26:36 -0400 From: UCX_SMTP at crc.monroecc.edu Message-Id: <9307220326.AA23297 at emory.mathcs.emory.edu> Apparently-To: To: ---- Transcript of session follows ---- 196608 %NONAME-W-NOMSG, Message number 00000000 -SYSTEM-S-NORMAL, normal successful completion ---- Unsent message follows ---- Received: from toad.com by relay2.UU.NET with SMTP (5.61/UUNET-internet-primary) id AA06943; Wed, 21 Jul 93 23:22:44 -0400 Received: by toad.com id AA21927; Wed, 21 Jul 93 19:16:03 PDT Received: by toad.com id AA21680; Wed, 21 Jul 93 19:02:20 PDT Received: from decwrl.UUCP by toad.com id AA21676; Wed, 21 Jul 93 19:02:19 PDT Received: by uucp-gw-2.pa.dec.com; id AA18750; Wed, 21 Jul 93 19:00:31 -0700 Received: from emory.UUCP by merlin.gatech.edu with UUCP id AA03218 (5.65c/IDA-1.4.4 for decvax!decwrl!hoptoad!CYPHERPUNKS); Wed, 21 Jul 1993 21:36:21 -0400 Received: from indigo.UUCP by emory.mathcs.emory.edu (5.65/Emory_mathcs.3.4.11) via UUCP id AA16552 ; Wed, 21 Jul 93 21:27:59 -0400 Resent-Message-Id: <9307220127.AA16552 at emory.mathcs.emory.edu> Received: by indigo.mese.com (DECUS UUCP /2.0/2.0/2.0/); Wed, 21 Jul 93 21:25:09 EDT Resent-Date: Wed, 21 Jul 1993 21:21:26 EDT Resent-From: Resent-To: Received: by INDIGO.MESE.COM (MX V3.1) with UUCP; Wed, 21 Jul 1993 21:21:18 EDT Received: from relay2.UU.NET by emory.mathcs.emory.edu (5.65/Emory_mathcs.3.4.11) via SMTP id AA12591 ; Wed, 21 Jul 93 20:34:47 -0400 Received: from toad.com by relay2.UU.NET with SMTP (5.61/UUNET-internet-primary) id AA14330; Wed, 21 Jul 93 20:31:29 -0400 Received: by toad.com id AA18642; Wed, 21 Jul 93 16:09:44 PDT Received: by toad.com id AA18609; Wed, 21 Jul 93 16:07:26 PDT Return-Path: Received: from gvls1.VFL.Paramax.COM ([128.126.220.104]) by toad.com id AA18605; Wed, 21 Jul 93 16:07:15 PDT Received: from lock60.UUCP by gvls1.VFL.Paramax.COM (4.1/mls/4.0) id AA04653; Wed, 21 Jul 93 19:07:13 EDT X-Info: VFL.Paramax.COM is the new name for GVL.Unisys.COM Please change any mailing lists or aliases. Both the old and the new addresses will work for a short time. Received: by lock60.Canal.Org (smail2.5) id AA16551; 21 Jul 93 18:50:24 EDT (Wed) Received: by snark.thyrsus.com (/\==/\ Smail3.1.21.1 #21.19) id ; Wed, 21 Jul 93 14:56 EDT Received: by boojum.uucp (Smail3.1.28.1 #2) id m0oIiVK-000BQZC; Wed, 21 Jul 93 14:03 EDT Message-Id: From: Subject: FAQ, round 2 To: boojum!cypherpunks at uunet.uu.net Date: Wed, 21 Jul 93 14:03:02 EDT X-Mailer: ELM [version 2.3 PL11] I've written some more material for it. Criticisms and additions welcome. --- DRAFT VERSION ---- DRAFT VERSION ---- DRAFT VERSION ---- DRAFT VERSION --- From: esr at snark.thyrsus.com (Eric S. Raymond) Newsgroups: news.answers Followup-To: poster This is the Cypherpunks FAQ. It explains the projects and purposes of the Cypherpunks mailing list. It is also intended to serve as a general introduction to privacy and encryption issues. For details on the technical and theoretical aspects of computer cryptography, see the sci.crypt FAQ, available for FTP from rtfm.mit.edu (18.172.1.27) in the directory pub/usenet-by-group/sci.crypt. The cypherpunks archive is available for FTP at soda.berkeley.edu:pub/cypherpunks This site contains code, information, rants, and other miscellany, including the most up-to-date version of this FAQ. This FAQ is maintained by Eric S. Raymond ; send additions and corrections to that address. Sections contributed by others are credited to individual authors. We gratefully acknowledge, in addition, feedback and comments from David Mandl and Eric Hughes . Here is a table of contents for this FAQ: 1. Why cypherpunks? 2. What are the essentials of privacy software? a. Public-key cryptosystems for secure communication. b. Unforgeable electronic signatures for message authentication. c. DC-net or similar protocols to thwart spoofing. 3. What are the potential applications of good privacy software? a. Secure communications. b. Digital cash. c. Electronic voting. d. Electronic contracts. e. Secure anonymous remailers and posters. f. 4. What are the key algorithms, tools, and implementations for privacy software? a. RSA b. DES c. Clipper/Capstone/DSS d. PGP e. Possible non-RSA trapdoor functions. 5. What are the social and political implications of good privacy software? a. Drastically lower transaction costs for trade. b. Expansion of the counter-economy. c. Disempowerment of government. d. Anonymity for whistleblowers. 6. What are the legal, political, and technical obstacles? a. The Clipper/Capstone/DSS power grab. b. The RSA patent and the PGP/RSA fight. c. RSA's base problem may not be NP-complete. 7. What can I do to help? a. Work on cryptographic software. b. Agitate against the Clipper/Capstone/DES proposals. c. Promote the use of encrypted communication. To join the cypherpunks mailing list, send a request to: cypherpunks-request at toad.com Working with us could be your best shot at stopping Big Brother. So if you have skills to contribute, act now. The freedom you save could be your own. 1. Why cypherpunks? Because privacy is essential to freedom. If the government (or any other oppressor that behaves like one) can effectively monitor communications, it can control or suppress them. And it will do so, because the natural tendency of controllers is always to seek more control. The government cannot be relied on to protect your privacy rights. Nor can anyone else --- certainly not your employer, or the corporations that want to know all about you so they can sell you things. Given half the chance, governments and corporations will always push for security standards that protect *them*, but not *you*. Computer technology can help protect you against would-be snoopers, but only if somebody is sufficiently smart and dedicated to build the tools. The Cypherpunks list exists to build and propagate privacy software. Our aim is to give you the tools to keep your private information private, and to communicate with other people and computers in ways snoopers cannot tap. 2. What are the essentials of privacy software? a. Public-key cryptosystems for secure communication. A conventional cryptosystem consists of an encoding/decoding method and a single key. Two users who share a key can exchange private messages. A public-key cryptosystem uses a *pair* of keys; one private, one public. Anyone with either key can decode messages encoded with the other. For privacy, it must be impossible (or at least impractical) to deduce the private key from the public one. Public-key cryptosystems imply many exciting things --- unforgeable electronic signatures, digital cash, and secure electronic contracts are among them. The basic idea behind all of these is that, as long as your private key is secure, people can verify that an encoded message containg known text came from you by decoding with your public key. In the remainder of this FAQ we use `PKC' as an abbreviation for `Public Key Cryptosystem'. The best-known PKCs are the RSA system, the Federal Government's DES standard, and the government's Clipper proposal. We'll discuss these, and others, in more detail below. b. Unforgeable electronic signatures for message authentication. There are many circumstances in which you want to be able to check a public clear-text message for tampering. To do this, the message must contain a `digital signature' or `message digest code' or `message hash' derived from its clear text, which can be checked against the clear text by a receiver. For security, the message hash should have the property that no one knows how to modify a message in a way that preserves its hash. PKCs give you unforgeable signatures as a side-effect. Unfortunately, known PKCs are too slow to use practically for message hashing. Thus, there is a separate category of `Digital Signature Systems'. The three major DSS techniques are Snefru, MD5, and DSS. Snefru, invented by Ralph Merkle at Xerox PARC, is of historical interest only as it has been broken. MD5 is described in Internet RFC 1321, which also gives a reference implementation in C. As of July 1993 it is believed to be secure, but has not been *proved* to be secure. DSS is a Federal Government proposed standard associated with the Clipper proposal. c. DC-net or similar protocols to thwart spoofing. 3. What are the potential applications of good privacy software? a. Secure communications. With a PKC, you can send a message that no one but the intended receiver can decrypt by encoding it with the receiver's public key. If you encode it with *your* public key, the receiver can verify that it came from you. This means that it is possible to do secure communications even over public channels. Neither nosy neighbors, business competitors, nor the government or any (other) criminal gang can interfere with it. b. Digital cash. Unforgeable messages also imply digital cash. You could use a PKC to send to the receiver a code permitting them to draw a particular amount of money from your bank account. The bank, with access to both yours and the payee's public keys, can verify that the order is genuine. This means that it is possible to do trade over electronic links, without any part trusting any other party beyond the bounds of normal commercial risk. c. Electronic voting. Unforgeable messages also imply secure electronic voting. If you encode your voting form with a PKC, the vote-collecting authority can verify it with your public key. d. Electronic contracts. If two or more people encode known text with their private keys applied in succession, all their public keys will be required to decode it. This is an unforgeable contract. Furthermore, it is an unforgeable *private* contract. e. Secure anonymous remailers and posters. 4. What are the key algorithms, tools, and implementations for privacy software? a. RSA RSA stands for `Rivest-Shamir-Adelson', the names of the three computer scientists who developed the technique. RSA has withstood determined attacks for over a decade and is widely believed to be secure. It has been proposed as an Internet standard. The RSA technique is patented. The patents are held by RSA, Inc. . An implemenation in C called RSAREF is available for research and certain noncommercial uses. b. DES c. Clipper/Capstone/DSS d. PGP e. Possible non-RSA trapdoor functions. 5. What are the social and political implications of good privacy software? a. Drastically lower transaction costs for trade. b. Expansion of the counter-economy. c. Disempowerment of government. d. Anonymity for whistleblowers. 6. What are the legal, political, and technical obstacles? a. The Clipper/Capstone/DSS power grab. b. The RSA patent and the PGP/RSA fight. c. RSA's base problem may not be NP-complete. 7. What can I do to help? a. Work on cryptographic software. b. Agitate against the Clipper/Capstone/DES proposals. c. Promote the routine use of encrypted communication. You can help spread PGP and other appropriate tools far and wide (both to help get a better foothold to thwart the Clipper proposal and its ilk, and to work towards making crypto as commonplace as envelopes). --- DRAFT VERSION ---- DRAFT VERSION ---- DRAFT VERSION ---- DRAFT VERSION --- -- >>eric>> From geoffw at nexsys.net Sat Jul 24 15:17:39 1993 From: geoffw at nexsys.net (Geoff White) Date: Sat, 24 Jul 93 15:17:39 PDT Subject: Remailers/PayPhones and Today's NYT Message-ID: <9307241600.AA00619@nexsys.nexsys.net> > How about a valid debate being over **how** to best provide universal > service in this day & age of red-lining? Interesting to note that when the > private entrepreneurs open up U.S. versions of the traditional European > "Call Offices," (rows of payphones with a window clerk or other attendant to > help provide service & security), all of a sudden a chorus of voices go up, > "OH NO, the Dope Dealers will use these things!" Well, one excuse or > another, same old racist BS either way. The right to anonymity has got to > be universal, and the right to access has got to be universal, or these > things become mere privileges which can be taken away on a whim. > > -gg > So what if some small time drug dealers are using them. One thing is for sure, the Big Time drug dealers, (the ones with the ships, planes, and enough money to finance the transport of tons of contraband) do not, and will not be using them. As far as dening payphone service in "high crime" (read black areas), well the information kiosk would tend to solve the problem of vandalism, so what's the big deal? An for all you supposed libertarian types, I'm sure there is some enterprising person or family who will be willing to take the perceived risks with operating such an establishment to get the potential financial reward. From hugh at toad.com Sat Jul 24 16:04:23 1993 From: hugh at toad.com (Hugh Daniel) Date: Sat, 24 Jul 93 16:04:23 PDT Subject: POLITICS: Cutting off coin payphone services In-Reply-To: <93Jul23.022610pdt.14662-1@well.sf.ca.us> Message-ID: <9307242301.AA27582@ecotone.toad.com> I ran into one that boiled by blood over a year ago. I was on the north side of Chicago having just gotten off the L, and walked about a block to find a payphone to call the friends I was visiting to have them pick me up. I had problems dialing, the phone seemed broken and would not dial right, even when I used more then enough money. I decided to report the problem to the operator (and hopefully get my call thorough). She told me that the phone was not broken, but was in an area that was not allowed to make coin calls from 7pm to something like 8am! I was welcome to make phone card or collect calls if I wished. Right. You can be sure that I did not do any biz with that phone company again if I could avoid it! Hard though, as it was Illinois Bell. This is in no way the worst part of Chicago, the area around the L is a bit grungy, but within blocks there are lots-o-YUPPIES. I wonder if this could be used against anonymity on the nets? Maybe this is something that should be fought in the courts now so as not to set bad presidents(sp?) for anonymity in general. ||ugh Daniel From hfinney at shell.portal.com Sat Jul 24 17:02:44 1993 From: hfinney at shell.portal.com (hfinney at shell.portal.com) Date: Sat, 24 Jul 93 17:02:44 PDT Subject: REMAIL: replying to cp-remailed messages Message-ID: <9307242019.AA01355@jobe.shell.portal.com> I want to elaborate on Eric's comment about the "##" pasting token. The cypherpunks remailers are activated by mail header fields. They look for a header entry of the form "Request-Remailing-To:" among the Subject, From, To, etc. headers. Although it is traditional for user-defined extension header fields to start with "X-", Eric argued that since we hope to extend remailer availability to the point that it is a widespread and standard service, it was reasonable to choose a non-"X-" field name. Since some mailers don't allow users to insert header fields, Eric created the "::" incoming pasting token. If no header field is found matching the ones the remailer looks for, it then checks to see if the first non-blank line of the message is "::". If so, it copies all the following lines of the message into the header, up to the next blank line, and then restarts processing of the message. The "::" line is intended to be followed by the user-added header fields like "Request-Remailing-To". When the remailer does a remailing step, it strips all of the header fields except Subject. Keeping the Subject header impairs security somewhat because it would facilitate pairing up input and output messages, but it adds a lot of convenience for users. What is little known is that there is another step which can be done. Just before the remailer sends a message for which remailing has been requested, it again checks the first non-blank line, this time to see if it is the outgoing pasting token "##". If so, it again copies the following lines up to a blank line into the message header of the outgoing message. The message is then sent without further processing. This means that any header line can be added to an outgoing message by this means. In particular, as Eric pointed out, a Reply-To header could be added which would reveal the true sender of the message for those cases where that was wanted. Subject headers could also be added at this step as well as after the :: incoming pasting token. Hal Finney hfinney at shell.portal.com From hfinney at shell.portal.com Sat Jul 24 17:03:51 1993 From: hfinney at shell.portal.com (hfinney at shell.portal.com) Date: Sat, 24 Jul 93 17:03:51 PDT Subject: forged mail Message-ID: <9307242018.AA01350@jobe.shell.portal.com> From: Peter Breton > Actually, forging mail at the machine you're on en route to the remailer > protects you against: > > 1) Anyone who can snoop the message headers on the way to the remailer > ("Tra la la. Let's keep a little list of everyone using those remailers...") > > 2) A corrupt remailer operator. It's not so much a matter of "corrupt" remailer operators. The remailer scripts on the cypherpunks FTP site are distributed with automatic logging of the text of ALL remailed messages by default. This is intended for debugging purposes, but some of the remailers still operate in this mode. This could perhaps provide some protection against liability for operators of remailers, because they can trace back the source of an abusive message that was sent through their remailers. However, it obviously seriously impairs user privacy. The only logs my remailers (on hfinney at shell.portal.com and hal at alumni.caltech.edu) keep are the date and time when they did an operation. No record is kept of any message header or content which would allow re- construction of sender information. The date/time stamps just give me a general idea of how much my remailer is used. However, Eric Hughes has pointed out that most Unix systems can be configured to keep logs of all incoming and outgoing mail. Such logs could be used to reconstruct input/output pairs, by observing that a particular message sent to me was followed by a particular outgoing message a few seconds later. I have not been able to determine whether such logs are kept on the machines I use (the directories which would hold them are protected) but it's safest to assume that they are. I think a better solution to the problem than trying forged mail is to use a chain of cypherpunks remailers, some of which are user-owned and -operated and which (I think) have policies of not keeping content logs. The monthly postings of remailer lists include information on which machines are user- owned, although no information is listed presently about logging. Since the whole point of a remailer is to lose incoming-to-outgoing correspondence, it seems to me that logging should be minimized, otherwise there is little point to running a remailer. Hal Finney hfinney at shell.portal.com From smb at research.att.com Sat Jul 24 17:22:44 1993 From: smb at research.att.com (smb at research.att.com) Date: Sat, 24 Jul 93 17:22:44 PDT Subject: Remailers/PayPhones and Today's NYT Message-ID: <9307250020.AA14394@toad.com> A lot of the issue isn't drug dealers using payphones, it's credit card fraud. Ask yourself what hurts phone companies in their bottom lines. From williacw at vuse.vanderbilt.edu Sat Jul 24 22:07:56 1993 From: williacw at vuse.vanderbilt.edu (Charles Williams) Date: Sat, 24 Jul 93 22:07:56 PDT Subject: TEST Message-ID: <9307250538.AA03918@necs.vuse> Could someone E-Mail me a PGP encrypted message, so that I may test out my key. I'll place my public key in this messaege. -----BEGIN PGP PUBLIC KEY BLOCK----- Version: 2.3a mQCNAixv1gEAAAEEAJkpZFvYyCu23f5y7NuMQuEjIZzEbN2trPJJfGO5V8+8RX+V j94S5cx3q5lkOEJz7/YjWx6c0EIU+gEbdQ4Fw/Ar5jOmVJNcCqUHJZlH/eLhVWb2 R5JqNF8FLfFBkBAWCccfPTbccdGFPz6Jjnzn87HJT3r4HKSgKKDQOWvqVsxdAAUR tDJDaGFybGVzIFcuIFdpbGxpYW1zIDxXZXNsZXlAY3RydmF4LnZhbmRlcmJpbHQu ZWR1PokAlQIFECxv2KWg0Dlr6lbMXQEBWgkD/268KxYNV0POptYQJRQKNNaAulCd oaS5oG5EoQSg3mK9HkshWeq6mapk1xs0f2iZEedFqJq8m/oP1BMHM8XQ+uqn+HTp /lsPg1aVqgkBzB3udF755WHf+IlbplnNTdJTqu4gLJKhwlYEEQUcop3KgJ4gh8g+ h/u+O8gpXqSdncS1 =GuoW -----END PGP PUBLIC KEY BLOCK----- From WESLEY at ctrvax.Vanderbilt.Edu Sat Jul 24 22:12:56 1993 From: WESLEY at ctrvax.Vanderbilt.Edu (WESLEY at ctrvax.Vanderbilt.Edu) Date: Sat, 24 Jul 93 22:12:56 PDT Subject: MESSAGE Message-ID: <01H0XV5CT7O28X4EY2@ctrvax.Vanderbilt.Edu> I don't think my last message worked too well. I am asking that someone reply to this message with a PGP encrypted message, using the following KEY. Thanks -----BEGIN PGP PUBLIC KEY BLOCK----- Version: 2.3a mQCNAixv1gEAAAEEAJkpZFvYyCu23f5y7NuMQuEjIZzEbN2trPJJfGO5V8+8RX+V j94S5cx3q5lkOEJz7/YjWx6c0EIU+gEbdQ4Fw/Ar5jOmVJNcCqUHJZlH/eLhVWb2 R5JqNF8FLfFBkBAWCccfPTbccdGFPz6Jjnzn87HJT3r4HKSgKKDQOWvqVsxdAAUR tDJDaGFybGVzIFcuIFdpbGxpYW1zIDxXZXNsZXlAY3RydmF4LnZhbmRlcmJpbHQu ZWR1PokAlQIFECxv2KWg0Dlr6lbMXQEBWgkD/268KxYNV0POptYQJRQKNNaAulCd oaS5oG5EoQSg3mK9HkshWeq6mapk1xs0f2iZEedFqJq8m/oP1BMHM8XQ+uqn+HTp /lsPg1aVqgkBzB3udF755WHf+IlbplnNTdJTqu4gLJKhwlYEEQUcop3KgJ4gh8g+ h/u+O8gpXqSdncS1 =GuoW -----END PGP PUBLIC KEY BLOCK----- From UCX_SMTP at crc.monroecc.edu Sat Jul 24 22:13:56 1993 From: UCX_SMTP at crc.monroecc.edu (UCX_SMTP at crc.monroecc.edu) Date: Sat, 24 Jul 93 22:13:56 PDT Subject: No Subject Message-ID: <9307242219.AA18696@emory.mathcs.emory.edu> ---- Transcript of session follows ---- 196608 %NONAME-W-NOMSG, Message number 00000000 -SYSTEM-S-NORMAL, normal successful completion ---- Unsent message follows ---- Received: from toad.com by relay2.UU.NET with SMTP (5.61/UUNET-internet-primary) id AA17170; Sat, 24 Jul 93 22:13:19 GMT Received: by toad.com id AA13070; Sat, 24 Jul 93 15:04:20 PDT Received: by toad.com id AA13067; Sat, 24 Jul 93 15:04:03 PDT Return-Path: Received: from decwrl.UUCP by toad.com id AA13063; Sat, 24 Jul 93 15:04:02 PDT Received: by uucp-gw-2.pa.dec.com; id AA15103; Sat, 24 Jul 93 07:52:21 -0700 Received: from emory.UUCP by merlin.gatech.edu with UUCP id AA27657 (5.65c/IDA-1.4.4 for decvax!decwrl!hoptoad!CYPHERPUNKS); Sat, 24 Jul 1993 10:35:54 -0400 Received: from indigo.UUCP by emory.mathcs.emory.edu (5.65/Emory_mathcs.3.4.11) via UUCP id AA28817 ; Sat, 24 Jul 93 10:26:15 -0400 Resent-Message-Id: <9307241426.AA28817 at emory.mathcs.emory.edu> Received: by indigo.mese.com (DECUS UUCP /2.0/2.0/2.0/); Sat, 24 Jul 93 09:20:26 EDT Resent-Date: Sat, 24 Jul 1993 08:42:46 EDT Resent-From: Resent-To: Received: by INDIGO.MESE.COM (MX V3.1) with UUCP; Sat, 24 Jul 1993 08:42:36 EDT Received: from orion.crc.monroecc.edu by emory.mathcs.emory.edu (5.65/Emory_mathcs.3.4.11) via SMTP id AA09179 ; Thu, 22 Jul 93 21:48:31 -0400 Date: Thu, 22 Jul 93 21:48:31 -0400 From: UCX_SMTP at crc.monroecc.edu Message-Id: <9307230148.AA09179 at emory.mathcs.emory.edu> Apparently-To: To: ---- Transcript of session follows ---- 196608 %NONAME-W-NOMSG, Message number 00000000 -SYSTEM-S-NORMAL, normal successful completion ---- Unsent message follows ---- Received: from toad.com by relay2.UU.NET with SMTP (5.61/UUNET-internet-primary) id AA00909; Thu, 22 Jul 93 21:41:38 -0400 Received: by toad.com id AA14078; Thu, 22 Jul 93 18:01:32 PDT Received: by toad.com id AA13842; Thu, 22 Jul 93 17:53:04 PDT Return-Path: Received: from decwrl.UUCP by toad.com id AA13837; Thu, 22 Jul 93 17:53:03 PDT Received: by uucp-gw-2.pa.dec.com; id AA12960; Thu, 22 Jul 93 12:50:15 -0700 Received: from emory.UUCP by merlin.gatech.edu with UUCP id AA20089 (5.65c/IDA-1.4.4 for decvax!decwrl!hoptoad!CYPHERPUNKS); Thu, 22 Jul 1993 15:25:50 -0400 Received: from indigo.UUCP by emory.mathcs.emory.edu (5.65/Emory_mathcs.3.4.11) via UUCP id AA07594 ; Thu, 22 Jul 93 15:15:19 -0400 Resent-Message-Id: <9307221915.AA07594 at emory.mathcs.emory.edu> Received: by indigo.mese.com (DECUS UUCP /2.0/2.0/2.0/); Thu, 22 Jul 93 14:38:30 EDT Resent-Date: Thu, 22 Jul 1993 14:27:57 EDT Resent-From: Resent-To: Received: by INDIGO.MESE.COM (MX V3.1) with UUCP; Thu, 22 Jul 1993 14:27:48 EDT Received: from orion.crc.monroecc.edu by emory.mathcs.emory.edu (5.65/Emory_mathcs.3.4.11) via SMTP id AA23297 ; Wed, 21 Jul 93 23:26:36 -0400 Date: Wed, 21 Jul 93 23:26:36 -0400 From: UCX_SMTP at crc.monroecc.edu Message-Id: <9307220326.AA23297 at emory.mathcs.emory.edu> Apparently-To: To: ---- Transcript of session follows ---- 196608 %NONAME-W-NOMSG, Message number 00000000 -SYSTEM-S-NORMAL, normal successful completion ---- Unsent message follows ---- Received: from toad.com by relay2.UU.NET with SMTP (5.61/UUNET-internet-primary) id AA06943; Wed, 21 Jul 93 23:22:44 -0400 Received: by toad.com id AA21927; Wed, 21 Jul 93 19:16:03 PDT Received: by toad.com id AA21680; Wed, 21 Jul 93 19:02:20 PDT Received: from decwrl.UUCP by toad.com id AA21676; Wed, 21 Jul 93 19:02:19 PDT Received: by uucp-gw-2.pa.dec.com; id AA18750; Wed, 21 Jul 93 19:00:31 -0700 Received: from emory.UUCP by merlin.gatech.edu with UUCP id AA03218 (5.65c/IDA-1.4.4 for decvax!decwrl!hoptoad!CYPHERPUNKS); Wed, 21 Jul 1993 21:36:21 -0400 Received: from indigo.UUCP by emory.mathcs.emory.edu (5.65/Emory_mathcs.3.4.11) via UUCP id AA16552 ; Wed, 21 Jul 93 21:27:59 -0400 Resent-Message-Id: <9307220127.AA16552 at emory.mathcs.emory.edu> Received: by indigo.mese.com (DECUS UUCP /2.0/2.0/2.0/); Wed, 21 Jul 93 21:25:09 EDT Resent-Date: Wed, 21 Jul 1993 21:21:26 EDT Resent-From: Resent-To: Received: by INDIGO.MESE.COM (MX V3.1) with UUCP; Wed, 21 Jul 1993 21:21:18 EDT Received: from relay2.UU.NET by emory.mathcs.emory.edu (5.65/Emory_mathcs.3.4.11) via SMTP id AA12591 ; Wed, 21 Jul 93 20:34:47 -0400 Received: from toad.com by relay2.UU.NET with SMTP (5.61/UUNET-internet-primary) id AA14330; Wed, 21 Jul 93 20:31:29 -0400 Received: by toad.com id AA18642; Wed, 21 Jul 93 16:09:44 PDT Received: by toad.com id AA18609; Wed, 21 Jul 93 16:07:26 PDT Return-Path: Received: from gvls1.VFL.Paramax.COM ([128.126.220.104]) by toad.com id AA18605; Wed, 21 Jul 93 16:07:15 PDT Received: from lock60.UUCP by gvls1.VFL.Paramax.COM (4.1/mls/4.0) id AA04653; Wed, 21 Jul 93 19:07:13 EDT X-Info: VFL.Paramax.COM is the new name for GVL.Unisys.COM Please change any mailing lists or aliases. Both the old and the new addresses will work for a short time. Received: by lock60.Canal.Org (smail2.5) id AA16551; 21 Jul 93 18:50:24 EDT (Wed) Received: by snark.thyrsus.com (/\==/\ Smail3.1.21.1 #21.19) id ; Wed, 21 Jul 93 14:56 EDT Received: by boojum.uucp (Smail3.1.28.1 #2) id m0oIiVK-000BQZC; Wed, 21 Jul 93 14:03 EDT Message-Id: From: Subject: FAQ, round 2 To: boojum!cypherpunks at uunet.uu.net Date: Wed, 21 Jul 93 14:03:02 EDT X-Mailer: ELM [version 2.3 PL11] I've written some more material for it. Criticisms and additions welcome. --- DRAFT VERSION ---- DRAFT VERSION ---- DRAFT VERSION ---- DRAFT VERSION --- From: esr at snark.thyrsus.com (Eric S. Raymond) Newsgroups: news.answers Followup-To: poster This is the Cypherpunks FAQ. It explains the projects and purposes of the Cypherpunks mailing list. It is also intended to serve as a general introduction to privacy and encryption issues. For details on the technical and theoretical aspects of computer cryptography, see the sci.crypt FAQ, available for FTP from rtfm.mit.edu (18.172.1.27) in the directory pub/usenet-by-group/sci.crypt. The cypherpunks archive is available for FTP at soda.berkeley.edu:pub/cypherpunks This site contains code, information, rants, and other miscellany, including the most up-to-date version of this FAQ. This FAQ is maintained by Eric S. Raymond ; send additions and corrections to that address. Sections contributed by others are credited to individual authors. We gratefully acknowledge, in addition, feedback and comments from David Mandl and Eric Hughes . Here is a table of contents for this FAQ: 1. Why cypherpunks? 2. What are the essentials of privacy software? a. Public-key cryptosystems for secure communication. b. Unforgeable electronic signatures for message authentication. c. DC-net or similar protocols to thwart spoofing. 3. What are the potential applications of good privacy software? a. Secure communications. b. Digital cash. c. Electronic voting. d. Electronic contracts. e. Secure anonymous remailers and posters. f. 4. What are the key algorithms, tools, and implementations for privacy software? a. RSA b. DES c. Clipper/Capstone/DSS d. PGP e. Possible non-RSA trapdoor functions. 5. What are the social and political implications of good privacy software? a. Drastically lower transaction costs for trade. b. Expansion of the counter-economy. c. Disempowerment of government. d. Anonymity for whistleblowers. 6. What are the legal, political, and technical obstacles? a. The Clipper/Capstone/DSS power grab. b. The RSA patent and the PGP/RSA fight. c. RSA's base problem may not be NP-complete. 7. What can I do to help? a. Work on cryptographic software. b. Agitate against the Clipper/Capstone/DES proposals. c. Promote the use of encrypted communication. To join the cypherpunks mailing list, send a request to: cypherpunks-request at toad.com Working with us could be your best shot at stopping Big Brother. So if you have skills to contribute, act now. The freedom you save could be your own. 1. Why cypherpunks? Because privacy is essential to freedom. If the government (or any other oppressor that behaves like one) can effectively monitor communications, it can control or suppress them. And it will do so, because the natural tendency of controllers is always to seek more control. The government cannot be relied on to protect your privacy rights. Nor can anyone else --- certainly not your employer, or the corporations that want to know all about you so they can sell you things. Given half the chance, governments and corporations will always push for security standards that protect *them*, but not *you*. Computer technology can help protect you against would-be snoopers, but only if somebody is sufficiently smart and dedicated to build the tools. The Cypherpunks list exists to build and propagate privacy software. Our aim is to give you the tools to keep your private information private, and to communicate with other people and computers in ways snoopers cannot tap. 2. What are the essentials of privacy software? a. Public-key cryptosystems for secure communication. A conventional cryptosystem consists of an encoding/decoding method and a single key. Two users who share a key can exchange private messages. A public-key cryptosystem uses a *pair* of keys; one private, one public. Anyone with either key can decode messages encoded with the other. For privacy, it must be impossible (or at least impractical) to deduce the private key from the public one. Public-key cryptosystems imply many exciting things --- unforgeable electronic signatures, digital cash, and secure electronic contracts are among them. The basic idea behind all of these is that, as long as your private key is secure, people can verify that an encoded message containg known text came from you by decoding with your public key. In the remainder of this FAQ we use `PKC' as an abbreviation for `Public Key Cryptosystem'. The best-known PKCs are the RSA system, the Federal Government's DES standard, and the government's Clipper proposal. We'll discuss these, and others, in more detail below. b. Unforgeable electronic signatures for message authentication. There are many circumstances in which you want to be able to check a public clear-text message for tampering. To do this, the message must contain a `digital signature' or `message digest code' or `message hash' derived from its clear text, which can be checked against the clear text by a receiver. For security, the message hash should have the property that no one knows how to modify a message in a way that preserves its hash. PKCs give you unforgeable signatures as a side-effect. Unfortunately, known PKCs are too slow to use practically for message hashing. Thus, there is a separate category of `Digital Signature Systems'. The three major DSS techniques are Snefru, MD5, and DSS. Snefru, invented by Ralph Merkle at Xerox PARC, is of historical interest only as it has been broken. MD5 is described in Internet RFC 1321, which also gives a reference implementation in C. As of July 1993 it is believed to be secure, but has not been *proved* to be secure. DSS is a Federal Government proposed standard associated with the Clipper proposal. c. DC-net or similar protocols to thwart spoofing. 3. What are the potential applications of good privacy software? a. Secure communications. With a PKC, you can send a message that no one but the intended receiver can decrypt by encoding it with the receiver's public key. If you encode it with *your* public key, the receiver can verify that it came from you. This means that it is possible to do secure communications even over public channels. Neither nosy neighbors, business competitors, nor the government or any (other) criminal gang can interfere with it. b. Digital cash. Unforgeable messages also imply digital cash. You could use a PKC to send to the receiver a code permitting them to draw a particular amount of money from your bank account. The bank, with access to both yours and the payee's public keys, can verify that the order is genuine. This means that it is possible to do trade over electronic links, without any part trusting any other party beyond the bounds of normal commercial risk. c. Electronic voting. Unforgeable messages also imply secure electronic voting. If you encode your voting form with a PKC, the vote-collecting authority can verify it with your public key. d. Electronic contracts. If two or more people encode known text with their private keys applied in succession, all their public keys will be required to decode it. This is an unforgeable contract. Furthermore, it is an unforgeable *private* contract. e. Secure anonymous remailers and posters. 4. What are the key algorithms, tools, and implementations for privacy software? a. RSA RSA stands for `Rivest-Shamir-Adelson', the names of the three computer scientists who developed the technique. RSA has withstood determined attacks for over a decade and is widely believed to be secure. It has been proposed as an Internet standard. The RSA technique is patented. The patents are held by RSA, Inc. . An implemenation in C called RSAREF is available for research and certain noncommercial uses. b. DES c. Clipper/Capstone/DSS d. PGP